# HG changeset patch
# User Jason Tarka <jason@tarka.ca>
# Date 1500315597 14400
#      Mon Aug 21 11:36:57 2017 -0400
# Node ID 804e848e3bab98f99c82012501ae1ed23afb274b
# Parent  a6a1f5c1d971dbee67ba6eec7ead7902351ddca2
Bug 1380755 - Examine & report on frame-ancestors CSP in report-only mode

Despite what the comment here says, there is nowhere in the W3C CSP spec stating
that frame-ancestors should be ignored in report-only mode.

diff -r a6a1f5c1d971 -r 804e848e3bab dom/security/nsCSPContext.cpp
--- a/dom/security/nsCSPContext.cpp	Thu Aug 17 16:16:51 2017 -0700
+++ b/dom/security/nsCSPContext.cpp	Mon Aug 21 11:36:57 2017 -0400
@@ -224,14 +224,6 @@
 
   nsAutoString violatedDirective;
   for (uint32_t p = 0; p < mPolicies.Length(); p++) {
-
-    // According to the W3C CSP spec, frame-ancestors checks are ignored for
-    // report-only policies (when "monitoring").
-    if (aDir == nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE &&
-        mPolicies[p]->getReportOnlyFlag()) {
-      continue;
-    }
-
     if (!mPolicies[p]->permits(aDir,
                                aContentLocation,
                                aNonce,
diff -r a6a1f5c1d971 -r 804e848e3bab dom/security/test/csp/file_bug1380755_child.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/csp/file_bug1380755_child.html	Mon Aug 21 11:36:57 2017 -0400
@@ -0,0 +1,10 @@
+<html>
+  <head>
+    <link rel='stylesheet' type='text/css'
+          href='/tests/dom/security/test/csp/file_CSP.sjs?testid=css_self&type=text/css' />
+
+  </head>
+  <body>
+    <img src="/tests/dom/security/test/csp/file_CSP.sjs?testid=img_self&type=img/png"> </img>
+  </body>
+</html>
diff -r a6a1f5c1d971 -r 804e848e3bab dom/security/test/csp/file_bug1380755_child.html^headers^
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/csp/file_bug1380755_child.html^headers^	Mon Aug 21 11:36:57 2017 -0400
@@ -0,0 +1,1 @@
+Content-Security-Policy-Report-Only: frame-ancestors 'none'; report-uri http://mochi.test:8888/foo.sjs
diff -r a6a1f5c1d971 -r 804e848e3bab dom/security/test/csp/mochitest.ini
--- a/dom/security/test/csp/mochitest.ini	Thu Aug 17 16:16:51 2017 -0700
+++ b/dom/security/test/csp/mochitest.ini	Mon Aug 21 11:36:57 2017 -0400
@@ -90,6 +90,8 @@
   file_bug941404.html
   file_bug941404_xhr.html
   file_bug941404_xhr.html^headers^
+  file_bug1380755_child.html
+  file_bug1380755_child.html^headers^
   file_hash_source.html
   file_dual_header_testserver.sjs
   file_hash_source.html^headers^
@@ -245,6 +247,7 @@
 [test_bug910139.html]
 [test_bug909029.html]
 [test_bug1229639.html]
+[test_bug1380755.html]
 [test_policyuri_regression_from_multipolicy.html]
 [test_nonce_source.html]
 [test_bug941404.html]
diff -r a6a1f5c1d971 -r 804e848e3bab dom/security/test/csp/test_bug1380755.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dom/security/test/csp/test_bug1380755.html	Mon Aug 21 11:36:57 2017 -0400
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for frame-ancestors support in Content-Security-Policy-Report-Only</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width: 100%" id="cspframe"></iframe>
+<script type="text/javascript">
+const docUri = "http://mochi.test:8888/tests/dom/security/test/csp/file_bug1380755_child.html";
+const frame = document.getElementById("cspframe");
+
+let testResults = {
+  reportFired: false,
+  frameLoaded: false
+};
+
+function checkResults(reportObj) {
+  let cspReport = reportObj["csp-report"];
+  
+  is(cspReport["document-uri"], docUri, "Incorrect document-uri");
+
+  // we can not test for the whole referrer since it includes platform specific information
+  is(cspReport["referrer"], document.location.toString(), "Incorrect referrer");
+
+  is(cspReport["blocked-uri"], document.location.toString(), "Incorrect blocked-uri");
+
+  is(cspReport["violated-directive"], "frame-ancestors 'none'", "Incorrect violated-directive");
+
+  is(cspReport["original-policy"], "frame-ancestors 'none'; report-uri http://mochi.test:8888/foo.sjs",
+     "Incorrect original-policy");
+     
+  testResults.reportFired = true;
+}
+
+let chromeScriptUrl = SimpleTest.getTestFileURL("file_report_chromescript.js");
+let script = SpecialPowers.loadChromeScript(chromeScriptUrl);
+
+script.addMessageListener('opening-request-completed', function ml(msg) {
+  if (msg.error) {
+    ok(false, "Could not query report (exception: " + msg.error + ")");
+  } else {
+    try {
+      var reportObj = JSON.parse(msg.report);
+    } catch (e) {
+      ok(false, "Could not parse JSON (exception: " + e + ")");
+    }
+    try {
+      // test for the proper values in the report object
+      checkResults(reportObj);
+    } catch (e) {
+      ok(false, "Could not query report (exception: " + e + ")");
+    }
+  }
+
+  script.removeMessageListener('opening-request-completed', ml);
+  script.sendAsyncMessage("finish");
+  checkTestResults();
+});
+
+frame.addEventListener( 'load', () => {
+  // Make sure the frame is still loaded
+  testResults.frameLoaded = true;
+  checkTestResults()
+} );
+
+function checkTestResults() {
+  if( testResults.reportFired && testResults.frameLoaded ) {
+    SimpleTest.finish();
+  }
+}
+
+SimpleTest.waitForExplicitFinish();
+frame.src = docUri;
+
+</script>
+</body>
+</html>