Closed Bug 515433 Opened 16 years ago Closed 16 years ago

(CSP) Implement core CSP elements

Categories

(Core :: DOM: Core & HTML, enhancement, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1

People

(Reporter: geekboy, Assigned: geekboy)

References

(Blocks 1 open bug,
URL
)

Details

Attachments

(1 file, 8 obsolete files)

CSP Core Modules (v7.6) [Checkin: Comment 17]
83.55 KB, patch
dveditz
: review+
geekboy
: superreview+
Details | Diff | Splinter Review
Attached patch Core CSP modules (obsolete) — Splinter Review
In splitting CSP into manageable pieces, this is the core of CSP upon which all other parts will depend. It includes the parser and model data structure for policy representation. This core piece shouldn't affect the operation of other Mozilla code, but simply provide structures and interfaces for CSP. Initial patch (including some xpcshell unit tests) is attached.
Blocks: 515437
Severity: normal → enhancement
Attached patch CSP Core Modules (v7) (obsolete) — Splinter Review
Core modules for version 7 of CSP patch. Updated in this version: - all violation reports are triggered inside the contentSecurityPolicy.js XPCOM component (not from outside)
Attachment #399517 - Attachment is obsolete: true
Blocks: 515797
Attached patch CSP Core Modules (v7.1) (obsolete) — Splinter Review
Fixed a problem where directives would think they're implicit (not stated in the HTTP header, but rather calculated) when they really aren't.
Attachment #401109 - Attachment is obsolete: true
Attachment #402241 - Flags: review?(jst)
Attached patch CSP Core Modules (v7.2) (obsolete) — Splinter Review
Misc. bug fixes in this version. Brought in support for the observer topic.
Attachment #402241 - Attachment is obsolete: true
Attachment #402241 - Flags: review?(jst)
Attachment #403664 - Flags: review?(jst)
Depends on: 520959
Attached patch CSP Core Modules (v7.3) (obsolete) — Splinter Review
Fixed some dotless hosts parsing issues and basics.
Attachment #403664 - Attachment is obsolete: true
Attachment #407903 - Flags: review?(mrbkap)
Attachment #403664 - Flags: review?(jst)
Depends on: 524066
Comment on attachment 407903 [details] [diff] [review] CSP Core Modules (v7.3) Some comments: * I'm not well versed in JS style, but I prefer overbraced if statements and spaces after 'if' and 'while'. * On the same vain spaces after open parens and before close parens are generally eschewed. * There are a few uses of == when === would work. * You use 'with' for (as far as I can tell) two identifiers. Please spell out the common identifier. * In CSPSource.create, the aData instanceof CSPSource case doesn't return a source (it clones one and then returns null). * strings have a .trim function, no need for the two .replace calls with regexps.
Attachment #407903 - Flags: review?(mrbkap) → review+
(In reply to comment #5) > * I'm not well versed in JS style, but I prefer overbraced if statements and > spaces after 'if' and 'while'. I don't think this is a common JS style. I'm trying to think of idiomatic code I've seen that does this, and I can only come up with C++, not with JS, which is perhaps notable because that JS isn't limited to just Mozilla's JS. > * You use 'with' for (as far as I can tell) two identifiers. Please spell out > the common identifier. Adding a little more detail, |with| causes any function which contains it to be deoptimized, because name lookups inside the body of the |with| can't be fast-pathed as accessing arguments, local variables, global variables, etc. Abbreviation doesn't have this characteristic.
(In reply to comment #6) > (In reply to comment #5) > > * I'm not well versed in JS style, but I prefer overbraced if statements and > > spaces after 'if' and 'while'. > > I don't think this is a common JS style. Er, I referred only to overbracing there. |if (foo)| and |while (foo)| and |for (var i in o)| and |for (var i = 0; i < n; i++)| and |do { } while (foo)| all have spaces between keyword and parenthesis in the most common Mozilla JS style. (I'm not sure if I've seen the cramped-spacing style in Mozilla JS, to be honest.)
Attached patch CSP Core Modules (v7.4) (obsolete) — Splinter Review
