From cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Fri, 25 Aug 2017 09:50:55 +0200
Subject: CSP: Support IDNs in connect-src

---
 dom/security/nsCSPUtils.cpp                       |  4 +-
 dom/security/test/csp/file_punycode_host_src.js   |  2 +
 dom/security/test/csp/file_punycode_host_src.sjs  | 45 +++++++++++++
 dom/security/test/csp/mochitest.ini               |  3 +
 dom/security/test/csp/test_punycode_host_src.html | 81 +++++++++++++++++++++++
 dom/security/test/gtest/TestCSPParser.cpp         |  2 +
 6 files changed, 135 insertions(+), 2 deletions(-)
 create mode 100644 dom/security/test/csp/file_punycode_host_src.js
 create mode 100644 dom/security/test/csp/file_punycode_host_src.sjs
 create mode 100644 dom/security/test/csp/test_punycode_host_src.html

(limited to 'dom/security')

diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index b074a980c..0ca8f520e 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -270,7 +270,7 @@ CSP_CreateHostSrcFromURI(nsIURI* aURI)
 {
   // Create the host first
   nsCString host;
-  aURI->GetHost(host);
+  aURI->GetAsciiHost(host);
   nsCSPHostSrc *hostsrc = new nsCSPHostSrc(NS_ConvertUTF8toUTF16(host));
 
   // Add the scheme.
@@ -643,7 +643,7 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   // Before we can check if the host matches, we have to
   // extract the host part from aUri.
   nsAutoCString uriHost;
-  nsresult rv = aUri->GetHost(uriHost);
+  nsresult rv = aUri->GetAsciiHost(uriHost);
   NS_ENSURE_SUCCESS(rv, false);
 
   nsString decodedUriHost;
diff --git a/dom/security/test/csp/file_punycode_host_src.js b/dom/security/test/csp/file_punycode_host_src.js
new file mode 100644
index 000000000..3505faf70
--- /dev/null
+++ b/dom/security/test/csp/file_punycode_host_src.js
@@ -0,0 +1,2 @@
+const LOADED = true;
+parent.postMessage({result: 'script-allowed'}, "*");
\ No newline at end of file
diff --git a/dom/security/test/csp/file_punycode_host_src.sjs b/dom/security/test/csp/file_punycode_host_src.sjs
new file mode 100644
index 000000000..3189cc063
--- /dev/null
+++ b/dom/security/test/csp/file_punycode_host_src.sjs
@@ -0,0 +1,45 @@
+// custom *.sjs for Bug 1224225
+// Punycode in CSP host sources
+
+const HTML_PART1 =
+  "<!DOCTYPE HTML>" +
+  "<html><head><meta charset=\"utf-8\">" +
+  "<title>Bug 1224225 - CSP source matching should work for punycoded domain names</title>" +
+  "</head>" +
+  "<body>" +
+  "<script id='script' src='";
+
+const TESTCASE1 = "http://sub2.ält.example.org/";
+const TESTCASE2 = "http://sub2.xn--lt-uia.example.org/"
+
+const HTML_PART2 = "tests/dom/security/test/csp/file_punycode_host_src.js'></script>" +
+  "</body>" +
+  "</html>";
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  Components.utils.importGlobalProperties(["URLSearchParams"]);
+  const query = new URLSearchParams(request.queryString);
+
+
+  if (query.get("csp")) {
+    response.setHeader("Content-Security-Policy", query.get("csp"), false);
+  }
+  if (query.get("action") == "script-unicode-csp-punycode") {
+    response.write(HTML_PART1 + TESTCASE1 + HTML_PART2);
+    return
+  }
+  if (query.get("action") == "script-punycode-csp-punycode") {
+    response.write(HTML_PART1 + TESTCASE2 + HTML_PART2);
+    return
+  }
+
+
+  // we should never get here, but just in case
+  // return something unexpected
+  response.write("do'h");
+}
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index d3cabc16d..8d44e9b0b 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -213,6 +213,8 @@ support-files =
   file_upgrade_insecure_navigation.sjs
   file_image_nonce.html
   file_image_nonce.html^headers^
+  file_punycode_host_src.sjs
+  file_punycode_host_src.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -308,3 +310,4 @@ support-files =
   file_sandbox_allow_scripts.html^headers^
 [test_ignore_xfo.html]
 [test_image_nonce.html]
+[test_punycode_host_src.html]
diff --git a/dom/security/test/csp/test_punycode_host_src.html b/dom/security/test/csp/test_punycode_host_src.html
new file mode 100644
index 000000000..8d891725c
--- /dev/null
+++ b/dom/security/test/csp/test_punycode_host_src.html
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1224225 - CSP source matching should work for punycoded domain names</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load scripts within an iframe and make sure that the
+ * CSP matching is same for punycode domain names as well as IDNA.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+
+var curTest;
+var counter = -1;
+
+const tests = [
+  { // test 1
+    description: "loads script as sub2.ält.example.org, but whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-unicode-csp-punycode",
+    csp: "script-src http://sub2.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+  { // test 2
+    description: "loads script as sub2.xn--lt-uia.example.org, and whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-punycode-csp-punycode",
+    csp: "script-src http://sub2.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+    { // test 3
+    description: "loads script as sub2.xn--lt-uia.example.org, and whitelist in CSP as sub2.xn--lt-uia.example.org",
+    action: "script-punycode-csp-punycode",
+    csp: "script-src *.xn--lt-uia.example.org;",
+    expected: "script-allowed",
+
+  },
+
+];
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function checkResults(result) {
+  is(result, curTest.expected, curTest.description);
+  loadNextTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+function loadNextTest() {
+  counter++;
+  if (counter == tests.length) {
+    finishTest();
+    return;
+  }
+  curTest = tests[counter];
+  var testframe = document.getElementById("testframe");
+  testframe.src = `file_punycode_host_src.sjs?action=${curTest.action}&csp=${curTest.csp}`;
+}
+
+loadNextTest();
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/gtest/TestCSPParser.cpp b/dom/security/test/gtest/TestCSPParser.cpp
index fafa7b5d9..8d168d81c 100644
--- a/dom/security/test/gtest/TestCSPParser.cpp
+++ b/dom/security/test/gtest/TestCSPParser.cpp
@@ -204,6 +204,8 @@ TEST(CSPParser, Directives)
 {
   static const PolicyTest policies[] =
   {
+    { "connect-src xn--mnchen-3ya.de",
+      "connect-src http://xn--mnchen-3ya.de"},
     { "default-src http://www.example.com",
       "default-src http://www.example.com" },
     { "script-src http://www.example.com",
-- 
cgit v1.2.3