Bug 1848315 - CSP: Introduce new and more detailed error messages. r=freddyb,devtools-reviewers,flod

Differential Revision: https://phabricator.services.mozilla.com/D186143

Author: evilpie

browser/base/content/test/static/browser_misused_characters_in_strings.js

@@ -68,6 +68,28 @@ let gExceptionsList = [
     key: "MathML_DeprecatedMathVariantWarning",
     type: "single-quote",
   },
+  // These error messages contain references to the CSP keywords 'unsafe-eval'/'wasm-unsafe-eval',
+  // and those keywords contain actual single-quotes: https://w3c.github.io/webappsec-csp/#grammardef-keyword-source
+  {
+    file: "csp.properties",
+    key: "CSPEvalScriptViolation",
+    type: "single-quote",
+  },
+  {
+    file: "csp.properties",
+    key: "CSPROEvalScriptViolation",
+    type: "single-quote",
+  },
+  {
+    file: "csp.properties",
+    key: "CSPWasmEvalScriptViolation",
+    type: "single-quote",
+  },
+  {
+    file: "csp.properties",
+    key: "CSPROWasmEvalScriptViolation",
+    type: "single-quote",
+  },
 ];
 
 /**

devtools/client/webconsole/test/browser/browser_webconsole_csp_too_many_reports.js

@@ -13,11 +13,18 @@ const TEST_URI =
 const TEST_VIOLATIONS =
   "https://example.com/browser/devtools/client/webconsole/" +
   "test/browser/test-csp-many-errors.html";
-const CSP_VIOLATION_MSG =
-  "Content-Security-Policy: The page\u2019s settings blocked the loading of a resource " +
-  "at inline (\u201cstyle-src\u201d).";
-const CSP_TOO_MANY_REPORTS_MSG =
-  "Content-Security-Policy: Prevented too many CSP reports from being sent within a short period of time.";
+
+const bundle = Services.strings.createBundle(
+  "chrome://global/locale/security/csp.properties"
+);
+const CSP_VIOLATION_MSG = bundle.formatStringFromName(
+  "CSPInlineStyleViolation",
+  ["style-src 'none'", "style-src-attr"]
+);
+const CSP_TOO_MANY_REPORTS_MSG = bundle.formatStringFromName(
+  "tooManyReports",
+  []
+);
 
 add_task(async function () {
   // Reduce the limit to reduce the log spam.

devtools/client/webconsole/test/browser/browser_webconsole_csp_violation.js

@@ -7,6 +7,10 @@
 "use strict";
 
 add_task(async function () {
+  const bundle = Services.strings.createBundle(
+    "chrome://global/locale/security/csp.properties"
+  );
+
   const TEST_URI =
     "data:text/html;charset=utf8,<!DOCTYPE html>Web Console CSP violation test";
   const hud = await openNewTabAndConsole(TEST_URI);
@@ -15,10 +19,14 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation.html";
-    const CSP_VIOLATION_MSG =
-      "Content-Security-Policy: The page\u2019s settings " +
-      "blocked the loading of a resource at " +
-      "http://some.example.com/test.png (\u201cimg-src\u201d).";
+    const CSP_VIOLATION_MSG = bundle.formatStringFromName(
+      "CSPGenericViolation",
+      [
+        "img-src https://example.com",
+        "http://some.example.com/test.png",
+        "img-src",
+      ]
+    );
     const onRepeatedMessage = waitForRepeatedMessageByType(
       hud,
       CSP_VIOLATION_MSG,
@@ -35,9 +43,10 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation-inline.html";
-    const CSP_VIOLATION =
-      `Content-Security-Policy: The page’s settings blocked` +
-      ` the loading of a resource at inline (“style-src”).`;
+    const CSP_VIOLATION = bundle.formatStringFromName(
+      "CSPInlineStyleViolation",
+      ["style-src 'self'", "style-src-elem"]
+    );
     const VIOLATION_LOCATION_HTML = "test-csp-violation-inline.html:18:1";
     const VIOLATION_LOCATION_JS = "test-csp-violation-inline.html:14:25";
     await navigateTo(TEST_VIOLATION);
@@ -71,7 +80,11 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation-base-uri.html";
-    const CSP_VIOLATION = `Content-Security-Policy: The page’s settings blocked the loading of a resource at https://evil.com/ (“base-uri”).`;
+    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
+      "base-uri 'self'",
+      "https://evil.com/",
+      "base-uri",
+    ]);
     const VIOLATION_LOCATION = "test-csp-violation-base-uri.html:15:25";
     await navigateTo(TEST_VIOLATION);
     let msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
@@ -97,7 +110,11 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation-form-action.html";
-    const CSP_VIOLATION = `Content-Security-Policy: The page’s settings blocked the loading of a resource at https://evil.com/evil.com (“form-action”).`;
+    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
+      "form-action 'self'",
+      "https://evil.com/evil.com",
+      "form-action",
+    ]);
     const VIOLATION_LOCATION = "test-csp-violation-form-action.html:14:40";
 
