CSP: connect-src 'self' should always include https: and wss: schemes

8 files changed, 168 insertions, 11 deletions

diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
index f1b5d8ba7..86aa4e001 100644
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -532,7 +532,7 @@ nsCSPParser::keywordSource()
   // Special case handling for 'self' which is not stored internally as a keyword,
   // but rather creates a nsCSPHostSrc using the selfURI
   if (CSP_IsKeyword(mCurToken, CSP_SELF)) {
-    return CSP_CreateHostSrcFromURI(mSelfURI);
+    return CSP_CreateHostSrcFromSelfURI(mSelfURI);
   }
 
   if (CSP_IsKeyword(mCurToken, CSP_STRICT_DYNAMIC)) {
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 0ca8f520e..a5f683b01 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -266,20 +266,21 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
 }
 
 nsCSPHostSrc*
-CSP_CreateHostSrcFromURI(nsIURI* aURI)
+CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI)
 {
   // Create the host first
   nsCString host;
-  aURI->GetAsciiHost(host);
+  aSelfURI->GetAsciiHost(host);
   nsCSPHostSrc *hostsrc = new nsCSPHostSrc(NS_ConvertUTF8toUTF16(host));
+  hostsrc->setGeneratedFromSelfKeyword();
 
   // Add the scheme.
   nsCString scheme;
-  aURI->GetScheme(scheme);
+  aSelfURI->GetScheme(scheme);
   hostsrc->setScheme(NS_ConvertUTF8toUTF16(scheme));
 
   int32_t port;
-  aURI->GetPort(&port);
+  aSelfURI->GetPort(&port);
   // Only add port if it's not default port.
   if (port > 0) {
     nsAutoString portStr;
@@ -348,13 +349,17 @@ CSP_IsQuotelessKeyword(const nsAString& aKey)
  * @param aUpgradeInsecure
  *        Whether the policy makes use of the directive
  *        'upgrade-insecure-requests'.
+ * @param aFromSelfURI
+ *        Whether a scheme was generated from the keyword 'self'
+ *        which then allows schemeless sources to match ws and wss.
  */
 
 bool
 permitsScheme(const nsAString& aEnforcementScheme,
               nsIURI* aUri,
               bool aReportOnly,
-              bool aUpgradeInsecure)
+              bool aUpgradeInsecure,
+              bool aFromSelfURI)
 {
   nsAutoCString scheme;
   nsresult rv = aUri->GetScheme(scheme);
@@ -373,8 +378,20 @@ permitsScheme(const nsAString& aEnforcementScheme,
   // allow scheme-less sources where the protected resource is http
   // and the load is https, see:
   // http://www.w3.org/TR/CSP2/#match-source-expression
-  if (aEnforcementScheme.EqualsASCII("http") &&
-      scheme.EqualsASCII("https")) {
+  if (aEnforcementScheme.EqualsASCII("http")) {
+    if (scheme.EqualsASCII("https")) {
+      return true;
+    }
+    if ((scheme.EqualsASCII("ws") || scheme.EqualsASCII("wss")) && aFromSelfURI) {
+      return true;
+    }
+  }
+  if (aEnforcementScheme.EqualsASCII("https")) {
+    if (scheme.EqualsLiteral("wss") && aFromSelfURI) {
+      return true;
+    }
+  }
+  if (aEnforcementScheme.EqualsASCII("ws") && scheme.EqualsASCII("wss")) {
     return true;
   }
 
@@ -483,7 +500,7 @@ nsCSPSchemeSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirect
   if (mInvalidated) {
     return false;
   }
-  return permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure);
+  return permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure, false);
 }
 
 bool
@@ -503,6 +520,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const
 
 nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost)
   : mHost(aHost)
+  , mGeneratedFromSelfKeyword(false)
   , mWithinFrameAncstorsDir(false)
 {
   ToLowerCase(mHost);
@@ -612,7 +630,7 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   // http://www.w3.org/TR/CSP11/#match-source-expression
 
   // 4.3) scheme matching: Check if the scheme matches.
-  if (!permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure)) {
+  if (!permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure, mGeneratedFromSelfKeyword)) {
     return false;
   }
 
diff --git a/dom/security/nsCSPUtils.h b/dom/security/nsCSPUtils.h
index 468c734a2..cfbe83256 100644
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -186,7 +186,7 @@ nsresult CSP_AppendCSPFromHeader(nsIContentSecurityPolicy* aCsp,
 
 class nsCSPHostSrc;
 
-nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI);
+nsCSPHostSrc* CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI);
 bool CSP_IsValidDirective(const nsAString& aDir);
 bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
 bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
@@ -256,6 +256,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
     void setPort(const nsAString& aPort);
     void appendPath(const nsAString &aPath);
 
+    inline void setGeneratedFromSelfKeyword() const
+      { mGeneratedFromSelfKeyword = true;}
+
     inline void setWithinFrameAncestorsDir(bool aValue) const
       { mWithinFrameAncstorsDir = aValue; }
 
@@ -276,6 +279,7 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
     nsString mHost;
     nsString mPort;
     nsString mPath;
+    mutable bool mGeneratedFromSelfKeyword;
     mutable bool mWithinFrameAncstorsDir;
 };
 
diff --git a/dom/security/test/csp/file_websocket_explicit.html b/dom/security/test/csp/file_websocket_explicit.html
new file mode 100644
index 000000000..51462ab74
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_explicit.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>

