summaryrefslogtreecommitdiffstats
path: root/dom/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2017-08-15 21:10:10 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-06 09:03:16 +0100
commit13e9a0c06d35bb02d211df873c105a350aeab8eb (patch)
tree7a02bdb0992080b231c190c383bc12fac1607cd4 /dom/security
parenta9b44dbcb33cd98b163f8a21223643f2cf3829cd (diff)
downloadUXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.gz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.lz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.xz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.zip
CSP should only check host (not including path) when performing frame ancestors checks.
This has been explicitly stated in the CSP-3 spec.
Diffstat (limited to 'dom/security')
-rw-r--r--dom/security/nsCSPParser.cpp5
-rw-r--r--dom/security/nsCSPParser.h4
-rw-r--r--dom/security/nsCSPUtils.cpp6
-rw-r--r--dom/security/nsCSPUtils.h4
4 files changed, 19 insertions, 0 deletions
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
index a662c9cd1..f1b5d8ba7 100644
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -136,6 +136,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens,
, mUnsafeInlineKeywordSrc(nullptr)
, mChildSrc(nullptr)
, mFrameSrc(nullptr)
+ , mParsingFrameAncestorsDir(false)
, mTokens(aTokens)
, mSelfURI(aSelfURI)
, mPolicy(nullptr)
@@ -807,6 +808,7 @@ nsCSPParser::sourceExpression()
if (nsCSPHostSrc *cspHost = hostSource()) {
// Do not forget to set the parsed scheme.
cspHost->setScheme(parsedScheme);
+ cspHost->setWithinFrameAncestorsDir(mParsingFrameAncestorsDir);
return cspHost;
}
// Error was reported in hostSource()
@@ -1209,6 +1211,9 @@ nsCSPParser::directive()
mStrictDynamic = false;
mUnsafeInlineKeywordSrc = nullptr;
+ mParsingFrameAncestorsDir =
+ CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE);
+
// Try to parse all the srcs by handing the array off to directiveValue
nsTArray<nsCSPBaseSrc*> srcs;
directiveValue(srcs);
diff --git a/dom/security/nsCSPParser.h b/dom/security/nsCSPParser.h
index 30954b10f..1bfc56c65 100644
--- a/dom/security/nsCSPParser.h
+++ b/dom/security/nsCSPParser.h
@@ -252,6 +252,10 @@ class nsCSPParser {
nsCSPChildSrcDirective* mChildSrc;
nsCSPDirective* mFrameSrc;
+ // cache variable to let nsCSPHostSrc know that it's within
+ // the frame-ancestors directive.
+ bool mParsingFrameAncestorsDir;
+
cspTokens mTokens;
nsIURI* mSelfURI;
nsCSPPolicy* mPolicy;
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 63b4aae2c..b074a980c 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -503,6 +503,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const
nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost)
: mHost(aHost)
+ , mWithinFrameAncstorsDir(false)
{
ToLowerCase(mHost);
}
@@ -686,6 +687,11 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
rv = url->GetFilePath(uriPath);
NS_ENSURE_SUCCESS(rv, false);
+ if (mWithinFrameAncstorsDir) {
+ // no path matching for frame-ancestors to not leak any path information.
+ return true;
+ }
+
nsString decodedUriPath;
CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriPath), decodedUriPath);
diff --git a/dom/security/nsCSPUtils.h b/dom/security/nsCSPUtils.h
index b33c8932a..468c734a2 100644
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -256,6 +256,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
void setPort(const nsAString& aPort);
void appendPath(const nsAString &aPath);
+ inline void setWithinFrameAncestorsDir(bool aValue) const
+ { mWithinFrameAncstorsDir = aValue; }
+
inline void getScheme(nsAString& outStr) const
{ outStr.Assign(mScheme); };
@@ -273,6 +276,7 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
nsString mHost;
nsString mPort;
nsString mPath;
+ mutable bool mWithinFrameAncstorsDir;
};
/* =============== nsCSPKeywordSrc ============ */