[tbb-commits] [tor-browser/tor-browser-78.8.0esr-10.0-1] Bug 1687342: Blocked-URI in CSP reports should be URI before redirects with ref removed r=freddyb, dveditz a=pascalc
sysrqb at torproject.org
sysrqb at torproject.org
Wed Feb 17 03:51:18 UTC 2021
commit 834ae039ea8957f794624ca6d125628e3979569f
Author: Christoph Kerschbaumer <ckerschb at christophkerschbaumer.com>
Date: Tue Feb 9 18:42:03 2021 +0000
Bug 1687342: Blocked-URI in CSP reports should be URI before redirects with ref removed r=freddyb,dveditz a=pascalc
Differential Revision: https://phabricator.services.mozilla.com/D103450
---
dom/security/nsCSPContext.cpp | 38 ++++++++--------------
.../test/csp/test_blocked_uri_in_reports.html | 6 ++--
.../frame-src/frame-src-redirect.html.ini | 5 +++
3 files changed, 22 insertions(+), 27 deletions(-)
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 3601f5a4f2fc..413044afcc88 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -950,20 +950,18 @@ void nsCSPContext::logToConsole(const char* aName,
/**
* Strip URI for reporting according to:
- * http://www.w3.org/TR/CSP/#violation-reports
+ * https://w3c.github.io/webappsec-csp/#security-violation-reports
*
* @param aURI
- * The uri to be stripped for reporting
- * @param aSelfURI
- * The uri of the protected resource
- * which is needed to enforce the SOP.
- * @return ASCII serialization of the uri to be reported.
+ * The URI of the blocked resource. In case of a redirect, this it the
+ * initial URI the request started out with, not the redirected URI.
+ * @return The ASCII serialization of the uri to be reported ignoring
+ * the ref part of the URI.
*/
-void StripURIForReporting(nsIURI* aURI, nsIURI* aSelfURI,
- nsACString& outStrippedURI) {
- // 1) If the origin of uri is a globally unique identifier (for example,
- // aURI has a scheme of data, blob, or filesystem), then return the
- // ASCII serialization of uriâs scheme.
+void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) {
+ // If the origin of aURI is a globally unique identifier (for example,
+ // aURI has a scheme of data, blob, or filesystem), then
+ // return the ASCII serialization of uriâs scheme.
bool isHttpFtpOrWs =
(aURI->SchemeIs("http") || aURI->SchemeIs("https") ||
aURI->SchemeIs("ftp") || aURI->SchemeIs("ws") || aURI->SchemeIs("wss"));
@@ -976,7 +974,7 @@ void StripURIForReporting(nsIURI* aURI, nsIURI* aSelfURI,
return;
}
- // Return uri, with any fragment component removed.
+ // Return aURI, with any fragment component removed.
aURI->GetSpecIgnoringRef(outStrippedURI);
}
@@ -996,7 +994,7 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
// document-uri
nsAutoCString reportDocumentURI;
- StripURIForReporting(mSelfURI, mSelfURI, reportDocumentURI);
+ StripURIForReporting(mSelfURI, reportDocumentURI);
aViolationEventInit.mDocumentURI = NS_ConvertUTF8toUTF16(reportDocumentURI);
// referrer
@@ -1004,17 +1002,9 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
// blocked-uri
if (aBlockedURI) {
- // in case of blocking a browsing context (frame) we have to report
- // the final URI in case of a redirect. For subresources we report
- // the URI before redirects.
- nsCOMPtr<nsIURI> uriToReport;
- if (aViolatedDirective.EqualsLiteral("frame-src")) {
- uriToReport = aBlockedURI;
- } else {
- uriToReport = aOriginalURI ? aOriginalURI : aBlockedURI;
- }
nsAutoCString reportBlockedURI;
- StripURIForReporting(uriToReport, mSelfURI, reportBlockedURI);
+ StripURIForReporting(aOriginalURI ? aOriginalURI : aBlockedURI,
+ reportBlockedURI);
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(reportBlockedURI);
} else {
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(aBlockedString);
@@ -1914,4 +1904,4 @@ void nsCSPContext::SerializePolicies(
}
aPolicies.AppendElements(mIPCPolicies);
-}
\ No newline at end of file
+}
diff --git a/dom/security/test/csp/test_blocked_uri_in_reports.html b/dom/security/test/csp/test_blocked_uri_in_reports.html
index 0bb986ec3d04..f40d98efc5d3 100644
--- a/dom/security/test/csp/test_blocked_uri_in_reports.html
+++ b/dom/security/test/csp/test_blocked_uri_in_reports.html
@@ -19,9 +19,9 @@ SimpleTest.waitForExplicitFinish();
* which gets redirected to:
* http://test1.example.com/tests/dom/security//test/csp/file_path_matching.js
*
- * The blocked-uri in the csp-report should be:
- * test1.example.com
- * instead of:
+ * The blocked-uri in the csp-report should be the original URI:
+ * http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
+ * instead of the redirected URI:
* http://test1.example.com/tests/com/security/test/csp/file_path_matching.js
*
* see also: http://www.w3.org/TR/CSP/#violation-reports
diff --git a/testing/web-platform/meta/content-security-policy/frame-src/frame-src-redirect.html.ini b/testing/web-platform/meta/content-security-policy/frame-src/frame-src-redirect.html.ini
new file mode 100644
index 000000000000..afc5b552aae4
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/frame-src/frame-src-redirect.html.ini
@@ -0,0 +1,5 @@
+[frame-src-redirect.html]
+ expected: TIMEOUT
+ [Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect]
+ expected: TIMEOUT
+
More information about the tbb-commits
mailing list