Loading dom/security/nsCSPContext.cpp +39 −20 Original line number Diff line number Diff line Loading @@ -201,6 +201,12 @@ bool nsCSPContext::permitsInternal( permits = false; } // In CSP 3.0 the effective directive doesn't become the actually used // directive in case of a fallback from e.g. script-src-elem to // script-src or default-src. nsAutoString effectiveDirective; effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDir)); // Callers should set |aSendViolationReports| to false if this is a // preload - the decision may be wrong due to the inability to get the // nonce, and will incorrectly fail the unit tests. Loading @@ -221,7 +227,7 @@ bool nsCSPContext::permitsInternal( BlockedContentSource::eUnknown, /* a BlockedContentSource */ aOriginalURIIfRedirect, /* in case of redirect originalURI is not null */ violatedDirective, p, /* policy index */ violatedDirective, effectiveDirective, p, /* policy index */ u""_ns, /* no observer subject */ spec, /* source file */ u""_ns, /* no script sample */ Loading Loading @@ -511,6 +517,7 @@ void nsCSPContext::reportInlineViolation( CSPDirective aDirective, Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, const nsAString& aNonce, const nsAString& aContent, const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that uint32_t aLineNumber, uint32_t aColumnNumber) { nsString observerSubject; Loading Loading @@ -553,6 +560,7 @@ void nsCSPContext::reportInlineViolation( BlockedContentSource::eInline, // aBlockedSource mSelfURI, // aOriginalURI aViolatedDirective, // aViolatedDirective aEffectiveDirective, // aEffectiveDirective aViolatedPolicyIndex, // aViolatedPolicyIndex observerSubject, // aObserverSubject sourceFile, // aSourceFile Loading Loading @@ -619,9 +627,12 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, const nsAString& aNonce, bool reportSample = false; mPolicies[i]->getDirectiveStringAndReportSampleForContentType( aDirective, violatedDirective, &reportSample); nsAutoString effectiveDirective; effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDirective)); reportInlineViolation(aDirective, aTriggeringElement, aCSPEventListener, aNonce, reportSample ? content : EmptyString(), violatedDirective, i, aLineNumber, aColumnNumber); violatedDirective, effectiveDirective, i, aLineNumber, aColumnNumber); } } return NS_OK; Loading Loading @@ -698,6 +709,7 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission, nsCSPContext::BlockedContentSource::eSelf, // aBlockedSource nullptr, // aOriginalURI u"navigate-to"_ns, // aViolatedDirective u"navigate-to"_ns, // aEffectiveDirective i, // aViolatedPolicyIndex u""_ns, // aObserverSubject NS_ConvertUTF8toUTF16(spec), // aSourceFile Loading Loading @@ -758,10 +770,13 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission, aViolationType == \ nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL) { \ violatedDirective = u"script-src"_ns; \ } else { \ MOZ_ASSERT_UNREACHABLE("dead code"); \ } \ AsyncReportViolation(aTriggeringElement, aCSPEventListener, nullptr, \ blockedContentSource, nullptr, violatedDirective, \ p, NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \ u"script-src"_ns /* aEffectiveDirective */, p, \ NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \ aSourceFile, reportSample ? aScriptSample : u""_ns, \ aLineNum, aColumnNum); \ } \ Loading Loading @@ -1029,9 +1044,9 @@ void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) { nsresult nsCSPContext::GatherSecurityPolicyViolationEventData( nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI, nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit) { EnsureIPCPoliciesRead(); NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1); Loading Loading @@ -1387,9 +1402,10 @@ class CSPReportSenderRunnable final : public Runnable { nsIURI* aBlockedURI, nsCSPContext::BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, uint32_t aViolatedPolicyIndex, bool aReportOnlyFlag, const nsAString& aViolatedDirective, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext) const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext) : mozilla::Runnable("CSPReportSenderRunnable"), mTriggeringElement(aTriggeringElement), mCSPEventListener(aCSPEventListener), Loading @@ -1399,6 +1415,7 @@ class CSPReportSenderRunnable final : public Runnable { mViolatedPolicyIndex(aViolatedPolicyIndex), mReportOnlyFlag(aReportOnlyFlag), mViolatedDirective(aViolatedDirective), mEffectiveDirective(aEffectiveDirective), mSourceFile(aSourceFile), mScriptSample(aScriptSample), mLineNum(aLineNum), Loading Loading @@ -1442,8 +1459,8 @@ class CSPReportSenderRunnable final : public Runnable { rv = mCSPContext->GatherSecurityPolicyViolationEventData( mBlockedURI, blockedContentSource, mOriginalURI, mViolatedDirective, mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum, init); mEffectiveDirective, mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum, init); NS_ENSURE_SUCCESS(rv, rv); // 1) notify observers Loading Loading @@ -1506,6 +1523,7 @@ class CSPReportSenderRunnable final : public Runnable { uint32_t mViolatedPolicyIndex; bool mReportOnlyFlag; nsString mViolatedDirective; nsString mEffectiveDirective; nsCOMPtr<nsISupports> mObserverSubject; nsString mSourceFile; nsString mScriptSample; Loading Loading @@ -1547,9 +1565,9 @@ nsresult nsCSPContext::AsyncReportViolation( Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) { const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) { EnsureIPCPoliciesRead(); NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1); Loading @@ -1557,7 +1575,8 @@ nsresult nsCSPContext::AsyncReportViolation( aTriggeringElement, aCSPEventListener, aBlockedURI, aBlockedContentSource, aOriginalURI, aViolatedPolicyIndex, mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(), aViolatedDirective, aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this); aEffectiveDirective, aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this); if (XRE_IsContentProcess()) { if (mEventTarget) { Loading dom/security/nsCSPContext.h +8 −5 Original line number Diff line number Diff line Loading @@ -96,8 +96,9 @@ class nsCSPContext : public nsIContentSecurityPolicy { nsresult GatherSecurityPolicyViolationEventData( nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI, nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit); nsresult SendReports( Loading @@ -122,9 +123,10 @@ class nsCSPContext : public nsIContentSecurityPolicy { mozilla::dom::Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum); const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum); // Hands off! Don't call this method unless you know what you // are doing. It's only supposed to be called from within Loading Loading @@ -161,6 +163,7 @@ class nsCSPContext : public nsIContentSecurityPolicy { nsICSPEventListener* aCSPEventListener, const nsAString& aNonce, const nsAString& aContent, const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, uint32_t aLineNumber, uint32_t aColumnNumber); Loading Loading
dom/security/nsCSPContext.cpp +39 −20 Original line number Diff line number Diff line Loading @@ -201,6 +201,12 @@ bool nsCSPContext::permitsInternal( permits = false; } // In CSP 3.0 the effective directive doesn't become the actually used // directive in case of a fallback from e.g. script-src-elem to // script-src or default-src. nsAutoString effectiveDirective; effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDir)); // Callers should set |aSendViolationReports| to false if this is a // preload - the decision may be wrong due to the inability to get the // nonce, and will incorrectly fail the unit tests. Loading @@ -221,7 +227,7 @@ bool nsCSPContext::permitsInternal( BlockedContentSource::eUnknown, /* a BlockedContentSource */ aOriginalURIIfRedirect, /* in case of redirect originalURI is not null */ violatedDirective, p, /* policy index */ violatedDirective, effectiveDirective, p, /* policy index */ u""_ns, /* no observer subject */ spec, /* source file */ u""_ns, /* no script sample */ Loading Loading @@ -511,6 +517,7 @@ void nsCSPContext::reportInlineViolation( CSPDirective aDirective, Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, const nsAString& aNonce, const nsAString& aContent, const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that uint32_t aLineNumber, uint32_t aColumnNumber) { nsString observerSubject; Loading Loading @@ -553,6 +560,7 @@ void nsCSPContext::reportInlineViolation( BlockedContentSource::eInline, // aBlockedSource mSelfURI, // aOriginalURI aViolatedDirective, // aViolatedDirective aEffectiveDirective, // aEffectiveDirective aViolatedPolicyIndex, // aViolatedPolicyIndex observerSubject, // aObserverSubject sourceFile, // aSourceFile Loading Loading @@ -619,9 +627,12 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, const nsAString& aNonce, bool reportSample = false; mPolicies[i]->getDirectiveStringAndReportSampleForContentType( aDirective, violatedDirective, &reportSample); nsAutoString effectiveDirective; effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDirective)); reportInlineViolation(aDirective, aTriggeringElement, aCSPEventListener, aNonce, reportSample ? content : EmptyString(), violatedDirective, i, aLineNumber, aColumnNumber); violatedDirective, effectiveDirective, i, aLineNumber, aColumnNumber); } } return NS_OK; Loading Loading @@ -698,6 +709,7 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission, nsCSPContext::BlockedContentSource::eSelf, // aBlockedSource