From bd87ffd1eb0774c11bb09a3fe70a893730a316b1 Mon Sep 17 00:00:00 2001 From: K4sum1 Date: Mon, 12 Aug 2024 10:10:45 -0500 Subject: [PATCH] Add back security.csp.enable --- dom/base/Document.cpp | 5 +++++ dom/security/nsCSPService.cpp | 6 ++++-- dom/security/nsCSPUtils.cpp | 2 +- dom/workers/loader/NetworkLoadHandler.cpp | 15 +++++++++------ modules/libpref/init/StaticPrefList.yaml | 5 +++++ parser/html/nsHtml5TreeOpExecutor.cpp | 4 ++++ 6 files changed, 28 insertions(+), 9 deletions(-) diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp index 09053ed976b202..08ba7e53bccd1a 100644 --- a/dom/base/Document.cpp +++ b/dom/base/Document.cpp @@ -3813,6 +3813,11 @@ void Document::ApplySettingsFromCSP(bool aSpeculative) { nsresult Document::InitCSP(nsIChannel* aChannel) { MOZ_ASSERT(!mScriptGlobalObject, "CSP must be initialized before mScriptGlobalObject is set!"); + if (!StaticPrefs::security_csp_enable()) { + MOZ_LOG(gCspPRLog, LogLevel::Debug, + ("CSP is disabled, skipping CSP init for document %p", this)); + return NS_OK; + } // If this is a data document - no need to set CSP. if (mLoadedAsData) { diff --git a/dom/security/nsCSPService.cpp b/dom/security/nsCSPService.cpp index 75e8ec19332eb0..12cffec311c607 100644 --- a/dom/security/nsCSPService.cpp +++ b/dom/security/nsCSPService.cpp @@ -130,7 +130,8 @@ bool subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) { // Please note, the correct way to opt-out of CSP using a custom // protocolHandler is to set one of the nsIProtocolHandler flags // that are allowlistet in subjectToCSP() - if (!subjectToCSP(aContentLocation, contentType)) { + if (!StaticPrefs::security_csp_enable() || + !subjectToCSP(aContentLocation, contentType)) { return NS_OK; } 
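Review bot: The early return added at the top of `Document::InitCSP` skips every policy source the function handles, not only page-supplied headers, and the only trace it leaves is a Debug-level log line. The rest of InitCSP lies outside the hunk, so please confirm whether any policy it applies to privileged documents (extension pages, for example) is meant to be dropped as well; if not, the pref check belongs below that step. At minimum I would add a comment above the check, `// Pref off: this document gets no CSP from any source handled below.`, and keep a blank line between the MOZ_ASSERT and the new block.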
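Review bot: The new `!StaticPrefs::security_csp_enable()` short-circuit returns NS_OK without touching the load decision, so it is only correct if the enclosing function has already set the decision to accept before this point, which is outside the hunk; please confirm. The comment directly above still describes only the protocol-handler opt-out, so I would add a line such as `// Also skipped entirely when security.csp.enable is false.` The same comment is needed at the identical check in the `ConsultCSPForRedirect` hunk (`@@ -314,7 +315,8 @@`) of this file.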
@@ -314,7 +315,8 @@ nsresult CSPService::ConsultCSPForRedirect(nsIURI* aOriginalURI, // protocolHandler is to set one of the nsIProtocolHandler flags // that are allowlistet in subjectToCSP() nsContentPolicyType policyType = aLoadInfo->InternalContentPolicyType(); - if (!subjectToCSP(aNewURI, policyType)) { + if (!StaticPrefs::security_csp_enable() || + !subjectToCSP(aNewURI, policyType)) { return NS_OK; } diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp index 17a205b2607208..7269ce303faff9 100644 --- a/dom/security/nsCSPUtils.cpp +++ b/dom/security/nsCSPUtils.cpp @@ -130,7 +130,7 @@ bool CSP_ShouldResponseInheritCSP(nsIChannel* aChannel) { void CSP_ApplyMetaCSPToDoc(mozilla::dom::Document& aDoc, const nsAString& aPolicyStr) { - if (aDoc.IsLoadedAsData()) { + if (!mozilla::StaticPrefs::security_csp_enable() || aDoc.IsLoadedAsData()) { return; } diff --git a/dom/workers/loader/NetworkLoadHandler.cpp b/dom/workers/loader/NetworkLoadHandler.cpp index 07398dac0a29b9..67190e76039388 100644 --- a/dom/workers/loader/NetworkLoadHandler.cpp +++ b/dom/workers/loader/NetworkLoadHandler.cpp @@ -16,6 +16,7 @@ #include "nsNetUtil.h" #include "mozilla/Encoding.h" +#include "mozilla/StaticPrefs_security.h" #include "mozilla/dom/BlobURLProtocolHandler.h" #include "mozilla/dom/InternalResponse.h" #include "mozilla/dom/ServiceWorkerBinding.h" 
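Review bot: The pref check added to `CSP_ApplyMetaCSPToDoc` applies to every document regardless of principal, so with the pref off the `<meta>` policies that the browser's own built-in pages carry as defense in depth are ignored along with those of web content. If the intent is only to stop enforcing site-supplied policies, consider limiting the bypass to content documents; the right predicate depends on code outside this hunk, so I am not proposing a specific line. Otherwise document the scope above the check with `// Pref off: <meta> CSP is ignored for all documents, including privileged ones.`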
@@ -238,12 +239,14 @@ nsresult NetworkLoadHandler::DataReceivedFromNetwork(nsIStreamLoader* aLoader, nsCOMPtr csp = mWorkerRef->Private()->GetCsp(); // We did inherit CSP in bug 1223647. If we do not already have a CSP, we // should get it from the HTTP headers on the worker script. - if (!csp) { - rv = mWorkerRef->Private()->SetCSPFromHeaderValues(tCspHeaderValue, - tCspROHeaderValue); - NS_ENSURE_SUCCESS(rv, rv); - } else { - csp->EnsureEventTarget(mWorkerRef->Private()->MainThreadEventTarget()); + if (StaticPrefs::security_csp_enable()) { + if (!csp) { + rv = mWorkerRef->Private()->SetCSPFromHeaderValues(tCspHeaderValue, + tCspROHeaderValue); + NS_ENSURE_SUCCESS(rv, rv); + } else { + csp->EnsureEventTarget(mWorkerRef->Private()->MainThreadEventTarget()); + } } mWorkerRef->Private()->UpdateReferrerInfoFromHeader(tRPHeaderCValue); diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml index 72331c7b81e40c..4107b01b4c4aba 100644 --- a/modules/libpref/init/StaticPrefList.yaml +++ b/modules/libpref/init/StaticPrefList.yaml @@ -15281,6 +15281,11 @@ value: 100 mirror: always +- name: security.csp.enable + type: bool + value: true + mirror: always + # Time span in seconds for reporting limit. - name: security.csp.reporting.limit.timespan type: uint32_t diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp index d05b06c3f9ddba..5cba4eb0490ccb 100644 --- a/parser/html/nsHtml5TreeOpExecutor.cpp +++ b/parser/html/nsHtml5TreeOpExecutor.cpp @@ -1332,6 +1332,10 @@ void nsHtml5TreeOpExecutor::UpdateReferrerInfoFromMeta( } void nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP) { + if (!StaticPrefs::security_csp_enable()) { + return; + } + NS_ASSERTION(NS_IsMainThread(), "Wrong thread!"); nsresult rv = NS_OK;
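Review bot: Wrapping both branches in the pref check means an already-inherited `csp` no longer gets `EnsureEventTarget(...)` when the pref is off, although that object stays attached to the worker. The pref is declared `mirror: always` and can change while the worker is alive, so I would keep that call outside the gate and guard only the header path, as sketched below. Whether an inherited policy can still be consulted after the pref flips back depends on code outside the hunk, so treat this as a robustness point rather than a confirmed bug. The comment above the block should also say that header policies are ignored while `security.csp.enable` is false.

```cpp
  // … unchanged: csp lookup and the bug 1223647 comment …
  if (csp) {
    // Inherited policy: keep its event target valid even while the pref is off.
    csp->EnsureEventTarget(mWorkerRef->Private()->MainThreadEventTarget());
  } else if (StaticPrefs::security_csp_enable()) {
    rv = mWorkerRef->Private()->SetCSPFromHeaderValues(tCspHeaderValue,
                                                       tCspROHeaderValue);
    NS_ENSURE_SUCCESS(rv, rv);
  }
```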
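Review bot: The new `security.csp.enable` entry has no comment, unlike the neighbouring prefs, even though this patch makes it switch off CSP for document initialisation, `<meta>` policies, load and redirect checks, and worker header policies. I would add above it `# Master switch for CSP. When false, Content Security Policy is not applied to documents or workers.` so the impact is visible to anyone editing the list. As a plain `type: bool` mirror it should also only be read on the main thread; if any of the new call sites can run elsewhere, the type would need to be `RelaxedAtomicBool`.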
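Review bot: The pref check in `AddSpeculationCSP` returns before `NS_ASSERTION(NS_IsMainThread(), "Wrong thread!")`, so with the pref off the thread invariant is never checked on this path; I would move the three added lines below the assertion. This hunk also adds no include, while NetworkLoadHandler.cpp gained `#include "mozilla/StaticPrefs_security.h"` in the same commit. Unless the file already includes that header directly (not visible here), add it so the build does not depend on unified-build neighbours. The function body continues outside the hunk.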