Diffstat (limited to 'dom/security/nsCSPParser.cpp')
-rw-r--r--dom/security/nsCSPParser.cpp70
1 files changed, 41 insertions, 29 deletions
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
index 2559367831..07812470a3 100644
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -936,14 +936,6 @@ nsCSPDirective* nsCSPParser::directiveName() {
// directive = *WSP [ directive-name [ WSP directive-value ] ]
void nsCSPParser::directive() {
- // Set the directiveName to mCurToken
- // Remember, the directive name is stored at index 0
- mCurToken = mCurDir[0];
-
- CSPPARSERLOG(("nsCSPParser::directive, mCurToken: %s, mCurValue: %s",
- NS_ConvertUTF16toUTF8(mCurToken).get(),
- NS_ConvertUTF16toUTF8(mCurValue).get()));
-
// Make sure that the directive-srcs-array contains at least
// one directive.
if (mCurDir.Length() == 0) {
@@ -953,6 +945,14 @@ void nsCSPParser::directive() {
return;
}
+ // Set the directiveName to mCurToken
+ // Remember, the directive name is stored at index 0
+ mCurToken = mCurDir[0];
+
+ CSPPARSERLOG(("nsCSPParser::directive, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
if (CSP_IsEmptyDirective(mCurValue, mCurToken)) {
return;
}
@@ -1029,20 +1029,32 @@ void nsCSPParser::directive() {
srcs.InsertElementAt(0, keyword);
}
+ MaybeWarnAboutIgnoredSources(srcs);
+ MaybeWarnAboutUnsafeInline(*cspDir);
+ MaybeWarnAboutUnsafeEval(*cspDir);
+
+ // Add the newly created srcs to the directive and add the directive to the
+ // policy
+ cspDir->addSrcs(srcs);
+ mPolicy->addDirective(cspDir);
+}
+
+void nsCSPParser::MaybeWarnAboutIgnoredSources(
+ const nsTArray<nsCSPBaseSrc*>& aSrcs) {
// If policy contains 'strict-dynamic' warn about ignored sources.
if (mStrictDynamic &&
!CSP_IsDirective(mCurDir[0],
nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE)) {
- for (uint32_t i = 0; i < srcs.Length(); i++) {
+ for (uint32_t i = 0; i < aSrcs.Length(); i++) {
nsAutoString srcStr;
- srcs[i]->toString(srcStr);
+ aSrcs[i]->toString(srcStr);
// Hashes and nonces continue to apply with 'strict-dynamic', as well as
// 'unsafe-eval', 'wasm-unsafe-eval' and 'unsafe-hashes'.
- if (!srcs[i]->isKeyword(CSP_STRICT_DYNAMIC) &&
- !srcs[i]->isKeyword(CSP_UNSAFE_EVAL) &&
- !srcs[i]->isKeyword(CSP_WASM_UNSAFE_EVAL) &&
- !srcs[i]->isKeyword(CSP_UNSAFE_HASHES) && !srcs[i]->isNonce() &&
- !srcs[i]->isHash()) {
+ if (!aSrcs[i]->isKeyword(CSP_STRICT_DYNAMIC) &&
+ !aSrcs[i]->isKeyword(CSP_UNSAFE_EVAL) &&
+ !aSrcs[i]->isKeyword(CSP_WASM_UNSAFE_EVAL) &&
+ !aSrcs[i]->isKeyword(CSP_UNSAFE_HASHES) && !aSrcs[i]->isNonce() &&
+ !aSrcs[i]->isHash()) {
AutoTArray<nsString, 2> params = {srcStr, mCurDir[0]};
logWarningErrorToConsole(nsIScriptError::warningFlag,
"ignoringScriptSrcForStrictDynamic", params);
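Review bot: `MaybeWarnAboutIgnoredSources` reads `mCurDir[0]` unguarded in its own condition and in the `params` initialiser, so the extracted helper carries the same non-empty-`mCurDir` precondition that this commit just had to repair in `directive()`, but as a standalone member nothing enforces or documents it. I would either state it at the top of the helper, `MOZ_ASSERT(!mCurDir.IsEmpty(), "directive name must be present");` if that macro is available in this file, or pass the directive name in explicitly next to `aSrcs`. `srcStr` is also built on every iteration before the keyword/nonce/hash test decides whether a warning is emitted; moving the `toString` call inside the `if` keeps the no-warning path free of that work. The start of `directive()` lies before this hunk and the helper's body continues into the next one.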
@@ -1057,37 +1069,37 @@ void nsCSPParser::directive() {
"strictDynamicButNoHashOrNonce", params);
}
}
+}
+void nsCSPParser::MaybeWarnAboutUnsafeInline(const nsCSPDirective& aDirective) {
// From https://w3c.github.io/webappsec-csp/#allow-all-inline
// follows that when either a hash or nonce is specified, 'unsafe-inline'
// should not apply.
if (mHasHashOrNonce && mUnsafeInlineKeywordSrc &&
- (cspDir->isDefaultDirective() ||
- cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE))) {
+ (aDirective.isDefaultDirective() ||
+ aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
+ aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
+ aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) ||
+ aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) ||
+ aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) ||
+ aDirective.equals(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE))) {
// Log to the console that unsafe-inline will be ignored.
AutoTArray<nsString, 2> params = {u"'unsafe-inline'"_ns, mCurDir[0]};
logWarningErrorToConsole(nsIScriptError::warningFlag,
"ignoringSrcWithinNonceOrHashDirective", params);
}
+}
+void nsCSPParser::MaybeWarnAboutUnsafeEval(const nsCSPDirective& aDirective) {
if (mHasAnyUnsafeEval &&
- (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
- cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) {
+ (aDirective.equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
+ aDirective.equals(
+ nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) {
// Log to the console that (wasm-)unsafe-eval will be ignored.
AutoTArray<nsString, 1> params = {mCurDir[0]};
logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringUnsafeEval",
params);
}
-
- // Add the newly created srcs to the directive and add the directive to the
- // policy
- cspDir->addSrcs(srcs);
- mPolicy->addDirective(cspDir);
}
// policy = [ directive *( ";" [ directive ] ) ]
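Review bot: Both new helpers accept the directive as `aDirective` yet still fetch the name for the console message from parser state (`mCurDir[0]` in each `params` initialiser), so they depend on `mCurDir` being non-empty and current even though their signatures suggest they only need the directive. Consider taking the name as a second `const nsAString&` parameter, or deriving it from `aDirective` if it exposes its name, so the helpers can be called from any context without that hidden requirement. Separately, there is no blank line between `}` and the following `void nsCSPParser::MaybeWarnAbout…` definition in two places; the diffstat's 41-insertion count suggests these are genuinely absent rather than dropped by the page, so a separating blank line would match the spacing used before the first helper.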