The Tor Browser: content/base/src/CSPUtils.jsm@6474c204b198 (annotated)

content/base/src/CSPUtils.jsm@6474c204b198 (annotated)

content/base/src/CSPUtils.jsm

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /**
  * Content Security Policy Utilities
  *
  * Overview
  * This contains a set of classes and utilities for CSP.  It is in this
  * separate file for testing purposes.
  */
 const Cu = Components.utils;
 const Ci = Components.interfaces;
 const WARN_FLAG = Ci.nsIScriptError.warningFlag;
 const ERROR_FLAG = Ci.nsIScriptError.ERROR_FLAG;
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 Cu.import("resource://gre/modules/Services.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "Services",
                                   "resource://gre/modules/Services.jsm");
 // Module stuff
 this.EXPORTED_SYMBOLS = ["CSPRep", "CSPSourceList", "CSPSource", "CSPHost",
                          "CSPdebug", "CSPViolationReportListener", "CSPLocalizer",
                          "CSPPrefObserver"];
 var STRINGS_URI = "chrome://global/locale/security/csp.properties";
 // these are not exported
 var gIoService = Components.classes["@mozilla.org/network/io-service;1"]
                  .getService(Ci.nsIIOService);
 var gETLDService = Components.classes["@mozilla.org/network/effective-tld-service;1"]
                    .getService(Ci.nsIEffectiveTLDService);
 // These regexps represent the concrete syntax on the w3 spec as of 7-5-2012
 // scheme          = <scheme production from RFC 3986>
 const R_SCHEME     = new RegExp ("([a-zA-Z0-9\\-]+)", 'i');
 const R_GETSCHEME  = new RegExp ("^" + R_SCHEME.source + "(?=\\:)", 'i');
 // scheme-source   = scheme ":"
 const R_SCHEMESRC  = new RegExp ("^" + R_SCHEME.source + "\\:$", 'i');
 // host-char       = ALPHA / DIGIT / "-"
 // For the app: protocol, we need to add {} to the valid character set
 const HOSTCHAR     = "{}a-zA-Z0-9\\-";
 const R_HOSTCHAR   = new RegExp ("[" + HOSTCHAR + "]", 'i');
 // Complementary character set of HOSTCHAR (characters that can't appear)
 const R_COMP_HCHAR = new RegExp ("[^" + HOSTCHAR + "]", "i");
 // Invalid character set for host strings (which can include dots and star)
 const R_INV_HCHAR  = new RegExp ("[^" + HOSTCHAR + "\\.\\*]", 'i');
 // host            = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
 const R_HOST       = new RegExp ("\\*|(((\\*\\.)?" + R_HOSTCHAR.source +
                               "+)" + "(\\." + R_HOSTCHAR.source + "+)*)", 'i');
 // port            = ":" ( 1*DIGIT / "*" )
 const R_PORT       = new RegExp ("(\\:([0-9]+|\\*))", 'i');
 // host-source     = [ scheme "://" ] host [ port path file ]
 const R_HOSTSRC    = new RegExp ("^((" + R_SCHEME.source + "\\:\\/\\/)?("
                                          + R_HOST.source + ")"
                                          + R_PORT.source + "?)$", 'i');
 function STRIP_INPUTDELIM(re) {
   return re.replace(/(^\^)|(\$$)/g, "");
 }
 // ext-host-source = host-source "/" *( <VCHAR except ";" and ","> )
 //                 ; ext-host-source is reserved for future use.
 const R_VCHAR_EXCEPT = new RegExp("[!-+--:<-~]"); // ranges exclude , and ;
 const R_EXTHOSTSRC   = new RegExp ("^" + STRIP_INPUTDELIM(R_HOSTSRC.source)
                                        + "\\/"
                                        + R_VCHAR_EXCEPT.source + "*$", 'i');
 // keyword-source  = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
 const R_KEYWORDSRC = new RegExp ("^('self'|'unsafe-inline'|'unsafe-eval')$", 'i');
 const R_BASE64     = new RegExp ("([a-zA-Z0-9+/]+={0,2})");
 // nonce-source      = "'nonce-" nonce-value "'"
 // nonce-value       = 1*( ALPHA / DIGIT / "+" / "/" )
 const R_NONCESRC = new RegExp ("^'nonce-" + R_BASE64.source + "'$");
 // hash-source       = "'" hash-algo "-" hash-value "'"
 // hash-algo         = "sha256" / "sha384" / "sha512"
 // hash-value        = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
 // Each algo must be a valid argument to nsICryptoHash.init
 const R_HASH_ALGOS = new RegExp ("(sha256|sha384|sha512)");
 const R_HASHSRC    = new RegExp ("^'" + R_HASH_ALGOS.source + "-" + R_BASE64.source + "'$");
 // source-exp      = scheme-source / host-source / keyword-source
 const R_SOURCEEXP  = new RegExp (R_SCHEMESRC.source + "|" +
                                    R_HOSTSRC.source + "|" +
                                 R_EXTHOSTSRC.source + "|" +
                                 R_KEYWORDSRC.source + "|" +
                                   R_NONCESRC.source + "|" +
                                    R_HASHSRC.source,  'i');
 const R_QUOTELESS_KEYWORDS = new RegExp ("^(self|unsafe-inline|unsafe-eval|" +
                                          "inline-script|eval-script|none)$", 'i');
 this.CSPPrefObserver = {
   get debugEnabled () {
     if (!this._branch)
       this._initialize();
     return this._debugEnabled;
   },
   get experimentalEnabled () {
     if (!this._branch)
       this._initialize();
     return this._experimentalEnabled;
   },
   _initialize: function() {
     var prefSvc = Components.classes["@mozilla.org/preferences-service;1"]
                     .getService(Ci.nsIPrefService);
     this._branch = prefSvc.getBranch("security.csp.");
     this._branch.addObserver("", this, false);
     this._debugEnabled = this._branch.getBoolPref("debug");
     this._experimentalEnabled = this._branch.getBoolPref("experimentalEnabled");
   },
   unregister: function() {
     if (!this._branch) return;
     this._branch.removeObserver("", this);
   },
   observe: function(aSubject, aTopic, aData) {
     if (aTopic != "nsPref:changed") return;
     if (aData === "debug")
       this._debugEnabled = this._branch.getBoolPref("debug");
     if (aData === "experimentalEnabled")
       this._experimentalEnabled = this._branch.getBoolPref("experimentalEnabled");
   },
 };
 this.CSPdebug = function CSPdebug(aMsg) {
   if (!CSPPrefObserver.debugEnabled) return;
   aMsg = 'CSP debug: ' + aMsg + "\n";
   Components.classes["@mozilla.org/consoleservice;1"]
                     .getService(Ci.nsIConsoleService)
                     .logStringMessage(aMsg);
 }
 // Callback to resume a request once the policy-uri has been fetched
 function CSPPolicyURIListener(policyURI, docRequest, csp, reportOnly) {
   this._policyURI = policyURI;    // location of remote policy
   this._docRequest = docRequest;  // the parent document request
   this._csp = csp;                // parent document's CSP
   this._policy = "";              // contents fetched from policyURI
   this._wrapper = null;           // nsIScriptableInputStream
   this._docURI = docRequest.QueryInterface(Ci.nsIChannel)
                  .URI;    // parent document URI (to be used as 'self')
   this._reportOnly = reportOnly;
 }
 CSPPolicyURIListener.prototype = {
   QueryInterface: function(iid) {
     if (iid.equals(Ci.nsIStreamListener) ||
         iid.equals(Ci.nsIRequestObserver) ||
         iid.equals(Ci.nsISupports))
       return this;
     throw Components.results.NS_ERROR_NO_INTERFACE;
   },
   onStartRequest:
   function(request, context) {},
   onDataAvailable:
   function(request, context, inputStream, offset, count) {
     if (this._wrapper == null) {
       this._wrapper = Components.classes["@mozilla.org/scriptableinputstream;1"]
                       .createInstance(Ci.nsIScriptableInputStream);
       this._wrapper.init(inputStream);
     }
     // store the remote policy as it becomes available
     this._policy += this._wrapper.read(count);
   },
   onStopRequest:
   function(request, context, status) {
     if (Components.isSuccessCode(status)) {
       // send the policy we received back to the parent document's CSP
       // for parsing
       this._csp.appendPolicy(this._policy, this._docURI,
                              this._reportOnly, this._csp._specCompliant);
     }
     else {
       // problem fetching policy so fail closed by appending a "block it all"
       // policy.  Also toss an error into the console so developers can see why
       // this policy is used.
       this._csp.log(WARN_FLAG, CSPLocalizer.getFormatStr("errorFetchingPolicy",
                                                          [status]));
       this._csp.appendPolicy("default-src 'none'", this._docURI,
                              this._reportOnly, this._csp._specCompliant);
     }
     // resume the parent document request
     this._docRequest.resume();
   }
 };
 //:::::::::::::::::::::::: CLASSES :::::::::::::::::::::::::://
 /**
  * Class that represents a parsed policy structure.
