Bug 1931288 - Implement EnsureCSPDoesNotBlockStringCompilation as per CSP spec. r=smaug,tschuster

See https://w3c.github.io/webappsec-csp/#can-compile-strings Differential Revision: https://phabricator.services.mozilla.com/D229624
2024-12-13 08:54:53 +00:00
parent 0f0df595a9
commit 8a29748fb2
14 changed files with 231 additions and 293 deletions
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -475,6 +475,21 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(

  nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();

+  if (aKind == JS::RuntimeCode::JS) {
+    ErrorResult error;
+    bool areArgumentsTrusted = TrustedTypeUtils::
+        AreArgumentsTrustedForEnsureCSPDoesNotBlockStringCompilation(
+            cx, aCodeString, aCompilationType, aParameterStrings, aBodyString,
+            aParameterArgs, aBodyArg, error);
+    if (error.MaybeSetPendingException(cx)) {
+      return false;
+    }
+    if (!areArgumentsTrusted) {
+      *aOutCanCompileStrings = false;
+      return true;
+    }
+  }
+
  // Check if Eval is allowed per firefox hardening policy
  bool contextForbidsEval =
      (subjectPrincipal->IsSystemPrincipal() || XRE_IsE10sParentProcess());
--- a/caps/nsScriptSecurityManager.h
+++ b/caps/nsScriptSecurityManager.h
@@ -88,7 +88,7 @@ class nsScriptSecurityManager final : public nsIScriptSecurityManager {
  virtual ~nsScriptSecurityManager();

  // Decides, based on CSP, whether or not eval() and stuff can be executed.
-  static bool ContentSecurityPolicyPermitsJSAction(
+  MOZ_CAN_RUN_SCRIPT static bool ContentSecurityPolicyPermitsJSAction(
      JSContext* aCx, JS::RuntimeCode aKind, JS::Handle<JSString*> aCodeString,
      JS::CompilationType aCompilationType,
      JS::Handle<JS::StackGCVector<JSString*>> aParameterStrings,