
commit a7b3748dfc3d43ff7c8f32b8b6299fdb153e0c10
parent 256e8bad1a52af07e29574baf4aaf02f05b39d93
Author: Simon Farre <sfarre@mozilla.com>
Date:   Tue,  2 Dec 2025 07:48:01 +0000

Bug 2002654 - Initialize about:blank policy container in edge case. r=dom-core,smaug

The bug arises in edge cases where we open a new tab that has
about:blank. In those cases `StartDocumentLoad` doesn't get called for
the document, so the policy container is never initialized.

Which is why we make sure to initialize it properly here.

Differential Revision: https://phabricator.services.mozilla.com/D274472

Diffstat:
Mdocshell/base/nsDocShell.cpp | 25++++++++++++-------------
Mdocshell/test/browser/browser.toml | 2++
Adocshell/test/browser/browser_bug2002654.js | 31+++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+), 13 deletions(-)

diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
@@ -6819,23 +6819,22 @@ nsresult nsDocShell::CreateAboutBlankDocumentViewer(
 // same reference) otherwise modifying the new container (such as
 // appending a new policy to CSP) within the new document will be
 // incorrectly propagated to the opening doc.
+ RefPtr<PolicyContainer> policyContainerToInherit = new PolicyContainer();
 if (aPolicyContainer) {
- RefPtr<PolicyContainer> policyContainerToInherit =
- new PolicyContainer();
 policyContainerToInherit->InitFromOther(
 PolicyContainer::Cast(aPolicyContainer));
- blankDoc->SetPolicyContainer(policyContainerToInherit);
- nsIContentSecurityPolicy* csp =
- PolicyContainer::GetCSP(policyContainerToInherit);
- if (!csp) {
- csp = new nsCSPContext();
- policyContainerToInherit->SetCSP(csp);
- };
- nsresult rv = csp->SetRequestContextWithDocument(blankDoc);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return rv;
- }
 }
+ blankDoc->SetPolicyContainer(policyContainerToInherit);
+ nsIContentSecurityPolicy* csp =
+ PolicyContainer::GetCSP(policyContainerToInherit);
+ if (!csp) {
+ csp = new nsCSPContext();
+ policyContainerToInherit->SetCSP(csp);
+ }
+
+ // This call should only fail if blankDoc == nullptr. Which it isn't.
+ MOZ_DIAGNOSTIC_ASSERT(
+ NS_SUCCEEDED(csp->SetRequestContextWithDocument(blankDoc)));
 blankDoc->SetInitialStatus(
 aIsInitialDocument ? Document::InitialStatus::IsInitialUncommitted
diff --git a/docshell/test/browser/browser.toml b/docshell/test/browser/browser.toml
@@ -274,6 +274,8 @@ skip-if = [
 ["browser_bug1798780.js"]
+["browser_bug2002654.js"]
+
 ["browser_click_link_within_view_source.js"]
 ["browser_closewatcher_integration.js"]
diff --git a/docshell/test/browser/browser_bug2002654.js b/docshell/test/browser/browser_bug2002654.js
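Review bot: The call `csp->SetRequestContextWithDocument(blankDoc)` is now the argument of `MOZ_DIAGNOSTIC_ASSERT`, and on builds where diagnostic assertions are disabled that macro falls back to `MOZ_ASSERT`, which in release builds does not evaluate its argument at all — so on exactly those builds the CSP would never receive its request context, which is the state the commit sets out to fix, and the new browser test would not notice because it runs on assertion-enabled builds. Hoist the side effect out of the assertion: `nsresult rv = csp->SetRequestContextWithDocument(blankDoc);` then `MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));` and `Unused << rv;` (or `(void)rv;` if `Unused` is not in scope in this file). The comment above the assert could then say why no error is propagated: `// Only fails for a null document, which cannot happen here; assert rather than return.` The enclosing `CreateAboutBlankDocumentViewer` starts and ends outside the hunk.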
@@ -0,0 +1,31 @@
+"use strict";
+
+// This test makes sure that a policy container & content security policy is initialized for frontend created documents
+// see bug https://bugzilla.mozilla.org/show_bug.cgi?id=2002654
+add_task(async function test_policy_container_and_csp_in_about_blank() {
+ let tab = await BrowserTestUtils.openNewForegroundTab(
+ gBrowser,
+ "about:blank"
+ );
+ try {
+ await ContentTask.spawn(tab.linkedBrowser, null, function () {
+ let meta = content.document.createElement("meta");
+ meta.httpEquiv = "Content-Security-Policy";
+ meta.content = "script-src 'none'";
+ content.document.head.appendChild(meta);
+ Assert.ok(
+ (() => {
+ try {
+ content.window.eval("1 + 1");
+ return false;
+ } catch (ex) {
+ return true;
+ }
+ })(),
+ "CSP set for frontend created document"
+ );
+ });
+ } finally {
+ BrowserTestUtils.removeTab(tab);
+ }
+});
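Review bot: The immediately-invoked function passed to `Assert.ok`, with its unused `catch (ex)` binding, hides what is being checked and would also pass if `eval` threw for a reason unrelated to CSP; `Assert.throws(() => content.window.eval("1 + 1"), /EvalError/, "CSP set for frontend created document");` states the expectation in one line and, since Firefox reports a CSP-blocked eval as an EvalError, pins the failure to the policy actually being enforced. Newer browser-chrome tests generally use `SpecialPowers.spawn` rather than `ContentTask.spawn`; worth aligning if the rest of this directory already has. The header comment could also name the precondition being regression-tested, e.g. `// Regression test for bug 2002654: an about:blank tab opened by the frontend never goes through StartDocumentLoad, yet must still get a policy container and CSP.`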