+<html>

+<head>

+  <meta charset="utf-8">

+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>

+  <meta http-equiv="Content-Security-Policy" content="connect-src ws:">

+</head>

+<body>

+  <script type="application/javascript">

+    /* load socket using ws */

+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");

+    wsSocket.onopen = function(e) {

+      window.parent.postMessage({result: "explicit-ws-loaded"}, "*");

+      wsSocket.close();

+    };

+    wsSocket.onerror = function(e) {

+      window.parent.postMessage({result: "explicit-ws-blocked"}, "*");

+    };

+

+    /* load socket using wss */

+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");

+    wssSocket.onopen = function(e) {

+      window.parent.postMessage({result: "explicit-wss-loaded"}, "*");

+      wssSocket.close();

+    };

+    wssSocket.onerror = function(e) {

+      window.parent.postMessage({result: "explicit-wss-blocked"}, "*");

+    };

+  </script>

+</body>

+</html>

diff --git a/dom/security/test/csp/file_websocket_self.html b/dom/security/test/csp/file_websocket_self.html
new file mode 100644
index 000000000..3ff5f0558
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>

+<html>

+<head>

+  <meta charset="utf-8">

+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>

+  <meta http-equiv="Content-Security-Policy" content="connect-src 'self'">

+</head>

+<body>

+  <script type="application/javascript">

+    /* load socket using ws */

+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");

+    wsSocket.onopen = function(e) {

+      window.parent.postMessage({result: "self-ws-loaded"}, "*");

+      wsSocket.close();

+    };

+    wsSocket.onerror = function(e) {

+      window.parent.postMessage({result: "self-ws-blocked"}, "*");

+    };

+

+    /* load socket using wss */

+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");

+    wssSocket.onopen = function(e) {

+      window.parent.postMessage({result: "self-wss-loaded"}, "*");

+      wssSocket.close();

+    };

+    wssSocket.onerror = function(e) {

+      window.parent.postMessage({result: "self-wss-blocked"}, "*");

+    };

+  </script>

+</body>

+</html>

diff --git a/dom/security/test/csp/file_websocket_self_wsh.py b/dom/security/test/csp/file_websocket_self_wsh.py
new file mode 100644
index 000000000..5fe508a91
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self_wsh.py
@@ -0,0 +1,7 @@
+from mod_pywebsocket import msgutil

+

+def web_socket_do_extra_handshake(request):

+  pass

+

+def web_socket_transfer_data(request):

+  pass

diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 8d44e9b0b..2102cbe70 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -215,6 +215,9 @@ support-files =
   file_image_nonce.html^headers^
   file_punycode_host_src.sjs
   file_punycode_host_src.js
+  file_websocket_self.html
+  file_websocket_explicit.html
+  file_websocket_self_wsh.py
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -311,3 +314,5 @@ support-files =
 [test_ignore_xfo.html]
 [test_image_nonce.html]
 [test_punycode_host_src.html]
+[test_websocket_self.html]
+skip-if = toolkit == 'android'
diff --git a/dom/security/test/csp/test_websocket_self.html b/dom/security/test/csp/test_websocket_self.html
new file mode 100644
index 000000000..a03c32704
--- /dev/null
+++ b/dom/security/test/csp/test_websocket_self.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>

+<html>

+<head>

+  <meta charset="utf-8">

+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>

+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->

+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>

+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

+</head>

+<body>

+<iframe style="width:100%;" id="test_ws_self_frame"></iframe>

+<iframe style="width:100%;" id="test_ws_explicit_frame"></iframe>

+

+<script class="testbody" type="text/javascript">

+

+/* Description of the test:

+ * We load an iframe using connect-src 'self' and one

+ *            iframe using connect-src ws: and make

+ * sure that in both cases ws: as well as wss: is allowed to load.

+ */

+

+SimpleTest.waitForExplicitFinish();

+

+function finishTest() {

+  window.removeEventListener("message", receiveMessage);

+  SimpleTest.finish();

+}

+

+const TOTAL_TESTS = 4;

+var counter = 0;

+

+function checkResults(result) {

+  counter++;

+  if (result === "self-ws-loaded" || result === "self-wss-loaded" ||

+      result === "explicit-ws-loaded" || result === "explicit-wss-loaded") {

+    ok(true, "Evaluating: " + result);

+  }

+  else {

+    ok(false, "Evaluating: " + result);

+  }

+  if (counter < TOTAL_TESTS) {

+    return;

+  }

+  finishTest();

+}

+

+window.addEventListener("message", receiveMessage);

+function receiveMessage(event) {

+  checkResults(event.data.result);

+}

+

+const HOST = "http://example.com/tests/dom/security/test/csp/";

+var test_ws_self_frame = document.getElementById("test_ws_self_frame");

+test_ws_self_frame.src = HOST + "file_websocket_self.html";

+

+var test_ws_explicit_frame = document.getElementById("test_ws_explicit_frame");

+test_ws_explicit_frame.src = HOST + "file_websocket_explicit.html";

+

+</script>

+</body>

+</html>