Page MenuHomePhabricator
Differential D182563

Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r?freddyb
ClosedPublic
Actions

Authored by tschuster on Jun 30 2023, 1:04 PM.
Tags
Referenced Files
Unknown Object (File)
Sun, Nov 2, 1:45 PM
Unknown Object (File)
Wed, Oct 15, 12:09 AM
Unknown Object (File)
Mon, Oct 13, 1:16 AM
Unknown Object (File)
Sep 27 2025, 9:31 PM
Unknown Object (File)
Apr 11 2025, 3:22 PM
Unknown Object (File)
Apr 4 2025, 11:16 AM
Unknown Object (File)
Mar 15 2025, 12:17 PM
Unknown Object (File)
Jan 10 2025, 9:17 PM
View All 52 Files
Subscribers
reviewbot

Details

Reviewers
freddyb
Commits
rMOZILLACENTRAL28cf03c9738a: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb
rMOZILLACENTRAL7cab9a1ea25f: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb
Bugzilla Bug ID
1313937

Diff Detail

Repository
rMOZILLACENTRAL mozilla-central
Branch
default

Event Timeline

evilpie planned changes to this revision.Jun 30 2023, 1:04 PM
evilpie created this revision.
Herald added a project: secure-revision. · View Herald TranscriptJun 30 2023, 1:04 PM
Harbormaster completed remote builds in B555449: Diff 737813.Jun 30 2023, 1:04 PM
evilpie added a child revision: D182564: Bug 1313937 - CSP: Remove aParserCreated. r?freddyb.Jun 30 2023, 1:04 PM
phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 30 2023, 1:05 PM
phab-bot changed the edit policy from "Custom Policy" to "Restricted Project (Project)".
phab-bot removed a project: secure-revision.
tschuster updated this revision to Diff 737815.Jun 30 2023, 1:06 PM
tschuster edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B555451: Diff 737815.Jun 30 2023, 1:06 PM
tschuster commandeered this revision.Jun 30 2023, 1:08 PM
tschuster added a reviewer: evilpie.
tschuster removed a reviewer: evilpie.
reviewbot added a subscriber: reviewbot.Jun 30 2023, 1:26 PM

Code analysis found 5 defects in diff 737815:

  • 1 defect found by clang-format
  • 1 defect found by clang-tidy
  • 3 defects found by clang-format (Mozlint)
WARNING: Found 5 defects (warning level) that can be dismissed.

You can run this analysis locally with:

  • ./mach static-analysis check --outgoing (C/C++)
  • ./mach lint --warnings --outgoing
  • ./mach clang-format -p dom/security/nsCSPParser.cpp

For your convenience, here is a patch that fixes all the clang-format defects (use it in your repository with hg import or git apply -p0).

If you see a problem in this automated review, please report it here.

You can view these defects in the Diff Detail section of Phabricator diff 737815.

tschuster planned changes to this revision.Jul 5 2023, 12:30 PM
tschuster updated this revision to Diff 738662.
tschuster retitled this revision from WIP: Bug 1313937 - CSP: Reimplemnt 'strict-dynamic' to WIP: Bug 1313937 - CSP: Reimplement 'strict-dynamic'.
Harbormaster completed remote builds in B556183: Diff 738662.Jul 5 2023, 12:30 PM
tschuster requested review of this revision.Jul 12 2023, 1:53 PM
tschuster updated this revision to Diff 741433.
tschuster retitled this revision from WIP: Bug 1313937 - CSP: Reimplement 'strict-dynamic' to Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r?freddyb.
tschuster added a reviewer: freddyb.
Harbormaster completed remote builds in B558480: Diff 741433.Jul 12 2023, 1:53 PM
reviewbot added a comment.Jul 12 2023, 2:18 PM

Code analysis found 1 defect in diff 741433:

  • 1 defect found by clang-tidy

1 defect unresolved and 4 defects closed compared to the previous diff 738662.