  *
  * @param aSpecCompliant: true: this policy is a CSP 1.0 spec
  *                   compliant policy and should be parsed as such.
  *                   false or undefined: this is a policy using
  *                   our original implementation's CSP syntax.
  */
 this.CSPRep = function CSPRep(aSpecCompliant) {
   // this gets set to true when the policy is done parsing, or when a
   // URI-borne policy has finished loading.
   this._isInitialized = false;
   this._allowEval = false;
   this._allowInlineScripts = false;
   this._reportOnlyMode = false;
   // don't auto-populate _directives, so it is easier to find bugs
   this._directives = {};
   // Is this a 1.0 spec compliant CSPRep ?
   // Default to false if not specified.
   this._specCompliant = (aSpecCompliant !== undefined) ? aSpecCompliant : false;
   // Only CSP 1.0 spec compliant policies block inline styles by default.
   this._allowInlineStyles = !aSpecCompliant;
 }
 // Source directives for our original CSP implementation.
 // These can be removed when the original implementation is deprecated.
 CSPRep.SRC_DIRECTIVES_OLD = {
   DEFAULT_SRC:      "default-src",
   SCRIPT_SRC:       "script-src",
   STYLE_SRC:        "style-src",
   MEDIA_SRC:        "media-src",
   IMG_SRC:          "img-src",
   OBJECT_SRC:       "object-src",
   FRAME_SRC:        "frame-src",
   FRAME_ANCESTORS:  "frame-ancestors",
   FONT_SRC:         "font-src",
   XHR_SRC:          "xhr-src"
 };
 // Source directives for our CSP 1.0 spec compliant implementation.
 CSPRep.SRC_DIRECTIVES_NEW = {
   DEFAULT_SRC:      "default-src",
   SCRIPT_SRC:       "script-src",
   STYLE_SRC:        "style-src",
   MEDIA_SRC:        "media-src",
   IMG_SRC:          "img-src",
   OBJECT_SRC:       "object-src",
   FRAME_SRC:        "frame-src",
   FRAME_ANCESTORS:  "frame-ancestors",
   FONT_SRC:         "font-src",
   CONNECT_SRC:      "connect-src"
 };
 CSPRep.URI_DIRECTIVES = {
   REPORT_URI:       "report-uri", /* list of URIs */
   POLICY_URI:       "policy-uri"  /* single URI */
 };
 // These directives no longer exist in CSP 1.0 and
 // later and will eventually be removed when we no longer
 // support our original implementation's syntax.
 CSPRep.OPTIONS_DIRECTIVE = "options";
 CSPRep.ALLOW_DIRECTIVE   = "allow";
 /**
   * Factory to create a new CSPRep, parsed from a string.
   *
   * @param aStr
   *        string rep of a CSP
   * @param self (optional)
   *        URI representing the "self" source
   * @param reportOnly (optional)
   *        whether or not this CSP is report-only (defaults to false)
   * @param docRequest (optional)
   *        request for the parent document which may need to be suspended
   *        while the policy-uri is asynchronously fetched
   * @param csp (optional)
   *        the CSP object to update once the policy has been fetched
   * @param enforceSelfChecks (optional)
   *        if present, and "true", will check to be sure "self" has the
   *        appropriate values to inherit when they are omitted from the source.
   * @returns
   *        an instance of CSPRep
   */
 CSPRep.fromString = function(aStr, self, reportOnly, docRequest, csp,
                              enforceSelfChecks) {
   var SD = CSPRep.SRC_DIRECTIVES_OLD;
   var UD = CSPRep.URI_DIRECTIVES;
   var aCSPR = new CSPRep();
   aCSPR._originalText = aStr;
   aCSPR._innerWindowID = innerWindowFromRequest(docRequest);
   if (typeof reportOnly === 'undefined') reportOnly = false;
   aCSPR._reportOnlyMode = reportOnly;
   var selfUri = null;
   if (self instanceof Ci.nsIURI) {
     selfUri = self.cloneIgnoringRef();
     // clean userpass out of the URI (not used for CSP origin checking, but
     // shows up in prePath).
     try {
       // GetUserPass throws for some protocols without userPass
       selfUri.userPass = '';
     } catch (ex) {}
   }
   var dirs = aStr.split(";");
   directive:
   for each(var dir in dirs) {
     dir = dir.trim();
     if (dir.length < 1) continue;
     var dirname = dir.split(/\s+/)[0].toLowerCase();
     var dirvalue = dir.substring(dirname.length).trim();
     if (aCSPR._directives.hasOwnProperty(dirname)) {
       // Check for (most) duplicate directives
       cspError(aCSPR, CSPLocalizer.getFormatStr("duplicateDirective",
                                                 [dirname]));
       CSPdebug("Skipping duplicate directive: \"" + dir + "\"");
       continue directive;
     }
     // OPTIONS DIRECTIVE ////////////////////////////////////////////////
     if (dirname === CSPRep.OPTIONS_DIRECTIVE) {
       if (aCSPR._allowInlineScripts || aCSPR._allowEval) {
         // Check for duplicate options directives
         cspError(aCSPR, CSPLocalizer.getFormatStr("duplicateDirective",
                                                   [dirname]));
         CSPdebug("Skipping duplicate directive: \"" + dir + "\"");
         continue directive;
       }
       // grab value tokens and interpret them
       var options = dirvalue.split(/\s+/);
       for each (var opt in options) {
         if (opt === "inline-script")
           aCSPR._allowInlineScripts = true;
         else if (opt === "eval-script")
           aCSPR._allowEval = true;
         else
           cspWarn(aCSPR, CSPLocalizer.getFormatStr("ignoringUnknownOption",
                                                    [opt]));
       }
       continue directive;
     }
     // ALLOW DIRECTIVE //////////////////////////////////////////////////
     // parse "allow" as equivalent to "default-src", at least until the spec
     // stabilizes, at which time we can stop parsing "allow"
     if (dirname === CSPRep.ALLOW_DIRECTIVE) {
       cspWarn(aCSPR, CSPLocalizer.getStr("allowDirectiveIsDeprecated"));
       if (aCSPR._directives.hasOwnProperty(SD.DEFAULT_SRC)) {
         // Check for duplicate default-src and allow directives
         cspError(aCSPR, CSPLocalizer.getFormatStr("duplicateDirective",
                                                   [dirname]));
         CSPdebug("Skipping duplicate directive: \"" + dir + "\"");
         continue directive;
       }
       var dv = CSPSourceList.fromString(dirvalue, aCSPR, selfUri,
                                         enforceSelfChecks);
       if (dv) {
         aCSPR._directives[SD.DEFAULT_SRC] = dv;
         continue directive;
       }
     }
     // SOURCE DIRECTIVES ////////////////////////////////////////////////
     for each(var sdi in SD) {
       if (dirname === sdi) {
         // process dirs, and enforce that 'self' is defined.
         var dv = CSPSourceList.fromString(dirvalue, aCSPR, selfUri,
                                           enforceSelfChecks);
         if (dv) {
           aCSPR._directives[sdi] = dv;
           continue directive;
         }
       }
     }
     // REPORT URI ///////////////////////////////////////////////////////
     if (dirname === UD.REPORT_URI) {
       // might be space-separated list of URIs
       var uriStrings = dirvalue.split(/\s+/);
       var okUriStrings = [];
       for (let i in uriStrings) {
         var uri = null;
         try {
           // Relative URIs are okay, but to ensure we send the reports to the
           // right spot, the relative URIs are expanded here during parsing.
