summaryrefslogtreecommitdiffstats
path: root/dom/security/nsCSPParser.cpp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /dom/security/nsCSPParser.cpp
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/security/nsCSPParser.cpp')
-rw-r--r--dom/security/nsCSPParser.cpp1290
1 files changed, 1290 insertions, 0 deletions
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
new file mode 100644
index 0000000000..623de34f28
--- /dev/null
+++ b/dom/security/nsCSPParser.cpp
@@ -0,0 +1,1290 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/TextUtils.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "nsCOMPtr.h"
+#include "nsContentUtils.h"
+#include "nsCSPParser.h"
+#include "nsCSPUtils.h"
+#include "nsIScriptError.h"
+#include "nsNetUtil.h"
+#include "nsReadableUtils.h"
+#include "nsServiceManagerUtils.h"
+#include "nsUnicharUtils.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+
+static LogModule* GetCspParserLog() {
+ static LazyLogModule gCspParserPRLog("CSPParser");
+ return gCspParserPRLog;
+}
+
+#define CSPPARSERLOG(args) \
+ MOZ_LOG(GetCspParserLog(), mozilla::LogLevel::Debug, args)
+#define CSPPARSERLOGENABLED() \
+ MOZ_LOG_TEST(GetCspParserLog(), mozilla::LogLevel::Debug)
+
+static const uint32_t kSubHostPathCharacterCutoff = 512;
+
+static const char* const kHashSourceValidFns[] = {"sha256", "sha384", "sha512"};
+static const uint32_t kHashSourceValidFnsLen = 3;
+
+/* ===== nsCSPParser ==================== */
+
+nsCSPParser::nsCSPParser(policyTokens& aTokens, nsIURI* aSelfURI,
+ nsCSPContext* aCSPContext, bool aDeliveredViaMetaTag,
+ bool aSuppressLogMessages)
+ : mCurChar(nullptr),
+ mEndChar(nullptr),
+ mHasHashOrNonce(false),
+ mHasAnyUnsafeEval(false),
+ mStrictDynamic(false),
+ mUnsafeInlineKeywordSrc(nullptr),
+ mChildSrc(nullptr),
+ mFrameSrc(nullptr),
+ mWorkerSrc(nullptr),
+ mScriptSrc(nullptr),
+ mStyleSrc(nullptr),
+ mParsingFrameAncestorsDir(false),
+ mTokens(aTokens.Clone()),
+ mSelfURI(aSelfURI),
+ mPolicy(nullptr),
+ mCSPContext(aCSPContext),
+ mDeliveredViaMetaTag(aDeliveredViaMetaTag),
+ mSuppressLogMessages(aSuppressLogMessages) {
+ CSPPARSERLOG(("nsCSPParser::nsCSPParser"));
+}
+
+nsCSPParser::~nsCSPParser() { CSPPARSERLOG(("nsCSPParser::~nsCSPParser")); }
+
+static bool isCharacterToken(char16_t aSymbol) {
+ return (aSymbol >= 'a' && aSymbol <= 'z') ||
+ (aSymbol >= 'A' && aSymbol <= 'Z');
+}
+
+bool isNumberToken(char16_t aSymbol) {
+ return (aSymbol >= '0' && aSymbol <= '9');
+}
+
+bool isValidHexDig(char16_t aHexDig) {
+ return (isNumberToken(aHexDig) || (aHexDig >= 'A' && aHexDig <= 'F') ||
+ (aHexDig >= 'a' && aHexDig <= 'f'));
+}
+
+static bool isValidBase64Value(const char16_t* cur, const char16_t* end) {
+ // Using grammar at
+ // https://w3c.github.io/webappsec-csp/#grammardef-nonce-source
+
+ // May end with one or two =
+ if (end > cur && *(end - 1) == EQUALS) end--;
+ if (end > cur && *(end - 1) == EQUALS) end--;
+
+ // Must have at least one character aside from any =
+ if (end == cur) {
+ return false;
+ }
+
+ // Rest must all be A-Za-z0-9+/-_
+ for (; cur < end; ++cur) {
+ if (!(isCharacterToken(*cur) || isNumberToken(*cur) || *cur == PLUS ||
+ *cur == SLASH || *cur == DASH || *cur == UNDERLINE)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+void nsCSPParser::resetCurChar(const nsAString& aToken) {
+ mCurChar = aToken.BeginReading();
+ mEndChar = aToken.EndReading();
+ resetCurValue();
+}
+
+// The path is terminated by the first question mark ("?") or
+// number sign ("#") character, or by the end of the URI.
+// http://tools.ietf.org/html/rfc3986#section-3.3
+bool nsCSPParser::atEndOfPath() {
+ return (atEnd() || peek(QUESTIONMARK) || peek(NUMBER_SIGN));
+}
+
+// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
+bool nsCSPParser::atValidUnreservedChar() {
+ return (peek(isCharacterToken) || peek(isNumberToken) || peek(DASH) ||
+ peek(DOT) || peek(UNDERLINE) || peek(TILDE));
+}
+
+// sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
+// / "*" / "+" / "," / ";" / "="
+// Please note that even though ',' and ';' appear to be
+// valid sub-delims according to the RFC production of paths,
+// both can not appear here by itself, they would need to be
+// pct-encoded in order to be part of the path.
+bool nsCSPParser::atValidSubDelimChar() {
+ return (peek(EXCLAMATION) || peek(DOLLAR) || peek(AMPERSAND) ||
+ peek(SINGLEQUOTE) || peek(OPENBRACE) || peek(CLOSINGBRACE) ||
+ peek(WILDCARD) || peek(PLUS) || peek(EQUALS));
+}
+
+// pct-encoded = "%" HEXDIG HEXDIG
+bool nsCSPParser::atValidPctEncodedChar() {
+ const char16_t* pctCurChar = mCurChar;
+
+ if ((pctCurChar + 2) >= mEndChar) {
+ // string too short, can't be a valid pct-encoded char.