> * I'm not well versed in JS style, but I prefer overbraced > if statements and spaces after 'if' and 'while'. > * On the same vain spaces after open parens and before > close parens are generally eschewed. I updated the bracing to be more uniform in the files and also fixed spacing after keywords and within parens. > * You use 'with' for (as far as I can tell) two identifiers. > Please spell out the common identifier. Not sure why I was using with() ... un-with()'ed it. > * In CSPSource.create, the aData instanceof CSPSource case > doesn't return a source (it clones one and then returns null). Good catch. I must have stopped working on that mid-thought. Fixed. > * strings have a .trim function, no need for the two > .replace calls with regexps. I think I got them all. This is new in 1.9.0, right? The version of smjs I have installed on my desktop must be the old one, for it doesn't know about trim(). I fixed a couple of minor bugs in this patch update including: * Reports were not being sent out because of a parsing issue (well, intersecting issue that ignored the report-uri directive). That's fixed now. * ports are inherited differently (minor logical change in the parser for source expressions). I requested sr=?mrbkap because of the IDL. I don't think this new interface will change any existing stuff, but I want to make sure it's looked at carefully. Thanks for the review!
Attachment #407903 - Attachment is obsolete: true
Attachment #419332 - Flags: superreview?(mrbkap)
Attachment #419332 - Flags: review+
Comment on attachment 419332 [details] [diff] [review] CSP Core Modules (v7.4) Flipping the superreview over to jst since mrbkap did the initial review.
Attachment #419332 - Flags: superreview?(mrbkap) → superreview?(jst)
Attached patch core 7.4 adjustment (obsolete) — Splinter Review
This tiny patch should be added on top of csp-core v7.4 to fix some major report bustage that becomes evident in later mochitests.
Attachment #420376 - Flags: review?(jst)
> Created an attachment (id=420376) [details] > core 7.4 adjustment One of the hunks (js/src/jsobj.cpp) will fail in that patch, just ignore the failed hunk, it's not important for this change anyway. (That's what I get for hastily uploading a patch!)
Status: NEW → ASSIGNED
Looks like the adjustment patch missed a small bug: content/base/src/contentSecurityPolicy.js:268 " <blocked-uri>" + blockedUri + "</blocked-uri>\n" + should check the type of blockedUri first (could be string or nsIURI): " <blocked-uri>" + (typeof blockedUri === "nsIURI" ? blockedUri.asciiSpec : blockedUri) + "</blocked-uri>\n" + blockedUri is a string when the URI is "self", such as when a base restriction is violated.
Comment on attachment 419332 [details] [diff] [review] CSP Core Modules (v7.4) Looks good!
Attachment #419332 - Flags: superreview?(jst) → superreview+
Attachment #420376 - Flags: review?(jst) → review+
Attached patch CSP Core Modules (v7.5) (obsolete) — Splinter Review
Minor tweaks as requested by reviewers, and ready to land. Carried over the r+ and sr+ from mrbkap and jst.
Attachment #419332 - Attachment is obsolete: true
Attachment #420376 - Attachment is obsolete: true
Attachment #421172 - Flags: superreview+
Attachment #421172 - Flags: review+
Moved IContentSecurityPolicy into the mozilla namespace (nsIContentSecurityPolicy). https://bugzilla.mozilla.org/show_bug.cgi?id=515437#c14 Also properly unwrap "blockedUri" when it's an nsIURI in sendReports (was using typeof and === instead of instanceof, and the type comparison wasn't working right).
Attachment #421172 - Attachment is obsolete: true
Attachment #422647 - Flags: superreview+
Attachment #422647 - Flags: review?(dveditz)
Comment on attachment 422647 [details] [diff] [review] CSP Core Modules (v7.6) [Checkin: Comment 17] r=dveditz on the incremental change
Attachment #422647 - Flags: review?(dveditz) → review+
Comment on attachment 422647 [details] [diff] [review] CSP Core Modules (v7.6) [Checkin: Comment 17] http://hg.mozilla.org/mozilla-central/rev/c551e8a012d7
Attachment #422647 - Attachment description: CSP Core Modules (v7.6) → CSP Core Modules (v7.6) [Checkin: Comment 17]
Checked-in yesterday
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Target Milestone: --- → mozilla1.9.3a1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: