Bug 1647825 - Part 2: Report the XFO and CSP: frame-ancestors error through the telemetry event. r=ckerschb,chutten,nhnt11

After user ticks the checkbox of allowing error reporting, we will report the error through the telemetry event. The event includes the error type, XFO policy, CSP policy, the frame uri and the top-level uri. Differential Revision: https://phabricator.services.mozilla.com/D82332
2020-07-22 15:12:38 +00:00
parent 84aff40d04
commit a75523fa49
6 changed files with 192 additions and 0 deletions
--- a/browser/base/content/aboutNetError.js
+++ b/browser/base/content/aboutNetError.js
@@ -480,6 +480,52 @@ function setupBlockingReportingUI() {
  }

  showBlockingErrorReporting();
+
+  if (reportingAutomatic) {
+    reportBlockingError();
+  }
+}
+
+function reportBlockingError() {
+  // We only report if we are in a frame.
+  if (window === window.top) {
+    return;
+  }
+
+  let err = getErrorCode();
+  // Ensure we only deal with XFO and CSP here.
+  if (!["xfoBlocked", "cspBlocked"].includes(err)) {
+    return;
+  }
+
+  let xfo_header = RPMGetHttpResponseHeader("X-Frame-Options");
+  let csp_header = RPMGetHttpResponseHeader("Content-Security-Policy");
+
+  // Extract the 'CSP: frame-ancestors' from the CSP header.
+  let reg = /(?:^|\s)frame-ancestors\s([^;]*)[$]*/i;
+  let match = reg.exec(csp_header);
+  csp_header = match ? match[1] : "";
+
+  // If it's the csp error page without the CSP: frame-ancestors, this means
+  // this error page is not triggered by CSP: frame-ancestors. So, we bail out
+  // early.
+  if (err === "cspBlocked" && !csp_header) {
+    return;
+  }
+
+  let xfoAndCspInfo = {
+    error_type: err === "xfoBlocked" ? "xfo" : "csp",
+    xfo_header,
+    csp_header,
+  };
+
+  RPMSendAsyncMessage("ReportBlockingError", {
+    scheme: document.location.protocol,
+    host: document.location.host,
+    port: parseInt(document.location.port) || -1,
+    path: document.location.pathname,
+    xfoAndCspInfo,
+  });
 }

 function onSetAutomatic(checked) {
@@ -501,6 +547,11 @@ function onSetAutomatic(checked) {

 function onSetBlockingReportAutomatic(checked) {
  RPMSetBoolPref("security.xfocsp.errorReporting.automatic", checked);
+
+  // If we're enabling reports, send a report for this failure.
+  if (checked) {
+    reportBlockingError();
+  }
 }

 async function setNetErrorMessageFromCode() {