CSP: connect-src 'self' should always include https: and wss: schemes

author: janekptacijarabaci <janekptacijarabaci@seznam.cz> 2017-08-25 10:38:52 +0200
committer: wolfbeast <mcwerewolf@gmail.com> 2018-02-22 11:30:29 +0100
commit: 896e23c20eba71bffa77cb0874b9b341e1b6c264 (patch)
tree: 1175498d423599b5cf56ce4788f3c64ab77b283b /dom/security
parent: cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 (diff)
download: uxp-896e23c20eba71bffa77cb0874b9b341e1b6c264.tar.gz
8 files changed, 168 insertions, 11 deletions
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
index f1b5d8ba74..86aa4e0018 100644
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -532,7 +532,7 @@ nsCSPParser::keywordSource()
   // Special case handling for 'self' which is not stored internally as a keyword,
   // but rather creates a nsCSPHostSrc using the selfURI
   if (CSP_IsKeyword(mCurToken, CSP_SELF)) {
-    return CSP_CreateHostSrcFromURI(mSelfURI);
+    return CSP_CreateHostSrcFromSelfURI(mSelfURI);
   }
 
   if (CSP_IsKeyword(mCurToken, CSP_STRICT_DYNAMIC)) {
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 0ca8f520e9..a5f683b018 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -266,20 +266,21 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
 }
 
 nsCSPHostSrc*
-CSP_CreateHostSrcFromURI(nsIURI* aURI)
+CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI)
 {
   // Create the host first
   nsCString host;
-  aURI->GetAsciiHost(host);
+  aSelfURI->GetAsciiHost(host);
   nsCSPHostSrc *hostsrc = new nsCSPHostSrc(NS_ConvertUTF8toUTF16(host));
+  hostsrc->setGeneratedFromSelfKeyword();
 
   // Add the scheme.
   nsCString scheme;
-  aURI->GetScheme(scheme);
+  aSelfURI->GetScheme(scheme);
   hostsrc->setScheme(NS_ConvertUTF8toUTF16(scheme));
 
   int32_t port;
-  aURI->GetPort(&port);
+  aSelfURI->GetPort(&port);
   // Only add port if it's not default port.
   if (port > 0) {
     nsAutoString portStr;
@@ -348,13 +349,17 @@ CSP_IsQuotelessKeyword(const nsAString& aKey)
  * @param aUpgradeInsecure
  *        Whether the policy makes use of the directive
  *        'upgrade-insecure-requests'.
+ * @param aFromSelfURI
+ *        Whether a scheme was generated from the keyword 'self'
+ *        which then allows schemeless sources to match ws and wss.
  */
 
 bool
 permitsScheme(const nsAString& aEnforcementScheme,
               nsIURI* aUri,
               bool aReportOnly,
-              bool aUpgradeInsecure)
+              bool aUpgradeInsecure,
+              bool aFromSelfURI)
 {
   nsAutoCString scheme;
   nsresult rv = aUri->GetScheme(scheme);
@@ -373,8 +378,20 @@ permitsScheme(const nsAString& aEnforcementScheme,
   // allow scheme-less sources where the protected resource is http
   // and the load is https, see:
   // http://www.w3.org/TR/CSP2/#match-source-expression
-  if (aEnforcementScheme.EqualsASCII("http") &&
-      scheme.EqualsASCII("https")) {
+  if (aEnforcementScheme.EqualsASCII("http")) {
+    if (scheme.EqualsASCII("https")) {
+      return true;
+    }
+    if ((scheme.EqualsASCII("ws") || scheme.EqualsASCII("wss")) && aFromSelfURI) {
+      return true;
+    }
+  }
+  if (aEnforcementScheme.EqualsASCII("https")) {
+    if (scheme.EqualsLiteral("wss") && aFromSelfURI) {
+      return true;
+    }
+  }
+  if (aEnforcementScheme.EqualsASCII("ws") && scheme.EqualsASCII("wss")) {
     return true;
   }
 
@@ -483,7 +500,7 @@ nsCSPSchemeSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirect
   if (mInvalidated) {
     return false;
   }
-  return permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure);
+  return permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure, false);
 }
 
 bool
@@ -503,6 +520,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const
 
 nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost)
   : mHost(aHost)
+  , mGeneratedFromSelfKeyword(false)
   , mWithinFrameAncstorsDir(false)
 {
   ToLowerCase(mHost);
@@ -612,7 +630,7 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   // http://www.w3.org/TR/CSP11/#match-source-expression
 
   // 4.3) scheme matching: Check if the scheme matches.
-  if (!permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure)) {
+  if (!permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure, mGeneratedFromSelfKeyword)) {
     return false;
   }
 
diff --git a/dom/security/nsCSPUtils.h b/dom/security/nsCSPUtils.h
index 468c734a22..cfbe832568 100644
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -186,7 +186,7 @@ nsresult CSP_AppendCSPFromHeader(nsIContentSecurityPolicy* aCsp,
 
 class nsCSPHostSrc;
 
-nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI);
+nsCSPHostSrc* CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI);
 bool CSP_IsValidDirective(const nsAString& aDir);
 bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
 bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
@@ -256,6 +256,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
     void setPort(const nsAString& aPort);
     void appendPath(const nsAString &aPath);
 
+    inline void setGeneratedFromSelfKeyword() const
+      { mGeneratedFromSelfKeyword = true;}
+
     inline void setWithinFrameAncestorsDir(bool aValue) const
       { mWithinFrameAncstorsDir = aValue; }
 
