summaryrefslogtreecommitdiffstats
path: root/dom/security/nsContentSecurityUtils.cpp
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--dom/security/nsContentSecurityUtils.cpp1177
1 files changed, 1177 insertions, 0 deletions
diff --git a/dom/security/nsContentSecurityUtils.cpp b/dom/security/nsContentSecurityUtils.cpp
new file mode 100644
index 0000000000..400dea3877
--- /dev/null
+++ b/dom/security/nsContentSecurityUtils.cpp
@@ -0,0 +1,1177 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* A namespace class for static content security utilities. */
+
+#include "nsContentSecurityUtils.h"
+
+#include "mozilla/dom/nsMixedContentBlocker.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "nsComponentManagerUtils.h"
+#include "nsIContentSecurityPolicy.h"
+#include "nsIChannel.h"
+#include "nsIHttpChannel.h"
+#include "nsIMultiPartChannel.h"
+#include "nsIURI.h"
+#include "nsITransfer.h"
+#include "nsNetUtil.h"
+#include "nsSandboxFlags.h"
+#if defined(XP_WIN)
+# include "WinUtils.h"
+# include <wininet.h>
+#endif
+
+#include "FramingChecker.h"
+#include "js/Array.h" // JS::GetArrayLength
+#include "js/ContextOptions.h"
+#include "js/RegExp.h"
+#include "js/RegExpFlags.h" // JS::RegExpFlags
+#include "mozilla/ExtensionPolicyService.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/nsCSPContext.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "LoadInfo.h"
+#include "mozilla/StaticPrefs_extensions.h"
+#include "mozilla/StaticPrefs_dom.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/TelemetryComms.h"
+#include "mozilla/TelemetryEventEnums.h"
+#include "nsIConsoleService.h"
+#include "nsIStringBundle.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+using namespace mozilla::Telemetry;
+
+extern mozilla::LazyLogModule sCSMLog;
+extern Atomic<bool, mozilla::Relaxed> sTelemetryEventEnabled;
+
+// Helper function for IsConsideredSameOriginForUIR which makes
+// Principals of scheme 'http' return Principals of scheme 'https'.
+static already_AddRefed<nsIPrincipal> MakeHTTPPrincipalHTTPS(
+ nsIPrincipal* aPrincipal) {
+ nsCOMPtr<nsIPrincipal> principal = aPrincipal;
+ // if the principal is not http, then it can also not be upgraded
+ // to https.
+ if (!principal->SchemeIs("http")) {
+ return principal.forget();
+ }
+
+ nsAutoCString spec;
+ aPrincipal->GetAsciiSpec(spec);
+ // replace http with https
+ spec.ReplaceLiteral(0, 4, "https");
+
+ nsCOMPtr<nsIURI> newURI;
+ nsresult rv = NS_NewURI(getter_AddRefs(newURI), spec);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nullptr;
+ }
+
+ mozilla::OriginAttributes OA =
+ BasePrincipal::Cast(aPrincipal)->OriginAttributesRef();
+
+ principal = BasePrincipal::CreateContentPrincipal(newURI, OA);
+ return principal.forget();
+}
+
+/* static */
+bool nsContentSecurityUtils::IsConsideredSameOriginForUIR(
+ nsIPrincipal* aTriggeringPrincipal, nsIPrincipal* aResultPrincipal) {
+ MOZ_ASSERT(aTriggeringPrincipal);
+ MOZ_ASSERT(aResultPrincipal);
+ // we only have to make sure that the following truth table holds:
+ // aTriggeringPrincipal | aResultPrincipal | Result
+ // ----------------------------------------------------------------
+ // http://example.com/foo.html | http://example.com/bar.html | true
+ // http://example.com/foo.html | https://example.com/bar.html | true
+ // https://example.com/foo.html | https://example.com/bar.html | true
+ // https://example.com/foo.html | http://example.com/bar.html | true
+
+ // fast path if both principals are same-origin
+ if (aTriggeringPrincipal->Equals(aResultPrincipal)) {
+ return true;
+ }
+
+ // in case a principal uses a scheme of 'http' then we just upgrade to
+ // 'https' and use the principal equals comparison operator to check
+ // for same-origin.
+ nsCOMPtr<nsIPrincipal> compareTriggeringPrincipal =
+ MakeHTTPPrincipalHTTPS(aTriggeringPrincipal);
+
+ nsCOMPtr<nsIPrincipal> compareResultPrincipal =
+ MakeHTTPPrincipalHTTPS(aResultPrincipal);
+
+ return compareTriggeringPrincipal->Equals(compareResultPrincipal);
+}
+
+/*
+ * Performs a Regular Expression match, optionally returning the results.
+ * This function is not safe to use OMT.