+ return false;
+ }
+
+ // Any valid pct-encoding must follow the following format:
+ // "% HEXDIG HEXDIG"
+ if (PERCENT_SIGN != *pctCurChar || !isValidHexDig(*(pctCurChar + 1)) ||
+ !isValidHexDig(*(pctCurChar + 2))) {
+ return false;
+ }
+ return true;
+}
+
+// pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
+// http://tools.ietf.org/html/rfc3986#section-3.3
+bool nsCSPParser::atValidPathChar() {
+ return (atValidUnreservedChar() || atValidSubDelimChar() ||
+ atValidPctEncodedChar() || peek(COLON) || peek(ATSYMBOL));
+}
+
+void nsCSPParser::logWarningErrorToConsole(uint32_t aSeverityFlag,
+ const char* aProperty,
+ const nsTArray<nsString>& aParams) {
+ CSPPARSERLOG(("nsCSPParser::logWarningErrorToConsole: %s", aProperty));
+
+ if (mSuppressLogMessages) {
+ return;
+ }
+
+ // send console messages off to the context and let the context
+ // deal with it (potentially messages need to be queued up)
+ mCSPContext->logToConsole(aProperty, aParams,
+ u""_ns, // aSourceName
+ u""_ns, // aSourceLine
+ 0, // aLineNumber
+ 0, // aColumnNumber
+ aSeverityFlag); // aFlags
+}
+
+bool nsCSPParser::hostChar() {
+ if (atEnd()) {
+ return false;
+ }
+ return accept(isCharacterToken) || accept(isNumberToken) || accept(DASH);
+}
+
+// (ALPHA / DIGIT / "+" / "-" / "." )
+bool nsCSPParser::schemeChar() {
+ if (atEnd()) {
+ return false;
+ }
+ return accept(isCharacterToken) || accept(isNumberToken) || accept(PLUS) ||
+ accept(DASH) || accept(DOT);
+}
+
+// port = ":" ( 1*DIGIT / "*" )
+bool nsCSPParser::port() {
+ CSPPARSERLOG(("nsCSPParser::port, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Consume the COLON we just peeked at in houstSource
+ accept(COLON);
+
+ // Resetting current value since we start to parse a port now.
+ // e.g; "http://www.example.com:8888" then we have already parsed
+ // everything up to (including) ":";
+ resetCurValue();
+
+ // Port might be "*"
+ if (accept(WILDCARD)) {
+ return true;
+ }
+
+ // Port must start with a number
+ if (!accept(isNumberToken)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag, "couldntParsePort",
+ params);
+ return false;
+ }
+ // Consume more numbers and set parsed port to the nsCSPHost
+ while (accept(isNumberToken)) { /* consume */
+ }
+ return true;
+}
+
+bool nsCSPParser::subPath(nsCSPHostSrc* aCspHost) {
+ CSPPARSERLOG(("nsCSPParser::subPath, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Emergency exit to avoid endless loops in case a path in a CSP policy
+ // is longer than 512 characters, or also to avoid endless loops
+ // in case we are parsing unrecognized characters in the following loop.
+ uint32_t charCounter = 0;
+ nsString pctDecodedSubPath;
+
+ while (!atEndOfPath()) {
+ if (peek(SLASH)) {
+ // before appendig any additional portion of a subpath we have to
+ // pct-decode that portion of the subpath. atValidPathChar() already
+ // verified a correct pct-encoding, now we can safely decode and append
+ // the decoded-sub path.
+ CSP_PercentDecodeStr(mCurValue, pctDecodedSubPath);
+ aCspHost->appendPath(pctDecodedSubPath);
+ // Resetting current value since we are appending parts of the path
+ // to aCspHost, e.g; "http://www.example.com/path1/path2" then the
+ // first part is "/path1", second part "/path2"
+ resetCurValue();
+ } else if (!atValidPathChar()) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidSource", params);
+ return false;
+ }
+ // potentially we have encountred a valid pct-encoded character in
+ // atValidPathChar(); if so, we have to account for "% HEXDIG HEXDIG" and
+ // advance the pointer past the pct-encoded char.
+ if (peek(PERCENT_SIGN)) {
+ advance();
+ advance();
+ }
+ advance();
+ if (++charCounter > kSubHostPathCharacterCutoff) {
+ return false;
+ }
+ }
+ // before appendig any additional portion of a subpath we have to pct-decode
+ // that portion of the subpath. atValidPathChar() already verified a correct
+ // pct-encoding, now we can safely decode and append the decoded-sub path.
+ CSP_PercentDecodeStr(mCurValue, pctDecodedSubPath);
+ aCspHost->appendPath(pctDecodedSubPath);
+ resetCurValue();
+ return true;
+}
+
+bool nsCSPParser::path(nsCSPHostSrc* aCspHost) {
+ CSPPARSERLOG(("nsCSPParser::path, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Resetting current value and forgetting everything we have parsed so far
+ // e.g. parsing "http://www.example.com/path1/path2", then
+ // "http://www.example.com" has already been parsed so far
+ // forget about it.
+ resetCurValue();
+
+ if (!accept(SLASH)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidSource", params);
+ return false;
+ }
+ if (atEndOfPath()) {
+ // one slash right after host [port] is also considered a path, e.g.
+ // www.example.com/ should result in www.example.com/
+ // please note that we do not have to perform any pct-decoding here
+ // because we are just appending a '/' and not any actual chars.
+ aCspHost->appendPath(u"/"_ns);
+ return true;
+ }
+ // path can begin with "/" but not "//"
+ // see http://tools.ietf.org/html/rfc3986#section-3.3
+ if (peek(SLASH)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidSource", params);
+ return false;
+ }
+ return subPath(aCspHost);
+}
+
+bool nsCSPParser::subHost() {
+ CSPPARSERLOG(("nsCSPParser::subHost, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Emergency exit to avoid endless loops in case a host in a CSP policy
+ // is longer than 512 characters, or also to avoid endless loops
+ // in case we are parsing unrecognized characters in the following loop.
