Issue #2402 - importScripts should be governed by script-src in Web Workers. https://bugzilla.mozilla.org/show_bug.cgi?id=1322111 Add TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS content policy. Update the Cache API schema to account for new nsIContentPolicy type.

2026-05-26 13:58:49 +00:00 · 2024-01-06 15:29:04 -06:00
parent f8a174e19f
commit 6979441734
8 changed files with 40 additions and 8 deletions
@@ -135,6 +135,7 @@ NS_CP_ContentTypeName(uint32_t contentType)
    CASE_RETURN( TYPE_INTERNAL_STYLESHEET         );
    CASE_RETURN( TYPE_INTERNAL_STYLESHEET_PRELOAD );
    CASE_RETURN( TYPE_SAVEAS_DOWNLOAD             );
+    CASE_RETURN( TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS );
   default:
    return "<Unknown Type>";
  }
@@ -8595,6 +8595,7 @@ nsContentUtils::InternalContentPolicyTypeToExternal(nsContentPolicyType aType)
  case nsIContentPolicy::TYPE_INTERNAL_WORKER:
  case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER:
  case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER:
+  case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
    return nsIContentPolicy::TYPE_SCRIPT;

  case nsIContentPolicy::TYPE_INTERNAL_EMBED:
@@ -333,6 +333,14 @@ interface nsIContentPolicyBase : nsISupports
   */
  const nsContentPolicyType TYPE_SAVEAS_DOWNLOAD = 42;

+  /**
+   * Indicates an importScripts() inside a worker script.
+   *
+   * This will be mapped to TYPE_SCRIPT before being passed to content policy
+   * implementations.
+   */
+  const nsContentPolicyType TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS = 43;
+
  /* When adding new content types, please update nsContentBlocker,
   * NS_CP_ContentTypeName, nsCSPContext, CSP_ContentTypeToDirective,
   * DoContentSecurityChecks, all nsIContentPolicy implementations, the
@@ -34,7 +34,7 @@ namespace db {
 const int32_t kFirstShippedSchemaVersion = 15;
 namespace {
 // Update this whenever the DB schema is changed.
-const int32_t kLatestSchemaVersion = 24;
+const int32_t kLatestSchemaVersion = 25;
 // ---------
 // The following constants define the SQL schema.  These are defined in the
 // same order the SQL should be executed in CreateOrMigrateSchema().  They are
@@ -287,7 +287,8 @@ static_assert(nsIContentPolicy::TYPE_INVALID == 0 &&
              nsIContentPolicy::TYPE_INTERNAL_STYLESHEET == 39 &&
              nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD == 40 &&
              nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON == 41 &&
-              nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD == 42,
+              nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD == 42 &&
+              nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS == 43,
              "nsContentPolicyType values are as expected");

 namespace {
@@ -2478,6 +2479,7 @@ nsresult MigrateFrom20To21(mozIStorageConnection* aConn, bool& aRewriteSchema);
 nsresult MigrateFrom21To22(mozIStorageConnection* aConn, bool& aRewriteSchema);
 nsresult MigrateFrom22To23(mozIStorageConnection* aConn, bool& aRewriteSchema);
 nsresult MigrateFrom23To24(mozIStorageConnection* aConn, bool& aRewriteSchema);
+nsresult MigrateFrom24To25(mozIStorageConnection* aConn, bool& aRewriteSchema);
 // Configure migration functions to run for the given starting version.
 Migration sMigrationList[] = {
  Migration(15, MigrateFrom15To16),
@@ -2489,6 +2491,7 @@ Migration sMigrationList[] = {
  Migration(21, MigrateFrom21To22),
  Migration(22, MigrateFrom22To23),
  Migration(23, MigrateFrom23To24),
+  Migration(24, MigrateFrom24To25),
 };
 uint32_t sMigrationListLength = sizeof(sMigrationList) / sizeof(Migration);
 nsresult
@@ -3013,6 +3016,17 @@ nsresult MigrateFrom23To24(mozIStorageConnection* aConn, bool& aRewriteSchema)
  return rv;
 }

