Bug 1564527 - Enable AssertEvalNotUsingSystemPrincipal on Nightly builds r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D37460
2019-07-18 18:22:06 +00:00
parent ee745352ec
commit b3804d474c
4 changed files with 21 additions and 10 deletions
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -400,7 +400,7 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
    JSContext* cx, JS::HandleValue aValue) {
  MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
-#if defined(DEBUG) && !defined(ANDROID)
+#if !defined(ANDROID) && (defined(NIGHTLY_BUILD) || defined(DEBUG))
  nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
  nsContentSecurityManager::AssertEvalNotUsingSystemPrincipal(subjectPrincipal,
                                                              cx);
--- a/dom/security/CSPEvalChecker.cpp
+++ b/dom/security/CSPEvalChecker.cpp
@@ -31,7 +31,7 @@ nsresult CheckInternal(nsIContentSecurityPolicy* aCSP,
  MOZ_ASSERT(NS_IsMainThread());
  MOZ_ASSERT(aAllowed);
-#if defined(DEBUG) && !defined(ANDROID)
+#if !defined(ANDROID) && (defined(NIGHTLY_BUILD) || defined(DEBUG))
  JSContext* cx = nsContentUtils::GetCurrentJSContext();
  nsContentSecurityManager::AssertEvalNotUsingSystemPrincipal(aSubjectPrincipal,
                                                              cx);
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -201,27 +201,30 @@ void nsContentSecurityManager::AssertEvalNotUsingSystemPrincipal(
    return;
  }
  nsAutoCString fileName;
  JS::AutoFilename scriptFilename;
  if (JS::DescribeScriptedCaller(cx, &scriptFilename)) {
-    nsDependentCSubstring fileName(scriptFilename.get(),
+    nsDependentCSubstring fileName_(scriptFilename.get(),
                                    strlen(scriptFilename.get()));
-
+    ToLowerCase(fileName_);
    ToLowerCase(fileName);
    // Extract file name alone if scriptFilename contains line number
    // separated by multiple space delimiters in few cases.
-    int32_t fileNameIndex = fileName.FindChar(' ');
+    int32_t fileNameIndex = fileName_.FindChar(' ');
    if (fileNameIndex != -1) {
-      fileName.SetLength(fileNameIndex);
+      fileName_.SetLength(fileNameIndex);
    }
    for (const nsLiteralCString& whitelistEntry : evalWhitelist) {
-      if (fileName.Equals(whitelistEntry)) {
+      if (fileName_.Equals(whitelistEntry)) {
        return;
      }
    }
    fileName = fileName_;
  }
-  MOZ_ASSERT(false, "do not use eval with system privileges");
+  MOZ_CRASH_UNSAFE_PRINTF("do not use eval with system privileges: %s",
                          fileName.get());
 }
 /* static */
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2453,6 +2453,14 @@ pref("csp.overrule_about_uris_without_csp_whitelist", false);
 pref("csp.skip_about_page_has_csp_assert", false);
 #endif
 #if !defined(ANDROID)
 #if defined(NIGHTLY_BUILD) || defined(DEBUG)
 // assertion flag will be set to false after fixing Bug 1473549
 pref("security.allow_eval_with_system_principal", false);
 pref("security.uris_using_eval_with_system_principal", "autocomplete.xml,redux.js,react-redux.js,content-task.js,lodash.js,jszip.js,sinon-7.2.7.js,ajv-4.1.1.js,jsol.js");
 #endif
 #endif
 #ifdef EARLY_BETA_OR_EARLIER
 // Disallow web documents loaded with the SystemPrincipal
 pref("security.disallow_non_local_systemprincipal_in_tests", false);