From cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 Mon Sep 17 00:00:00 2001 From: janekptacijarabaci Date: Fri, 25 Aug 2017 09:50:55 +0200 Subject: CSP: Support IDNs in connect-src --- dom/security/nsCSPUtils.cpp | 4 +- dom/security/test/csp/file_punycode_host_src.js | 2 + dom/security/test/csp/file_punycode_host_src.sjs | 45 +++++++++++++ dom/security/test/csp/mochitest.ini | 3 + dom/security/test/csp/test_punycode_host_src.html | 81 +++++++++++++++++++++++ dom/security/test/gtest/TestCSPParser.cpp | 2 + 6 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 dom/security/test/csp/file_punycode_host_src.js create mode 100644 dom/security/test/csp/file_punycode_host_src.sjs create mode 100644 dom/security/test/csp/test_punycode_host_src.html diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp index b074a980c..0ca8f520e 100644 --- a/dom/security/nsCSPUtils.cpp +++ b/dom/security/nsCSPUtils.cpp @@ -270,7 +270,7 @@ CSP_CreateHostSrcFromURI(nsIURI* aURI) { // Create the host first nsCString host; - aURI->GetHost(host); + aURI->GetAsciiHost(host); nsCSPHostSrc *hostsrc = new nsCSPHostSrc(NS_ConvertUTF8toUTF16(host)); // Add the scheme. @@ -643,7 +643,7 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected // Before we can check if the host matches, we have to // extract the host part from aUri. nsAutoCString uriHost; - nsresult rv = aUri->GetHost(uriHost); + nsresult rv = aUri->GetAsciiHost(uriHost); NS_ENSURE_SUCCESS(rv, false); nsString decodedUriHost; diff --git a/dom/security/test/csp/file_punycode_host_src.js b/dom/security/test/csp/file_punycode_host_src.js new file mode 100644 index 000000000..3505faf70 --- /dev/null +++ b/dom/security/test/csp/file_punycode_host_src.js @@ -0,0 +1,2 @@ +const LOADED = true; +parent.postMessage({result: 'script-allowed'}, "*"); \ No newline at end of file diff --git a/dom/security/test/csp/file_punycode_host_src.sjs b/dom/security/test/csp/file_punycode_host_src.sjs new file mode 100644 index 000000000..3189cc063 --- /dev/null +++ b/dom/security/test/csp/file_punycode_host_src.sjs @@ -0,0 +1,45 @@ +// custom *.sjs for Bug 1224225 +// Punycode in CSP host sources + +const HTML_PART1 = + "" + + "" + + "Bug 1224225 - CSP source matching should work for punycoded domain names" + + "" + + "" + + "" + + "" + + ""; + +function handleRequest(request, response) +{ + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + + Components.utils.importGlobalProperties(["URLSearchParams"]); + const query = new URLSearchParams(request.queryString); + + + if (query.get("csp")) { + response.setHeader("Content-Security-Policy", query.get("csp"), false); + } + if (query.get("action") == "script-unicode-csp-punycode") { + response.write(HTML_PART1 + TESTCASE1 + HTML_PART2); + return + } + if (query.get("action") == "script-punycode-csp-punycode") { + response.write(HTML_PART1 + TESTCASE2 + HTML_PART2); + return + } + + + // we should never get here, but just in case + // return something unexpected + response.write("do'h"); +} diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini index d3cabc16d..8d44e9b0b 100644 --- a/dom/security/test/csp/mochitest.ini +++ b/dom/security/test/csp/mochitest.ini @@ -213,6 +213,8 @@ support-files = file_upgrade_insecure_navigation.sjs file_image_nonce.html file_image_nonce.html^headers^ + file_punycode_host_src.sjs + file_punycode_host_src.js [test_base-uri.html] [test_blob_data_schemes.html] @@ -308,3 +310,4 @@ support-files = file_sandbox_allow_scripts.html^headers^ [test_ignore_xfo.html] [test_image_nonce.html] +[test_punycode_host_src.html] diff --git a/dom/security/test/csp/test_punycode_host_src.html b/dom/security/test/csp/test_punycode_host_src.html new file mode 100644 index 000000000..8d891725c --- /dev/null +++ b/dom/security/test/csp/test_punycode_host_src.html @@ -0,0 +1,81 @@ + + + + + Bug 1224225 - CSP source matching should work for punycoded domain names + + + + + + + + + + diff --git a/dom/security/test/gtest/TestCSPParser.cpp b/dom/security/test/gtest/TestCSPParser.cpp index fafa7b5d9..8d168d81c 100644 --- a/dom/security/test/gtest/TestCSPParser.cpp +++ b/dom/security/test/gtest/TestCSPParser.cpp @@ -204,6 +204,8 @@ TEST(CSPParser, Directives) { static const PolicyTest policies[] = { + { "connect-src xn--mnchen-3ya.de", + "connect-src http://xn--mnchen-3ya.de"}, { "default-src http://www.example.com", "default-src http://www.example.com" }, { "script-src http://www.example.com", -- cgit v1.2.3