Bug 1668071: Use Principal URI instead of document URI when doing CSP frame-ancestors checks so origins which inherit the security context work correctly. r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D93214

Author: Christoph Kerschbaumer

dom/security/nsCSPContext.cpp

@@ -1550,7 +1550,7 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
   nsCOMPtr<nsIURI> uriClone;
 
   while (ctx) {
-    nsCOMPtr<nsIURI> currentURI;
+    nsCOMPtr<nsIPrincipal> currentPrincipal;
     // Generally permitsAncestry is consulted from within the
     // DocumentLoadListener in the parent process. For loads of type object
     // and embed it's called from the Document in the content process.
@@ -1559,28 +1559,37 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
     if (XRE_IsParentProcess()) {
       WindowGlobalParent* window = ctx->Canonical()->GetCurrentWindowGlobal();
       if (window) {
-        currentURI = window->GetDocumentURI();
+        // Using the URI of the Principal and not the document because e.g.
+        // about:blank inherits the principal and hence the URI of the
+        // document does not reflect the security context of the document.
+        currentPrincipal = window->DocumentPrincipal();
       }
     } else if (nsPIDOMWindowOuter* windowOuter = ctx->GetDOMWindow()) {
-      currentURI = windowOuter->GetDocumentURI();
+      currentPrincipal = nsGlobalWindowOuter::Cast(windowOuter)->GetPrincipal();
     }
 
-    if (currentURI) {
-      nsAutoCString spec;
-      currentURI->GetSpec(spec);
-      // delete the userpass from the URI.
-      rv = NS_MutateURI(currentURI)
-               .SetRef(""_ns)
-               .SetUserPass(""_ns)
-               .Finalize(uriClone);
-
-      // If setUserPass fails for some reason, just return a clone of the
-      // current URI
-      if (NS_FAILED(rv)) {
-        rv = NS_GetURIWithoutRef(currentURI, getter_AddRefs(uriClone));
-        NS_ENSURE_SUCCESS(rv, rv);
+    if (currentPrincipal) {
+      nsCOMPtr<nsIURI> currentURI;
+      auto* currentBasePrincipal = BasePrincipal::Cast(currentPrincipal);
+      currentBasePrincipal->GetURI(getter_AddRefs(currentURI));
+
+      if (currentURI) {
+        nsAutoCString spec;
+        currentURI->GetSpec(spec);
+        // delete the userpass from the URI.
+        rv = NS_MutateURI(currentURI)
+                 .SetRef(""_ns)
+                 .SetUserPass(""_ns)
+                 .Finalize(uriClone);
+
+        // If setUserPass fails for some reason, just return a clone of the
+        // current URI
+        if (NS_FAILED(rv)) {
+          rv = NS_GetURIWithoutRef(currentURI, getter_AddRefs(uriClone));
+          NS_ENSURE_SUCCESS(rv, rv);
+        }
+        ancestorsArray.AppendElement(uriClone);
       }
-      ancestorsArray.AppendElement(uriClone);
     }
     ctx = ctx->GetParent();
   }

dom/security/test/csp/file_csp_frame_ancestors_about_blank.html

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Helper file for Bug 1668071 - CSP frame-ancestors in about:blank</title>
+</head>
+<body>
+  CSP frame-ancestors in about:blank
+</body>
+</html>

dom/security/test/csp/file_csp_frame_ancestors_about_blank.html^headers^

@@ -0,0 +1,2 @@
+Cache-Control: no-cache
+Content-Security-Policy: frame-ancestors http://mochi.test:8888

dom/security/test/csp/mochitest.ini

@@ -433,3 +433,7 @@ support-files =
   file_upgrade_insecure_navigation_redirect_same_origin.html
   file_upgrade_insecure_navigation_redirect_cross_origin.html
 [test_csp_style_src_empty_hash.html]
+[test_csp_frame_ancestors_about_blank.html]
+support-files =
+  file_csp_frame_ancestors_about_blank.html
+  file_csp_frame_ancestors_about_blank.html^headers^

dom/security/test/csp/test_csp_frame_ancestors_about_blank.html

@@ -0,0 +1,59 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1668071 - CSP frame-ancestors in about:blank</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We dynamically load an about:blank iframe which then loads a testframe
+ * including a CSP frame-ancestors directive which matches the including
+ * security context. We make sure that we not incorrectly block on
+ * about:blank which should inherit the security context.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+let aboutBlankFrame = document.createElement("iframe");
+document.body.appendChild(aboutBlankFrame);
+
+aboutBlankFrame.onload = function() {
+  ok(true, "aboutBlankFrame onload should fire");
+  let aboutBlankDoc = aboutBlankFrame.contentDocument;
+  is(aboutBlankDoc.documentURI, "about:blank",
+    "sanity: aboutBlankFrame URI should be about:blank");
+
+  let testframe = aboutBlankDoc.createElement("iframe");
+  aboutBlankDoc.body.appendChild(testframe);
+  testframe.onload = function() {
+    ok(true, "testframe onload should fire");
+    let testDoc = SpecialPowers.wrap(testframe.contentDocument);
+    ok(testDoc.documentURI.endsWith("file_csp_frame_ancestors_about_blank.html"),
+       "sanity: document in testframe should be the testfile");
+
+    let cspJSON = testDoc.cspJSON;
+    ok(cspJSON.includes("frame-ancestors"), "found frame-ancestors directive");
+    ok(cspJSON.includes("http://mochi.test:8888"), "found frame-ancestors value");
+
+    SimpleTest.finish();
+  }
+
+  testframe.onerror = function() {
+    ok(false, "testframe onerror should not fire");
+  }
+  testframe.src = "file_csp_frame_ancestors_about_blank.html";
+}
+
+aboutBlankFrame.onerror = function() {
+  ok(false, "aboutBlankFrame onerror should not be called");
+}
+aboutBlankFrame.src = "about:blank";
+
+</script>
+</body>
+</html>