CSP: Support IDNs in connect-src

author: janekptacijarabaci <janekptacijarabaci@seznam.cz> 2017-08-25 09:50:55 +0200
committer: wolfbeast <mcwerewolf@gmail.com> 2018-02-22 11:23:16 +0100
commit: cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 (patch)
tree: fc40d9dcb0e31e526b468b1202ca0f445f24e729
parent: b4dac5093a75a024643b93aef88758770df73c55 (diff)
download: UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar
UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.gz
UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.lz
UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.xz
UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.zip
6 files changed, 135 insertions, 2 deletions
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index b074a980c..0ca8f520e 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -270,7 +270,7 @@ CSP_CreateHostSrcFromURI(nsIURI* aURI)
 {
   // Create the host first
   nsCString host;
-  aURI->GetHost(host);
+  aURI->GetAsciiHost(host);
   nsCSPHostSrc *hostsrc = new nsCSPHostSrc(NS_ConvertUTF8toUTF16(host));
 
   // Add the scheme.
@@ -643,7 +643,7 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   // Before we can check if the host matches, we have to
   // extract the host part from aUri.
   nsAutoCString uriHost;
-  nsresult rv = aUri->GetHost(uriHost);
+  nsresult rv = aUri->GetAsciiHost(uriHost);
   NS_ENSURE_SUCCESS(rv, false);
 
   nsString decodedUriHost;
diff --git a/dom/security/test/csp/file_punycode_host_src.js b/dom/security/test/csp/file_punycode_host_src.js
new file mode 100644
index 000000000..3505faf70
--- /dev/null
+++ b/dom/security/test/csp/file_punycode_host_src.js
@@ -0,0 +1,2 @@
+const LOADED = true;
+parent.postMessage({result: 'script-allowed'}, "*");
+\ No newline at end of file
diff --git a/dom/security/test/csp/file_punycode_host_src.sjs b/dom/security/test/csp/file_punycode_host_src.sjs
new file mode 100644
index 000000000..3189cc063
--- /dev/null
+++ b/dom/security/test/csp/file_punycode_host_src.sjs
@@ -0,0 +1,45 @@
+// custom *.sjs for Bug 1224225
+// Punycode in CSP host sources
+
+const HTML_PART1 =
+  "<!DOCTYPE HTML>" +
+  "<html><head><meta charset=\"utf-8\">" +
+  "<title>Bug 1224225 - CSP source matching should work for punycoded domain names</title>" +
+  "</head>" +
+  "<body>" +
+  "<script id='script' src='";
+
+const TESTCASE1 = "http://sub2.ält.example.org/";
+const TESTCASE2 = "http://sub2.xn--lt-uia.example.org/"
+
+const HTML_PART2 = "tests/dom/security/test/csp/file_punycode_host_src.js'></script>" +
+  "</body>" +
+  "</html>";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  Components.utils.importGlobalProperties(["URLSearchParams"]);
+  const query = new URLSearchParams(request.queryString);
+
+
+  if (query.get("csp")) {
+    response.setHeader("Content-Security-Policy", query.get("csp"), false);
+  }
+  if (query.get("action") == "script-unicode-csp-punycode") {
+    response.write(HTML_PART1 + TESTCASE1 + HTML_PART2);
+    return
+  }
+  if (query.get("action") == "script-punycode-csp-punycode") {
+    response.write(HTML_PART1 + TESTCASE2 + HTML_PART2);
+    return
+  }
+
+
+  // we should never get here, but just in case
+  // return something unexpected
+  response.write("do'h");
+}
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index d3cabc16d..8d44e9b0b 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -213,6 +213,8 @@ support-files =
   file_upgrade_insecure_navigation.sjs
   file_image_nonce.html
   file_image_nonce.html^headers^
+  file_punycode_host_src.sjs
+  file_punycode_host_src.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -308,3 +310,4 @@ support-files =
   file_sandbox_allow_scripts.html^headers^
 [test_ignore_xfo.html]
 [test_image_nonce.html]
+[test_punycode_host_src.html]
diff --git a/dom/security/test/csp/test_punycode_host_src.html b/dom/security/test/csp/test_punycode_host_src.html
new file mode 100644
index 000000000..8d891725c
--- /dev/null
+++ b/dom/security/test/csp/test_punycode_host_src.html
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1224225 - CSP source matching should work for punycoded domain names</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load scripts within an iframe and make sure that the
+ * CSP matching is same for punycode domain names as well as IDNA.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+
+var curTest;
+var counter = -1;
+
+const tests = [
+  { // test 1
+    description: "loads script as sub2.ält.example.org, but whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-unicode-csp-punycode",
+    csp: "script-src http://sub2.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+  { // test 2
+    description: "loads script as sub2.xn--lt-uia.example.org, and whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-punycode-csp-punycode",
+    csp: "script-src http://sub2.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+    { // test 3
+    description: "loads script as sub2.xn--lt-uia.example.org, and whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-punycode-csp-punycode",
+    csp: "script-src *.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+
+];
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(result) {
+  is(result, curTest.expected, curTest.description);
+  loadNextTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+function loadNextTest() {
+  counter++;
+  if (counter == tests.length) {
+    finishTest();
+    return;
+  }
+  curTest = tests[counter];
+  var testframe = document.getElementById("testframe");
+  testframe.src = `file_punycode_host_src.sjs?action=${curTest.action}&csp=${curTest.csp}`;
+}
+
+loadNextTest();
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/gtest/TestCSPParser.cpp b/dom/security/test/gtest/TestCSPParser.cpp
index fafa7b5d9..8d168d81c 100644
--- a/dom/security/test/gtest/TestCSPParser.cpp
+++ b/dom/security/test/gtest/TestCSPParser.cpp
@@ -204,6 +204,8 @@ TEST(CSPParser, Directives)
 {
   static const PolicyTest policies[] =
   {
+    { "connect-src xn--mnchen-3ya.de",
+      "connect-src http://xn--mnchen-3ya.de"},
     { "default-src http://www.example.com",
       "default-src http://www.example.com" },
     { "script-src http://www.example.com",
author	janekptacijarabaci <janekptacijarabaci@seznam.cz>	2017-08-25 09:50:55 +0200
committer	wolfbeast <mcwerewolf@gmail.com>	2018-02-22 11:23:16 +0100
commit	cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 (patch)
tree	fc40d9dcb0e31e526b468b1202ca0f445f24e729
parent	b4dac5093a75a024643b93aef88758770df73c55 (diff)
download	UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.gz UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.lz UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.tar.xz UXP-cdcfbde10dbcf0fab0630d5ee0146be45d7a6572.zip