diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
| commit | d8bbc7858622b6d9c278469aab701ca0b609cddf (patch) | |
| tree | eff41dc61d9f714852212739e6b3738b82a2af87 /dom/security/nsCSPParser.cpp | |
| parent | Releasing progress-linux version 125.0.3-1~progress7.99u1. (diff) | |
| download | firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.tar.xz firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.zip | |
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/security/nsCSPParser.cpp')
| -rw-r--r-- | dom/security/nsCSPParser.cpp | 70 |
1 files changed, 41 insertions, 29 deletions
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp index 2559367831..07812470a3 100644 --- a/dom/security/nsCSPParser.cpp +++ b/dom/security/nsCSPParser.cpp @@ -936,14 +936,6 @@ nsCSPDirective* nsCSPParser::directiveName() { // directive = *WSP [ directive-name [ WSP directive-value ] ] void nsCSPParser::directive() { - // Set the directiveName to mCurToken - // Remember, the directive name is stored at index 0 - mCurToken = mCurDir[0]; - - CSPPARSERLOG(("nsCSPParser::directive, mCurToken: %s, mCurValue: %s", - NS_ConvertUTF16toUTF8(mCurToken).get(), - NS_ConvertUTF16toUTF8(mCurValue).get())); - // Make sure that the directive-srcs-array contains at least // one directive. if (mCurDir.Length() == 0) { @@ -953,6 +945,14 @@ void nsCSPParser::directive() { return; } + // Set the directiveName to mCurToken + // Remember, the directive name is stored at index 0 + mCurToken = mCurDir[0]; + + CSPPARSERLOG(("nsCSPParser::directive, mCurToken: %s, mCurValue: %s", + NS_ConvertUTF16toUTF8(mCurToken).get(), + NS_ConvertUTF16toUTF8(mCurValue).get())); + if (CSP_IsEmptyDirective(mCurValue, mCurToken)) { return; } @@ -1029,20 +1029,32 @@ void nsCSPParser::directive() { srcs.InsertElementAt(0, keyword); } + MaybeWarnAboutIgnoredSources(srcs); + MaybeWarnAboutUnsafeInline(*cspDir); + MaybeWarnAboutUnsafeEval(*cspDir); + + // Add the newly created srcs to the directive and add the directive to the + // policy + cspDir->addSrcs(srcs); + mPolicy->addDirective(cspDir); +} + +void nsCSPParser::MaybeWarnAboutIgnoredSources( + const nsTArray<nsCSPBaseSrc*>& aSrcs) { // If policy contains 'strict-dynamic' warn about ignored sources. if (mStrictDynamic && !CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE)) { - for (uint32_t i = 0; i < srcs.Length(); i++) { + for (uint32_t i = 0; i < aSrcs.Length(); i++) { nsAutoString srcStr; - srcs[i]->toString(srcStr); + aSrcs[i]->toString(srcStr); // Hashes and nonces continue to apply with 'strict-dynamic', as well as // 'unsafe-eval', 'wasm-unsafe-eval' and 'unsafe-hashes'. - if (!srcs[i]->isKeyword(CSP_STRICT_DYNAMIC) && - !srcs[i]->isKeyword(CSP_UNSAFE_EVAL) && - !srcs[i]->isKeyword(CSP_WASM_UNSAFE_EVAL) && - !srcs[i]->isKeyword(CSP_UNSAFE_HASHES) && !srcs[i]->isNonce() && - !srcs[i]->isHash()) { + if (!aSrcs[i]->isKeyword(CSP_STRICT_DYNAMIC) && + !aSrcs[i]->isKeyword(CSP_UNSAFE_EVAL) && + !aSrcs[i]->isKeyword(CSP_WASM_UNSAFE_EVAL) && + !aSrcs[i]->isKeyword(CSP_UNSAFE_HASHES) && !aSrcs[i]->isNonce() && + !aSrcs[i]->isHash()) { AutoTArray<nsString, 2> params = {srcStr, mCurDir[0]}; logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringScriptSrcForStrictDynamic", params); @@ -1057,37 +1069,37 @@ void nsCSPParser::directive() { "strictDynamicButNoHashOrNonce", params); } } +} +void nsCSPParser::MaybeWarnAboutUnsafeInline(const nsCSPDirective& aDirective) { // From https://w3c.github.io/webappsec-csp/#allow-all-inline // follows that when either a hash or nonce is specified, 'unsafe-inline' // should not apply. if (mHasHashOrNonce && mUnsafeInlineKeywordSrc && - (cspDir->isDefaultDirective() || - cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE))) { + (aDirective.isDefaultDirective() || + aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) || + aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) || + aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) || + aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) || + aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) || + aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE))) { // Log to the console that unsafe-inline will be ignored. AutoTArray<nsString, 2> params = {u"'unsafe-inline'"_ns, mCurDir[0]}; logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinNonceOrHashDirective", params); } +} +void nsCSPParser::MaybeWarnAboutUnsafeEval(const nsCSPDirective& aDirective) { if (mHasAnyUnsafeEval && - (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) || - cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) { + (aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) || + aDirective.equals( + nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) { // Log to the console that (wasm-)unsafe-eval will be ignored. AutoTArray<nsString, 1> params = {mCurDir[0]}; logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringUnsafeEval", params); } - - // Add the newly created srcs to the directive and add the directive to the - // policy - cspDir->addSrcs(srcs); - mPolicy->addDirective(cspDir); } // policy = [ directive *( ";" [ directive ] ) ] |