diff options
| -rw-r--r-- | dom/html/HTMLFormElement.cpp | 3 | ||||
| -rw-r--r-- | dom/html/HTMLSharedElement.cpp | 3 | ||||
| -rw-r--r-- | dom/interfaces/security/nsIContentSecurityPolicy.idl | 11 | ||||
| -rw-r--r-- | dom/security/nsCSPContext.cpp | 7 | ||||
| -rw-r--r-- | netwerk/cookie/nsCookieService.cpp | 87 | ||||
| -rw-r--r-- | netwerk/cookie/nsCookieService.h | 1 | ||||
| -rw-r--r-- | parser/html/nsHtml5TreeOpExecutor.cpp | 56 |
7 files changed, 128 insertions, 40 deletions
diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp index 2fe452bcd0..c8bb526379 100644 --- a/dom/html/HTMLFormElement.cpp +++ b/dom/html/HTMLFormElement.cpp @@ -1721,7 +1721,8 @@ HTMLFormElement::GetActionURL(nsIURI** aActionURL, // policy - do *not* consult default-src, see: // http://www.w3.org/TR/CSP2/#directive-default-src rv = csp->Permits(actionURL, nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE, - true, &permitsFormAction); + true /*aSpecific */, true /* aSendViolationReports */, + &permitsFormAction); NS_ENSURE_SUCCESS(rv, rv); if (!permitsFormAction) { return NS_ERROR_CSP_FORM_ACTION_VIOLATION; diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp index e8c75f8aa9..90f9ff62ea 100644 --- a/dom/html/HTMLSharedElement.cpp +++ b/dom/html/HTMLSharedElement.cpp @@ -191,7 +191,8 @@ SetBaseURIUsingFirstBaseWithHref(nsIDocument* aDocument, nsIContent* aMustMatch) // http://www.w3.org/TR/CSP2/#directive-default-src bool cspPermitsBaseURI = true; rv = csp->Permits(newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, - true, &cspPermitsBaseURI); + true /* aSpecific */, true /* aSendViolationReports */, + &cspPermitsBaseURI); if (NS_FAILED(rv) || !cspPermitsBaseURI) { newBaseURI = nullptr; } diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl index da4297f338..e76c39c44b 100644 --- a/dom/interfaces/security/nsIContentSecurityPolicy.idl +++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl @@ -252,9 +252,6 @@ interface nsIContentSecurityPolicy : nsISerializable /** * Checks if a specific directive permits loading of a URI. * - * NOTE: Calls to this may trigger violation reports when queried, so the - * return value should not be cached. - * * @param aURI * The URI about to be loaded or used. * @param aDir @@ -266,11 +263,17 @@ interface nsIContentSecurityPolicy : nsISerializable * "false" allows CSP to fall back to default-src. This function * behaves the same for both values of canUseDefault when querying * directives that don't fall-back. + * @param aSendViolationReports + * If `true` and the uri is not allowed then trigger violation reports. + * This should be `false` for caching or preloads. * @return * Whether or not the provided URI is allowed by CSP under the given * directive. (block the pending operation if false). */ - boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific); + boolean permits(in nsIURI aURI, + in CSPDirective aDir, + in boolean aSpecific, + in boolean aSendViolationReports); /** * Delegate method called by the service when sub-elements of the protected diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp index ec698b91d0..544fe118b7 100644 --- a/dom/security/nsCSPContext.cpp +++ b/dom/security/nsCSPContext.cpp @@ -1309,6 +1309,7 @@ NS_IMETHODIMP nsCSPContext::Permits(nsIURI* aURI, CSPDirective aDir, bool aSpecific, + bool aSendViolationReports, bool* outPermits) { // Can't perform check without aURI @@ -1323,13 +1324,13 @@ nsCSPContext::Permits(nsIURI* aURI, false, // not redirected. false, // not a preload. aSpecific, - true, // send violation reports + aSendViolationReports, true, // send blocked URI in violation reports false); // not parser created if (CSPCONTEXTLOGENABLED()) { - CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %d, isAllowed: %s", - aURI->GetSpecOrDefault().get(), aDir, + CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %s, isAllowed: %s", + aURI->GetSpecOrDefault().get(), CSP_CSPDirectiveToString(aDir), *outPermits ? "allow" : "deny")); } diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp index 9a08bd1d79..828b8920c2 100644 --- a/netwerk/cookie/nsCookieService.cpp +++ b/netwerk/cookie/nsCookieService.cpp @@ -3344,6 +3344,10 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI, COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the path tests"); return newCookie; } + if (!CheckHiddenPrefix(cookieAttributes)) { + COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the CheckHiddenPrefix tests"); + return newCookie; + } // magic prefix checks. MUST be run after CheckDomain() and CheckPath() if (!CheckPrefixes(cookieAttributes, isHTTPS)) { COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the prefix tests"); @@ -4042,7 +4046,7 @@ nsCookieService::CheckPrefs(nsIURI *aHostURI, // processes domain attribute, and returns true if host has permission to set for this domain. bool -nsCookieService::CheckDomain(nsCookieAttributes &aCookieAttributes, +nsCookieService::CheckDomain(nsCookieAttributes &aCookie, nsIURI *aHostURI, const nsCString &aBaseDomain, bool aRequireHostMatch) @@ -4057,15 +4061,15 @@ nsCookieService::CheckDomain(nsCookieAttributes &aCookieAttributes, aHostURI->GetAsciiHost(hostFromURI); // if a domain is given, check the host has permission - if (!aCookieAttributes.host.IsEmpty()) { + if (!aCookie.host.IsEmpty()) { // Tolerate leading '.' characters, but not if it's otherwise an empty host. - if (aCookieAttributes.host.Length() > 1 && - aCookieAttributes.host.First() == '.') { - aCookieAttributes.host.Cut(0, 1); + if (aCookie.host.Length() > 1 && + aCookie.host.First() == '.') { + aCookie.host.Cut(0, 1); } // switch to lowercase now, to avoid case-insensitive compares everywhere - ToLowerCase(aCookieAttributes.host); + ToLowerCase(aCookie.host); // check whether the host is either an IP address, an alias such as // 'localhost', an eTLD such as 'co.uk', or the empty string. in these @@ -4073,14 +4077,14 @@ nsCookieService::CheckDomain(nsCookieAttributes &aCookieAttributes, // as a non-domain one. bug 105917 originally noted the requirement to deal // with IP addresses. if (aRequireHostMatch) - return hostFromURI.Equals(aCookieAttributes.host); + return hostFromURI.Equals(aCookie.host); // ensure the proposed domain is derived from the base domain; and also // that the host domain is derived from the proposed domain (per RFC2109). - if (IsSubdomainOf(aCookieAttributes.host, aBaseDomain) && - IsSubdomainOf(hostFromURI, aCookieAttributes.host)) { + if (IsSubdomainOf(aCookie.host, aBaseDomain) && + IsSubdomainOf(hostFromURI, aCookie.host)) { // prepend a dot to indicate a domain cookie - aCookieAttributes.host.Insert(NS_LITERAL_CSTRING("."), 0); + aCookie.host.Insert(NS_LITERAL_CSTRING("."), 0); return true; } @@ -4095,7 +4099,7 @@ nsCookieService::CheckDomain(nsCookieAttributes &aCookieAttributes, } // no domain specified, use hostFromURI - aCookieAttributes.host = hostFromURI; + aCookie.host = hostFromURI; return true; } @@ -4121,12 +4125,12 @@ GetPathFromURI(nsIURI* aHostURI) } bool -nsCookieService::CheckPath(nsCookieAttributes &aCookieAttributes, +nsCookieService::CheckPath(nsCookieAttributes &aCookie, nsIURI *aHostURI) { // if a path is given, check the host has permission - if (aCookieAttributes.path.IsEmpty() || aCookieAttributes.path.First() != '/') { - aCookieAttributes.path = GetPathFromURI(aHostURI); + if (aCookie.path.IsEmpty() || aCookie.path.First() != '/') { + aCookie.path = GetPathFromURI(aHostURI); #if 0 } else { @@ -4139,19 +4143,42 @@ nsCookieService::CheckPath(nsCookieAttributes &aCookieAttributes, // get path from aHostURI nsAutoCString pathFromURI; if (NS_FAILED(aHostURI->GetPath(pathFromURI)) || - !StringBeginsWith(pathFromURI, aCookieAttributes.path)) { + !StringBeginsWith(pathFromURI, aCookie.path)) { return false; } #endif } - if (aCookieAttributes.path.Length() > kMaxBytesPerPath || - aCookieAttributes.path.Contains('\t')) + if (aCookie.path.Length() > kMaxBytesPerPath || + aCookie.path.Contains('\t')) return false; return true; } +bool +nsCookieService::CheckHiddenPrefix(nsCookieAttributes &aCookie) { + // If a cookie is nameless, then its value must not start with + // `__Host-` or `__Secure-` + if (aCookie.name.Length() != 0) { + return true; + } + + static const char kSecure[] = "__Secure-"; + static const char kHost[] = "__Host-"; + static const int kSecureLen = sizeof( kSecure ) - 1; + static const int kHostLen = sizeof( kHost ) - 1; + + bool isSecure = strncmp( aCookie.value.get(), kSecure, kSecureLen ) == 0; + bool isHost = strncmp( aCookie.value.get(), kHost, kHostLen ) == 0; + + if (isSecure || isHost) { + return false; + } + + return true; +} + // CheckPrefixes // // Reject cookies whose name starts with the magic prefixes from @@ -4161,7 +4188,7 @@ nsCookieService::CheckPath(nsCookieAttributes &aCookieAttributes, // Must not be called until after CheckDomain() and CheckPath() have // regularized and validated the nsCookieAttributes values! bool -nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes, +nsCookieService::CheckPrefixes(nsCookieAttributes &aCookie, bool aSecureRequest) { static const char kSecure[] = "__Secure-"; @@ -4169,15 +4196,15 @@ nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes, static const int kSecureLen = sizeof( kSecure ) - 1; static const int kHostLen = sizeof( kHost ) - 1; - bool isSecure = strncmp( aCookieAttributes.name.get(), kSecure, kSecureLen ) == 0; - bool isHost = strncmp( aCookieAttributes.name.get(), kHost, kHostLen ) == 0; + bool isSecure = strncmp( aCookie.value.get(), kSecure, kSecureLen ) == 0; + bool isHost = strncmp( aCookie.value.get(), kHost, kHostLen ) == 0; if ( !isSecure && !isHost ) { // not one of the magic prefixes: carry on return true; } - if ( !aSecureRequest || !aCookieAttributes.isSecure ) { + if ( !aSecureRequest || !aCookie.isSecure ) { // the magic prefixes may only be used from a secure request and // the secure attribute must be set on the cookie return false; @@ -4190,8 +4217,8 @@ nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes, // them. In particular all explicit domain attributes result in a host // that starts with a dot, and if the host doesn't start with a dot it // correctly matches the true host. - if ( aCookieAttributes.host[0] == '.' || - !aCookieAttributes.path.EqualsLiteral( "/" )) { + if ( aCookie.host[0] == '.' || + !aCookie.path.EqualsLiteral( "/" )) { return false; } } @@ -4200,7 +4227,7 @@ nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes, } bool -nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes, +nsCookieService::GetExpiry(nsCookieAttributes &aCookie, int64_t aServerTime, int64_t aCurrentTime) { @@ -4212,10 +4239,10 @@ nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes, * Note: We need to consider accounting for network lag here, per RFC. */ // check for max-age attribute first; this overrides expires attribute - if (!aCookieAttributes.maxage.IsEmpty()) { + if (!aCookie.maxage.IsEmpty()) { // obtain numeric value of maxageAttribute int64_t maxage; - int32_t numInts = PR_sscanf(aCookieAttributes.maxage.get(), "%lld", &maxage); + int32_t numInts = PR_sscanf(aCookie.maxage.get(), "%lld", &maxage); // default to session cookie if the conversion failed if (numInts != 1) { @@ -4224,14 +4251,14 @@ nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes, // if this addition overflows, expiryTime will be less than currentTime // and the cookie will be expired - that's okay. - aCookieAttributes.expiryTime = aCurrentTime + maxage; + aCookie.expiryTime = aCurrentTime + maxage; // check for expires attribute - } else if (!aCookieAttributes.expires.IsEmpty()) { + } else if (!aCookie.expires.IsEmpty()) { PRTime expires; // parse expiry time - if (PR_ParseTimeString(aCookieAttributes.expires.get(), true, &expires) != PR_SUCCESS) { + if (PR_ParseTimeString(aCookie.expires.get(), true, &expires) != PR_SUCCESS) { return true; } @@ -4240,7 +4267,7 @@ nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes, // Because if current time be set in the future, but the cookie expire // time be set less than current time and more than server time. // The cookie item have to be used to the expired cookie. - aCookieAttributes.expiryTime = expires / int64_t(PR_USEC_PER_SEC); + aCookie.expiryTime = expires / int64_t(PR_USEC_PER_SEC); // default to session cookie if no attributes found } else { diff --git a/netwerk/cookie/nsCookieService.h b/netwerk/cookie/nsCookieService.h index 185f0b4926..deb9fed330 100644 --- a/netwerk/cookie/nsCookieService.h +++ b/netwerk/cookie/nsCookieService.h @@ -307,6 +307,7 @@ class nsCookieService final : public nsICookieService CookieStatus CheckPrefs(nsIURI *aHostURI, bool aIsForeign, const char *aCookieHeader); bool CheckDomain(nsCookieAttributes &aCookie, nsIURI *aHostURI, const nsCString &aBaseDomain, bool aRequireHostMatch); static bool CheckPath(nsCookieAttributes &aCookie, nsIURI *aHostURI); + static bool CheckHiddenPrefix(nsCookieAttributes &aCookie); static bool CheckPrefixes(nsCookieAttributes &aCookie, bool aSecureRequest); static bool GetExpiry(nsCookieAttributes &aCookie, int64_t aServerTime, int64_t aCurrentTime); void RemoveAllFromMemory(); diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp index a7a8f28f9c..33fb3d0c7d 100644 --- a/parser/html/nsHtml5TreeOpExecutor.cpp +++ b/parser/html/nsHtml5TreeOpExecutor.cpp @@ -1018,9 +1018,63 @@ nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) return; } const nsCString& charset = mDocument->GetDocumentCharacterSet(); - DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL, + nsCOMPtr<nsIURI> newBaseURI; + nsresult rv = NS_NewURI(getter_AddRefs(newBaseURI), aURL, charset.get(), mDocument->GetDocumentURI()); NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI"); + if (!newBaseURI) { + return; + } + + if (!CSPService::sCSPEnabled) { + // If CSP is not enabled, just pass back the URI + mSpeculationBaseURI = newBaseURI; + return; + } + + NS_ASSERTION(NS_IsMainThread(), "Wrong thread!"); + + nsCOMPtr<nsIPrincipal> principal = mDocument->NodePrincipal(); + nsCOMPtr<nsIDOMDocument> domDoc = do_QueryInterface(mDocument); + + // Check the document's CSP usually delivered via the CSP header. + nsCOMPtr<nsIContentSecurityPolicy> documentCsp; + rv = principal->EnsureCSP(domDoc, getter_AddRefs(documentCsp)); + NS_ENSURE_SUCCESS_VOID(rv); + if (documentCsp) { + // base-uri should not fallback to the default-src and preloads should not + // trigger violation reports. + bool cspPermitsBaseURI = true; + rv = documentCsp->Permits( + newBaseURI, + nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, + true /* aSpecific */, + false /* aSendViolationReports */, + &cspPermitsBaseURI); + if (NS_FAILED(rv) || !cspPermitsBaseURI) { + return; + } + } + + // Also check the CSP discovered from the <meta> tag during speculative + // parsing. + nsCOMPtr<nsIContentSecurityPolicy> preloadCsp; + rv = principal->EnsurePreloadCSP(domDoc, getter_AddRefs(preloadCsp)); + NS_ENSURE_SUCCESS_VOID(rv); + if (preloadCsp) { + bool cspPermitsBaseURI = true; + rv = preloadCsp->Permits( + newBaseURI, + nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, + true /* aSpecific */, + false /* aSendViolationReports */, + &cspPermitsBaseURI); + if (NS_FAILED(rv) || !cspPermitsBaseURI) { + return; + } + } + + mSpeculationBaseURI = newBaseURI; } void |