+ uint32_t charCounter = 0;
+
+ while (!atEndOfPath() && !peek(COLON) && !peek(SLASH)) {
+ ++charCounter;
+ while (hostChar()) {
+ /* consume */
+ ++charCounter;
+ }
+ if (accept(DOT) && !hostChar()) {
+ return false;
+ }
+ if (charCounter > kSubHostPathCharacterCutoff) {
+ return false;
+ }
+ }
+ return true;
+}
+
+// host = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
+nsCSPHostSrc* nsCSPParser::host() {
+ CSPPARSERLOG(("nsCSPParser::host, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Check if the token starts with "*"; please remember that we handle
+ // a single "*" as host in sourceExpression, but we still have to handle
+ // the case where a scheme was defined, e.g., as:
+ // "https://*", "*.example.com", "*:*", etc.
+ if (accept(WILDCARD)) {
+ // Might solely be the wildcard
+ if (atEnd() || peek(COLON)) {
+ return new nsCSPHostSrc(mCurValue);
+ }
+ // If the token is not only the "*", a "." must follow right after
+ if (!accept(DOT)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidHost", params);
+ return nullptr;
+ }
+ }
+
+ // Expecting at least one host-char
+ if (!hostChar()) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidHost", params);
+ return nullptr;
+ }
+
+ // There might be several sub hosts defined.
+ if (!subHost()) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidHost", params);
+ return nullptr;
+ }
+
+ // HostName might match a keyword, log to the console.
+ if (CSP_IsQuotelessKeyword(mCurValue)) {
+ nsString keyword = mCurValue;
+ ToLowerCase(keyword);
+ AutoTArray<nsString, 2> params = {mCurToken, keyword};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "hostNameMightBeKeyword", params);
+ }
+
+ // Create a new nsCSPHostSrc with the parsed host.
+ return new nsCSPHostSrc(mCurValue);
+}
+
+// keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" /
+// "'wasm-unsafe-eval'"
+nsCSPBaseSrc* nsCSPParser::keywordSource() {
+ CSPPARSERLOG(("nsCSPParser::keywordSource, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Special case handling for 'self' which is not stored internally as a
+ // keyword, but rather creates a nsCSPHostSrc using the selfURI
+ if (CSP_IsKeyword(mCurToken, CSP_SELF)) {
+ return CSP_CreateHostSrcFromSelfURI(mSelfURI);
+ }
+
+ if (CSP_IsKeyword(mCurToken, CSP_REPORT_SAMPLE)) {
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ if (CSP_IsKeyword(mCurToken, CSP_STRICT_DYNAMIC)) {
+ if (!CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) &&
+ !CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) &&
+ !CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE)) {
+ // Todo: Enforce 'strict-dynamic' within default-src; see Bug 1313937
+ AutoTArray<nsString, 1> params = {u"strict-dynamic"_ns};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringStrictDynamic", params);
+ return nullptr;
+ }
+ mStrictDynamic = true;
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_INLINE)) {
+ nsWeakPtr ctx = mCSPContext->GetLoadingContext();
+ nsCOMPtr<Document> doc = do_QueryReferent(ctx);
+ if (doc) {
+ doc->SetHasUnsafeInlineCSP(true);
+ }
+ // make sure script-src only contains 'unsafe-inline' once;
+ // ignore duplicates and log warning
+ if (mUnsafeInlineKeywordSrc) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringDuplicateSrc", params);
+ return nullptr;
+ }
+ // cache if we encounter 'unsafe-inline' so we can invalidate (ignore) it in
+ // case that script-src directive also contains hash- or nonce-.
+ mUnsafeInlineKeywordSrc =
+ new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ return mUnsafeInlineKeywordSrc;
+ }
+
+ if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_EVAL)) {
+ nsWeakPtr ctx = mCSPContext->GetLoadingContext();
+ nsCOMPtr<Document> doc = do_QueryReferent(ctx);
+ if (doc) {
+ doc->SetHasUnsafeEvalCSP(true);
+ }
+ mHasAnyUnsafeEval = true;
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ if (StaticPrefs::security_csp_wasm_unsafe_eval_enabled() &&
+ CSP_IsKeyword(mCurToken, CSP_WASM_UNSAFE_EVAL)) {
+ mHasAnyUnsafeEval = true;
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ if (StaticPrefs::security_csp_unsafe_hashes_enabled() &&
+ CSP_IsKeyword(mCurToken, CSP_UNSAFE_HASHES)) {
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_ALLOW_REDIRECTS)) {
+ if (!CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE)) {
+ // Only allow 'unsafe-allow-redirects' within navigate-to.
+ AutoTArray<nsString, 2> params = {u"unsafe-allow-redirects"_ns,
+ u"navigate-to"_ns};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "IgnoringSourceWithinDirective", params);
+ return nullptr;
+ }
+
+ return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
+ }
+
+ return nullptr;
+}
+
+// host-source = [ scheme "://" ] host [ port ] [ path ]
+nsCSPHostSrc* nsCSPParser::hostSource() {
+ CSPPARSERLOG(("nsCSPParser::hostSource, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ nsCSPHostSrc* cspHost = host();
+ if (!cspHost) {
+ // Error was reported in host()
+ return nullptr;
+ }
+
+ // Calling port() to see if there is a port to parse, if an error
+ // occurs, port() reports the error, if port() returns true;
+ // we have a valid port, so we add it to cspHost.
+ if (peek(COLON)) {
+ if (!port()) {
+ delete cspHost;
+ return nullptr;
+ }
+ cspHost->setPort(mCurValue);
+ }
+
+ if (atEndOfPath()) {
+ return cspHost;
+ }
+
+ // Calling path() to see if there is a path to parse, if an error
+ // occurs, path() reports the error; handing cspHost as an argument
+ // which simplifies parsing of several paths.
+ if (!path(cspHost)) {
+ // If the host [port] is followed by a path, it has to be a valid path,
+ // otherwise we pass the nullptr, indicating an error, up the callstack.