           // The resulting CSPRep instance will have only absolute URIs.
           uri = gIoService.newURI(uriStrings[i],null,selfUri);
           // if there's no host, this will throw NS_ERROR_FAILURE, causing a
           // parse failure.
           uri.host;
           // warn about, but do not prohibit non-http and non-https schemes for
           // reporting URIs.  The spec allows unrestricted URIs resolved
           // relative to "self", but we should let devs know if the scheme is
           // abnormal and may fail a POST.
           if (!uri.schemeIs("http") && !uri.schemeIs("https")) {
             cspWarn(aCSPR, CSPLocalizer.getFormatStr("reportURInotHttpsOrHttp2",
                                                      [uri.asciiSpec]));
           }
         } catch(e) {
           switch (e.result) {
             case Components.results.NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS:
             case Components.results.NS_ERROR_HOST_IS_IP_ADDRESS:
               if (uri.host !== selfUri.host) {
                 cspWarn(aCSPR,
                         CSPLocalizer.getFormatStr("pageCannotSendReportsTo",
                                                   [selfUri.host, uri.host]));
                 continue;
               }
               break;
             default:
               cspWarn(aCSPR, CSPLocalizer.getFormatStr("couldNotParseReportURI",
                                                        [uriStrings[i]]));
               continue;
           }
         }
         // all verification passed
         okUriStrings.push(uri.asciiSpec);
       }
       aCSPR._directives[UD.REPORT_URI] = okUriStrings.join(' ');
       continue directive;
     }
     // POLICY URI //////////////////////////////////////////////////////////
     if (dirname === UD.POLICY_URI) {
       // POLICY_URI can only be alone
       if (aCSPR._directives.length > 0 || dirs.length > 1) {
         cspError(aCSPR, CSPLocalizer.getStr("policyURINotAlone"));
         return CSPRep.fromString("default-src 'none'", null, reportOnly);
       }
       // if we were called without a reference to the parent document request
       // we won't be able to suspend it while we fetch the policy -> fail closed
       if (!docRequest || !csp) {
         cspError(aCSPR, CSPLocalizer.getStr("noParentRequest"));
         return CSPRep.fromString("default-src 'none'", null, reportOnly);
       }
       var uri = '';
       try {
         uri = gIoService.newURI(dirvalue, null, selfUri);
       } catch(e) {
         cspError(aCSPR, CSPLocalizer.getFormatStr("policyURIParseError",
                                                   [dirvalue]));
         return CSPRep.fromString("default-src 'none'", null, reportOnly);
       }
       // Verify that policy URI comes from the same origin
       if (selfUri) {
         if (selfUri.host !== uri.host) {
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingHost",
                                                     [uri.host]));
           return CSPRep.fromString("default-src 'none'", null, reportOnly);
         }
         if (selfUri.port !== uri.port) {
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingPort",
                                                     [uri.port.toString()]));
           return CSPRep.fromString("default-src 'none'", null, reportOnly);
         }
         if (selfUri.scheme !== uri.scheme) {
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingScheme",
                                                     [uri.scheme]));
           return CSPRep.fromString("default-src 'none'", null, reportOnly);
         }
       }
       // suspend the parent document request while we fetch the policy-uri
       try {
         docRequest.suspend();
         var chan = gIoService.newChannel(uri.asciiSpec, null, null);
         // make request anonymous (no cookies, etc.) so the request for the
         // policy-uri can't be abused for CSRF
         chan.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
         chan.loadGroup = docRequest.loadGroup;
         chan.asyncOpen(new CSPPolicyURIListener(uri, docRequest, csp, reportOnly), null);
       }
       catch (e) {
         // resume the document request and apply most restrictive policy
         docRequest.resume();
         cspError(aCSPR, CSPLocalizer.getFormatStr("errorFetchingPolicy",
                                                   [e.toString()]));
         return CSPRep.fromString("default-src 'none'", null, reportOnly);
       }
       // return a fully-open policy to be used until the contents of the
       // policy-uri come back.
       return CSPRep.fromString("default-src *", null, reportOnly);
     }
     // UNIDENTIFIED DIRECTIVE /////////////////////////////////////////////
     cspWarn(aCSPR, CSPLocalizer.getFormatStr("couldNotProcessUnknownDirective",
                                              [dirname]));
   } // end directive: loop
   // the X-Content-Security-Policy syntax requires an allow or default-src
   // directive to be present.
   if (!aCSPR._directives[SD.DEFAULT_SRC]) {
     cspWarn(aCSPR, CSPLocalizer.getStr("allowOrDefaultSrcRequired"));
     return CSPRep.fromString("default-src 'none'", null, reportOnly);
   }
   // If this is a Report-Only header and report-uri is not in the directive
   // list, tell developer either specify report-uri directive or use
   // a non-Report-Only CSP header.
   if (aCSPR._reportOnlyMode && !aCSPR._directives.hasOwnProperty(UD.REPORT_URI)) {
     cspWarn(aCSPR, CSPLocalizer.getFormatStr("reportURInotInReportOnlyHeader",
                                              [selfUri ? selfUri.prePath : "undefined"]))
   }
   return aCSPR;
 };
 /**
   * Factory to create a new CSPRep, parsed from a string, compliant
   * with the CSP 1.0 spec.
   *
   * @param aStr
   *        string rep of a CSP
   * @param self (optional)
   *        URI representing the "self" source
   * @param reportOnly (optional)
   *        whether or not this CSP is report-only (defaults to false)
   * @param docRequest (optional)
   *        request for the parent document which may need to be suspended
   *        while the policy-uri is asynchronously fetched
   * @param csp (optional)
   *        the CSP object to update once the policy has been fetched
   * @param enforceSelfChecks (optional)
   *        if present, and "true", will check to be sure "self" has the
   *        appropriate values to inherit when they are omitted from the source.
   * @returns
   *        an instance of CSPRep
   */
 // When we deprecate our original CSP implementation, we rename this to
 // CSPRep.fromString and remove the existing CSPRep.fromString above.
 CSPRep.fromStringSpecCompliant = function(aStr, self, reportOnly, docRequest, csp,
                                           enforceSelfChecks) {
   var SD = CSPRep.SRC_DIRECTIVES_NEW;
   var UD = CSPRep.URI_DIRECTIVES;
   var aCSPR = new CSPRep(true);
   aCSPR._originalText = aStr;
   aCSPR._innerWindowID = innerWindowFromRequest(docRequest);
   if (typeof reportOnly === 'undefined') reportOnly = false;
   aCSPR._reportOnlyMode = reportOnly;
   var selfUri = null;
   if (self instanceof Ci.nsIURI) {
     selfUri = self.cloneIgnoringRef();
     // clean userpass out of the URI (not used for CSP origin checking, but
     // shows up in prePath).
     try {
       // GetUserPass throws for some protocols without userPass
       selfUri.userPass = '';
     } catch (ex) {}
   }
   var dirs_list = aStr.split(";");
   var dirs = {};
   for each(var dir in dirs_list) {
     dir = dir.trim();
     if (dir.length < 1) continue;
     var dirname = dir.split(/\s+/)[0].toLowerCase();
     var dirvalue = dir.substring(dirname.length).trim();
     dirs[dirname] = dirvalue;
   }
   // Spec compliant policies have different default behavior for inline
   // scripts, styles, and eval. Bug 885433
   aCSPR._allowEval = true;
   aCSPR._allowInlineScripts = true;
   aCSPR._allowInlineStyles = true;
   // In CSP 1.0, you need to opt-in to blocking inline scripts and eval by
   // specifying either default-src or script-src, and to blocking inline
   // styles by specifying either default-src or style-src.
   if ("default-src" in dirs) {
     // Parse the source list (look ahead) so we can set the defaults properly,
     // honoring the 'unsafe-inline' and 'unsafe-eval' keywords
     var defaultSrcValue = CSPSourceList.fromString(dirs["default-src"], null, self);
     if (!defaultSrcValue._allowUnsafeInline) {
       aCSPR._allowInlineScripts = false;
       aCSPR._allowInlineStyles = false;
     }
     if (!defaultSrcValue._allowUnsafeEval) {
       aCSPR._allowEval = false;
     }
   }
   if ("script-src" in dirs) {
     aCSPR._allowInlineScripts = false;
     aCSPR._allowEval = false;
   }
   if ("style-src" in dirs) {
     aCSPR._allowInlineStyles = false;
   }
   directive:
   for (var dirname in dirs) {
     var dirvalue = dirs[dirname];
     if (aCSPR._directives.hasOwnProperty(dirname)) {
       // Check for (most) duplicate directives
       cspError(aCSPR, CSPLocalizer.getFormatStr("duplicateDirective",
                                                 [dirname]));
       CSPdebug("Skipping duplicate directive: \"" + dir + "\"");
       continue directive;
     }
     // SOURCE DIRECTIVES ////////////////////////////////////////////////
     for each(var sdi in SD) {
       if (dirname === sdi) {
         // process dirs, and enforce that 'self' is defined.
