Bug 1254194: Apply a content security policy to all WebExtension docu…

…ments. r=gabor MozReview-Commit-ID: HsFFbWdq00b --HG-- extra : rebase_source : 07e4b6ec8c32f696d5b5987091ffc5ebde2c3061 extra : histedit_source : 20983fe6a9590d7f410276fac248c3d2f711caaa
mozilla-b2g · Apr 24, 2016 · 6d36833 · 6d36833
1 parent 623a4f8
commit 6d36833
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/caps/BasePrincipal.cpp b/caps/BasePrincipal.cpp
@@ -515,6 +515,13 @@ BasePrincipal::GetAppId(uint32_t* aAppId)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+BasePrincipal::GetAddonId(nsAString& aAddonId)
+{
+  aAddonId.Assign(mOriginAttributes.mAddonId);
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 BasePrincipal::GetUserContextId(uint32_t* aUserContextId)
 {

diff --git a/caps/BasePrincipal.h b/caps/BasePrincipal.h
@@ -215,6 +215,7 @@ class BasePrincipal : public nsJSPrincipals
   NS_IMETHOD GetOriginSuffix(nsACString& aOriginSuffix) final;
   NS_IMETHOD GetAppStatus(uint16_t* aAppStatus) final;
   NS_IMETHOD GetAppId(uint32_t* aAppStatus) final;
+  NS_IMETHOD GetAddonId(nsAString& aAddonId) final;
   NS_IMETHOD GetIsInIsolatedMozBrowserElement(bool* aIsInIsolatedMozBrowserElement) final;
   NS_IMETHOD GetUnknownAppId(bool* aUnknownAppId) final;
   NS_IMETHOD GetUserContextId(uint32_t* aUserContextId) final;

diff --git a/caps/nsIPrincipal.idl b/caps/nsIPrincipal.idl
@@ -295,6 +295,11 @@ interface nsIPrincipal : nsISerializable
      */
     [infallible] readonly attribute unsigned long appId;
 
+    /**
+     * Gets the ID of the add-on this principal belongs to.
+     */
+    readonly attribute AString addonId;
+
     /**
      * Gets the id of the user context this principal is inside.  If this
      * principal is inside the default userContext, this returns

diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
@@ -200,6 +200,7 @@
 #include "imgRequestProxy.h"
 #include "nsWrapperCacheInlines.h"
 #include "nsSandboxFlags.h"
+#include "nsIAddonPolicyService.h"
 #include "nsIAppsService.h"
 #include "mozilla/dom/AnimatableBinding.h"
 #include "mozilla/dom/AnonymousContent.h"
@@ -2814,12 +2815,18 @@ nsDocument::InitCSP(nsIChannel* aChannel)
     }
   }
 
- // Check if this is part of the Loop/Hello service
- bool applyLoopCSP = IsLoopDocument(aChannel);
+  // Check if this is a document from a WebExtension.
+  nsString addonId;
+  principal->GetAddonId(addonId);
+  bool applyAddonCSP = !addonId.IsEmpty();
+
+  // Check if this is part of the Loop/Hello service
+  bool applyLoopCSP = IsLoopDocument(aChannel);
 
   // If there's no CSP to apply, go ahead and return early
   if (!applyAppDefaultCSP &&
       !applyAppManifestCSP &&
+      !applyAddonCSP &&
       !applyLoopCSP &&
       cspHeaderValue.IsEmpty() &&
       cspROHeaderValue.IsEmpty()) {
@@ -2877,6 +2884,22 @@ nsDocument::InitCSP(nsIChannel* aChannel)
     csp->AppendPolicy(appManifestCSP, false, false);
   }
 
+  // ----- if the doc is an addon, apply its CSP.
+  if (applyAddonCSP) {
+    nsCOMPtr<nsIAddonPolicyService> aps = do_GetService("@mozilla.org/addons/policy-service;1");
+
+    nsAutoString addonCSP;
+    rv = aps->GetBaseCSP(addonCSP);
+    if (NS_SUCCEEDED(rv)) {
+      csp->AppendPolicy(addonCSP, false, false);
+    }
+
+    rv = aps->GetAddonCSP(addonId, addonCSP);
+    if (NS_SUCCEEDED(rv)) {
+      csp->AppendPolicy(addonCSP, false, false);
+    }
+  }
+
   // ----- if the doc is part of Loop, apply the loop CSP
   if (applyLoopCSP) {
     nsAdoptingString loopCSP;