nullptr, // aOriginalURI u"navigate-to"_ns, // aViolatedDirective u"navigate-to"_ns, // aEffectiveDirective i, // aViolatedPolicyIndex u""_ns, // aObserverSubject NS_ConvertUTF8toUTF16(spec), // aSourceFile Loading Loading @@ -758,10 +770,13 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission, aViolationType == \ nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL) { \ violatedDirective = u"script-src"_ns; \ } else { \ MOZ_ASSERT_UNREACHABLE("dead code"); \ } \ AsyncReportViolation(aTriggeringElement, aCSPEventListener, nullptr, \ blockedContentSource, nullptr, violatedDirective, \ p, NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \ u"script-src"_ns /* aEffectiveDirective */, p, \ NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \ aSourceFile, reportSample ? aScriptSample : u""_ns, \ aLineNum, aColumnNum); \ } \ Loading Loading @@ -1029,9 +1044,9 @@ void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) { nsresult nsCSPContext::GatherSecurityPolicyViolationEventData( nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI, nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit) { EnsureIPCPoliciesRead(); NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1); Loading Loading @@ -1387,9 +1402,10 @@ class CSPReportSenderRunnable final : public Runnable { nsIURI* aBlockedURI, nsCSPContext::BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, uint32_t aViolatedPolicyIndex, bool aReportOnlyFlag, const nsAString& aViolatedDirective, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext) const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext) : mozilla::Runnable("CSPReportSenderRunnable"), mTriggeringElement(aTriggeringElement), mCSPEventListener(aCSPEventListener), Loading @@ -1399,6 +1415,7 @@ class CSPReportSenderRunnable final : public Runnable { mViolatedPolicyIndex(aViolatedPolicyIndex), mReportOnlyFlag(aReportOnlyFlag), mViolatedDirective(aViolatedDirective), mEffectiveDirective(aEffectiveDirective), mSourceFile(aSourceFile), mScriptSample(aScriptSample), mLineNum(aLineNum), Loading Loading @@ -1442,8 +1459,8 @@ class CSPReportSenderRunnable final : public Runnable { rv = mCSPContext->GatherSecurityPolicyViolationEventData( mBlockedURI, blockedContentSource, mOriginalURI, mViolatedDirective, mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum, init); mEffectiveDirective, mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum, init); NS_ENSURE_SUCCESS(rv, rv); // 1) notify observers Loading Loading @@ -1506,6 +1523,7 @@ class CSPReportSenderRunnable final : public Runnable { uint32_t mViolatedPolicyIndex; bool mReportOnlyFlag; nsString mViolatedDirective; nsString mEffectiveDirective; nsCOMPtr<nsISupports> mObserverSubject; nsString mSourceFile; nsString mScriptSample; Loading Loading @@ -1547,9 +1565,9 @@ nsresult nsCSPContext::AsyncReportViolation( Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) { const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) { EnsureIPCPoliciesRead(); NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1); Loading @@ -1557,7 +1575,8 @@ nsresult nsCSPContext::AsyncReportViolation( aTriggeringElement, aCSPEventListener, aBlockedURI, aBlockedContentSource, aOriginalURI, aViolatedPolicyIndex, mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(), aViolatedDirective, aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this); aEffectiveDirective, aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this); if (XRE_IsContentProcess()) { if (mEventTarget) { Loading
dom/security/nsCSPContext.h +8 −5 Original line number Diff line number Diff line Loading @@ -96,8 +96,9 @@ class nsCSPContext : public nsIContentSecurityPolicy { nsresult GatherSecurityPolicyViolationEventData( nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI, nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum, mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit); nsresult SendReports( Loading @@ -122,9 +123,10 @@ class nsCSPContext : public nsIContentSecurityPolicy { mozilla::dom::Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI, const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum); const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject, const nsAString& aSourceFile, const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum); // Hands off! Don't call this method unless you know what you // are doing. It's only supposed to be called from within Loading Loading @@ -161,6 +163,7 @@ class nsCSPContext : public nsIContentSecurityPolicy { nsICSPEventListener* aCSPEventListener, const nsAString& aNonce, const nsAString& aContent, const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex, uint32_t aLineNumber, uint32_t aColumnNumber); Loading
