From b4dac5093a75a024643b93aef88758770df73c55 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Fri, 25 Aug 2017 09:36:20 +0200
Subject: CSP: Ignore nonces on <img> per spec

---
 dom/security/nsCSPContext.cpp                      | 11 ++--
 dom/security/test/csp/file_image_nonce.html        | 39 ++++++++++++++
 .../test/csp/file_image_nonce.html^headers^        |  2 +
 dom/security/test/csp/mochitest.ini                |  3 ++
 dom/security/test/csp/test_image_nonce.html        | 60 ++++++++++++++++++++++
 5 files changed, 111 insertions(+), 4 deletions(-)
 create mode 100644 dom/security/test/csp/file_image_nonce.html
 create mode 100644 dom/security/test/csp/file_image_nonce.html^headers^
 create mode 100644 dom/security/test/csp/test_image_nonce.html

(limited to 'dom/security')

diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 0a3e20305..5e435d4ca 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -156,10 +156,13 @@ nsCSPContext::ShouldLoad(nsContentPolicyType aContentType,
   nsAutoString nonce;
   bool parserCreated = false;
   if (!isPreload) {
-    nsCOMPtr<nsIDOMHTMLElement> htmlElement = do_QueryInterface(aRequestContext);
-    if (htmlElement) {
-      rv = htmlElement->GetAttribute(NS_LITERAL_STRING("nonce"), nonce);
-      NS_ENSURE_SUCCESS(rv, rv);
+    if (aContentType == nsIContentPolicy::TYPE_SCRIPT ||
+        aContentType == nsIContentPolicy::TYPE_STYLESHEET) {
+      nsCOMPtr<nsIDOMHTMLElement> htmlElement = do_QueryInterface(aRequestContext);
+      if (htmlElement) {
+        rv = htmlElement->GetAttribute(NS_LITERAL_STRING("nonce"), nonce);
+        NS_ENSURE_SUCCESS(rv, rv);
+      }
     }
 
     nsCOMPtr<nsIScriptElement> script = do_QueryInterface(aRequestContext);
diff --git a/dom/security/test/csp/file_image_nonce.html b/dom/security/test/csp/file_image_nonce.html
new file mode 100644
index 000000000..5d57bb837
--- /dev/null
+++ b/dom/security/test/csp/file_image_nonce.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <title>Bug 1355801: Nonce should not apply to images</title>
+  </head>
+<body>
+
+<img id='matchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?a' nonce='abc'></img>
+<img id='nonMatchingNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?b' nonce='bca'></img>
+<img id='noNonce' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png?c'></img>
+
+<script type='application/javascript'>
+  var matchingNonce = document.getElementById('matchingNonce');
+  matchingNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-with-matching-nonce-loaded'}, '*');
+  };
+  matchingNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-with-matching-nonce-blocked'}, '*');
+  }
+
+  var nonMatchingNonce = document.getElementById('nonMatchingNonce');
+  nonMatchingNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-with_non-matching-nonce-loaded'}, '*');
+  };
+  nonMatchingNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-with_non-matching-nonce-blocked'}, '*');
+  }
+
+  var noNonce = document.getElementById('noNonce');
+  noNonce.onload = function(e) {
+    window.parent.postMessage({result: 'img-without-nonce-loaded'}, '*');
+  };
+  noNonce.onerror = function(e) {
+    window.parent.postMessage({result: 'img-without-nonce-blocked'}, '*');
+  }
+</script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_image_nonce.html^headers^ b/dom/security/test/csp/file_image_nonce.html^headers^
new file mode 100644
index 000000000..0d63558c4
--- /dev/null
+++ b/dom/security/test/csp/file_image_nonce.html^headers^
@@ -0,0 +1,2 @@
+Content-Security-Policy: img-src 'nonce-abc';
+Cache-Control: no-cache
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 04401b063..d3cabc16d 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -211,6 +211,8 @@ support-files =
   file_ro_ignore_xfo.html
   file_ro_ignore_xfo.html^headers^
   file_upgrade_insecure_navigation.sjs
+  file_image_nonce.html
+  file_image_nonce.html^headers^
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -305,3 +307,4 @@ support-files =
   file_sandbox_allow_scripts.html
   file_sandbox_allow_scripts.html^headers^
 [test_ignore_xfo.html]
+[test_image_nonce.html]
diff --git a/dom/security/test/csp/test_image_nonce.html b/dom/security/test/csp/test_image_nonce.html
new file mode 100644
index 000000000..ff6d636b6
--- /dev/null
+++ b/dom/security/test/csp/test_image_nonce.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load three images: (a) with a matching nonce,
+                         (b) with a non matching nonce,
+ *                       (c) with no nonce
+ * and make sure that all three images get blocked because
+ * "img-src nonce-bla" should not allow an image load, not
+ * even if the nonce matches*.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+var counter = 0;
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(aResult) {
+  counter++;
+  if (aResult === "img-with-matching-nonce-blocked" ||
+      aResult === "img-with_non-matching-nonce-blocked" ||
+      aResult === "img-without-nonce-blocked") {
+    ok (true, "correct result for: " + aResult);
+  }
+  else {
+    ok(false, "unexpected result: " + aResult + "\n\n");
+  }
+  if (counter < 3) {
+    return;
+  }
+  finishTest();
+}
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to bubble up results back to this main page.
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+document.getElementById("testframe").src = "file_image_nonce.html";
+
+</script>
+</body>
+</html>
-- 
cgit v1.2.3