roytam1/basilisk55
1
0
Fork 0
mirror of https://github.com/roytam1/basilisk55.git synced 2026-05-26 15:02:46 +00:00
Code Issues Projects Releases Wiki Activity

import from UXP: [DOM security] Be more explicit about CSP checks and reports. (95120acb)

Browse Source
This commit is contained in:
roytam1
2022-09-22 10:46:25 +08:00
parent c9eb916505
commit d8979aa9f6
5 changed files with 70 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
parser/html/nsHtml5TreeOpExecutor.cpp
+55 -1
View File
@@ -1021,9 +1021,63 @@ nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL)
return;
}
const nsCString& charset = mDocument->GetDocumentCharacterSet();
DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL,
nsCOMPtr<nsIURI> newBaseURI;
nsresult rv = NS_NewURI(getter_AddRefs(newBaseURI), aURL,
charset.get(), mDocument->GetDocumentURI());
NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI");
if (!newBaseURI) {
return;
}
if (!CSPService::sCSPEnabled) {
// If CSP is not enabled, just pass back the URI
mSpeculationBaseURI = newBaseURI;
return;
}
NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
nsCOMPtr<nsIPrincipal> principal = mDocument->NodePrincipal();
nsCOMPtr<nsIDOMDocument> domDoc = do_QueryInterface(mDocument);
// Check the document's CSP usually delivered via the CSP header.
nsCOMPtr<nsIContentSecurityPolicy> documentCsp;
rv = principal->EnsureCSP(domDoc, getter_AddRefs(documentCsp));
NS_ENSURE_SUCCESS_VOID(rv);
if (documentCsp) {
// base-uri should not fallback to the default-src and preloads should not
// trigger violation reports.
bool cspPermitsBaseURI = true;
rv = documentCsp->Permits(
newBaseURI,
nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
true /* aSpecific */,
false /* aSendViolationReports */,
&cspPermitsBaseURI);
if (NS_FAILED(rv) || !cspPermitsBaseURI) {
return;
}
}
// Also check the CSP discovered from the <meta> tag during speculative
// parsing.
nsCOMPtr<nsIContentSecurityPolicy> preloadCsp;
rv = principal->EnsurePreloadCSP(domDoc, getter_AddRefs(preloadCsp));
NS_ENSURE_SUCCESS_VOID(rv);
if (preloadCsp) {
bool cspPermitsBaseURI = true;
rv = preloadCsp->Permits(
newBaseURI,
nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
true /* aSpecific */,
false /* aSendViolationReports */,
&cspPermitsBaseURI);
if (NS_FAILED(rv) || !cspPermitsBaseURI) {
return;
}
}
mSpeculationBaseURI = newBaseURI;
}
void