ported from UXP: Issue #2728 - Remove obsolete CSP referrer policy. (0331e633)

2025-04-30 23:26:26 +08:00
parent fea416d4f2
commit 7173daa457
15 changed files with 32 additions and 486 deletions
-10
@@ -2488,16 +2488,6 @@ nsDocument::ApplySettingsFromCSP(bool aSpeculative)
rv = NodePrincipal()->GetCsp(getter_AddRefs(csp));
NS_ENSURE_SUCCESS_VOID(rv);
if (csp) {
// Set up any Referrer Policy specified by CSP
bool hasReferrerPolicy = false;
uint32_t referrerPolicy = mozilla::net::RP_Unset;
rv = csp->GetReferrerPolicy(&referrerPolicy, &hasReferrerPolicy);
NS_ENSURE_SUCCESS_VOID(rv);
if (hasReferrerPolicy) {
mReferrerPolicy = static_cast<ReferrerPolicy>(referrerPolicy);
mReferrerPolicySet = true;
}
// Set up 'block-all-mixed-content' if not already inherited
// from the parent context or set by any other CSP.
if (!mBlockAllMixedContent) {
@@ -52,18 +52,17 @@ interface nsIContentSecurityPolicy : nsISerializable
const unsigned short REFLECTED_XSS_DIRECTIVE = 12;
const unsigned short BASE_URI_DIRECTIVE = 13;
const unsigned short FORM_ACTION_DIRECTIVE = 14;
const unsigned short REFERRER_DIRECTIVE = 15;
const unsigned short WEB_MANIFEST_SRC_DIRECTIVE = 16;
const unsigned short UPGRADE_IF_INSECURE_DIRECTIVE = 17;
const unsigned short CHILD_SRC_DIRECTIVE = 18;
const unsigned short BLOCK_ALL_MIXED_CONTENT = 19;
const unsigned short REQUIRE_SRI_FOR = 20;
const unsigned short SANDBOX_DIRECTIVE = 21;
const unsigned short WORKER_SRC_DIRECTIVE = 22;
const unsigned short SCRIPT_SRC_ELEM_DIRECTIVE = 23;
const unsigned short SCRIPT_SRC_ATTR_DIRECTIVE = 24;
const unsigned short STYLE_SRC_ELEM_DIRECTIVE = 25;
const unsigned short STYLE_SRC_ATTR_DIRECTIVE = 26;
const unsigned short WEB_MANIFEST_SRC_DIRECTIVE = 15;
const unsigned short UPGRADE_IF_INSECURE_DIRECTIVE = 16;
const unsigned short CHILD_SRC_DIRECTIVE = 17;
const unsigned short BLOCK_ALL_MIXED_CONTENT = 18;
const unsigned short REQUIRE_SRI_FOR = 19;
const unsigned short SANDBOX_DIRECTIVE = 20;
const unsigned short WORKER_SRC_DIRECTIVE = 21;
const unsigned short SCRIPT_SRC_ELEM_DIRECTIVE = 22;
const unsigned short SCRIPT_SRC_ATTR_DIRECTIVE = 23;
const unsigned short STYLE_SRC_ELEM_DIRECTIVE = 24;
const unsigned short STYLE_SRC_ATTR_DIRECTIVE = 25;
/**
* Accessor method for a read-only string version of the policy at a given
@@ -105,21 +104,6 @@ interface nsIContentSecurityPolicy : nsISerializable
*/
readonly attribute bool enforcesFrameAncestors;
/**
* Obtains the referrer policy (as integer) for this browsing context as
* specified in CSP. If there are multiple policies and...
* - only one sets a referrer policy: that policy is returned
* - more than one sets different referrer policies: no-referrer is returned
* - more than one set equivalent policies: that policy is returned
* For the enumeration of policies see ReferrerPolicy.h and nsIHttpChannel.
*
* @param aPolicy
* The referrer policy to use for the protected resource.
* @return
* true if a referrer policy is specified, false if it's unspecified.
*/
bool getReferrerPolicy(out unsigned long policy);
/**
* Parse and install a CSP policy.
* @param aPolicy
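Review bot: The first hunk of this interface renumbers every constant after FORM_ACTION_DIRECTIVE, so a consumer built against the old values would silently address a different directive: 16 used to be WEB_MANIFEST_SRC_DIRECTIVE and is now UPGRADE_IF_INSECURE_DIRECTIVE. The interface's uuid attribute lies outside both hunks; if this commit does not change it, it should, because the constants and the method set (getReferrerPolicy is removed in the second hunk) both differ from the old interface. The values also appear to index the CSPStrDirectives table in nsCSPUtils.h, so a comment above the constants such as `// Keep in the same order as CSPStrDirectives in nsCSPUtils.h.` would make that coupling explicit.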
-42
@@ -399,48 +399,6 @@ nsCSPContext::GetEnforcesFrameAncestors(bool *outEnforcesFrameAncestors)
return NS_OK;
}
NS_IMETHODIMP
nsCSPContext::GetReferrerPolicy(uint32_t* outPolicy, bool* outIsSet)
{
*outIsSet = false;
*outPolicy = mozilla::net::RP_Unset;
nsAutoString refpol;
mozilla::net::ReferrerPolicy previousPolicy = mozilla::net::RP_Unset;
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
mPolicies[i]->getReferrerPolicy(refpol);
// only set the referrer policy if not delievered through a CSPRO and
// note that and an empty string in refpol means it wasn't set
// (that's the default in nsCSPPolicy).
if (!mPolicies[i]->getReportOnlyFlag() && !refpol.IsEmpty()) {
// Referrer Directive in CSP is no more used and going to be replaced by
// Referrer-Policy HTTP header. But we still keep using referrer directive,
// and would remove it later.
// Referrer Directive specs is not fully compliant with new referrer policy
// specs. What we are using here:
// - If the value of the referrer directive is invalid, the user agent
// should set the referrer policy to no-referrer.
// - If there are two policies that specify a referrer policy, then they
// must agree or the employed policy is no-referrer.
if (!mozilla::net::IsValidReferrerPolicy(refpol)) {
*outPolicy = mozilla::net::RP_No_Referrer;
*outIsSet = true;
return NS_OK;
}
uint32_t currentPolicy = mozilla::net::ReferrerPolicyFromString(refpol);
if (*outIsSet && previousPolicy != currentPolicy) {
*outPolicy = mozilla::net::RP_No_Referrer;
return NS_OK;
}
*outPolicy = currentPolicy;
*outIsSet = true;
}
}
return NS_OK;
}
NS_IMETHODIMP
nsCSPContext::AppendPolicy(const nsAString& aPolicyString,
bool aReportOnly,
+18 -63
@@ -18,7 +18,6 @@
#include "nsReadableUtils.h"
#include "nsServiceManagerUtils.h"
#include "nsUnicharUtils.h"
#include "mozilla/net/ReferrerPolicy.h"
using namespace mozilla;
@@ -809,43 +808,6 @@ nsCSPParser::sourceList(nsTArray<nsCSPBaseSrc*>& outSrcs)
}
}
void
nsCSPParser::referrerDirectiveValue(nsCSPDirective* aDir)
{
// directive-value = "none" / "none-when-downgrade" / "origin" / "origin-when-cross-origin" / "unsafe-url"
// directive name is token 0, we need to examine the remaining tokens (and
// there should only be one token in the value).
CSPPARSERLOG(("nsCSPParser::referrerDirectiveValue"));
if (mCurDir.Length() != 2) {
CSPPARSERLOG(("Incorrect number of tokens in referrer directive, got %d expected 1",
mCurDir.Length() - 1));
delete aDir;
return;
}
if (!mozilla::net::IsValidReferrerPolicy(mCurDir[1])) {
CSPPARSERLOG(("invalid value for referrer directive: %s",
NS_ConvertUTF16toUTF8(mCurDir[1]).get()));
delete aDir;
return;
}
//referrer-directive deprecation warning
const char16_t* params[] = { mCurDir[1].get() };
logWarningErrorToConsole(nsIScriptError::warningFlag, "deprecatedReferrerDirective",
params, ArrayLength(params));
// the referrer policy is valid, so go ahead and use it.
nsWeakPtr ctx = mCSPContext->GetLoadingContext();
nsCOMPtr<nsIDocument> doc = do_QueryReferent(ctx);
if (doc) {
doc->SetHasReferrerPolicyCSP(true);
}
mPolicy->setReferrerPolicy(&mCurDir[1]);
mPolicy->addDirective(aDir);
}
void
nsCSPParser::requireSRIForDirectiveValue(nsRequireSRIForDirective* aDir)
{
@@ -1077,12 +1039,12 @@ nsCSPParser::directiveName()
return mScriptSrc;
}
// If we have a style-src, cache it as a fallback for style-src-elem and
// style-src-attr.
if (CSP_IsDirective(mCurToken, nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE)) {
mStyleSrc = new nsCSPStyleSrcDirective(CSP_StringToCSPDirective(mCurToken));
return mStyleSrc;
}
// If we have a style-src, cache it as a fallback for style-src-elem and
// style-src-attr.
if (CSP_IsDirective(mCurToken, nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE)) {
mStyleSrc = new nsCSPStyleSrcDirective(CSP_StringToCSPDirective(mCurToken));
return mStyleSrc;
}
if (CSP_IsDirective(mCurToken, nsIContentSecurityPolicy::REQUIRE_SRI_FOR)) {
return new nsRequireSRIForDirective(CSP_StringToCSPDirective(mCurToken));
@@ -1158,13 +1120,6 @@ nsCSPParser::directive()
return;
}
// special case handling of the referrer directive (since it doesn't contain
// source lists)
if (cspDir->equals(nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
referrerDirectiveValue(cspDir);
return;
}
// special case handling for report-uri directive (since it doesn't contain
// a valid source list but rather actual URIs)
if (CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::REPORT_URI_DIRECTIVE)) {
@@ -1309,18 +1264,18 @@ nsCSPParser::policy()
if (mScriptSrc && !mPolicy->hasDirective(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE)) {
mScriptSrc->setRestrictScriptAttr();
}
// If style-src is specified and style-src-elem is not specified, then
// style-src serves as a fallback.
if (mStyleSrc && !mPolicy->hasDirective(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE)) {
mStyleSrc->setRestrictStyleElem();
}
// If style-src is specified and style-src-attr is not specified, then
// style-src serves as a fallback.
if (mStyleSrc && !mPolicy->hasDirective(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE)) {
mStyleSrc->setRestrictStyleAttr();
}
// If style-src is specified and style-src-elem is not specified, then
// style-src serves as a fallback.
if (mStyleSrc && !mPolicy->hasDirective(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE)) {
mStyleSrc->setRestrictStyleElem();
}
// If style-src is specified and style-src-attr is not specified, then
// style-src serves as a fallback.
if (mStyleSrc && !mPolicy->hasDirective(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE)) {
mStyleSrc->setRestrictStyleAttr();
}
return mPolicy;
}
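Review bot: With the REFERRER_DIRECTIVE branch removed from nsCSPParser::directive(), a policy that still sends `referrer no-referrer` no longer restricts the referrer, and nothing visible on this page pins what the parser now does with that token. The old path failed closed (an invalid or conflicting value produced no-referrer), so the new outcome deserves a regression row; presumably the name is now rejected like any unknown directive, in which case `{ "referrer no-referrer", "" },` in the CSPParser BadPolicies table would document it, next to the existing `asdf http://test.com` row. Separately, the deleted referrerDirectiveValue() held the only visible call to `SetHasReferrerPolicyCSP`, and no section here touches the header that declares either name, so both declarations and the document flag look like leftovers to remove or confirm as still needed. directive() starts and ends outside its hunk.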
+3 -17
@@ -1268,7 +1268,7 @@ nsCSPDirective::toDomCSPStruct(mozilla::dom::CSP& outCSP) const
outCSP.mScript_src_attr.Value() = mozilla::Move(srcs);
return;
// REFERRER_DIRECTIVE and REQUIRE_SRI_FOR are handled in nsCSPPolicy::toDomCSPStruct()
// REQUIRE_SRI_FOR is handled in nsCSPPolicy::toDomCSPStruct()
default:
NS_ASSERTION(false, "cannot find directive to convert CSP to JSON");
@@ -1614,14 +1614,7 @@ nsCSPPolicy::toString(nsAString& outStr) const
{
uint32_t length = mDirectives.Length();
for (uint32_t i = 0; i < length; ++i) {
if (mDirectives[i]->equals(nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
outStr.AppendASCII(CSP_CSPDirectiveToString(nsIContentSecurityPolicy::REFERRER_DIRECTIVE));
outStr.AppendASCII(" ");
outStr.Append(mReferrerPolicy);
} else {
mDirectives[i]->toString(outStr);
}
mDirectives[i]->toString(outStr);
if (i != (length - 1)) {
outStr.AppendASCII("; ");
}
@@ -1634,14 +1627,7 @@ nsCSPPolicy::toDomCSPStruct(mozilla::dom::CSP& outCSP) const
outCSP.mReport_only = mReportOnly;
for (uint32_t i = 0; i < mDirectives.Length(); ++i) {
if (mDirectives[i]->equals(nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
mozilla::dom::Sequence<nsString> srcs;
srcs.AppendElement(mReferrerPolicy, mozilla::fallible);
outCSP.mReferrer.Construct();
outCSP.mReferrer.Value() = srcs;
} else {
mDirectives[i]->toDomCSPStruct(outCSP);
}
mDirectives[i]->toDomCSPStruct(outCSP);
}
}
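Review bot: The updated comment in nsCSPDirective::toDomCSPStruct, `// REQUIRE_SRI_FOR is handled in nsCSPPolicy::toDomCSPStruct()`, no longer matches the last hunk, where nsCSPPolicy::toDomCSPStruct now only sets mReport_only and calls `mDirectives[i]->toDomCSPStruct(outCSP)` for every directive with no special case. If a require-sri-for directive can reach the `default:` branch it would hit the NS_ASSERTION, so the comment should name whichever override actually handles it, or be dropped if none does. The `mReferrer` member of mozilla::dom::CSP is also no longer populated here; its dictionary definition is not among the visible sections and is presumably now unused.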
-11
@@ -158,7 +158,6 @@ static const char* CSPStrDirectives[] = {
"reflected-xss", // REFLECTED_XSS_DIRECTIVE
"base-uri", // BASE_URI_DIRECTIVE
"form-action", // FORM_ACTION_DIRECTIVE
"referrer", // REFERRER_DIRECTIVE
"manifest-src", // MANIFEST_SRC_DIRECTIVE
"upgrade-insecure-requests", // UPGRADE_IF_INSECURE_DIRECTIVE
"child-src", // CHILD_SRC_DIRECTIVE
@@ -747,15 +746,6 @@ class nsCSPPolicy {
inline bool getReportOnlyFlag() const
{ return mReportOnly; }
inline void setReferrerPolicy(const nsAString* aValue)
{
mReferrerPolicy = *aValue;
ToLowerCase(mReferrerPolicy);
}
inline void getReferrerPolicy(nsAString& outPolicy) const
{ outPolicy.Assign(mReferrerPolicy); }
void getReportURIs(nsTArray<nsString> &outReportURIs) const;
void getDirectiveStringForContentType(CSPDirective aDirective,
@@ -776,7 +766,6 @@ class nsCSPPolicy {
nsUpgradeInsecureDirective* mUpgradeInsecDir;
nsTArray<nsCSPDirective*> mDirectives;
bool mReportOnly;
nsString mReferrerPolicy;
};
#endif /* nsCSPUtils_h___ */
@@ -1,55 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Subframe test for bug 965727</title>
<script type="text/javascript">
// we can get the ID out of the querystring.
var args = document.location.search.substring(1).split('&');
var id = "unknown";
for (var i=0; i < args.length; i++) {
var arg = unescape(args[i]);
if (arg.indexOf('=') > 0 && arg.indexOf('id') == 0) {
id = arg.split('=')[1].trim();
}
}
var results = {
'id': id,
'referrer': document.location.href,
'results': {
'sameorigin': false,
'crossorigin': false,
'downgrade': false
}
};
// this is called back by each script load.
var postResult = function(loadType, referrerLevel, referrer) {
results.results[loadType] = referrerLevel;
// and then check if all three have loaded.
for (var id in results.results) {
if (!results.results[id]) {
return;
}
}
//finished if we don't return early
window.parent.postMessage(JSON.stringify(results), "*");
console.log(JSON.stringify(results));
}
</script>
</head>
<body>
Testing ...
<script src="https://example.com/tests/dom/security/test/csp/referrerdirective.sjs?type=sameorigin&"
onerror="postResult('sameorigin', 'error');"></script>
<script src="https://test2.example.com/tests/dom/security/test/csp/referrerdirective.sjs?type=crossorigin&"
onerror="postResult('crossorigin', 'error');"></script>
<script src="http://example.com/tests/dom/security/test/csp/referrerdirective.sjs?type=downgrade&"
onerror="postResult('downgrade', 'error');"></script>
</body>
</html>
@@ -1,55 +0,0 @@
// special *.sjs specifically customized for the needs of
// Bug 1139297 and Bug 663570
const PRE_HEAD =
"<!DOCTYPE HTML>" +
"<html>" +
"<head>";
const POST_HEAD =
"<meta charset='utf-8'>" +
"<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>" +
"</head>" +
"<body>" +
"<img id='testimage' src='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs?img'></img>" +
"</body>" +
"</html>";
const PRE_CSP = "upgrade-insecure-requests; default-src https:; ";
const CSP_REFERRER_ORIGIN = "referrer origin";
const CSP_REFEFFER_NO_REFERRER = "referrer no-referrer";
function handleRequest(request, response)
{
// avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
var queryString = request.queryString;
if (queryString === "test1") {
response.setHeader("Content-Security-Policy", PRE_CSP + CSP_REFERRER_ORIGIN, false);
response.write(PRE_HEAD + POST_HEAD);
return;
}
if (queryString === "test2") {
response.setHeader("Content-Security-Policy", PRE_CSP + CSP_REFEFFER_NO_REFERRER, false);
response.write(PRE_HEAD + POST_HEAD);
return;
}
if (queryString === "test3") {
var metacsp = "<meta http-equiv=\"Content-Security-Policy\" content = \"" + PRE_CSP + CSP_REFERRER_ORIGIN + "\" >";
response.write(PRE_HEAD + metacsp + POST_HEAD);
return;
}
if (queryString === "test4") {
var metacsp = "<meta http-equiv=\"Content-Security-Policy\" content = \"" + PRE_CSP + CSP_REFEFFER_NO_REFERRER + "\" >";
response.write(PRE_HEAD + metacsp + POST_HEAD);
return;
}
// we should never get here, but just in case return
// something unexpected
response.write("do'h");
}
@@ -1,56 +0,0 @@
// Custom *.sjs file specifically for the needs of Bug:
// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
// small red image
const IMG_BYTES = atob(
"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
function handleRequest(request, response)
{
// avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
var queryString = request.queryString;
// (1) lets process the queryresult request async and
// wait till we have received the image request.
if (queryString == "queryresult") {
response.processAsync();
setObjectState("queryResult", response);
return;
}
// (2) Handle the image request and return the referrer
// result back to the stored queryresult request.
if (request.queryString == "img") {
response.setHeader("Content-Type", "image/png");
response.write(IMG_BYTES);
let referrer = "";
try {
referrer = request.getHeader("referer");
} catch (e) {
referrer = "";
}
// make sure the received image request was upgraded to https,
// otherwise we return not only the referrer but also indicate
// that the request was not upgraded to https. Note, that
// all upgrades happen in the browser before any non-secure
// request hits the wire.
referrer += (request.scheme == "https") ?
"" : " but request is not https";
getObjectState("queryResult", function(queryResponse) {
if (!queryResponse) {
return;
}
queryResponse.write(referrer);
queryResponse.finish();
});
return;
}
// we should not get here ever, but just in case return
// something unexpected.
response.write("doh!");
}
-6
@@ -125,7 +125,6 @@ support-files =
file_multi_policy_injection_bypass_2.html^headers^
file_null_baseuri.html
file_form-action.html
file_referrerdirective.html
referrerdirective.sjs
file_upgrade_insecure.html
file_upgrade_insecure_meta.html
@@ -133,8 +132,6 @@ support-files =
file_upgrade_insecure_wsh.py
file_upgrade_insecure_reporting.html
file_upgrade_insecure_reporting_server.sjs
file_upgrade_insecure_referrer.sjs
file_upgrade_insecure_referrer_server.sjs
file_upgrade_insecure_cors.html
file_upgrade_insecure_cors_server.sjs
file_report_for_import.css
@@ -266,15 +263,12 @@ skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
[test_leading_wildcard.html]
[test_multi_policy_injection_bypass.html]
[test_null_baseuri.html]
[test_referrerdirective.html]
[test_dual_header.html]
[test_upgrade_insecure.html]
# no ssl support as well as websocket tests do not work (see test_websocket.html)
skip-if = toolkit == 'android' || (os != 'linux' && !debug) # Bug 1316305, Bug 1183300
[test_upgrade_insecure_reporting.html]
skip-if = toolkit == 'android'
[test_upgrade_insecure_referrer.html]
skip-if = toolkit == 'android'
[test_upgrade_insecure_cors.html]
skip-if = toolkit == 'android'
[test_report_for_import.html]
@@ -1,85 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/* Description of the test:
* We load a page that makes use of the CSP referrer directive as well
* as upgrade-insecure-requests. The page loads an image over http.
* The test makes sure the request gets upgraded to https and the
* correct referrer gets sent.
*/
var tests = [
{
query: "test1",
description: "upgrade insecure request with 'referrer = origin' (CSP in header)",
result: "http://example.com/"
},
{
query: "test2",
description: "upgrade insecure request with 'referrer = no-referrer' (CSP in header)",
result: ""
},
{
query: "test3",
description: "upgrade insecure request with 'referrer = origin' (Meta CSP)",
result: "http://example.com/"
},
{
query: "test4",
description: "upgrade insecure request with 'referrer = no-referrer' (Meta CSP)",
result: ""
}
];
var counter = 0;
var curTest;
function loadTestPage() {
curTest = tests[counter++];
var src = "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_referrer.sjs?";
// append the query
src += curTest.query;
document.getElementById("testframe").src = src;
}
function runNextTest() {
// sends a request to the server which is processed async and returns
// once the server received the expected image request
var myXHR = new XMLHttpRequest();
myXHR.open("GET", "file_upgrade_insecure_referrer_server.sjs?queryresult");
myXHR.onload = function(e) {
is(myXHR.responseText, curTest.result, curTest.description);
if (counter == tests.length) {
SimpleTest.finish();
return;
}
// move on to the next test by setting off another query request.
runNextTest();
}
myXHR.onerror = function(e) {
ok(false, "could not query results from server (" + e.message + ")");
SimpleTest.finish();
}
myXHR.send();
// give it some time and load the testpage
SimpleTest.executeSoon(loadTestPage);
}
SimpleTest.waitForExplicitFinish();
runNextTest();
</script>
</body>
</html>
@@ -234,8 +234,6 @@ TEST(CSPParser, Directives)
"script-src 'sha256-a'" },
{ "script-src 'sha256-siVR8vAcqP06h2ppeNwqgjr0yZ6yned4X2VF84j4GmI='",
"script-src 'sha256-siVR8vAcqP06h2ppeNwqgjr0yZ6yned4X2VF84j4GmI='" },
{ "referrer no-referrer",
"referrer no-referrer" },
{ "require-sri-for script style",
"require-sri-for script style"},
{ "script-src 'nonce-foo' 'unsafe-inline' ",
@@ -310,8 +308,6 @@ TEST(CSPParser, IgnoreUpperLowerCasePolicies)
"script-src 'nonce-NONCENEEDSTOBEUPPERCASE'" },
{ "script-src 'SHA256-siVR8vAcqP06h2ppeNwqgjr0yZ6yned4X2VF84j4GmI='",
"script-src 'sha256-siVR8vAcqP06h2ppeNwqgjr0yZ6yned4X2VF84j4GmI='" },
{ "refERRer No-refeRRer",
"referrer no-referrer" },
{ "upgrade-INSECURE-requests",
"upgrade-insecure-requests" },
{ "sanDBox alloW-foRMs",
@@ -605,8 +601,6 @@ TEST(CSPParser, BadPolicies)
{ "defaut-src asdf", "" },
{ "default-src: aaa", "" },
{ "asdf http://test.com", ""},
{ "referrer", ""},
{ "referrer foo", ""},
{ "require-sri-for", ""},
{ "require-sri-for foo", ""},
{ "report-uri", ""},
-20
@@ -2377,20 +2377,10 @@ WorkerPrivateParent<Derived>::SetCSPFromHeaderValues(const nsACString& aCSPHeade
rv = csp->GetAllowsEval(&reportEvalViolations, &evalAllowed);
NS_ENSURE_SUCCESS(rv, rv);
// Set ReferrerPolicy, default value is set in GetReferrerPolicy
bool hasReferrerPolicy = false;
uint32_t rp = mozilla::net::RP_Unset;
rv = csp->GetReferrerPolicy(&rp, &hasReferrerPolicy);
NS_ENSURE_SUCCESS(rv, rv);
mLoadInfo.mCSP = csp;
mLoadInfo.mEvalAllowed = evalAllowed;
mLoadInfo.mReportCSPViolations = reportEvalViolations;
if (hasReferrerPolicy) {
mLoadInfo.mReferrerPolicy = static_cast<net::ReferrerPolicy>(rp);
}
return NS_OK;
}
@@ -3635,16 +3625,6 @@ WorkerLoadInfo::SetPrincipalOnMainThread(nsIPrincipal* aPrincipal,
if (mCSP) {
mCSP->GetAllowsEval(&mReportCSPViolations, &mEvalAllowed);
// Set ReferrerPolicy
bool hasReferrerPolicy = false;
uint32_t rp = mozilla::net::RP_Unset;
rv = mCSP->GetReferrerPolicy(&rp, &hasReferrerPolicy);
NS_ENSURE_SUCCESS(rv, rv);
if (hasReferrerPolicy) {
mReferrerPolicy = static_cast<net::ReferrerPolicy>(rp);
}
} else {
mEvalAllowed = true;
mReportCSPViolations = false;
-24
@@ -113,30 +113,6 @@ ReferrerPolicyFromString(const nsAString& content)
}
inline bool
IsValidReferrerPolicy(const nsAString& content)
{
if (content.IsEmpty()) {
return true;
}
nsString lowerContent(content);
ToLowerCase(lowerContent);
return lowerContent.EqualsLiteral(kRPS_Never)
|| lowerContent.EqualsLiteral(kRPS_No_Referrer)
|| lowerContent.EqualsLiteral(kRPS_Origin)
|| lowerContent.EqualsLiteral(kRPS_Default)
|| lowerContent.EqualsLiteral(kRPS_No_Referrer_When_Downgrade)
|| lowerContent.EqualsLiteral(kRPS_Origin_When_Cross_Origin)
|| lowerContent.EqualsLiteral(kRPS_Origin_When_Crossorigin)
|| lowerContent.EqualsLiteral(kRPS_Same_Origin)
|| lowerContent.EqualsLiteral(kRPS_Strict_Origin)
|| lowerContent.EqualsLiteral(kRPS_Strict_Origin_When_Cross_Origin)
|| lowerContent.EqualsLiteral(kRPS_Always)
|| lowerContent.EqualsLiteral(kRPS_Unsafe_URL);
}
inline ReferrerPolicy
AttributeReferrerPolicyFromString(const nsAString& content)
{
-9
@@ -1141,15 +1141,6 @@ nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP)
true); // delivered through the meta tag
NS_ENSURE_SUCCESS_VOID(rv);
// Record "speculated" referrer policy for preloads
bool hasReferrerPolicy = false;
uint32_t referrerPolicy = mozilla::net::RP_Unset;
rv = preloadCsp->GetReferrerPolicy(&referrerPolicy, &hasReferrerPolicy);
NS_ENSURE_SUCCESS_VOID(rv);
if (hasReferrerPolicy) {
SetSpeculationReferrerPolicy(static_cast<ReferrerPolicy>(referrerPolicy));
}
mDocument->ApplySettingsFromCSP(true);
}