     await navigateTo(TEST_VIOLATION);
@@ -116,9 +133,11 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation-frame-ancestor-parent.html";
-    const CSP_VIOLATION =
-      `Content-Security-Policy: The page’s settings blocked` +
-      ` the loading of a resource at ${TEST_VIOLATION} (“frame-ancestors”).`;
+    const CSP_VIOLATION = bundle.formatStringFromName("CSPGenericViolation", [
+      "frame-ancestors 'none'",
+      TEST_VIOLATION,
+      "frame-ancestors",
+    ]);
     await navigateTo(TEST_VIOLATION);
     const msg = await waitFor(() => findErrorMessage(hud, CSP_VIOLATION));
     ok(msg, "Frame-Ancestors violation by html was printed");
@@ -129,8 +148,11 @@ add_task(async function () {
     const TEST_VIOLATION =
       "https://example.com/browser/devtools/client/webconsole/" +
       "test/browser/test-csp-violation-event-handler.html";
-    const CSP_VIOLATION = `Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
-Source: document.body.textContent = 'JavaScript …`;
+    const CSP_VIOLATION =
+      bundle.formatStringFromName("CSPEventHandlerScriptViolation", [
+        "script-src 'self'",
+        "script-src-attr",
+      ]) + `\nSource: document.body.textContent = 'JavaScript …`;
     // Future-Todo: Include line and column number.
     const VIOLATION_LOCATION = "test-csp-violation-event-handler.html";
     await navigateTo(TEST_VIOLATION);

devtools/client/webconsole/test/browser/browser_webconsole_cspro.js

@@ -21,13 +21,20 @@ const TEST_URI =
 const TEST_VIOLATION =
   "http://example.com/browser/devtools/client/webconsole/" +
   "test/browser/test-cspro.html";
-const CSP_VIOLATION_MSG =
-  "Content-Security-Policy: The page\u2019s settings blocked the loading of a resource " +
-  "at http://some.example.com/cspro.png (\u201cimg-src\u201d).";
-const CSP_REPORT_MSG =
-  "Content-Security-Policy: The page\u2019s settings observed the loading of a " +
-  "resource at http://some.example.com/cspro.js " +
-  "(\u201cscript-src\u201d). A CSP report is being sent.";
+
+const bundle = Services.strings.createBundle(
+  "chrome://global/locale/security/csp.properties"
+);
+const CSP_VIOLATION_MSG = bundle.formatStringFromName("CSPGenericViolation", [
+  "img-src 'self'",
+  "http://some.example.com/cspro.png",
+  "img-src",
+]);
+const CSP_REPORT_MSG = bundle.formatStringFromName("CSPROScriptViolation", [
+  "script-src 'self'",
+  "http://some.example.com/cspro.js",
+  "script-src-elem",
+]);
 
 add_task(async function () {
   const hud = await openNewTabAndConsole(TEST_URI);

