authorwolfbeast <mcwerewolf@wolfbeast.com>2019-11-10 11:39:27 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-11-10 11:39:27 +0100
commit974a481d12bf430891725bd3662876358e57e11a (patch)
treecad011151456251fef2f1b8d02ef4b4e45fad61a /dom/security
parent6bd66b1728eeddb058066edda740aaeb2ceaec23 (diff)
parent736d25cbec4541186ed46c935c117ce4d1c7f3bb (diff)
Merge branch 'master' into js-modules
Conflicts: modules/libpref/init/all.js
Diffstat (limited to 'dom/security')
-rw-r--r--dom/security/nsCSPContext.cpp15
-rw-r--r--dom/security/nsCSPUtils.cpp32
-rw-r--r--dom/security/nsContentSecurityManager.cpp82
-rw-r--r--dom/security/nsContentSecurityManager.h1
-rw-r--r--dom/security/nsMixedContentBlocker.cpp54
-rw-r--r--dom/security/nsMixedContentBlocker.h3
-rw-r--r--dom/security/test/cors/test_CrossSiteXHR.html2
7 files changed, 116 insertions, 73 deletions
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
bool allowed =
mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+
+ // If the inlined script or style is allowed by either unsafe-inline or the
+ // nonce, go ahead and shortcut this loop.
+ if (allowed) {
+ continue;
+ }
+
+ // Check if the csp-hash matches against the hash of the script.
+ // If we don't have any content to check, block the script.
+ if (!aContent.IsEmpty()) {
+ allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ }
if (!allowed) {
// policy is violoated: deny the load unless policy is report only and
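Review bot: The new comment `// If we don't have any content to check, block the script.` states the outcome but not the reason, which is the security-relevant part: the removed line hashed `aContent` even when it was empty, so a policy carrying the hash of the empty string would have matched every element with no inline content. I would extend it to `// An element with no inline content has nothing to hash; never fall back to hashing the empty string, which would let a hash-source whitelist every content-less element.` Style-wise the early `continue` can be avoided with `if (!allowed && !aContent.IsEmpty()) { allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated); }`, which keeps a single flow through the per-policy body. GetAllowsInline starts before this hunk and its loop body continues after it, so confirm nothing after the violation check relied on running for policies that now `continue`.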
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 71c8e3433..d07ad7945 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -641,13 +641,22 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
// just a specific scheme, the parser should generate a nsCSPSchemeSource.
NS_ASSERTION((!mHost.IsEmpty()), "host can not be the empty string");
+ // Before we can check if the host matches, we have to
+ // extract the host part from aUri.
+ nsAutoCString uriHost;
+ nsresult rv = aUri->GetAsciiHost(uriHost);
+ NS_ENSURE_SUCCESS(rv, false);
+
+ nsString decodedUriHost;
+ CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+
// 2) host matching: Enforce a single *
if (mHost.EqualsASCII("*")) {
// The single ASTERISK character (*) does not match a URI's scheme of a type
// designating a globally unique identifier (such as blob:, data:, or filesystem:)
- // At the moment firefox does not support filesystem; but for future compatibility
+ // At the moment UXP does not support "filesystem:" but for future compatibility
// we support it in CSP according to the spec, see: 4.2.2 Matching Source Expressions
- // Note, that whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
+ // Note: whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
bool isBlobScheme =
(NS_SUCCEEDED(aUri->SchemeIs("blob", &isBlobScheme)) && isBlobScheme);
bool isDataScheme =
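Review bot: Moving `aUri->GetAsciiHost(uriHost)` with its `NS_ENSURE_SUCCESS(rv, false)` ahead of the `*` branch means a URI whose host cannot be read is now rejected even by a bare `*` source, whereas before `*` returned true without ever touching the host. That is the fail-closed direction and probably intended, but it is a behaviour change the commit message does not mention, so I would say so next to the check: `// Failing to read the host rejects the URI for every host-source, including "*".` As a minor point, `decodedUriHost` is now computed before the `*` branch and is unused whenever that branch returns. nsCSPHostSrc::permits starts before this hunk and continues after it.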
@@ -658,20 +667,15 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
if (isBlobScheme || isDataScheme || isFileScheme) {
return false;
}
- return true;
- }
-
- // Before we can check if the host matches, we have to
- // extract the host part from aUri.
- nsAutoCString uriHost;
- nsresult rv = aUri->GetAsciiHost(uriHost);
- NS_ENSURE_SUCCESS(rv, false);
-
- nsString decodedUriHost;
- CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+ // If no scheme is present there also won't be a port and folder to check
+ // which means we can return early.
+ if (mScheme.IsEmpty()) {
+ return true;
+ }
+ }
// 4.5) host matching: Check if the allowed host starts with a wilcard.
- if (mHost.First() == '*') {
+ else if (mHost.First() == '*') {
NS_ASSERTION(mHost[1] == '.', "Second character needs to be '.' whenever host starts with '*'");
// Eliminate leading "*", but keeping the FULL STOP (.) thereafter before checking
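Review bot: The early `return true` when `mScheme.IsEmpty()` rests on the comment's assumption that a `*` host without a scheme carries neither a port nor a path, but the CSP host-source grammar admits `*:8080` and `*/path` with no scheme, so whether that holds depends on what the parser accepts. If the port and path members are populated in that case, the fall-through to the port/path matching should happen for them too; something like `if (mScheme.IsEmpty() && mPort.IsEmpty() && mPath.IsEmpty()) { return true; }` would keep the shortcut only where it is safe (member names presumed from the class; confirm). Also worth a comment is the converted `else if`: with a scheme present, a `*` host now skips the wildcard and exact-host branches and continues to the remaining checks below the hunk. nsCSPHostSrc::permits continues past this hunk.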
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 570730312..5c6701992 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -10,6 +10,7 @@
#include "nsIStreamListener.h"
#include "nsCDefaultURIFixup.h"
#include "nsIURIFixup.h"
+#include "nsIImageLoadingContent.h"
#include "mozilla/dom/Element.h"
#include "mozilla/dom/TabChild.h"
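Review bot: The added `#include "nsIImageLoadingContent.h"` is not referenced by any line added in this diff; it looks like a leftover from the patch this was ported from. Unless the rest of the file uses it, I would drop it, and conversely check that `mozilla::net::nsIOService::BlockFTPSubresources()` used in the new function has its header in scope, since no include for it is added here.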
@@ -92,6 +93,78 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
return false;
}
+/* static */ nsresult
+nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
+{
+ // We dissallow using FTP resources as a subresource almost everywhere.
+ // The only valid way to use FTP resources is loading it as
+ // a top level document.
+
+ // Override blocking if the pref is set to allow.
+ if (!mozilla::net::nsIOService::BlockFTPSubresources()) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
+ if (!loadInfo) {
+ return NS_OK;
+ }
+
+ nsContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Allow save-as download of FTP files on HTTP pages.
+ if (type == nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD) {
+ return NS_OK;
+ }
+
+ // Allow direct document requests
+ if (type == nsIContentPolicy::TYPE_DOCUMENT) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!uri) {
+ return NS_OK;
+ }
+
+ // Allow if it's not the FTP protocol
+ bool isFtpURI = (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtpURI)) && isFtpURI);
+ if (!isFtpURI) {
+ return NS_OK;
+ }
+
+ // Allow loading FTP subresources in top-level FTP documents.
+ nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();
+ nsCOMPtr<nsIURI> tURI;
+ triggeringPrincipal->GetURI(getter_AddRefs(tURI));
+ bool isTrigFtpURI = (NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI);
+ if (isTrigFtpURI) {
+ return NS_OK;
+ }
+
+ // If we get here, the request is blocked and should be reported.
+ nsCOMPtr<nsIDocument> doc;
+ if (nsINode* node = loadInfo->LoadingNode()) {
+ doc = node->OwnerDoc();
+ }
+
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+ NS_ConvertUTF8toUTF16 specUTF16(NS_UnescapeURL(spec));
+ const char16_t* params[] = { specUTF16.get() };
+
+ nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
+ NS_LITERAL_CSTRING("FTP_URI_BLOCKED"),
+ doc,
+ nsContentUtils::eSECURITY_PROPERTIES,
+ "BlockSubresourceFTP",
+ params, ArrayLength(params));
+
+ return NS_ERROR_CONTENT_BLOCKED;
+}
+
static nsresult
ValidateSecurityFlags(nsILoadInfo* aLoadInfo)
{
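Review bot: `tURI` is dereferenced without a null check at `tURI->SchemeIs("ftp", &isTrigFtpURI)`; `nsIPrincipal::GetURI` can hand back null (the system principal is the usual case), so a privileged load of an ftp: subresource that gets this far would crash rather than be blocked. The guard should read `bool isTrigFtpURI = (tURI && NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI);`, which fails closed for principals with no URI. Two smaller points: the return value of `uri->GetSpec(spec)` is ignored before the spec is reported, and the header comment has a typo (`// We disallow using FTP resources as a subresource almost everywhere.`). The exemption by triggering principal also means any ftp:-origin document may pull ftp: subresources; that is what the comment says is intended, so it only needs stating in the commit description.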
@@ -574,6 +647,10 @@ nsContentSecurityManager::doContentSecurityCheck(nsIChannel* aChannel,
rv = DoContentSecurityChecks(aChannel, loadInfo);
NS_ENSURE_SUCCESS(rv, rv);
+ // Apply this after CSP checks to allow CSP reporting.
+ rv = CheckFTPSubresourceLoad(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
// now lets set the initalSecurityFlag for subsequent calls
loadInfo->SetInitialSecurityCheckDone(true);
@@ -591,6 +668,9 @@ nsContentSecurityManager::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
// Are we enforcing security using LoadInfo?
if (loadInfo && loadInfo->GetEnforceSecurity()) {
nsresult rv = CheckChannel(aNewChannel);
+ if (NS_SUCCEEDED(rv)) {
+ rv = CheckFTPSubresourceLoad(aNewChannel);
+ }
if (NS_FAILED(rv)) {
aOldChannel->Cancel(rv);
return rv;
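Review bot: The redirect-time `CheckFTPSubresourceLoad(aNewChannel)` sits inside the `loadInfo && loadInfo->GetEnforceSecurity()` branch, so a channel that is not under LoadInfo-enforced security and gets redirected to an ftp: URL is not subjected to this block here. That may be acceptable if every such channel is already covered by doContentSecurityCheck, but the exemption is not obvious from the code; I would record it with `// Only channels enforcing security via LoadInfo get the FTP subresource check on redirect.` AsyncOnChannelRedirect starts before this hunk.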
@@ -722,6 +802,8 @@ nsContentSecurityManager::CheckChannel(nsIChannel* aChannel)
// within nsCorsListenerProxy
rv = DoCheckLoadURIChecks(uri, loadInfo);
NS_ENSURE_SUCCESS(rv, rv);
+ // TODO: Bug 1371237
+ // consider calling SetBlockedRequest in nsContentSecurityManager::CheckChannel
}
return NS_OK;
diff --git a/dom/security/nsContentSecurityManager.h b/dom/security/nsContentSecurityManager.h
index bab847743..750dd8803 100644
--- a/dom/security/nsContentSecurityManager.h
+++ b/dom/security/nsContentSecurityManager.h
@@ -36,6 +36,7 @@ public:
private:
static nsresult CheckChannel(nsIChannel* aChannel);
+ static nsresult CheckFTPSubresourceLoad(nsIChannel* aChannel);
virtual ~nsContentSecurityManager() {}
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index c03628da0..543429aff 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -35,7 +35,6 @@
#include "nsISiteSecurityService.h"
#include "mozilla/Logging.h"
-#include "mozilla/Telemetry.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/ipc/URIUtils.h"
@@ -814,17 +813,13 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
//
// We do not count requests aHadInsecureImageRedirect=true, since these are
// just an artifact of the image caching system.
- bool active = (classification == eMixedScript);
if (!aHadInsecureImageRedirect) {
- if (XRE_IsParentProcess()) {
- AccumulateMixedContentHSTS(innerContentLocation, active);
- } else {
+ if (!XRE_IsParentProcess()) {
// Ask the parent process to do the same call
mozilla::dom::ContentChild* cc = mozilla::dom::ContentChild::GetSingleton();
if (cc) {
mozilla::ipc::URIParams uri;
SerializeURI(innerContentLocation, uri);
- cc->SendAccumulateMixedContentHSTS(uri, active);
}
}
}
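Review bot: With `AccumulateMixedContentHSTS` and `SendAccumulateMixedContentHSTS` removed, the surviving block under `if (!aHadInsecureImageRedirect)` is dead: it fetches the ContentChild singleton, serializes `innerContentLocation` into `uri`, and then does nothing with it. The whole block, together with the comment above it that still describes counting requests, should be deleted rather than left as an empty IPC round-trip. The `MixedContentHSTSState` enum kept later in this file and the `nsISiteSecurityService.h` include appear to have lost their only user in the same change and can likely go too (confirm against the rest of the file). ShouldLoad starts before this hunk and continues after it.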
@@ -977,50 +972,3 @@ enum MixedContentHSTSState {
MCB_HSTS_ACTIVE_NO_HSTS = 2,
MCB_HSTS_ACTIVE_WITH_HSTS = 3
};
-
-// Record information on when HSTS would have made mixed content not mixed
-// content (regardless of whether it was actually blocked)
-void
-nsMixedContentBlocker::AccumulateMixedContentHSTS(nsIURI* aURI, bool aActive)
-{
- // This method must only be called in the parent, because
- // nsSiteSecurityService is only available in the parent
- if (!XRE_IsParentProcess()) {
- MOZ_ASSERT(false);
- return;
- }
-
- bool hsts;
- nsresult rv;
- nsCOMPtr<nsISiteSecurityService> sss = do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
- if (NS_FAILED(rv)) {
- return;
- }
- rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, 0, nullptr, &hsts);
- if (NS_FAILED(rv)) {
- return;
- }
-
- // states: would upgrade, hsts info cached
- // active, passive
- //
- if (!aActive) {
- if (!hsts) {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_PASSIVE_NO_HSTS);
- }
- else {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_PASSIVE_WITH_HSTS);
- }
- } else {
- if (!hsts) {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_ACTIVE_NO_HSTS);
- }
- else {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_ACTIVE_WITH_HSTS);
- }
- }
-} \ No newline at end of file
diff --git a/dom/security/nsMixedContentBlocker.h b/dom/security/nsMixedContentBlocker.h
index 56ab9621f..068068b25 100644
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@@ -61,9 +61,6 @@ public:
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision);
- static void AccumulateMixedContentHSTS(nsIURI* aURI,
- bool aActive);
-
static bool sBlockMixedScript;
static bool sBlockMixedDisplay;
diff --git a/dom/security/test/cors/test_CrossSiteXHR.html b/dom/security/test/cors/test_CrossSiteXHR.html
index b3cda3b87..d9aef5c60 100644
--- a/dom/security/test/cors/test_CrossSiteXHR.html
+++ b/dom/security/test/cors/test_CrossSiteXHR.html
@@ -743,7 +743,7 @@ function runTest() {
is(res.responseHeaders[header], test.responseHeaders[header],
"|xhr.getResponseHeader()|wrong response header (" + header + ") in test for " +
test.toSource());
- is(res.allResponseHeaders[header], test.responseHeaders[header],
+ is(res.allResponseHeaders[header.toLowerCase()], test.responseHeaders[header],
"|xhr.getAllResponseHeaderss()|wrong response header (" + header + ") in test for " +
test.toSource());
}