+ // see also http://www.w3.org/TR/CSP11/#source-list
+ delete cspHost;
+ return nullptr;
+ }
+ return cspHost;
+}
+
+// scheme-source = scheme ":"
+nsCSPSchemeSrc* nsCSPParser::schemeSource() {
+ CSPPARSERLOG(("nsCSPParser::schemeSource, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ if (!accept(isCharacterToken)) {
+ return nullptr;
+ }
+ while (schemeChar()) { /* consume */
+ }
+ nsString scheme = mCurValue;
+
+ // If the potential scheme is not followed by ":" - it's not a scheme
+ if (!accept(COLON)) {
+ return nullptr;
+ }
+
+ // If the chraracter following the ":" is a number or the "*"
+ // then we are not parsing a scheme; but rather a host;
+ if (peek(isNumberToken) || peek(WILDCARD)) {
+ return nullptr;
+ }
+
+ return new nsCSPSchemeSrc(scheme);
+}
+
+// nonce-source = "'nonce-" nonce-value "'"
+nsCSPNonceSrc* nsCSPParser::nonceSource() {
+ CSPPARSERLOG(("nsCSPParser::nonceSource, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Check if mCurToken begins with "'nonce-" and ends with "'"
+ if (!StringBeginsWith(mCurToken,
+ nsDependentString(CSP_EnumToUTF16Keyword(CSP_NONCE)),
+ nsASCIICaseInsensitiveStringComparator) ||
+ mCurToken.Last() != SINGLEQUOTE) {
+ return nullptr;
+ }
+
+ // Trim surrounding single quotes
+ const nsAString& expr = Substring(mCurToken, 1, mCurToken.Length() - 2);
+
+ int32_t dashIndex = expr.FindChar(DASH);
+ if (dashIndex < 0) {
+ return nullptr;
+ }
+ if (!isValidBase64Value(expr.BeginReading() + dashIndex + 1,
+ expr.EndReading())) {
+ return nullptr;
+ }
+
+ // cache if encountering hash or nonce to invalidate unsafe-inline
+ mHasHashOrNonce = true;
+ return new nsCSPNonceSrc(
+ Substring(expr, dashIndex + 1, expr.Length() - dashIndex + 1));
+}
+
+// hash-source = "'" hash-algo "-" base64-value "'"
+nsCSPHashSrc* nsCSPParser::hashSource() {
+ CSPPARSERLOG(("nsCSPParser::hashSource, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Check if mCurToken starts and ends with "'"
+ if (mCurToken.First() != SINGLEQUOTE || mCurToken.Last() != SINGLEQUOTE) {
+ return nullptr;
+ }
+
+ // Trim surrounding single quotes
+ const nsAString& expr = Substring(mCurToken, 1, mCurToken.Length() - 2);
+
+ int32_t dashIndex = expr.FindChar(DASH);
+ if (dashIndex < 0) {
+ return nullptr;
+ }
+
+ if (!isValidBase64Value(expr.BeginReading() + dashIndex + 1,
+ expr.EndReading())) {
+ return nullptr;
+ }
+
+ nsAutoString algo(Substring(expr, 0, dashIndex));
+ nsAutoString hash(
+ Substring(expr, dashIndex + 1, expr.Length() - dashIndex + 1));
+
+ for (uint32_t i = 0; i < kHashSourceValidFnsLen; i++) {
+ if (algo.LowerCaseEqualsASCII(kHashSourceValidFns[i])) {
+ // cache if encountering hash or nonce to invalidate unsafe-inline
+ mHasHashOrNonce = true;
+ return new nsCSPHashSrc(algo, hash);
+ }
+ }
+ return nullptr;
+}
+
+// source-expression = scheme-source / host-source / keyword-source
+// / nonce-source / hash-source
+nsCSPBaseSrc* nsCSPParser::sourceExpression() {
+ CSPPARSERLOG(("nsCSPParser::sourceExpression, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Check if it is a keyword
+ if (nsCSPBaseSrc* cspKeyword = keywordSource()) {
+ return cspKeyword;
+ }
+
+ // Check if it is a nonce-source
+ if (nsCSPNonceSrc* cspNonce = nonceSource()) {
+ return cspNonce;
+ }
+
+ // Check if it is a hash-source
+ if (nsCSPHashSrc* cspHash = hashSource()) {
+ return cspHash;
+ }
+
+ // We handle a single "*" as host here, to avoid any confusion when applying
+ // the default scheme. However, we still would need to apply the default
+ // scheme in case we would parse "*:80".
+ if (mCurToken.EqualsASCII("*")) {
+ return new nsCSPHostSrc(u"*"_ns);
+ }
+
+ // Calling resetCurChar allows us to use mCurChar and mEndChar
+ // to parse mCurToken; e.g. mCurToken = "http://www.example.com", then
+ // mCurChar = 'h'
+ // mEndChar = points just after the last 'm'
+ // mCurValue = ""
+ resetCurChar(mCurToken);
+
+ // Check if mCurToken starts with a scheme
+ nsAutoString parsedScheme;
+ if (nsCSPSchemeSrc* cspScheme = schemeSource()) {
+ // mCurToken might only enforce a specific scheme
+ if (atEnd()) {
+ return cspScheme;
+ }
+ // If something follows the scheme, we do not create
+ // a nsCSPSchemeSrc, but rather a nsCSPHostSrc, which
+ // needs to know the scheme to enforce; remember the
+ // scheme and delete cspScheme;
+ cspScheme->toString(parsedScheme);
+ parsedScheme.Trim(":", false, true);
+ delete cspScheme;
+
+ // If mCurToken provides not only a scheme, but also a host, we have to
+ // check if two slashes follow the scheme.
+ if (!accept(SLASH) || !accept(SLASH)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "failedToParseUnrecognizedSource", params);
+ return nullptr;
+ }
+ }
+
+ // Calling resetCurValue allows us to keep pointers for mCurChar and mEndChar
+ // alive, but resets mCurValue; e.g. mCurToken = "http://www.example.com",
+ // then mCurChar = 'w' mEndChar = 'm' mCurValue = ""
+ resetCurValue();
+
+ // If mCurToken does not provide a scheme (scheme-less source), we apply the
+ // scheme from selfURI
+ if (parsedScheme.IsEmpty()) {
+ // Resetting internal helpers, because we might already have parsed some of
+ // the host when trying to parse a scheme.