dom/locales/en-US/chrome/security/csp.properties

@@ -4,14 +4,102 @@
 
 # CSP Warnings:
 
-# LOCALIZATION NOTE (CSPViolationWithURI):
-# %1$S is the directive that has been violated.
+# LOCALIZATION NOTE (CSPInlineStyleViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. style-src-elem)
+CSPInlineStyleViolation = The page’s settings blocked an inline style (%2$S) from being applied because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROInlineStyleViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. style-src-elem)
+CSPROInlineStyleViolation = (Report-Only policy) The page’s settings would block an inline style (%2$S) from being applied because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPInlineScriptViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src-elem)
+CSPInlineScriptViolation = The page’s settings blocked an inline script (%2$S) from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROInlineScriptViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src-elem)
+CSPROInlineScriptViolation = (Report-Only policy) The page’s settings would block an inline script (%2$S) from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPEventHandlerScriptViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src-attr)
+CSPEventHandlerScriptViolation = The page’s settings blocked an event handler (%2$S) from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROEventHandlerScriptViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src-attr)
+CSPROEventHandlerScriptViolation = (Report-Only policy) The page’s settings would block an event handler (%2$S) from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPEvalScriptViolation):
+# Don't translate/change "'unsafe-eval'", including the single quote.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src)
+CSPEvalScriptViolation = The page’s settings blocked a JavaScript eval (%2$S) from being executed because it violates the following directive: “%1$S” (Missing 'unsafe-eval')
+# LOCALIZATION NOTE (CSPROEvalScriptViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# Don't translate/change "'unsafe-eval'", including the single quote.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src)
+CSPROEvalScriptViolation = (Report-Only policy) The page’s settings would block a JavaScript eval (%2$S) from being executed because it violates the following directive: “%1$S” (Missing 'unsafe-eval')
+# LOCALIZATION NOTE (CSPWasmEvalScriptViolation):
+# WebAssembly is a feature name.
+# Don't translate/change "'wasm-unsafe-eval'" or "'unsafe-eval'", including the single quote.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src)
+CSPWasmEvalScriptViolation = The page’s settings blocked WebAssembly (%2$S) from being executed because it violates the following directive: “%1$S” (Missing 'wasm-unsafe-eval' or 'unsafe-eval')
+# LOCALIZATION NOTE (CSPROWasmEvalScriptViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# WebAssembly is a feature name.
+# Don't translate/change "'wasm-unsafe-eval'" or "'unsafe-eval'", including the single quote.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the type of directive used by the resource (e.g. script-src)
+CSPROWasmEvalScriptViolation = (Report-Only policy) The page’s settings would block WebAssembly (%2$S) from being executed because it violates the following directive: “%1$S” (Missing 'wasm-unsafe-eval' or 'unsafe-eval')
+# LOCALIZATION NOTE (CSPStyleViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
 # %2$S is the URI of the resource which violated the directive.
-CSPViolationWithURI = The page’s settings blocked the loading of a resource at %2$S (“%1$S”).
-# LOCALIZATION NOTE (CSPROViolationWithURI):
-# %1$S is the directive that has been violated.
+# %3$S is the type of directive used by the resource (e.g. style-src)
+CSPStyleViolation = The page’s settings blocked a style (%3$S) at %2$S from being applied because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROStyleViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
 # %2$S is the URI of the resource which violated the directive.
-CSPROViolationWithURI = The page’s settings observed the loading of a resource at %2$S (“%1$S”). A CSP report is being sent.
+# %3$S is the type of directive used by the resource (e.g. style-src)
+CSPROStyleViolation = (Report-Only policy) The page’s settings would block a style (%3$S) at %2$S from being applied because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPScriptViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. script-src-elem)
+CSPScriptViolation = The page’s settings blocked a script (%3$S) at %2$S from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROScriptViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. script-src-elem)
+CSPROScriptViolation = (Report-Only policy) The page’s settings would block a script (%3$S) at %2$S from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPWorkerViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. worker-src)
+CSPWorkerViolation = The page’s settings blocked a worker script (%3$S) at %2$S from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROWorkerViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. worker-src)
+CSPROWorkerViolation = (Report-Only policy) The page’s settings would block a worker script (%3$S) at %2$S from being executed because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPGenericViolation):
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. image-src)
+CSPGenericViolation = The page’s settings blocked the loading of a resource (%3$S) at %2$S because it violates the following directive: “%1$S”
+# LOCALIZATION NOTE (CSPROGenericViolation):
+# Don't translate "Report-Only" as it's part of the name Content-Security-Policy-Report-Only.
+# %1$S is the entire directive that has been violated. (e.g. "default-src 'none'")
+# %2$S is the URI of the resource which violated the directive.
+# %3$S is the type of directive used by the resource (e.g. image-src)
+CSPROGenericViolation = (Report-Only policy) The page’s settings would block the loading of a resource (%3$S) at %2$S because it violates the following directive: “%1$S”
+
 # LOCALIZATION NOTE (triedToSendReport):
 # %1$S is the URI we attempted to send a report to.
 triedToSendReport = Tried to send report to invalid URI: “%1$S”