From a06ce3f03b260d59199dba7e01ea8afb3de1ef59 Mon Sep 17 00:00:00 2001 From: janekptacijarabaci Date: Fri, 25 Aug 2017 09:25:03 +0200 Subject: CSP: Upgrade SO navigational requests per spec. --- docshell/base/nsDocShell.cpp | 23 +++++ .../test/csp/file_upgrade_insecure_navigation.sjs | 79 ++++++++++++++++ dom/security/test/csp/mochitest.ini | 2 + .../test/csp/test_upgrade_insecure_navigation.html | 103 +++++++++++++++++++++ netwerk/base/LoadInfo.cpp | 6 ++ netwerk/base/LoadInfo.h | 1 + 6 files changed, 214 insertions(+) create mode 100644 dom/security/test/csp/file_upgrade_insecure_navigation.sjs create mode 100644 dom/security/test/csp/test_upgrade_insecure_navigation.html diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp index ab119a016..2e08e6720 100644 --- a/docshell/base/nsDocShell.cpp +++ b/docshell/base/nsDocShell.cpp @@ -11025,6 +11025,29 @@ nsDocShell::DoURILoad(nsIURI* aURI, } } + // Navigational requests that are same origin need to be upgraded in case + // upgrade-insecure-requests is present. Please note that in that case + // the triggeringPrincipal is holding the CSP that potentially + // holds upgrade-insecure-requests. + nsCOMPtr csp; + aTriggeringPrincipal->GetCsp(getter_AddRefs(csp)); + if (csp) { + bool upgradeInsecureRequests = false; + csp->GetUpgradeInsecureRequests(&upgradeInsecureRequests); + if (upgradeInsecureRequests) { + // only upgrade if the navigation is same origin + nsCOMPtr resultPrincipal; + rv = nsContentUtils::GetSecurityManager()-> + GetChannelResultPrincipal(channel, + getter_AddRefs(resultPrincipal)); + NS_ENSURE_SUCCESS(rv, rv); + if (resultPrincipal->Equals(aTriggeringPrincipal)) { + static_cast(loadInfo.get())->SetUpgradeInsecureRequests(); + } + } + } + + nsCOMPtr appCacheChannel = do_QueryInterface(channel); if (appCacheChannel) { diff --git a/dom/security/test/csp/file_upgrade_insecure_navigation.sjs b/dom/security/test/csp/file_upgrade_insecure_navigation.sjs new file mode 100644 index 000000000..51afa39bf --- /dev/null +++ b/dom/security/test/csp/file_upgrade_insecure_navigation.sjs @@ -0,0 +1,79 @@ +// Custom *.sjs file specifically for the needs of +// https://bugzilla.mozilla.org/show_bug.cgi?id=1271173 + +"use strict"; +Components.utils.importGlobalProperties(["URLSearchParams"]); + +const TEST_NAVIGATIONAL_UPGRADE = ` + + + + + clickme + + + `; + +const FRAME_NAV = ` + + + + + + + `; + +const DOC_NAV = ` + + + + + + + `; + +function handleRequest(request, response) { + const query = new URLSearchParams(request.queryString); + + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + if (query.get("csp")) { + response.setHeader("Content-Security-Policy", query.get("csp"), false); + } + + if (query.get("action") === "perform_navigation") { + response.write(TEST_NAVIGATIONAL_UPGRADE); + return; + } + + if (query.get("action") === "framenav") { + response.write(FRAME_NAV); + return; + } + + if (query.get("action") === "docnav") { + response.write(DOC_NAV); + return; + } + + // we should never get here, but just in case + // return something unexpected + response.write("do'h"); +} diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini index 535109752..04401b063 100644 --- a/dom/security/test/csp/mochitest.ini +++ b/dom/security/test/csp/mochitest.ini @@ -210,6 +210,7 @@ support-files = file_ignore_xfo.html^headers^ file_ro_ignore_xfo.html file_ro_ignore_xfo.html^headers^ + file_upgrade_insecure_navigation.sjs [test_base-uri.html] [test_blob_data_schemes.html] @@ -296,6 +297,7 @@ tags = mcb [test_strict_dynamic.html] [test_strict_dynamic_parser_inserted.html] [test_strict_dynamic_default_src.html] +[test_upgrade_insecure_navigation.html] [test_iframe_sandbox_srcdoc.html] [test_iframe_srcdoc.html] [test_sandbox_allow_scripts.html] diff --git a/dom/security/test/csp/test_upgrade_insecure_navigation.html b/dom/security/test/csp/test_upgrade_insecure_navigation.html new file mode 100644 index 000000000..db6a6a1be --- /dev/null +++ b/dom/security/test/csp/test_upgrade_insecure_navigation.html @@ -0,0 +1,103 @@ + + + + Bug 1271173 - Missing spec on Upgrade Insecure Requests(Navigational Upgrades) + + + + + + + + + + + diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp index 216cf559c..42fdea4a1 100644 --- a/netwerk/base/LoadInfo.cpp +++ b/netwerk/base/LoadInfo.cpp @@ -859,6 +859,12 @@ LoadInfo::SetIsPreflight() mIsPreflight = true; } +void +LoadInfo::SetUpgradeInsecureRequests() +{ + mUpgradeInsecureRequests = true; +} + NS_IMETHODIMP LoadInfo::GetIsPreflight(bool* aIsPreflight) { diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h index 261f85349..3e1b92ff4 100644 --- a/netwerk/base/LoadInfo.h +++ b/netwerk/base/LoadInfo.h @@ -78,6 +78,7 @@ public: already_AddRefed CloneForNewRequest() const; void SetIsPreflight(); + void SetUpgradeInsecureRequests(); private: // private constructor that is only allowed to be called from within -- cgit v1.2.3