+ resetCurChar(mCurToken);
+ nsAutoCString selfScheme;
+ mSelfURI->GetScheme(selfScheme);
+ parsedScheme.AssignASCII(selfScheme.get());
+ }
+
+ // At this point we are expecting a host to be parsed.
+ // Trying to create a new nsCSPHost.
+ if (nsCSPHostSrc* cspHost = hostSource()) {
+ // Do not forget to set the parsed scheme.
+ cspHost->setScheme(parsedScheme);
+ cspHost->setWithinFrameAncestorsDir(mParsingFrameAncestorsDir);
+ return cspHost;
+ }
+ // Error was reported in hostSource()
+ return nullptr;
+}
+
+// source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
+// / *WSP "'none'" *WSP
+void nsCSPParser::sourceList(nsTArray<nsCSPBaseSrc*>& outSrcs) {
+ bool isNone = false;
+
+ // remember, srcs start at index 1
+ for (uint32_t i = 1; i < mCurDir.Length(); i++) {
+ // mCurToken is only set here and remains the current token
+ // to be processed, which avoid passing arguments between functions.
+ mCurToken = mCurDir[i];
+ resetCurValue();
+
+ CSPPARSERLOG(("nsCSPParser::sourceList, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Special case handling for none:
+ // Ignore 'none' if any other src is available.
+ // (See http://www.w3.org/TR/CSP11/#parsing)
+ if (CSP_IsKeyword(mCurToken, CSP_NONE)) {
+ isNone = true;
+ continue;
+ }
+ // Must be a regular source expression
+ nsCSPBaseSrc* src = sourceExpression();
+ if (src) {
+ outSrcs.AppendElement(src);
+ }
+ }
+
+ // Check if the directive contains a 'none'
+ if (isNone) {
+ // If the directive contains no other srcs, then we set the 'none'
+ if (outSrcs.IsEmpty() ||
+ (outSrcs.Length() == 1 && outSrcs[0]->isReportSample())) {
+ nsCSPKeywordSrc* keyword = new nsCSPKeywordSrc(CSP_NONE);
+ outSrcs.InsertElementAt(0, keyword);
+ }
+ // Otherwise, we ignore 'none' and report a warning
+ else {
+ AutoTArray<nsString, 1> params;
+ params.AppendElement(CSP_EnumToUTF16Keyword(CSP_NONE));
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringUnknownOption", params);
+ }
+ }
+}
+
+void nsCSPParser::reportURIList(nsCSPDirective* aDir) {
+ CSPPARSERLOG(("nsCSPParser::reportURIList"));
+
+ nsTArray<nsCSPBaseSrc*> srcs;
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv;
+
+ // remember, srcs start at index 1
+ for (uint32_t i = 1; i < mCurDir.Length(); i++) {
+ mCurToken = mCurDir[i];
+
+ CSPPARSERLOG(("nsCSPParser::reportURIList, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ rv = NS_NewURI(getter_AddRefs(uri), mCurToken, "", mSelfURI);
+
+ // If creating the URI casued an error, skip this URI
+ if (NS_FAILED(rv)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldNotParseReportURI", params);
+ continue;
+ }
+
+ // Create new nsCSPReportURI and append to the list.
+ nsCSPReportURI* reportURI = new nsCSPReportURI(uri);
+ srcs.AppendElement(reportURI);
+ }
+
+ if (srcs.Length() == 0) {
+ AutoTArray<nsString, 1> directiveName = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringDirectiveWithNoValues", directiveName);
+ delete aDir;
+ return;
+ }
+
+ aDir->addSrcs(srcs);
+ mPolicy->addDirective(aDir);
+}
+
+/* Helper function for parsing sandbox flags. This function solely concatenates
+ * all the source list tokens (the sandbox flags) so the attribute parser
+ * (nsContentUtils::ParseSandboxAttributeToFlags) can parse them.
+ */
+void nsCSPParser::sandboxFlagList(nsCSPDirective* aDir) {
+ CSPPARSERLOG(("nsCSPParser::sandboxFlagList"));
+
+ nsAutoString flags;
+
+ // remember, srcs start at index 1
+ for (uint32_t i = 1; i < mCurDir.Length(); i++) {
+ mCurToken = mCurDir[i];
+
+ CSPPARSERLOG(("nsCSPParser::sandboxFlagList, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ if (!nsContentUtils::IsValidSandboxFlag(mCurToken)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldntParseInvalidSandboxFlag", params);
+ continue;
+ }
+
+ flags.Append(mCurToken);
+ if (i != mCurDir.Length() - 1) {
+ flags.AppendLiteral(" ");
+ }
+ }
+
+ // Please note that the sandbox directive can exist
+ // by itself (not containing any flags).
+ nsTArray<nsCSPBaseSrc*> srcs;
+ srcs.AppendElement(new nsCSPSandboxFlags(flags));
+ aDir->addSrcs(srcs);
+ mPolicy->addDirective(aDir);
+}
+
+// directive-value = *( WSP / <VCHAR except ";" and ","> )
+void nsCSPParser::directiveValue(nsTArray<nsCSPBaseSrc*>& outSrcs) {
+ CSPPARSERLOG(("nsCSPParser::directiveValue"));
+
+ // Just forward to sourceList
+ sourceList(outSrcs);
+}
+
+// directive-name = 1*( ALPHA / DIGIT / "-" )
+nsCSPDirective* nsCSPParser::directiveName() {
+ CSPPARSERLOG(("nsCSPParser::directiveName, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Check if it is a valid directive
+ CSPDirective directive = CSP_StringToCSPDirective(mCurToken);
+ if (directive == nsIContentSecurityPolicy::NO_DIRECTIVE) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldNotProcessUnknownDirective", params);
+ return nullptr;
+ }
+
+ // The directive 'reflected-xss' is part of CSP 1.1, see:
+ // http://www.w3.org/TR/2014/WD-CSP11-20140211/#reflected-xss
+ // Currently we are not supporting that directive, hence we log a
+ // warning to the console and ignore the directive including its values.