         var dv = CSPSourceList.fromString(dirvalue, aCSPR, self,
                                           enforceSelfChecks);
         if (dv) {
           // Check for unsafe-inline in style-src
           if (sdi === "style-src" && dv._allowUnsafeInline) {
              aCSPR._allowInlineStyles = true;
           } else if (sdi === "script-src") {
             // Check for unsafe-inline and unsafe-eval in script-src
             if (dv._allowUnsafeInline) {
               aCSPR._allowInlineScripts = true;
             }
             if (dv._allowUnsafeEval) {
               aCSPR._allowEval = true;
             }
           }
           aCSPR._directives[sdi] = dv;
           continue directive;
         }
       }
     }
     // REPORT URI ///////////////////////////////////////////////////////
     if (dirname === UD.REPORT_URI) {
       // might be space-separated list of URIs
       var uriStrings = dirvalue.split(/\s+/);
       var okUriStrings = [];
       for (let i in uriStrings) {
         var uri = null;
         try {
           // Relative URIs are okay, but to ensure we send the reports to the
           // right spot, the relative URIs are expanded here during parsing.
           // The resulting CSPRep instance will have only absolute URIs.
           uri = gIoService.newURI(uriStrings[i],null,selfUri);
           // if there's no host, this will throw NS_ERROR_FAILURE, causing a
           // parse failure.
           uri.host;
           // warn about, but do not prohibit non-http and non-https schemes for
           // reporting URIs.  The spec allows unrestricted URIs resolved
           // relative to "self", but we should let devs know if the scheme is
           // abnormal and may fail a POST.
           if (!uri.schemeIs("http") && !uri.schemeIs("https")) {
             cspWarn(aCSPR, CSPLocalizer.getFormatStr("reportURInotHttpsOrHttp2",
                                                      [uri.asciiSpec]));
           }
         } catch(e) {
           switch (e.result) {
             case Components.results.NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS:
             case Components.results.NS_ERROR_HOST_IS_IP_ADDRESS:
               if (uri.host !== selfUri.host) {
                 cspWarn(aCSPR, CSPLocalizer.getFormatStr("pageCannotSendReportsTo",
                                                          [selfUri.host, uri.host]));
                 continue;
               }
               break;
             default:
               cspWarn(aCSPR, CSPLocalizer.getFormatStr("couldNotParseReportURI",
                                                        [uriStrings[i]]));
               continue;
           }
         }
         // all verification passed.
        okUriStrings.push(uri.asciiSpec);
       }
       aCSPR._directives[UD.REPORT_URI] = okUriStrings.join(' ');
       continue directive;
     }
     // POLICY URI //////////////////////////////////////////////////////////
     if (dirname === UD.POLICY_URI) {
       // POLICY_URI can only be alone
       if (aCSPR._directives.length > 0 || dirs.length > 1) {
         cspError(aCSPR, CSPLocalizer.getStr("policyURINotAlone"));
         return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
       }
       // if we were called without a reference to the parent document request
       // we won't be able to suspend it while we fetch the policy -> fail closed
       if (!docRequest || !csp) {
         cspError(aCSPR, CSPLocalizer.getStr("noParentRequest"));
         return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
       }
       var uri = '';
       try {
         uri = gIoService.newURI(dirvalue, null, selfUri);
       } catch(e) {
         cspError(aCSPR, CSPLocalizer.getFormatStr("policyURIParseError", [dirvalue]));
         return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
       }
       // Verify that policy URI comes from the same origin
       if (selfUri) {
         if (selfUri.host !== uri.host){
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingHost", [uri.host]));
           return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
         }
         if (selfUri.port !== uri.port){
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingPort", [uri.port.toString()]));
           return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
         }
         if (selfUri.scheme !== uri.scheme){
           cspError(aCSPR, CSPLocalizer.getFormatStr("nonMatchingScheme", [uri.scheme]));
           return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
         }
       }
       // suspend the parent document request while we fetch the policy-uri
       try {
         docRequest.suspend();
         var chan = gIoService.newChannel(uri.asciiSpec, null, null);
         // make request anonymous (no cookies, etc.) so the request for the
         // policy-uri can't be abused for CSRF
         chan.loadFlags |= Components.interfaces.nsIChannel.LOAD_ANONYMOUS;
         chan.loadGroup = docRequest.loadGroup;
         chan.asyncOpen(new CSPPolicyURIListener(uri, docRequest, csp, reportOnly), null);
       }
       catch (e) {
         // resume the document request and apply most restrictive policy
         docRequest.resume();
         cspError(aCSPR, CSPLocalizer.getFormatStr("errorFetchingPolicy", [e.toString()]));
         return CSPRep.fromStringSpecCompliant("default-src 'none'", null, reportOnly);
       }
       // return a fully-open policy to be used until the contents of the
       // policy-uri come back
       return CSPRep.fromStringSpecCompliant("default-src *", null, reportOnly);
     }
     // UNIDENTIFIED DIRECTIVE /////////////////////////////////////////////
     cspWarn(aCSPR, CSPLocalizer.getFormatStr("couldNotProcessUnknownDirective", [dirname]));
   } // end directive: loop
   // If this is a Report-Only header and report-uri is not in the directive
   // list, tell developer either specify report-uri directive or use
   // a non-Report-Only CSP header.
   if (aCSPR._reportOnlyMode && !aCSPR._directives.hasOwnProperty(UD.REPORT_URI)) {
     cspWarn(aCSPR, CSPLocalizer.getFormatStr("reportURInotInReportOnlyHeader",
                                              [selfUri ? selfUri.prePath : "undefined"]));
   }
   return aCSPR;
 };
 CSPRep.prototype = {
   /**
    * Returns a space-separated list of all report uris defined, or 'none' if there are none.
    */
   getReportURIs:
   function() {
     if (!this._directives[CSPRep.URI_DIRECTIVES.REPORT_URI])
       return "";
     return this._directives[CSPRep.URI_DIRECTIVES.REPORT_URI];
   },
   /**
    * Compares this CSPRep instance to another.
    */
   equals:
   function(that) {
     if (this._directives.length != that._directives.length) {
       return false;
     }
     for (var i in this._directives) {
       if (!that._directives[i] || !this._directives[i].equals(that._directives[i])) {
         return false;
       }
     }
     return (this.allowsInlineScripts === that.allowsInlineScripts)
         && (this.allowsEvalInScripts === that.allowsEvalInScripts)
         && (this.allowsInlineStyles === that.allowsInlineStyles);
   },
   /**
    * Generates canonical string representation of the policy.
    */
   toString:
   function csp_toString() {
     var dirs = [];
     if (!this._specCompliant && (this._allowEval || this._allowInlineScripts)) {
       dirs.push("options" + (this._allowEval ? " eval-script" : "")
                            + (this._allowInlineScripts ? " inline-script" : ""));
     }
     for (var i in this._directives) {
       if (this._directives[i]) {
         dirs.push(i + " " + this._directives[i].toString());
       }
     }
     return dirs.join("; ");
   },
   permitsNonce:
   function csp_permitsNonce(aNonce, aDirective) {
     if (!this._directives.hasOwnProperty(aDirective)) return false;
     return this._directives[aDirective]._sources.some(function (source) {
       return source instanceof CSPNonceSource && source.permits(aNonce);
     });
   },
   permitsHash:
   function csp_permitsHash(aContent, aDirective) {
     if (!this._directives.hasOwnProperty(aDirective)) return false;
     return this._directives[aDirective]._sources.some(function (source) {
       return source instanceof CSPHashSource && source.permits(aContent);
     });
   },
   /**
    * Determines if this policy accepts a URI.
    * @param aURI
    *        URI of the requested resource
    * @param aDirective
    *        one of the SRC_DIRECTIVES defined above
    * @returns
    *        true if the policy permits the URI in given context.
