From 13e9a0c06d35bb02d211df873c105a350aeab8eb Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 15 Aug 2017 21:10:10 +0200 Subject: CSP should only check host (not including path) when performing frame ancestors checks. This has been explicitly stated in the CSP-3 spec. --- dom/security/nsCSPParser.cpp | 5 +++++ dom/security/nsCSPParser.h | 4 ++++ dom/security/nsCSPUtils.cpp | 6 ++++++ dom/security/nsCSPUtils.h | 4 ++++ 4 files changed, 19 insertions(+) (limited to 'dom') diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp index a662c9cd1..f1b5d8ba7 100644 --- a/dom/security/nsCSPParser.cpp +++ b/dom/security/nsCSPParser.cpp @@ -136,6 +136,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens, , mUnsafeInlineKeywordSrc(nullptr) , mChildSrc(nullptr) , mFrameSrc(nullptr) + , mParsingFrameAncestorsDir(false) , mTokens(aTokens) , mSelfURI(aSelfURI) , mPolicy(nullptr) @@ -807,6 +808,7 @@ nsCSPParser::sourceExpression() if (nsCSPHostSrc *cspHost = hostSource()) { // Do not forget to set the parsed scheme. cspHost->setScheme(parsedScheme); + cspHost->setWithinFrameAncestorsDir(mParsingFrameAncestorsDir); return cspHost; } // Error was reported in hostSource() @@ -1209,6 +1211,9 @@ nsCSPParser::directive() mStrictDynamic = false; mUnsafeInlineKeywordSrc = nullptr; + mParsingFrameAncestorsDir = + CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE); + // Try to parse all the srcs by handing the array off to directiveValue nsTArray srcs; directiveValue(srcs); diff --git a/dom/security/nsCSPParser.h b/dom/security/nsCSPParser.h index 30954b10f..1bfc56c65 100644 --- a/dom/security/nsCSPParser.h +++ b/dom/security/nsCSPParser.h @@ -252,6 +252,10 @@ class nsCSPParser { nsCSPChildSrcDirective* mChildSrc; nsCSPDirective* mFrameSrc; + // cache variable to let nsCSPHostSrc know that it's within + // the frame-ancestors directive. + bool mParsingFrameAncestorsDir; + cspTokens mTokens; nsIURI* mSelfURI; nsCSPPolicy* mPolicy; diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp index 63b4aae2c..b074a980c 100644 --- a/dom/security/nsCSPUtils.cpp +++ b/dom/security/nsCSPUtils.cpp @@ -503,6 +503,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost) : mHost(aHost) + , mWithinFrameAncstorsDir(false) { ToLowerCase(mHost); } @@ -686,6 +687,11 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected rv = url->GetFilePath(uriPath); NS_ENSURE_SUCCESS(rv, false); + if (mWithinFrameAncstorsDir) { + // no path matching for frame-ancestors to not leak any path information. + return true; + } + nsString decodedUriPath; CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriPath), decodedUriPath); diff --git a/dom/security/nsCSPUtils.h b/dom/security/nsCSPUtils.h index b33c8932a..468c734a2 100644 --- a/dom/security/nsCSPUtils.h +++ b/dom/security/nsCSPUtils.h @@ -256,6 +256,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc { void setPort(const nsAString& aPort); void appendPath(const nsAString &aPath); + inline void setWithinFrameAncestorsDir(bool aValue) const + { mWithinFrameAncstorsDir = aValue; } + inline void getScheme(nsAString& outStr) const { outStr.Assign(mScheme); }; @@ -273,6 +276,7 @@ class nsCSPHostSrc : public nsCSPBaseSrc { nsString mHost; nsString mPort; nsString mPath; + mutable bool mWithinFrameAncstorsDir; }; /* =============== nsCSPKeywordSrc ============ */ -- cgit v1.2.3