WARNING: Found 1 defect (warning level) that can be dismissed.

You can run this analysis locally with:

  • ./mach static-analysis check --outgoing (C/C++)

If you see a problem in this automated review, please report it here.

You can view these defects in the Diff Detail section of Phabricator diff 741433.

freddyb accepted this revision.Jul 13 2023, 12:56 PM
freddyb added a project: testing-approved.
freddyb added inline comments.
dom/security/nsCSPContext.cpp
654–663

Can you give an example of a failing tests case?

dom/security/nsCSPUtils.cpp
1131

Nit: Could you break once you have found a single occurrence?

This revision is now accepted and ready to land.Jul 13 2023, 12:56 PM
tschuster added inline comments.Jul 14 2023, 12:31 PM
dom/security/nsCSPContext.cpp
654–663

Good question. We fail /content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html and /content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html with

  • Script injected via appendChild populated via textContent is allowed with strict-dynamic
  • Script injected via appendChild populated via textContent is allowed with strict-dynamic, even if it carries an incorrect nonce.
dom/security/nsCSPUtils.cpp
1131

No, because we still need to collect all hashes in the directive even after find an instance of 'strict-dynamic'.

tschuster updated this revision to Diff 742440.Jul 14 2023, 1:20 PM
Harbormaster completed remote builds in B559364: Diff 742440.Jul 14 2023, 1:20 PM
tschuster updated this revision to Diff 744095.Jul 19 2023, 9:51 AM
Harbormaster completed remote builds in B560693: Diff 744095.Jul 19 2023, 9:51 AM
tschuster updated this revision to Diff 745155.Jul 21 2023, 11:46 AM
Harbormaster completed remote builds in B561583: Diff 745155.Jul 21 2023, 11:46 AM
Closed by commit rMOZILLACENTRAL7cab9a1ea25f: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb (authored by tschuster). · Explain WhyJul 21 2023, 12:38 PM
This revision was automatically updated to reflect the committed changes.
tschuster added a commit: rMOZILLACENTRAL7cab9a1ea25f: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb.
sstanca reopened this revision.Jul 21 2023, 2:48 PM
This revision is now accepted and ready to land.Jul 21 2023, 2:48 PM
sstanca added a reverting change: rMOZILLACENTRALd7abb2ee50b5: Backed out 6 changesets (bug 1313937, bug 1843066, bug 1843002) for causing….Jul 21 2023, 2:48 PM
tschuster updated this revision to Diff 745401.Jul 21 2023, 3:32 PM
Harbormaster completed remote builds in B561806: Diff 745401.Jul 21 2023, 3:32 PM
tschuster updated this revision to Diff 745459.Jul 21 2023, 5:26 PM
Harbormaster completed remote builds in B561849: Diff 745459.Jul 21 2023, 5:26 PM
Closed by commit rMOZILLACENTRAL28cf03c9738a: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb (authored by tschuster). · Explain WhyJul 21 2023, 5:56 PM
This revision was automatically updated to reflect the committed changes.
tschuster added a commit: rMOZILLACENTRAL28cf03c9738a: Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r=freddyb.
Harbormaster completed remote builds in B561994: Diff 745476.Jul 24 2023, 5:23 PM

Revision Contents
Changeset List

PathSize
dom/
security/
42 lines
47 lines
39 lines
162 lines
test/
gtest/
2 lines
testing/
web-platform/
meta/
content-security-policy/
default-src/

Diff 745401

View Options

dom/security/nsCSPContext.cpp

Loading...
View Options

dom/security/nsCSPParser.cpp

Loading...
View Options

dom/security/nsCSPUtils.h

Loading...
View Options

dom/security/nsCSPUtils.cpp

Loading...
View Options

dom/security/test/gtest/TestCSPParser.cpp

Loading...
View Options

testing/web-platform/meta/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html.ini

Loading...
Privacy · Cookies · Legal