    */
   permits:
   function csp_permits(aURI, aDirective) {
     if (!aURI) return false;
     // GLOBALLY ALLOW "about:" SCHEME
     if (aURI instanceof String && aURI.substring(0,6) === "about:")
       return true;
     if (aURI instanceof Ci.nsIURI && aURI.scheme === "about")
       return true;
     // make sure the right directive set is used
     let DIRS = this._specCompliant ? CSPRep.SRC_DIRECTIVES_NEW : CSPRep.SRC_DIRECTIVES_OLD;
     let directiveInPolicy = false;
     for (var i in DIRS) {
       if (DIRS[i] === aDirective) {
         // for catching calls with invalid contexts (below)
         directiveInPolicy = true;
         if (this._directives.hasOwnProperty(aDirective)) {
           return this._directives[aDirective].permits(aURI);
         }
         //found matching dir, can stop looking
         break;
       }
     }
     // frame-ancestors is a special case; it doesn't fall back to default-src.
     if (aDirective === DIRS.FRAME_ANCESTORS)
       return true;
     // All directives that don't fall back to default-src should have an escape
     // hatch above (like frame-ancestors).
     if (!directiveInPolicy) {
       // if this code runs, there's probably something calling permits() that
       // shouldn't be calling permits().
       CSPdebug("permits called with invalid load type: " + aDirective);
       return false;
     }
     // no directives specifically matched, fall back to default-src.
     // (default-src may not be present for CSP 1.0-compliant policies, and
     // indicates no relevant directives were present and the load should be
     // permitted).
     if (this._directives.hasOwnProperty(DIRS.DEFAULT_SRC)) {
       return this._directives[DIRS.DEFAULT_SRC].permits(aURI);
     }
     // no relevant directives present -- this means for CSP 1.0 that the load
     // should be permitted (and for the old CSP, to block it).
     return this._specCompliant;
   },
   /**
    * Returns true if "eval" is enabled through the "eval" keyword.
    */
   get allowsEvalInScripts () {
     return this._allowEval;
   },
   /**
    * Returns true if inline scripts are enabled through the "inline"
    * keyword.
    */
   get allowsInlineScripts () {
     return this._allowInlineScripts;
   },
   /**
    * Returns true if inline styles are enabled through the "inline-style"
    * keyword.
    */
   get allowsInlineStyles () {
     return this._allowInlineStyles;
   },
   /**
    * Sends a message to the error console and web developer console.
    * @param aFlag
    *        The nsIScriptError flag constant indicating severity
    * @param aMsg
    *        The message to send
    * @param aSource (optional)
    *        The URL of the file in which the error occurred
    * @param aScriptLine (optional)
    *        The line in the source file which the error occurred
    * @param aLineNum (optional)
    *        The number of the line where the error occurred
    */
   log:
   function cspd_log(aFlag, aMsg, aSource, aScriptLine, aLineNum) {
     var textMessage = "Content Security Policy: " + aMsg;
     var consoleMsg = Components.classes["@mozilla.org/scripterror;1"]
                                .createInstance(Ci.nsIScriptError);
     if (this._innerWindowID) {
       consoleMsg.initWithWindowID(textMessage, aSource, aScriptLine, aLineNum,
 , aFlag,
                                   "CSP",
                                   this._innerWindowID);
     } else {
       consoleMsg.init(textMessage, aSource, aScriptLine, aLineNum, 0,
                       aFlag,
                       "CSP");
     }
     Components.classes["@mozilla.org/consoleservice;1"]
               .getService(Ci.nsIConsoleService).logMessage(consoleMsg);
   },
 };
 //////////////////////////////////////////////////////////////////////
 /**
  * Class to represent a list of sources
  */
 this.CSPSourceList = function CSPSourceList() {
   this._sources = [];
   this._permitAllSources = false;
   // When this is true, the source list contains 'unsafe-inline'.
   this._allowUnsafeInline = false;
   // When this is true, the source list contains 'unsafe-eval'.
   this._allowUnsafeEval = false;
   // When this is true, the source list contains at least one nonce-source
   this._hasNonceSource = false;
   // When this is true, the source list contains at least one hash-source
   this._hasHashSource = false;
 }
 /**
  * Factory to create a new CSPSourceList, parsed from a string.
  *
  * @param aStr
  *        string rep of a CSP Source List
  * @param aCSPRep
  *        the CSPRep to which this souce list belongs. If null, CSP errors and
  *        warnings will not be sent to the web console.
  * @param self (optional)
  *        URI or CSPSource representing the "self" source
  * @param enforceSelfChecks (optional)
  *        if present, and "true", will check to be sure "self" has the
  *        appropriate values to inherit when they are omitted from the source.
  * @returns
  *        an instance of CSPSourceList
  */
 CSPSourceList.fromString = function(aStr, aCSPRep, self, enforceSelfChecks) {
   // source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
   //             / *WSP "'none'" *WSP
   /* If self parameter is passed, convert to CSPSource,
      unless it is already a CSPSource. */
   if (self && !(self instanceof CSPSource)) {
      self = CSPSource.create(self, aCSPRep);
   }
   var slObj = new CSPSourceList();
   slObj._CSPRep = aCSPRep;
   aStr = aStr.trim();
   // w3 specifies case insensitive equality
   if (aStr.toLowerCase() === "'none'") {
     slObj._permitAllSources = false;
     return slObj;
   }
   var tokens = aStr.split(/\s+/);
   for (var i in tokens) {
     if (!R_SOURCEEXP.test(tokens[i])) {
       cspWarn(aCSPRep,
               CSPLocalizer.getFormatStr("failedToParseUnrecognizedSource",
                                         [tokens[i]]));
       continue;
     }
     var src = CSPSource.create(tokens[i], aCSPRep, self, enforceSelfChecks);
     if (!src) {
       cspWarn(aCSPRep,
               CSPLocalizer.getFormatStr("failedToParseUnrecognizedSource",
                                         [tokens[i]]));
       continue;
     }
     // if a source allows unsafe-inline, set our flag to indicate this.
     if (src._allowUnsafeInline)
       slObj._allowUnsafeInline = true;
     // if a source allows unsafe-eval, set our flag to indicate this.
     if (src._allowUnsafeEval)
       slObj._allowUnsafeEval = true;
     if (src instanceof CSPNonceSource)
       slObj._hasNonceSource = true;
     if (src instanceof CSPHashSource)
       slObj._hasHashSource = true;
     // if a source is a *, then we can permit all sources
     if (src.permitAll) {
       slObj._permitAllSources = true;
     } else {
       slObj._sources.push(src);
     }
   }
   return slObj;
 };
 CSPSourceList.prototype = {
   /**
    * Compares one CSPSourceList to another.
    *
    * @param that
    *        another CSPSourceList
    * @returns
    *        true if they have the same data
    */
   equals:
   function(that) {
     // special case to default-src * and 'none' to look different
     // (both have a ._sources.length of 0).
     if (that._permitAllSources != this._permitAllSources) {
       return false;
     }
     if (that._sources.length != this._sources.length) {
       return false;
     }
     // sort both arrays and compare like a zipper
     // XXX (sid): I think we can make this more efficient
     var sortfn = function(a,b) {
       return a.toString.toLowerCase() > b.toString.toLowerCase();
     };
     var a_sorted = this._sources.sort(sortfn);
     var b_sorted = that._sources.sort(sortfn);
     for (var i in a_sorted) {
       if (!a_sorted[i].equals(b_sorted[i])) {
         return false;
       }
     }
     return true;
   },
   /**
    * Generates canonical string representation of the Source List.
    */
   toString:
   function() {
     if (this.isNone()) {
       return "'none'";
     }
     if (this._permitAllSources) {
       return "*";
     }
     return this._sources.map(function(x) { return x.toString(); }).join(" ");
   },
   /**
    * Returns whether or not this source list represents the "'none'" special
    * case.
    */
   isNone:
   function() {
     return (!this._permitAllSources) && (this._sources.length < 1);
   },
   /**
    * Returns whether or not this source list permits all sources (*).
    */
   isAll:
   function() {
     return this._permitAllSources;
   },
   /**
    * Makes a new deep copy of this object.
    * @returns
    *      a new CSPSourceList
    */
   clone:
   function() {
     var aSL = new CSPSourceList();
     aSL._permitAllSources = this._permitAllSources;
     aSL._CSPRep = this._CSPRep;
     for (var i in this._sources) {
       aSL._sources[i] = this._sources[i].clone();
     }
     return aSL;
   },
   /**
    * Determines if this directive accepts a URI.
    * @param aURI
    *        the URI in question
    * @returns
    *        true if the URI matches a source in this source list.