+nsresult MigrateFrom24To25(mozIStorageConnection* aConn, bool& aRewriteSchema)
+{
+  MOZ_ASSERT(!NS_IsMainThread());
+  MOZ_DIAGNOSTIC_ASSERT(aConn);
+
+  // The only change between 24 and 25 was a new nsIContentPolicy type.
+  nsresult rv = aConn->SetSchemaVersion(25);
+  if (NS_WARN_IF(NS_FAILED(rv))) { return rv; }
+  return rv;
+}
+
 } // anonymous namespace
 } // namespace db
 } // namespace cache
@@ -234,6 +234,7 @@ InternalRequest::MapContentPolicyTypeToRequestContext(nsContentPolicyType aConte
  case nsIContentPolicy::TYPE_INTERNAL_SCRIPT:
  case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD:
  case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER:
+  case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
    context = RequestContext::Script;
    break;
  case nsIContentPolicy::TYPE_INTERNAL_WORKER:
@@ -212,6 +212,7 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
    case nsIContentPolicy::TYPE_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD:
+    case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
      return nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE;

    case nsIContentPolicy::TYPE_STYLESHEET:
@@ -112,7 +112,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                     const nsAString& aScriptURL,
                     bool aIsMainScript,
                     WorkerScriptType aWorkerScriptType,
-                     nsContentPolicyType aContentPolicyType,
+                     nsContentPolicyType aMainScriptContentPolicyType,
                     nsLoadFlags aLoadFlags,
                     bool aDefaultURIEncoding,
                     nsIChannel** aChannel)
@@ -169,6 +169,10 @@ ChannelFromScriptURL(nsIPrincipal* principal,
    secFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL;
  }

+  nsContentPolicyType contentPolicyType =
+    aIsMainScript ? aMainScriptContentPolicyType
+                  : nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS;
+
  nsCOMPtr<nsIChannel> channel;
  // If we have the document, use it. Unfortunately, for dedicated workers
  // 'parentDoc' ends up being the parent document, which is not the document
@@ -179,7 +183,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                       uri,
                       parentDoc,
                       secFlags,
-                       aContentPolicyType,
+                       contentPolicyType,
                       loadGroup,
                       nullptr, // aCallbacks
                       aLoadFlags,
@@ -194,7 +198,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                       uri,
                       principal,
                       secFlags,
-                       aContentPolicyType,
+                       contentPolicyType,
                       loadGroup,
                       nullptr, // aCallbacks
                       aLoadFlags,
@@ -2165,7 +2169,7 @@ ChannelFromScriptURLMainThread(nsIPrincipal* aPrincipal,
                               nsIDocument* aParentDoc,
                               nsILoadGroup* aLoadGroup,
                               const nsAString& aScriptURL,
-                               nsContentPolicyType aContentPolicyType,
+                               nsContentPolicyType aMainScriptContentPolicyType,
                               bool aDefaultURIEncoding,
                               nsIChannel** aChannel)
 {
@@ -2178,8 +2182,9 @@ ChannelFromScriptURLMainThread(nsIPrincipal* aPrincipal,

  return ChannelFromScriptURL(aPrincipal, aBaseURI, aParentDoc, aLoadGroup,
                              ios, secMan, aScriptURL, true, WorkerScript,
-                              aContentPolicyType, nsIRequest::LOAD_NORMAL,
-                              aDefaultURIEncoding, aChannel);
+                              aMainScriptContentPolicyType,
+                              nsIRequest::LOAD_NORMAL, aDefaultURIEncoding,
+                              aChannel);
 }

 nsresult
@@ -67,6 +67,7 @@ static const char *kTypeString[] = {
                                    "", // TYPE_INTERNAL_STYLESHEET_PRELOAD
                                    "", // TYPE_INTERNAL_IMAGE_FAVICON
                                    "saveas_download",
+                                    "", // TYPE_INTERNAL_WORKERS_IMPORT_SCRIPTS
 };

 #define NUMBER_OF_TYPES MOZ_ARRAY_LENGTH(kTypeString)