+ if (directive == nsIContentSecurityPolicy::REFLECTED_XSS_DIRECTIVE) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "notSupportingDirective", params);
+ return nullptr;
+ }
+
+ // script-src-attr and script-scr-elem might have been disabled.
+ // Similarly style-src-{attr, elem}.
+ if (((directive == nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE ||
+ directive == nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) &&
+ !StaticPrefs::security_csp_script_src_attr_elem_enabled()) ||
+ ((directive == nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE ||
+ directive == nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) &&
+ !StaticPrefs::security_csp_style_src_attr_elem_enabled())) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "notSupportingDirective", params);
+ return nullptr;
+ }
+
+ // Bug 1529068: Implement navigate-to directive.
+ // Once all corner cases are resolved we can remove that special
+ // if-handling here and let the parser just fall through to
+ // return new nsCSPDirective.
+ if (directive == nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE &&
+ !StaticPrefs::security_csp_enableNavigateTo()) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "couldNotProcessUnknownDirective", params);
+ return nullptr;
+ }
+
+ // Make sure the directive does not already exist
+ // (see http://www.w3.org/TR/CSP11/#parsing)
+ if (mPolicy->hasDirective(directive)) {
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag, "duplicateDirective",
+ params);
+ return nullptr;
+ }
+
+ // CSP delivered via meta tag should ignore the following directives:
+ // report-uri, frame-ancestors, and sandbox, see:
+ // http://www.w3.org/TR/CSP11/#delivery-html-meta-element
+ if (mDeliveredViaMetaTag &&
+ ((directive == nsIContentSecurityPolicy::REPORT_URI_DIRECTIVE) ||
+ (directive == nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE) ||
+ (directive == nsIContentSecurityPolicy::SANDBOX_DIRECTIVE))) {
+ // log to the console to indicate that meta CSP is ignoring the directive
+ AutoTArray<nsString, 1> params = {mCurToken};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringSrcFromMetaCSP", params);
+ return nullptr;
+ }
+
+ // special case handling for block-all-mixed-content
+ if (directive == nsIContentSecurityPolicy::BLOCK_ALL_MIXED_CONTENT) {
+ return new nsBlockAllMixedContentDirective(directive);
+ }
+
+ // special case handling for upgrade-insecure-requests
+ if (directive == nsIContentSecurityPolicy::UPGRADE_IF_INSECURE_DIRECTIVE) {
+ return new nsUpgradeInsecureDirective(directive);
+ }
+
+ // if we have a child-src, cache it as a fallback for
+ // * workers (if worker-src is not explicitly specified)
+ // * frames (if frame-src is not explicitly specified)
+ if (directive == nsIContentSecurityPolicy::CHILD_SRC_DIRECTIVE) {
+ mChildSrc = new nsCSPChildSrcDirective(directive);
+ return mChildSrc;
+ }
+
+ // if we have a frame-src, cache it so we can discard child-src for frames
+ if (directive == nsIContentSecurityPolicy::FRAME_SRC_DIRECTIVE) {
+ mFrameSrc = new nsCSPDirective(directive);
+ return mFrameSrc;
+ }
+
+ // if we have a worker-src, cache it so we can discard child-src for workers
+ if (directive == nsIContentSecurityPolicy::WORKER_SRC_DIRECTIVE) {
+ mWorkerSrc = new nsCSPDirective(directive);
+ return mWorkerSrc;
+ }
+
+ // if we have a script-src, cache it as a fallback for worker-src
+ // in case child-src is not present. It is also used as a fallback for
+ // script-src-elem and script-src-attr.
+ if (directive == nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) {
+ mScriptSrc = new nsCSPScriptSrcDirective(directive);
+ return mScriptSrc;
+ }
+
+ // If we have a style-src, cache it as a fallback for style-src-elem and
+ // style-src-attr.
+ if (directive == nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) {
+ mStyleSrc = new nsCSPStyleSrcDirective(directive);
+ return mStyleSrc;
+ }
+
+ return new nsCSPDirective(directive);
+}
+
+// directive = *WSP [ directive-name [ WSP directive-value ] ]
+void nsCSPParser::directive() {
+ // Set the directiveName to mCurToken
+ // Remember, the directive name is stored at index 0
+ mCurToken = mCurDir[0];
+
+ CSPPARSERLOG(("nsCSPParser::directive, mCurToken: %s, mCurValue: %s",
+ NS_ConvertUTF16toUTF8(mCurToken).get(),
+ NS_ConvertUTF16toUTF8(mCurValue).get()));
+
+ // Make sure that the directive-srcs-array contains at least
+ // one directive.
+ if (mCurDir.Length() == 0) {
+ AutoTArray<nsString, 1> params = {u"directive missing"_ns};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "failedToParseUnrecognizedSource", params);
+ return;
+ }
+
+ if (CSP_IsEmptyDirective(mCurValue, mCurToken)) {
+ return;
+ }
+
+ // Try to create a new CSPDirective
+ nsCSPDirective* cspDir = directiveName();
+ if (!cspDir) {
+ // if we can not create a CSPDirective, we can skip parsing the srcs for
+ // that array
+ return;
+ }
+
+ // special case handling for block-all-mixed-content, which is only specified
+ // by a directive name but does not include any srcs.
+ if (cspDir->equals(nsIContentSecurityPolicy::BLOCK_ALL_MIXED_CONTENT)) {
+ if (mCurDir.Length() > 1) {
+ AutoTArray<nsString, 1> params = {u"block-all-mixed-content"_ns};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoreSrcForDirective", params);
+ }
+ // add the directive and return
+ mPolicy->addDirective(cspDir);
+ return;
+ }
+
+ // special case handling for upgrade-insecure-requests, which is only
+ // specified by a directive name but does not include any srcs.