    */
   permits:
   function cspsd_permits(aURI) {
     if (this.isNone())    return false;
     if (this.isAll())     return true;
     for (var i in this._sources) {
       if (this._sources[i].permits(aURI)) {
         return true;
       }
     }
     return false;
   }
 }
 //////////////////////////////////////////////////////////////////////
 /**
  * Class to model a source (scheme, host, port)
  */
 this.CSPSource = function CSPSource() {
   this._scheme = undefined;
   this._port = undefined;
   this._host = undefined;
   //when set to true, this allows all source
   this._permitAll = false;
   // when set to true, this source represents 'self'
   this._isSelf = false;
   // when set to true, this source allows inline scripts or styles
   this._allowUnsafeInline = false;
   // when set to true, this source allows eval to be used
   this._allowUnsafeEval = false;
 }
 /**
  * General factory method to create a new source from one of the following
  * types:
  *  - nsURI
  *  - string
  *  - CSPSource (clone)
  * @param aData
  *        string, nsURI, or CSPSource
  * @param aCSPRep
  *        The CSPRep this source belongs to. If null, CSP errors and warnings
  *        will not be sent to the web console.
  * @param self (optional)
  *	  if present, string, URI, or CSPSource representing the "self" resource
  * @param enforceSelfChecks (optional)
  *	  if present, and "true", will check to be sure "self" has the
  *        appropriate values to inherit when they are omitted from the source.
  * @returns
  *        an instance of CSPSource
  */
 CSPSource.create = function(aData, aCSPRep, self, enforceSelfChecks) {
   if (typeof aData === 'string')
     return CSPSource.fromString(aData, aCSPRep, self, enforceSelfChecks);
   if (aData instanceof Ci.nsIURI) {
     // clean userpass out of the URI (not used for CSP origin checking, but
     // shows up in prePath).
     let cleanedUri = aData.cloneIgnoringRef();
     try {
       // GetUserPass throws for some protocols without userPass
       cleanedUri.userPass = '';
     } catch (ex) {}
     return CSPSource.fromURI(cleanedUri, aCSPRep, self, enforceSelfChecks);
   }
   if (aData instanceof CSPSource) {
     var ns = aData.clone();
     ns._self = CSPSource.create(self);
     return ns;
   }
   return null;
 }
 /**
  * Factory to create a new CSPSource, from a nsIURI.
  *
  * Don't use this if you want to wildcard ports!
  *
  * @param aURI
  *        nsIURI rep of a URI
  * @param aCSPRep
  *        The policy this source belongs to. If null, CSP errors and warnings
  *        will not be sent to the web console.
  * @param self (optional)
  *        string or CSPSource representing the "self" source
  * @param enforceSelfChecks (optional)
  *        if present, and "true", will check to be sure "self" has the
  *        appropriate values to inherit when they are omitted from aURI.
  * @returns
  *        an instance of CSPSource
  */
 CSPSource.fromURI = function(aURI, aCSPRep, self, enforceSelfChecks) {
   if (!(aURI instanceof Ci.nsIURI)) {
     cspError(aCSPRep, CSPLocalizer.getStr("cspSourceNotURI"));
     return null;
   }
   if (!self && enforceSelfChecks) {
     cspError(aCSPRep, CSPLocalizer.getStr("selfDataNotProvided"));
     return null;
   }
   if (self && !(self instanceof CSPSource)) {
     self = CSPSource.create(self, aCSPRep, undefined, false);
   }
   var sObj = new CSPSource();
   sObj._self = self;
   sObj._CSPRep = aCSPRep;
   // PARSE
   // If 'self' is undefined, then use default port for scheme if there is one.
   // grab scheme (if there is one)
   try {
     sObj._scheme = aURI.scheme;
   } catch(e) {
     sObj._scheme = undefined;
     cspError(aCSPRep, CSPLocalizer.getFormatStr("uriWithoutScheme",
                                                 [aURI.asciiSpec]));
     return null;
   }
   // grab host (if there is one)
   try {
     // if there's no host, an exception will get thrown
     // (NS_ERROR_FAILURE)
     sObj._host = CSPHost.fromString(aURI.host);
   } catch(e) {
     sObj._host = undefined;
   }
   // grab port (if there is one)
   // creating a source from an nsURI is limited in that one cannot specify "*"
   // for port.  In fact, there's no way to represent "*" differently than
   // a blank port in an nsURI, since "*" turns into -1, and so does an
   // absence of port declaration.
   // port is never inherited from self -- this gets too confusing.
   // Instead, whatever scheme is used (an explicit one or the inherited
   // one) dictates the port if no port is explicitly stated.
   // Set it to undefined here and the default port will be resolved in the
   // getter for .port.
   sObj._port = undefined;
   try {
     // if there's no port, an exception will get thrown
     // (NS_ERROR_FAILURE)
     if (aURI.port > 0) {
       sObj._port = aURI.port;
     }
   } catch(e) {
     sObj._port = undefined;
   }
   return sObj;
 };
 /**
  * Factory to create a new CSPSource, parsed from a string.
  *
  * @param aStr
  *        string rep of a CSP Source
  * @param aCSPRep
  *        the CSPRep this CSPSource belongs to
  * @param self (optional)
  *        string, URI, or CSPSource representing the "self" source
  * @param enforceSelfChecks (optional)
  *        if present, and "true", will check to be sure "self" has the
  *        appropriate values to inherit when they are omitted from aURI.
  * @returns
  *        an instance of CSPSource
  */
 CSPSource.fromString = function(aStr, aCSPRep, self, enforceSelfChecks) {
   if (!aStr)
     return null;
   if (!(typeof aStr === 'string')) {
     cspError(aCSPRep, CSPLocalizer.getStr("argumentIsNotString"));
     return null;
   }
   var sObj = new CSPSource();
   sObj._self = self;
   sObj._CSPRep = aCSPRep;
   // if equal, return does match
   if (aStr === "*") {
     sObj._permitAll = true;
     return sObj;
   }
   if (!self && enforceSelfChecks) {
     cspError(aCSPRep, CSPLocalizer.getStr("selfDataNotProvided"));
     return null;
   }
   if (self && !(self instanceof CSPSource)) {
     self = CSPSource.create(self, aCSPRep, undefined, false);
   }
   // check for 'unsafe-inline' (case insensitive)
   if (aStr.toLowerCase() === "'unsafe-inline'"){
     sObj._allowUnsafeInline = true;
     return sObj;
   }
   // check for 'unsafe-eval' (case insensitive)
   if (aStr.toLowerCase() === "'unsafe-eval'"){
     sObj._allowUnsafeEval = true;
     return sObj;
   }
   // Check for scheme-source match - this only matches if the source
   // string is just a scheme with no host.
   if (R_SCHEMESRC.test(aStr)) {
     var schemeSrcMatch = R_GETSCHEME.exec(aStr);
     sObj._scheme = schemeSrcMatch[0];
     if (!sObj._host) sObj._host = CSPHost.fromString("*");
     if (!sObj._port) sObj._port = "*";
     return sObj;
   }
   // check for host-source or ext-host-source match
   if (R_HOSTSRC.test(aStr) || R_EXTHOSTSRC.test(aStr)) {
     var schemeMatch = R_GETSCHEME.exec(aStr);
     // check that the scheme isn't accidentally matching the host. There should
     // be '://' if there is a valid scheme in an (EXT)HOSTSRC
     if (!schemeMatch || aStr.indexOf("://") == -1) {
       sObj._scheme = self.scheme;
       schemeMatch = null;
     } else {
       sObj._scheme = schemeMatch[0];
     }
     // Bug 916054: in CSP 1.0, source-expressions that are paths should have
     // the path after the origin ignored and only the origin enforced.
     if (R_EXTHOSTSRC.test(aStr)) {
       var extHostMatch = R_EXTHOSTSRC.exec(aStr);
       aStr = extHostMatch[1];
     }
     var hostMatch = R_HOSTSRC.exec(aStr);
     if (!hostMatch) {
       cspError(aCSPRep, CSPLocalizer.getFormatStr("couldntParseInvalidSource",
                                                   [aStr]));
       return null;
     }
     // Host regex gets scheme, so remove scheme from aStr. Add 3 for '://'
     if (schemeMatch) {
       hostMatch = R_HOSTSRC.exec(aStr.substring(schemeMatch[0].length + 3));
     }
     var portMatch = R_PORT.exec(hostMatch);
     // Host regex also gets port, so remove the port here.
     if (portMatch) {
       hostMatch = R_HOSTSRC.exec(hostMatch[0].substring(0, hostMatch[0].length - portMatch[0].length));
     }
     sObj._host = CSPHost.fromString(hostMatch[0]);
     if (!portMatch) {
       // gets the default port for the given scheme
       var defPort = Services.io.getProtocolHandler(sObj._scheme).defaultPort;
       if (!defPort) {
         cspError(aCSPRep,
                  CSPLocalizer.getFormatStr("couldntParseInvalidSource",
                                            [aStr]));
         return null;
       }
       sObj._port = defPort;
     }
     else {
       // strip the ':' from the port
       sObj._port = portMatch[0].substr(1);
     }
     // A CSP keyword without quotes is a valid hostname, but this can also be a mistake.
