Bug 1289085: CSP - Bail early if referrer directive has no valid src.…

… r=dveditz
dothq · Jul 31, 2016 · ec59af8 · ec59af8
1 parent 4e75fef
commit ec59af8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
@@ -901,27 +901,30 @@ nsCSPParser::sourceList(nsTArray<nsCSPBaseSrc*>& outSrcs)
 }
 
 void
-nsCSPParser::referrerDirectiveValue()
+nsCSPParser::referrerDirectiveValue(nsCSPDirective* aDir)
 {
   // directive-value   = "none" / "none-when-downgrade" / "origin" / "origin-when-cross-origin" / "unsafe-url"
   // directive name is token 0, we need to examine the remaining tokens (and
   // there should only be one token in the value).
   CSPPARSERLOG(("nsCSPParser::referrerDirectiveValue"));
 
-  if (mCurDir.Length() > 2) {
-    CSPPARSERLOG(("Too many tokens in referrer directive, got %d expected 1",
+  if (mCurDir.Length() != 2) {
+    CSPPARSERLOG(("Incorrect number of tokens in referrer directive, got %d expected 1",
                  mCurDir.Length() - 1));
+    delete aDir;
     return;
   }
 
   if (!mozilla::net::IsValidReferrerPolicy(mCurDir[1])) {
     CSPPARSERLOG(("invalid value for referrer directive: %s",
                   NS_ConvertUTF16toUTF8(mCurDir[1]).get()));
+    delete aDir;
     return;
   }
 
   // the referrer policy is valid, so go ahead and use it.
   mPolicy->setReferrerPolicy(&mCurDir[1]);
+  mPolicy->addDirective(aDir);
 }
 
 void
@@ -1043,13 +1046,6 @@ nsCSPParser::directiveValue(nsTArray<nsCSPBaseSrc*>& outSrcs)
     return;
   }
 
-  // special case handling of the referrer directive (since it doesn't contain
-  // source lists)
-  if (CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
-    referrerDirectiveValue();
-    return;
-  }
-
   // For the sandbox flag the source list is a list of flags, so we're special
   // casing this directive
   if (CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::SANDBOX_DIRECTIVE)) {
@@ -1209,6 +1205,13 @@ nsCSPParser::directive()
     return;
   }
 
+  // special case handling of the referrer directive (since it doesn't contain
+  // source lists)
+  if (cspDir->equals(nsIContentSecurityPolicy::REFERRER_DIRECTIVE)) {
+    referrerDirectiveValue(cspDir);
+    return;
+  }
+
   // make sure to reset cache variables when trying to invalidate unsafe-inline;
   // unsafe-inline might not only appear in script-src, but also in default-src
   mHasHashOrNonce = false;

diff --git a/dom/security/nsCSPParser.h b/dom/security/nsCSPParser.h
@@ -122,7 +122,7 @@ class nsCSPParser {
     nsCSPDirective*     directiveName();
     void                directiveValue(nsTArray<nsCSPBaseSrc*>& outSrcs);
     void                requireSRIForDirectiveValue(nsRequireSRIForDirective* aDir);
-    void                referrerDirectiveValue();
+    void                referrerDirectiveValue(nsCSPDirective* aDir);
     void                sourceList(nsTArray<nsCSPBaseSrc*>& outSrcs);
     nsCSPBaseSrc*       sourceExpression();
     nsCSPSchemeSrc*     schemeSource();