@@ -276,6 +279,7 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
     nsString mHost;
     nsString mPort;
     nsString mPath;
+    mutable bool mGeneratedFromSelfKeyword;
     mutable bool mWithinFrameAncstorsDir;
 };
 
diff --git a/dom/security/test/csp/file_websocket_explicit.html b/dom/security/test/csp/file_websocket_explicit.html
new file mode 100644
index 0000000000..51462ab741
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_explicit.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <meta http-equiv="Content-Security-Policy" content="connect-src ws:">
+</head>
+<body>
+  <script type="application/javascript">
+    /* load socket using ws */
+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wsSocket.onopen = function(e) {
+      window.parent.postMessage({result: "explicit-ws-loaded"}, "*");
+      wsSocket.close();
+    };
+    wsSocket.onerror = function(e) {
+      window.parent.postMessage({result: "explicit-ws-blocked"}, "*");
+    };
+
+    /* load socket using wss */
+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wssSocket.onopen = function(e) {
+      window.parent.postMessage({result: "explicit-wss-loaded"}, "*");
+      wssSocket.close();
+    };
+    wssSocket.onerror = function(e) {
+      window.parent.postMessage({result: "explicit-wss-blocked"}, "*");
+    };
+  </script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_websocket_self.html b/dom/security/test/csp/file_websocket_self.html
new file mode 100644
index 0000000000..3ff5f05580
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'self'">
+</head>
+<body>
+  <script type="application/javascript">
+    /* load socket using ws */
+    var wsSocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wsSocket.onopen = function(e) {
+      window.parent.postMessage({result: "self-ws-loaded"}, "*");
+      wsSocket.close();
+    };
+    wsSocket.onerror = function(e) {
+      window.parent.postMessage({result: "self-ws-blocked"}, "*");
+    };
+
+    /* load socket using wss */
+    var wssSocket = new WebSocket("wss://example.com/tests/dom/security/test/csp/file_websocket_self");
+    wssSocket.onopen = function(e) {
+      window.parent.postMessage({result: "self-wss-loaded"}, "*");
+      wssSocket.close();
+    };
+    wssSocket.onerror = function(e) {
+      window.parent.postMessage({result: "self-wss-blocked"}, "*");
+    };
+  </script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_websocket_self_wsh.py b/dom/security/test/csp/file_websocket_self_wsh.py
new file mode 100644
index 0000000000..5fe508a910
--- /dev/null
+++ b/dom/security/test/csp/file_websocket_self_wsh.py
@@ -0,0 +1,7 @@
+from mod_pywebsocket import msgutil
+
+def web_socket_do_extra_handshake(request):
+  pass
+
+def web_socket_transfer_data(request):
+  pass
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 8d44e9b0bb..2102cbe706 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -215,6 +215,9 @@ support-files =
   file_image_nonce.html^headers^
   file_punycode_host_src.sjs
   file_punycode_host_src.js
+  file_websocket_self.html
+  file_websocket_explicit.html
+  file_websocket_self_wsh.py
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -311,3 +314,5 @@ support-files =
 [test_ignore_xfo.html]
 [test_image_nonce.html]
 [test_punycode_host_src.html]
+[test_websocket_self.html]
+skip-if = toolkit == 'android'
diff --git a/dom/security/test/csp/test_websocket_self.html b/dom/security/test/csp/test_websocket_self.html
new file mode 100644
index 0000000000..a03c32704e
--- /dev/null
+++ b/dom/security/test/csp/test_websocket_self.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1345615: Allow websocket schemes when using 'self' in CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="test_ws_self_frame"></iframe>
+<iframe style="width:100%;" id="test_ws_explicit_frame"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load an iframe using connect-src 'self' and one
+ *            iframe using connect-src ws: and make
+ * sure that in both cases ws: as well as wss: is allowed to load.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+function finishTest() {
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+const TOTAL_TESTS = 4;
+var counter = 0;
+
+function checkResults(result) {
+  counter++;
+  if (result === "self-ws-loaded" || result === "self-wss-loaded" ||
+      result === "explicit-ws-loaded" || result === "explicit-wss-loaded") {
+    ok(true, "Evaluating: " + result);
+  }
+  else {
+    ok(false, "Evaluating: " + result);
+  }
+  if (counter < TOTAL_TESTS) {
+    return;
+  }
+  finishTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  checkResults(event.data.result);
+}
+
+const HOST = "http://example.com/tests/dom/security/test/csp/";
+var test_ws_self_frame = document.getElementById("test_ws_self_frame");
+test_ws_self_frame.src = HOST + "file_websocket_self.html";
+
+var test_ws_explicit_frame = document.getElementById("test_ws_explicit_frame");
+test_ws_explicit_frame.src = HOST + "file_websocket_explicit.html";
+
+</script>
+</body>
+</html>
author	janekptacijarabaci <janekptacijarabaci@seznam.cz>	2017-08-25 10:38:52 +0200
committer	wolfbeast <mcwerewolf@gmail.com>	2018-02-22 11:30:29 +0100
commit	896e23c20eba71bffa77cb0874b9b341e1b6c264 (patch)
tree	1175498d423599b5cf56ce4788f3c64ab77b283b /dom/security
parent	cdcfbde10dbcf0fab0630d5ee0146be45d7a6572 (diff)
download	uxp-896e23c20eba71bffa77cb0874b9b341e1b6c264.tar.gz