     // Raise a CSP warning in the web console to developer to check his/her intent.
     if (R_QUOTELESS_KEYWORDS.test(aStr)) {
       cspWarn(aCSPRep, CSPLocalizer.getFormatStr("hostNameMightBeKeyword",
                                                  [aStr, aStr.toLowerCase()]));
     }
     return sObj;
   }
   // check for a nonce-source match
   if (R_NONCESRC.test(aStr)) {
     return CSPNonceSource.fromString(aStr, aCSPRep);
   }
   // check for a hash-source match
   if (R_HASHSRC.test(aStr)) {
     return CSPHashSource.fromString(aStr, aCSPRep);
   }
   // check for 'self' (case insensitive)
   if (aStr.toLowerCase() === "'self'") {
     if (!self) {
       cspError(aCSPRep, CSPLocalizer.getStr("selfKeywordNoSelfData"));
       return null;
     }
     sObj._self = self.clone();
     sObj._isSelf = true;
     return sObj;
   }
   cspError(aCSPRep, CSPLocalizer.getFormatStr("couldntParseInvalidSource",
                                               [aStr]));
   return null;
 };
 CSPSource.validSchemeName = function(aStr) {
   // <scheme-name>       ::= <alpha><scheme-suffix>
   // <scheme-suffix>     ::= <scheme-chr>
   //                      | <scheme-suffix><scheme-chr>
   // <scheme-chr>        ::= <letter> | <digit> | "+" | "." | "-"
   return aStr.match(/^[a-zA-Z][a-zA-Z0-9+.-]*$/);
 };
 CSPSource.prototype = {
   get scheme () {
     if (this._isSelf && this._self)
       return this._self.scheme;
     if (!this._scheme && this._self)
       return this._self.scheme;
     return this._scheme;
   },
   get host () {
     if (this._isSelf && this._self)
       return this._self.host;
     if (!this._host && this._self)
       return this._self.host;
     return this._host;
   },
   get permitAll () {
     if (this._isSelf && this._self)
       return this._self.permitAll;
     return this._permitAll;
   },
   /**
    * If this doesn't have a nonstandard port (hard-defined), use the default
    * port for this source's scheme. Should never inherit port from 'self'.
    */
   get port () {
     if (this._isSelf && this._self)
       return this._self.port;
     if (this._port) return this._port;
     // if no port, get the default port for the scheme
     // (which may be inherited from 'self')
     if (this.scheme) {
       try {
         var port = gIoService.getProtocolHandler(this.scheme).defaultPort;
         if (port > 0) return port;
       } catch(e) {
         // if any errors happen, fail gracefully.
       }
     }
     return undefined;
   },
   /**
    * Generates canonical string representation of the Source.
    */
   toString:
   function() {
     if (this._isSelf)
       return this._self.toString();
     if (this._allowUnsafeInline)
       return "'unsafe-inline'";
     if (this._allowUnsafeEval)
       return "'unsafe-eval'";
     var s = "";
     if (this.scheme)
       s = s + this.scheme + "://";
     if (this._host)
       s = s + this._host;
     if (this.port)
       s = s + ":" + this.port;
     return s;
   },
   /**
    * Makes a new deep copy of this object.
    * @returns
    *      a new CSPSource
    */
   clone:
   function() {
     var aClone = new CSPSource();
     aClone._self = this._self ? this._self.clone() : undefined;
     aClone._scheme = this._scheme;
     aClone._port = this._port;
     aClone._host = this._host ? this._host.clone() : undefined;
     aClone._isSelf = this._isSelf;
     aClone._CSPRep = this._CSPRep;
     return aClone;
   },
   /**
    * Determines if this Source accepts a URI.
    * @param aSource
    *        the URI, or CSPSource in question
    * @returns
    *        true if the URI matches a source in this source list.
    */
   permits:
   function(aSource) {
     if (!aSource) return false;
     if (!(aSource instanceof CSPSource))
       aSource = CSPSource.create(aSource, this._CSPRep);
     // verify scheme
     if (this.scheme.toLowerCase() != aSource.scheme.toLowerCase())
       return false;
     // port is defined in 'this' (undefined means it may not be relevant
     // to the scheme) AND this port (implicit or explicit) matches
     // aSource's port
     if (this.port && this.port !== "*" && this.port != aSource.port)
       return false;
     // host is defined in 'this' (undefined means it may not be relevant
     // to the scheme) AND this host (implicit or explicit) permits
     // aSource's host.
     if (this.host && !this.host.permits(aSource.host))
       return false;
     // all scheme, host and port matched!
     return true;
   },
   /**
    * Compares one CSPSource to another.
    *
    * @param that
    *        another CSPSource
    * @param resolveSelf (optional)
    *        if present, and 'true', implied values are obtained from 'self'
    *        instead of assumed to be "anything"
    * @returns
    *        true if they have the same data
    */
   equals:
   function(that, resolveSelf) {
     // 1. schemes match
     // 2. ports match
     // 3. either both hosts are undefined, or one equals the other.
     if (resolveSelf)
       return this.scheme.toLowerCase() === that.scheme.toLowerCase()
           && this.port === that.port
           && (!(this.host || that.host) ||
                (this.host && this.host.equals(that.host)));
     // otherwise, compare raw (non-self-resolved values)
     return this._scheme.toLowerCase() === that._scheme.toLowerCase()
         && this._port === that._port
         && (!(this._host || that._host) ||
               (this._host && this._host.equals(that._host)));
   },
 };
 //////////////////////////////////////////////////////////////////////
 /**
  * Class to model a host *.x.y.
  */
 this.CSPHost = function CSPHost() {
   this._segments = [];
 }
 /**
  * Factory to create a new CSPHost, parsed from a string.
  *
  * @param aStr
  *        string rep of a CSP Host
  * @returns
  *        an instance of CSPHost
  */
 CSPHost.fromString = function(aStr) {
   if (!aStr) return null;
   // host string must be LDH with dots and stars.
   var invalidChar = aStr.match(R_INV_HCHAR);
   if (invalidChar) {
     CSPdebug("Invalid character '" + invalidChar + "' in host " + aStr);
     return null;
   }
   var hObj = new CSPHost();
   hObj._segments = aStr.split(/\./);
   if (hObj._segments.length < 1)
     return null;
   // validate data in segments
   for (var i in hObj._segments) {
     var seg = hObj._segments[i];
     if (seg == "*") {
       if (i > 0) {
         // Wildcard must be FIRST
         CSPdebug("Wildcard char located at invalid position in '" + aStr + "'");
         return null;
       }
     }
     else if (seg.match(R_COMP_HCHAR)) {
       // Non-wildcard segment must be LDH string
       CSPdebug("Invalid segment '" + seg + "' in host value");
       return null;
     }
   }
   return hObj;
 };
 CSPHost.prototype = {
   /**
    * Generates canonical string representation of the Host.
    */
   toString:
   function() {
     return this._segments.join(".");
   },
   /**
    * Makes a new deep copy of this object.
    * @returns
    *      a new CSPHost
    */
   clone:
   function() {
     var aHost = new CSPHost();
     for (var i in this._segments) {
       aHost._segments[i] = this._segments[i];
     }
     return aHost;
   },
   /**
    * Returns true if this host accepts the provided host (or the other way
    * around).
    * @param aHost
    *        the FQDN in question (CSPHost or String)
    * @returns
    */
   permits:
   function(aHost) {
     if (!aHost) {
       aHost = CSPHost.fromString("*");
     }
     if (!(aHost instanceof CSPHost)) {
       // -- compare CSPHost to String
       aHost =  CSPHost.fromString(aHost);
     }
     var thislen = this._segments.length;
     var thatlen = aHost._segments.length;
     // don't accept a less specific host:
     //   \--> *.b.a doesn't accept b.a.
     if (thatlen < thislen) { return false; }
     // check for more specific host (and wildcard):
     //   \--> *.b.a accepts d.c.b.a.
