author | Dylan William Hardison <dylan@hardison.net> | 2017-01-25 21:04:07 +0100 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2017-01-25 21:04:21 +0100 |
commit | 6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5 (patch) | |
tree | 28aea39d85e63a901744c6319f6dc06884040daf /Bugzilla | |
parent | ec963661fb29c191fec645a956cbddc670cfa3da (diff) | |
download | bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.gz bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.xz |
Bug 1286290 - CSP compliant bug modal
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/CGI.pm | 46 | ||||
-rw-r--r-- | Bugzilla/CGI/ContentSecurityPolicy.pm | 1 | ||||
-rw-r--r-- | Bugzilla/Template.pm | 5 |
3 files changed, 44 insertions, 8 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 78987ab71..91dec7e72 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -33,13 +33,41 @@ BEGIN { use constant DEFAULT_CSP => ( default_src => [ 'self' ], - script_src => [ 'self', 'https://login.persona.org', 'unsafe-inline', 'unsafe-eval' ], - child_src => [ 'self', 'https://login.persona.org' ], + script_src => [ 'self', 'unsafe-inline', 'unsafe-eval' ], + child_src => [ 'self', ], img_src => [ 'self', 'https://secure.gravatar.com' ], style_src => [ 'self', 'unsafe-inline' ], - disable => 1, + object_src => [ 'none' ], + form_action => [ + 'self', + # used in template/en/default/search/search-google.html.tmpl + 'https://www.google.com/search' + ], + frame_ancestors => [ 'none' ], + disable => 1, ); +# Because show_bug code lives in many different .cgi files, +# we needed a centralized place to define the policy. +# normally the policy would just live in one .cgi file. +# Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant. +sub SHOW_BUG_MODAL_CSP { + return ( + script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ], + object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"], + connect_src => [ + 'self', + # This is from extensions/OrangeFactor/web/js/orange_factor.js + 'https://brasstacks.mozilla.com/orangefactor/api/count', + ], + child_src => [ + 'self', + # This is for the socorro lens addon and is to be removed by Bug 1332016 + 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm' + ], + ); +} + sub _init_bz_cgi_globals { my $invocant = shift; # We need to disable output buffering - see bug 179174 
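Review bot: SHOW_BUG_MODAL_CSP keeps 'unsafe-eval' next to 'nonce' in script_src, so the nonce only gates inline scripts while eval()/new Function() remains allowed for the modal, and nothing in the hunk records which modal code still needs it. CSP2-aware browsers ignore 'unsafe-inline' once a nonce is present, so that entry is only a CSP1 fallback and deserves a comment so it is not later read as a deliberate relaxation. Suggest `# 'unsafe-inline' is a CSP1 fallback only; browsers that honour 'nonce' ignore it.` above script_src and `# TODO: drop 'unsafe-eval' once the modal no longer needs eval(); it undoes most of the nonce's benefit.` beside it. The object_src entry whitelists a Flash file by absolute URL; a one-line comment naming the clipboard feature that requires it, as the connect_src and child_src entries already do, would keep that exception reviewable.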
@@ -143,9 +171,9 @@ sub content_security_policy { my ($self, %add_params) = @_; if (Bugzilla->has_feature('csp')) { require Bugzilla::CGI::ContentSecurityPolicy; - return $self->{Bugzilla_csp} if $self->{Bugzilla_csp}; - my %params = DEFAULT_CSP; - if (%add_params) { + if (%add_params || !$self->{Bugzilla_csp}) { + my %params = DEFAULT_CSP; + delete $params{disable} if %add_params && !$add_params{disable}; foreach my $key (keys %add_params) { if (defined $add_params{$key}) { $params{$key} = $add_params{$key}; @@ -154,8 +182,10 @@ sub content_security_policy { delete $params{$key}; } } + $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params); } - return $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params); + + return $self->{Bugzilla_csp}; } return undef; } @@ -455,7 +485,7 @@ sub header { $headers{'-x_content_type_options'} = 'nosniff'; my $csp = $self->content_security_policy; - $csp->add_cgi_headers(\%headers) if defined $csp; + $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable; Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm index 74bce6374..022d49b44 100644 --- a/Bugzilla/CGI/ContentSecurityPolicy.pm +++ b/Bugzilla/CGI/ContentSecurityPolicy.pm @@ -37,6 +37,7 @@ my @ALL_SRC = qw( default_src child_src connect_src font_src img_src media_src object_src script_src style_src + frame_ancestors form_action ); has \@ALL_SRC => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 ); diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index eb1496fca..2887f0138 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm 
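Review bot: In content_security_policy any call with %add_params now discards and rebuilds $self->{Bugzilla_csp}, so the last parameterized call before header() silently wins and two callers setting different policies go unnoticed. If the nonce read by Template's script_nonce is derived from the policy object (csp_nonce is not in this diff, so this is inferred), rebuilding after a template has already emitted a nonce would send a header whose nonce no longer matches the page. Suggest a comment above the if: `# A call with arguments replaces any cached policy; set it before header() runs or any template reads the nonce.` and, if the nonce does live on the object, a warn or croak when the cached object has already issued one. The function's body continues into the next hunk.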
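Review bot: With `!$csp->disable` in header(), no CSP header is sent unless a .cgi opts in, because DEFAULT_CSP keeps disable => 1 and content_security_policy only deletes it when %add_params is non-empty; the new default frame_ancestors 'none' and object_src 'none' therefore have no effect on pages that never call content_security_policy with arguments. That may be intended for the migration, but it should be stated next to the check, e.g. `# DEFAULT_CSP is disabled; only CGIs that call content_security_policy(...) with arguments emit a header.` The header() body starts and ends outside the hunk.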
@@ -1000,6 +1000,11 @@ sub create { # Currenly active language 'current_language' => sub { return Bugzilla->current_language; }, + 'script_nonce' => sub { + my $cgi = Bugzilla->cgi; + return $cgi->csp_nonce ? sprintf('nonce="%s"', $cgi->csp_nonce) : ''; + }, + # If an sudo session is in progress, this is the user who # started the session. 'sudoer' => sub { return Bugzilla->sudoer; }, |
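Review bot: script_nonce calls $cgi->csp_nonce twice and builds the attribute with sprintf and no escaping, so the output is only safe if the nonce is confined to the CSP nonce alphabet (base64 or hex); csp_nonce is not in this diff, so that is an assumption to confirm. Suggest fetching it once, `my $nonce = Bugzilla->cgi->csp_nonce;` then `return $nonce ? sprintf('nonce="%s"', $nonce) : '';`, with a comment `# emitted raw inside a <script> attribute; csp_nonce must return only base64/hex characters`. Since the string carries its own quotes, templates presumably have to output it unfiltered (FILTER none); the comment should say so, otherwise an html-filtered use yields escaped quotes and a broken attribute. The create() sub begins and ends outside the hunk.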