+ if (cspDir->equals(nsIContentSecurityPolicy::UPGRADE_IF_INSECURE_DIRECTIVE)) {
+ if (mCurDir.Length() > 1) {
+ AutoTArray<nsString, 1> params = {u"upgrade-insecure-requests"_ns};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoreSrcForDirective", params);
+ }
+ // add the directive and return
+ mPolicy->addUpgradeInsecDir(
+ static_cast<nsUpgradeInsecureDirective*>(cspDir));
+ return;
+ }
+
+ // special case handling for report-uri directive (since it doesn't contain
+ // a valid source list but rather actual URIs)
+ if (CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::REPORT_URI_DIRECTIVE)) {
+ reportURIList(cspDir);
+ return;
+ }
+
+ // special case handling for sandbox directive (since it doe4sn't contain
+ // a valid source list but rather special sandbox flags)
+ if (CSP_IsDirective(mCurDir[0],
+ nsIContentSecurityPolicy::SANDBOX_DIRECTIVE)) {
+ sandboxFlagList(cspDir);
+ return;
+ }
+
+ // make sure to reset cache variables when trying to invalidate unsafe-inline;
+ // unsafe-inline might not only appear in script-src, but also in default-src
+ mHasHashOrNonce = false;
+ mHasAnyUnsafeEval = false;
+ mStrictDynamic = false;
+ mUnsafeInlineKeywordSrc = nullptr;
+
+ mParsingFrameAncestorsDir = CSP_IsDirective(
+ mCurDir[0], nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE);
+
+ // Try to parse all the srcs by handing the array off to directiveValue
+ nsTArray<nsCSPBaseSrc*> srcs;
+ directiveValue(srcs);
+
+ // If we can not parse any srcs; we let the source expression be the empty set
+ // ('none') see, http://www.w3.org/TR/CSP11/#source-list-parsing
+ if (srcs.IsEmpty() || (srcs.Length() == 1 && srcs[0]->isReportSample())) {
+ nsCSPKeywordSrc* keyword = new nsCSPKeywordSrc(CSP_NONE);
+ srcs.InsertElementAt(0, keyword);
+ }
+
+ // If policy contains 'strict-dynamic' invalidate all srcs within script-src.
+ if (mStrictDynamic) {
+ MOZ_ASSERT(
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
+ cspDir->equals(
+ nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE),
+ "strict-dynamic only allowed within script-src(-elem|attr)");
+ for (uint32_t i = 0; i < srcs.Length(); i++) {
+ // Please note that nsCSPNonceSrc as well as nsCSPHashSrc overwrite
+ // invalidate(), so it's fine to just call invalidate() on all srcs.
+ // Please also note that nsCSPKeywordSrc() can not be invalidated and
+ // always returns false unless the keyword is 'strict-dynamic' in which
+ // case we allow the load if the script is not parser created!
+ srcs[i]->invalidate();
+ // Log a message to the console that src will be ignored.
+ nsAutoString srcStr;
+ srcs[i]->toString(srcStr);
+ // Even though we invalidate all of the srcs internally, we don't want to
+ // log messages for the srcs: 'strict-dynamic', 'unsafe-inline',
+ // 'unsafe-hashes', nonces, and hashes, because those still apply even
+ // with 'strict-dynamic'.
+ // TODO the comment seems wrong 'unsafe-eval' vs 'unsafe-inline'.
+ if (!srcStr.EqualsASCII(CSP_EnumToUTF8Keyword(CSP_STRICT_DYNAMIC)) &&
+ !srcStr.EqualsASCII(CSP_EnumToUTF8Keyword(CSP_UNSAFE_EVAL)) &&
+ !srcStr.EqualsASCII(CSP_EnumToUTF8Keyword(CSP_UNSAFE_HASHES)) &&
+ !StringBeginsWith(
+ srcStr, nsDependentString(CSP_EnumToUTF16Keyword(CSP_NONCE))) &&
+ !StringBeginsWith(srcStr, u"'sha"_ns)) {
+ AutoTArray<nsString, 2> params = {srcStr, mCurDir[0]};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringScriptSrcForStrictDynamic", params);
+ }
+ }
+ // Log a warning that all scripts might be blocked because the policy
+ // contains 'strict-dynamic' but no valid nonce or hash.
+ if (!mHasHashOrNonce) {
+ AutoTArray<nsString, 1> params = {mCurDir[0]};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "strictDynamicButNoHashOrNonce", params);
+ }
+ }
+
+ // From https://w3c.github.io/webappsec-csp/#allow-all-inline
+ // follows that when either a hash or nonce is specified, 'unsafe-inline'
+ // should not apply.
+ if (mHasHashOrNonce && mUnsafeInlineKeywordSrc &&
+ (cspDir->isDefaultDirective() ||
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE))) {
+ mUnsafeInlineKeywordSrc->invalidate();
+
+ // Log to the console that unsafe-inline will be ignored.
+ AutoTArray<nsString, 2> params = {u"'unsafe-inline'"_ns, mCurDir[0]};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringSrcWithinNonceOrHashDirective", params);
+ }
+
+ if (mHasAnyUnsafeEval &&
+ (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) {
+ // Log to the console that (wasm-)unsafe-eval will be ignored.
+ AutoTArray<nsString, 1> params = {mCurDir[0]};
+ logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringUnsafeEval",
+ params);
+ }
+
+ // Add the newly created srcs to the directive and add the directive to the
+ // policy
+ cspDir->addSrcs(srcs);
+ mPolicy->addDirective(cspDir);
+}
+
+// policy = [ directive *( ";" [ directive ] ) ]
+nsCSPPolicy* nsCSPParser::policy() {
+ CSPPARSERLOG(("nsCSPParser::policy"));
+
+ mPolicy = new nsCSPPolicy();
+ for (uint32_t i = 0; i < mTokens.Length(); i++) {
+ // https://w3c.github.io/webappsec-csp/#parse-serialized-policy
+ // Step 2.2. ..., or if token is not an ASCII string, continue.