     //   \--> c.b.a doesn't accept d.c.b.a.
     if ((thatlen > thislen) && this._segments[0] != "*") {
       return false;
     }
     // Given the wildcard condition (from above),
     // only necessary to compare elements that are present
     // in this host.  Extra tokens in aHost are ok.
     // * Compare from right to left.
     for (var i=1; i <= thislen; i++) {
       if (this._segments[thislen-i] != "*" &&
           (this._segments[thislen-i].toLowerCase() !=
            aHost._segments[thatlen-i].toLowerCase())) {
         return false;
       }
     }
     // at this point, all conditions are met, so the host is allowed
     return true;
   },
   /**
    * Compares one CSPHost to another.
    *
    * @param that
    *        another CSPHost
    * @returns
    *        true if they have the same data
    */
   equals:
   function(that) {
     if (this._segments.length != that._segments.length)
       return false;
     for (var i=0; i<this._segments.length; i++) {
       if (this._segments[i].toLowerCase() !=
           that._segments[i].toLowerCase()) {
         return false;
       }
     }
     return true;
   }
 };
 this.CSPNonceSource = function CSPNonceSource() {
   this._nonce = undefined;
 }
 CSPNonceSource.fromString = function(aStr, aCSPRep) {
   let nonce = R_NONCESRC.exec(aStr)[1];
   if (!nonce) {
     cspError(aCSPRep, "Error in parsing nonce-source from string: nonce was empty");
     return null;
   }
   let nonceSourceObj = new CSPNonceSource();
   nonceSourceObj._nonce = nonce;
   return nonceSourceObj;
 };
 CSPNonceSource.prototype = {
   permits: function(aContext) {
     if (aContext instanceof Ci.nsIDOMHTMLElement) {
       return this._nonce === aContext.getAttribute('nonce');
     } else if (typeof aContext === 'string') {
       return this._nonce === aContext;
     }
     CSPdebug("permits called on nonce-source, but aContext was not nsIDOMHTMLElement or string (was " + typeof(aContext) + ")");
     return false;
   },
   toString: function() {
     return "'nonce-" + this._nonce + "'";
   },
   clone: function() {
     let clone = new CSPNonceSource();
     clone._nonce = this._nonce;
     return clone;
   },
   equals: function(that) {
     return this._nonce === that._nonce;
   }
 };
 this.CSPHashSource = function CSPHashSource() {
   this._algo = undefined;
   this._hash = undefined;
 }
 CSPHashSource.fromString = function(aStr, aCSPRep) {
   let hashSrcMatch = R_HASHSRC.exec(aStr);
   let algo = hashSrcMatch[1];
   let hash = hashSrcMatch[2];
   if (!algo) {
     cspError(aCSPRep, "Error parsing hash-source from string: algo was empty");
     return null;
   }
   if (!hash) {
     cspError(aCSPRep, "Error parsing hash-source from string: hash was empty");
     return null;
   }
   let hashSourceObj = new CSPHashSource();
   hashSourceObj._algo = algo;
   hashSourceObj._hash = hash;
   return hashSourceObj;
 };
 CSPHashSource.prototype = {
   permits: function(aContext) {
     let ScriptableUnicodeConverter =
       Components.Constructor("@mozilla.org/intl/scriptableunicodeconverter",
                              "nsIScriptableUnicodeConverter");
     let converter = new ScriptableUnicodeConverter();
     converter.charset = 'utf8';
     let utf8InnerHTML = converter.convertToByteArray(aContext);
     let CryptoHash =
       Components.Constructor("@mozilla.org/security/hash;1",
                              "nsICryptoHash",
                              "initWithString");
     let hash = new CryptoHash(this._algo);
     hash.update(utf8InnerHTML, utf8InnerHTML.length);
     // passing true causes a base64-encoded hash to be returned
     let contentHash = hash.finish(true);
     // The NSS Base64 encoder automatically adds linebreaks "\r\n" every 64
     // characters. We need to remove these so we can properly validate longer
     // (SHA-512) base64-encoded hashes
     contentHash = contentHash.replace('\r\n', '');
     return contentHash === this._hash;
   },
   toString: function() {
     return "'" + this._algo + '-' + this._hash + "'";
   },
   clone: function() {
     let clone = new CSPHashSource();
     clone._algo = this._algo;
     clone._hash = this._hash;
     return clone;
   },
   equals: function(that) {
     return this._algo === that._algo && this._hash === that._hash;
   }
 };
 //////////////////////////////////////////////////////////////////////
 /**
  * Class that listens to violation report transmission and logs errors.
  */
 this.CSPViolationReportListener = function CSPViolationReportListener(reportURI) {
   this._reportURI = reportURI;
 }
 CSPViolationReportListener.prototype = {
   _reportURI:   null,
   QueryInterface: function(iid) {
     if (iid.equals(Ci.nsIStreamListener) ||
         iid.equals(Ci.nsIRequestObserver) ||
         iid.equals(Ci.nsISupports))
       return this;
     throw Components.results.NS_ERROR_NO_INTERFACE;
   },
   onStopRequest:
   function(request, context, status) {
     if (!Components.isSuccessCode(status)) {
       CSPdebug("error " + status.toString(16) +
                 " while sending violation report to " +
                 this._reportURI);
     }
   },
   onStartRequest:
   function(request, context) { },
   onDataAvailable:
   function(request, context, inputStream, offset, count) {
     // We MUST read equal to count from the inputStream to avoid an assertion.
     var input = Components.classes['@mozilla.org/scriptableinputstream;1']
                 .createInstance(Ci.nsIScriptableInputStream);
     input.init(inputStream);
     input.read(count);
   },
 };
 //////////////////////////////////////////////////////////////////////
 function innerWindowFromRequest(docRequest) {
   let win = null;
   let loadContext = null;
   try {
     loadContext = docRequest.notificationCallbacks.getInterface(Ci.nsILoadContext);
   } catch (ex) {
     try {
       loadContext = docRequest.loadGroup.notificationCallbacks.getInterface(Ci.nsILoadContext);
     } catch (ex) {
       return null;
     }
   }
   if (loadContext) {
     win = loadContext.associatedWindow;
   }
   if (win) {
     try {
        let winUtils = win.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsIDOMWindowUtils);
        return winUtils.currentInnerWindowID;
     } catch (ex) {
       return null;
     }
   }
   return null;
 }
 function cspError(aCSPRep, aMessage) {
   if (aCSPRep) {
     aCSPRep.log(ERROR_FLAG, aMessage);
   } else {
     (new CSPRep()).log(ERROR_FLAG, aMessage);
   }
 }
 function cspWarn(aCSPRep, aMessage) {
   if (aCSPRep) {
     aCSPRep.log(WARN_FLAG, aMessage);
   } else {
     (new CSPRep()).log(WARN_FLAG, aMessage);
   }
 }
 //////////////////////////////////////////////////////////////////////
 this.CSPLocalizer = {
   /**
    * Retrieve a localized string.
    *
    * @param string aName
    *        The string name you want from the CSP string bundle.
    * @return string
    *         The localized string.
    */
   getStr: function CSPLoc_getStr(aName)
   {
     let result;
     try {
       result = this.stringBundle.GetStringFromName(aName);
     }
     catch (ex) {
       Cu.reportError("Failed to get string: " + aName);
       throw ex;
     }
     return result;
   },
   /**
    * Retrieve a localized string formatted with values coming from the given
    * array.
    *
    * @param string aName
    *        The string name you want from the CSP string bundle.
    * @param array aArray
    *        The array of values you want in the formatted string.
    * @return string
    *         The formatted local string.
    */
   getFormatStr: function CSPLoc_getFormatStr(aName, aArray)
   {
     let result;
     try {
       result = this.stringBundle.formatStringFromName(aName, aArray, aArray.length);
     }
     catch (ex) {
       Cu.reportError("Failed to format string: " + aName);
       throw ex;
     }
     return result;
   },
 };
 XPCOMUtils.defineLazyGetter(CSPLocalizer, "stringBundle", function() {
   return Services.strings.createBundle(STRINGS_URI);
 });

The Tor Browser / annotate

content/base/src/CSPUtils.jsm@6474c204b198 (annotated)

content/base/src/CSPUtils.jsm