summaryrefslogtreecommitdiffstats
path: root/dom/security
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security')
-rw-r--r--dom/security/nsCSPContext.cpp15
-rw-r--r--dom/security/nsCSPUtils.cpp32
2 files changed, 31 insertions, 16 deletions
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
bool allowed =
mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+
+ // If the inlined script or style is allowed by either unsafe-inline or the
+ // nonce, go ahead and shortcut this loop.
+ if (allowed) {
+ continue;
+ }
+
+ // Check if the csp-hash matches against the hash of the script.
+ // If we don't have any content to check, block the script.
+ if (!aContent.IsEmpty()) {
+ allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ }
if (!allowed) {
// policy is violoated: deny the load unless policy is report only and
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 71c8e3433..d07ad7945 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -641,13 +641,22 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
// just a specific scheme, the parser should generate a nsCSPSchemeSource.
NS_ASSERTION((!mHost.IsEmpty()), "host can not be the empty string");
+ // Before we can check if the host matches, we have to
+ // extract the host part from aUri.
+ nsAutoCString uriHost;
+ nsresult rv = aUri->GetAsciiHost(uriHost);
+ NS_ENSURE_SUCCESS(rv, false);
+
+ nsString decodedUriHost;
+ CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+
// 2) host matching: Enforce a single *
if (mHost.EqualsASCII("*")) {
// The single ASTERISK character (*) does not match a URI's scheme of a type
// designating a globally unique identifier (such as blob:, data:, or filesystem:)
- // At the moment firefox does not support filesystem; but for future compatibility
+ // At the moment UXP does not support "filesystem:" but for future compatibility
// we support it in CSP according to the spec, see: 4.2.2 Matching Source Expressions
- // Note, that whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
+ // Note: whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
bool isBlobScheme =
(NS_SUCCEEDED(aUri->SchemeIs("blob", &isBlobScheme)) && isBlobScheme);
bool isDataScheme =
@@ -658,20 +667,15 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
if (isBlobScheme || isDataScheme || isFileScheme) {
return false;
}
- return true;
- }
-
- // Before we can check if the host matches, we have to
- // extract the host part from aUri.
- nsAutoCString uriHost;
- nsresult rv = aUri->GetAsciiHost(uriHost);
- NS_ENSURE_SUCCESS(rv, false);
-
- nsString decodedUriHost;
- CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+ // If no scheme is present there also won't be a port and folder to check
+ // which means we can return early.
+ if (mScheme.IsEmpty()) {
+ return true;
+ }
+ }
// 4.5) host matching: Check if the allowed host starts with a wilcard.
- if (mHost.First() == '*') {
+ else if (mHost.First() == '*') {
NS_ASSERTION(mHost[1] == '.', "Second character needs to be '.' whenever host starts with '*'");
// Eliminate leading "*", but keeping the FULL STOP (.) thereafter before checking