# HG changeset patch # User Alexandre Poirot Bug 949549 - Ensure that CSP warnings reach webconsole for document hosted on app:// protocol. r=sstamm
diff --git a/content/base/public/nsIContentSecurityPolicy.idl b/content/base/public/nsIContentSecurityPolicy.idl
index 470f580..5e56e35 100644
--- a/content/base/public/nsIContentSecurityPolicy.idl
+++ b/content/base/public/nsIContentSecurityPolicy.idl
@@ -1,26 +1,26 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsISupports.idl" interface nsIURI;
-interface nsIHttpChannel;
+interface nsIChannel;
 interface nsIDocShell; /** * nsIContentSecurityPolicy * Describes an XPCOM component used to model and enforce CSPs. Instances of * this class may have multiple policies within them, but there should only be * one of these per document/principal. */
-[scriptable, uuid(ff46c14e-5b2d-4aca-8961-d0b0d987cb81)]
+[scriptable, uuid(2e7875a3-8cb5-4ebb-905b-af0a90dae594)]
 interface nsIContentSecurityPolicy : nsISupports { /** * Set to true when the CSP has been read in and parsed and is ready to * enforce. This is a barrier for the nsDocument so it doesn't load any * sub-content until either it knows that a CSP is ready or will not be used. */
@@ -178,17 +178,17 @@ interface nsIContentSecurityPolicy : nsISupports
 const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5; const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6; const unsigned short VIOLATION_TYPE_HASH_STYLE = 7; /** * Called after the CSP object is created to fill in the appropriate request * and request header information needed in case a report needs to be sent. */
- void scanRequestData(in nsIHttpChannel aChannel);
+ void scanRequestData(in nsIChannel aChannel);
 /** * Verifies ancestry as permitted by the policy. * * NOTE: Calls to this may trigger violation reports when queried, so this * value should not be cached. * * @param docShell
diff --git a/content/base/src/contentSecurityPolicy.js b/content/base/src/contentSecurityPolicy.js
index 6a02fbc..adcfb94 100644
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@@ -359,17 +359,17 @@ ContentSecurityPolicy.prototype = {
 this._request = uri.asciiSpec; this._requestOrigin = uri; //store a reference to the principal, that can later be used in shouldLoad this._weakRequestPrincipal = Cu.getWeakReference(Cc["@mozilla.org/scriptsecuritymanager;1"] .getService(Ci.nsIScriptSecurityManager) .getChannelPrincipal(aChannel));
- if (aChannel.referrer) {
+ if (aChannel instanceof Ci.nsIHttpChannel && aChannel.referrer) {
 let referrer = aChannel.referrer.cloneIgnoringRef(); try { // GetUserPass throws for some protocols without userPass referrer.userPass = ''; } catch (ex) {} this._referrer = referrer.asciiSpec; } },
diff --git a/content/base/src/nsDocument.cpp b/content/base/src/nsDocument.cpp
index 71bdb61..49004fd 100644
--- a/content/base/src/nsDocument.cpp
+++ b/content/base/src/nsDocument.cpp
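Review bot: The doc comment above `scanRequestData` in nsIContentSecurityPolicy.idl still promises "request and request header information" without qualification, although the parameter is now any `nsIChannel`. The contentSecurityPolicy.js hunk shows the referrer is only read when the channel is also an `nsIHttpChannel`, so callers handing in an app:// channel should be told what ends up in a violation report. I would add `@param aChannel The document's channel; the referrer is recorded only when it also implements nsIHttpChannel.` to that comment.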
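Review bot: When the channel is not an `nsIHttpChannel`, the new guard `aChannel instanceof Ci.nsIHttpChannel && aChannel.referrer` in contentSecurityPolicy.js skips the whole block, so `this._referrer` keeps whatever value it had before the call. The function starts outside this hunk, so an earlier reset may exist. If there is none, a report for an app:// document could carry an undefined or stale referrer. Assigning it explicitly before the check, `this._referrer = "";`, would make the non-HTTP case deterministic. A short comment such as `// only HTTP channels expose a referrer` on the guard would also record why the type test is there.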
@@ -2686,17 +2686,17 @@ nsDocument::InitCSP(nsIChannel* aChannel)
 return rv; } // used as a "self" identifier for the CSP. nsCOMPtr selfURI; aChannel->GetURI(getter_AddRefs(selfURI)); // Store the request context for violation reports
- csp->ScanRequestData(httpChannel);
+ csp->ScanRequestData(aChannel);
 // ----- if the doc is an app and we want a default CSP, apply it. if (applyAppDefaultCSP) { nsAdoptingString appCSP; if (appStatus == nsIPrincipal::APP_STATUS_PRIVILEGED) { appCSP = Preferences::GetString("security.apps.privileged.CSP.default"); NS_ASSERTION(appCSP, "App, but no default CSP in security.apps.privileged.CSP.default"); } else if (appStatus == nsIPrincipal::APP_STATUS_CERTIFIED) {
diff --git a/content/base/test/mochitest.ini b/content/base/test/mochitest.ini
index 25ffa92..e9b4ebc 100644
--- a/content/base/test/mochitest.ini
+++ b/content/base/test/mochitest.ini
@@ -576,8 +576,9 @@ support-files =
 [test_xbl_userdata.xhtml] [test_xhr_abort_after_load.html] [test_xhr_forbidden_headers.html] [test_xhr_progressevents.html] [test_xhr_send_readystate.html] [test_xhr_withCredentials.html] [test_file_from_blob.html] [test_warning_for_blocked_cross_site_request.html]
+[test_bug949549.html]
diff --git a/content/base/test/test_bug949549.html b/content/base/test/test_bug949549.html
new file mode 100644
index 0000000..8d4e71c
--- /dev/null
+++ b/content/base/test/test_bug949549.html
@@ -0,0 +1,68 @@
+ + + + Test for Bug 949549 + + + + +Mozilla Bug 949549 + +
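Review bot: The result of `csp->ScanRequestData(aChannel)` in nsDocument::InitCSP is discarded, and after this change the call also runs for non-HTTP channels such as app://. If the script-implemented method fails there (it calls `getChannelPrincipal(aChannel)`, per the contentSecurityPolicy.js hunk), the CSP silently proceeds without request context for its violation reports. I would capture it with `rv = csp->ScanRequestData(aChannel);` and follow with `NS_ENSURE_SUCCESS(rv, rv);`, or at least an `NS_WARNING` if failing the load is considered too strict. It is also worth confirming that the `httpChannel` local is still used elsewhere, since InitCSP begins and ends outside this hunk.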
+
+
+ +