+ //
+ // Note: In the spec the token isn't split by whitespace yet.
+ bool isAscii = true;
+ for (const auto& token : mTokens[i]) {
+ if (!IsAscii(token)) {
+ AutoTArray<nsString, 1> params = {mTokens[i][0], token};
+ logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "ignoringNonAsciiToken", params);
+ isAscii = false;
+ break;
+ }
+ }
+ if (!isAscii) {
+ continue;
+ }
+
+ // All input is already tokenized; set one tokenized array in the form of
+ // [ name, src, src, ... ]
+ // to mCurDir and call directive which processes the current directive.
+ mCurDir = mTokens[i].Clone();
+ directive();
+ }
+
+ if (mChildSrc) {
+ if (!mFrameSrc) {
+ // if frame-src is specified explicitly for that policy than child-src
+ // should not restrict frames; if not, than child-src needs to restrict
+ // frames.
+ mChildSrc->setRestrictFrames();
+ }
+ if (!mWorkerSrc) {
+ // if worker-src is specified explicitly for that policy than child-src
+ // should not restrict workers; if not, than child-src needs to restrict
+ // workers.
+ mChildSrc->setRestrictWorkers();
+ }
+ }
+
+ // if script-src is specified, but not worker-src and also no child-src, then
+ // script-src has to govern workers.
+ if (mScriptSrc && !mWorkerSrc && !mChildSrc) {
+ mScriptSrc->setRestrictWorkers();
+ }
+
+ // If script-src is specified and script-src-elem is not specified, then
+ // script-src has to govern script requests and script blocks.
+ if (mScriptSrc && !mPolicy->hasDirective(
+ nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE)) {
+ mScriptSrc->setRestrictScriptElem();
+ }
+
+ // If script-src is specified and script-src-attr is not specified, then
+ // script-src has to govern script attr (event handlers).
+ if (mScriptSrc && !mPolicy->hasDirective(
+ nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE)) {
+ mScriptSrc->setRestrictScriptAttr();
+ }
+
+ // If style-src is specified and style-src-elem is not specified, then
+ // style-src serves as a fallback.
+ if (mStyleSrc && !mPolicy->hasDirective(
+ nsIContentSecurityPolicy::STYLE_SRC_ELEM_DIRECTIVE)) {
+ mStyleSrc->setRestrictStyleElem();
+ }
+
+ // If style-src is specified and style-attr-elem is not specified, then
+ // style-src serves as a fallback.
+ if (mStyleSrc && !mPolicy->hasDirective(
+ nsIContentSecurityPolicy::STYLE_SRC_ATTR_DIRECTIVE)) {
+ mStyleSrc->setRestrictStyleAttr();
+ }
+
+ return mPolicy;
+}
+
+nsCSPPolicy* nsCSPParser::parseContentSecurityPolicy(
+ const nsAString& aPolicyString, nsIURI* aSelfURI, bool aReportOnly,
+ nsCSPContext* aCSPContext, bool aDeliveredViaMetaTag,
+ bool aSuppressLogMessages) {
+ if (CSPPARSERLOGENABLED()) {
+ CSPPARSERLOG(("nsCSPParser::parseContentSecurityPolicy, policy: %s",
+ NS_ConvertUTF16toUTF8(aPolicyString).get()));
+ CSPPARSERLOG(("nsCSPParser::parseContentSecurityPolicy, selfURI: %s",
+ aSelfURI->GetSpecOrDefault().get()));
+ CSPPARSERLOG(("nsCSPParser::parseContentSecurityPolicy, reportOnly: %s",
+ (aReportOnly ? "true" : "false")));
+ CSPPARSERLOG(
+ ("nsCSPParser::parseContentSecurityPolicy, deliveredViaMetaTag: %s",
+ (aDeliveredViaMetaTag ? "true" : "false")));
+ }
+
+ NS_ASSERTION(aSelfURI, "Can not parseContentSecurityPolicy without aSelfURI");
+
+ // Separate all input into tokens and store them in the form of:
+ // [ [ name, src, src, ... ], [ name, src, src, ... ], ... ]
+ // The tokenizer itself can not fail; all eventual errors
+ // are detected in the parser itself.
+
+ nsTArray<CopyableTArray<nsString> > tokens;
+ PolicyTokenizer::tokenizePolicy(aPolicyString, tokens);
+
+ nsCSPParser parser(tokens, aSelfURI, aCSPContext, aDeliveredViaMetaTag,
+ aSuppressLogMessages);
+
+ // Start the parser to generate a new CSPPolicy using the generated tokens.
+ nsCSPPolicy* policy = parser.policy();
+
+ // Check that report-only policies define a report-uri, otherwise log warning.
+ if (aReportOnly) {
+ policy->setReportOnlyFlag(true);
+ if (!policy->hasDirective(nsIContentSecurityPolicy::REPORT_URI_DIRECTIVE)) {
+ nsAutoCString prePath;
+ nsresult rv = aSelfURI->GetPrePath(prePath);
+ NS_ENSURE_SUCCESS(rv, policy);
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(prePath, *params.AppendElement());
+ parser.logWarningErrorToConsole(nsIScriptError::warningFlag,
+ "reportURInotInReportOnlyHeader", params);
+ }
+ }
+
+ policy->setDeliveredViaMetaTagFlag(aDeliveredViaMetaTag);
+
+ if (policy->getNumDirectives() == 0) {
+ // Individual errors were already reported in the parser, but if
+ // we do not have an enforcable directive at all, we return null.
+ delete policy;
+ return nullptr;
+ }
+
+ if (CSPPARSERLOGENABLED()) {
+ nsString parsedPolicy;
+ policy->toString(parsedPolicy);
+ CSPPARSERLOG(("nsCSPParser::parseContentSecurityPolicy, parsedPolicy: %s",
+ NS_ConvertUTF16toUTF8(parsedPolicy).get()));
+ }
+
+ return policy;
+}