+ *
+ * @param aPattern The regex pattern
+ * @param aString The string to compare against
+ * @param aOnlyMatch Whether we want match results or only a true/false for
+ * the match
+ * @param aMatchResult Out param for whether or not the pattern matched
+ * @param aRegexResults Out param for the matches of the regex, if requested
+ * @returns nsresult indicating correct function operation or error
+ */
+nsresult RegexEval(const nsAString& aPattern, const nsAString& aString,
+ bool aOnlyMatch, bool& aMatchResult,
+ nsTArray<nsString>* aRegexResults = nullptr) {
+ MOZ_ASSERT(NS_IsMainThread());
+ aMatchResult = false;
+
+ mozilla::dom::AutoJSAPI jsapi;
+ jsapi.Init();
+
+ JSContext* cx = jsapi.cx();
+ mozilla::AutoDisableJSInterruptCallback disabler(cx);
+
+ // We can use the junk scope here, because we're just using it for regexp
+ // evaluation, not actual script execution, and we disable statics so that the
+ // evaluation does not interact with the execution global.
+ JSAutoRealm ar(cx, xpc::PrivilegedJunkScope());
+
+ JS::RootedObject regexp(
+ cx, JS::NewUCRegExpObject(cx, aPattern.BeginReading(), aPattern.Length(),
+ JS::RegExpFlag::Unicode));
+ if (!regexp) {
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
+ JS::RootedValue regexResult(cx, JS::NullValue());
+
+ size_t index = 0;
+ if (!JS::ExecuteRegExpNoStatics(cx, regexp, aString.BeginReading(),
+ aString.Length(), &index, aOnlyMatch,
+ &regexResult)) {
+ return NS_ERROR_FAILURE;
+ }
+
+ if (regexResult.isNull()) {
+ // On no match, ExecuteRegExpNoStatics returns Null
+ return NS_OK;
+ }
+ if (aOnlyMatch) {
+ // On match, with aOnlyMatch = true, ExecuteRegExpNoStatics returns boolean
+ // true.
+ MOZ_ASSERT(regexResult.isBoolean() && regexResult.toBoolean());
+ aMatchResult = true;
+ return NS_OK;
+ }
+ if (aRegexResults == nullptr) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ // Now we know we have a result, and we need to extract it so we can read it.
+ uint32_t length;
+ JS::RootedObject regexResultObj(cx, &regexResult.toObject());
+ if (!JS::GetArrayLength(cx, regexResultObj, &length)) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, ("Regex Matched %i strings", length));
+
+ for (uint32_t i = 0; i < length; i++) {
+ JS::RootedValue element(cx);
+ if (!JS_GetElement(cx, regexResultObj, i, &element)) {
+ return NS_ERROR_NO_CONTENT;
+ }
+
+ nsAutoJSString value;
+ if (!value.init(cx, element)) {
+ return NS_ERROR_NO_CONTENT;
+ }
+
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ ("Regex Matching: %i: %s", i, NS_ConvertUTF16toUTF8(value).get()));
+ aRegexResults->AppendElement(value);
+ }
+
+ aMatchResult = true;
+ return NS_OK;
+}
+
+/*
+ * Telemetry Events extra data only supports 80 characters, so we optimize the
+ * filename to be smaller and collect more data.
+ */
+nsString OptimizeFileName(const nsAString& aFileName) {
+ nsString optimizedName(aFileName);
+
+ MOZ_LOG(
+ sCSMLog, LogLevel::Verbose,
+ ("Optimizing FileName: %s", NS_ConvertUTF16toUTF8(optimizedName).get()));
+
+ optimizedName.ReplaceSubstring(u".xpi!"_ns, u"!"_ns);
+ optimizedName.ReplaceSubstring(u"shield.mozilla.org!"_ns, u"s!"_ns);
+ optimizedName.ReplaceSubstring(u"mozilla.org!"_ns, u"m!"_ns);
+ if (optimizedName.Length() > 80) {
+ optimizedName.Truncate(80);
+ }
+
+ MOZ_LOG(
+ sCSMLog, LogLevel::Verbose,
+ ("Optimized FileName: %s", NS_ConvertUTF16toUTF8(optimizedName).get()));
+ return optimizedName;
+}
+
+/*
+ * FilenameToFilenameType takes a fileName and returns a Pair of strings.
+ * The First entry is a string indicating the type of fileName
+ * The Second entry is a Maybe<string> that can contain additional details to
+ * report.
+ *
+ * The reason we use strings (instead of an int/enum) is because the Telemetry
+ * Events API only accepts strings.
+ *
+ * Function is a static member of the class to enable gtests.
+ */
+
+/* static */
+FilenameTypeAndDetails nsContentSecurityUtils::FilenameToFilenameType(
+ const nsString& fileName, bool collectAdditionalExtensionData) {
+ // These are strings because the Telemetry Events API only accepts strings
+ static constexpr auto kChromeURI = "chromeuri"_ns;
+ static constexpr auto kResourceURI = "resourceuri"_ns;
+ static constexpr auto kBlobUri = "bloburi"_ns;
+ static constexpr auto kDataUri = "dataurl"_ns;
+ static constexpr auto kSingleString = "singlestring"_ns;
+ static constexpr auto kMozillaExtension = "mozillaextension"_ns;
+ static constexpr auto kOtherExtension = "otherextension"_ns;
+ static constexpr auto kSuspectedUserChromeJS = "suspectedUserChromeJS"_ns;
+#if defined(XP_WIN)
+ static constexpr auto kSanitizedWindowsURL = "sanitizedWindowsURL"_ns;
+ static constexpr auto kSanitizedWindowsPath = "sanitizedWindowsPath"_ns;
+#endif
+ static constexpr auto kOther = "other"_ns;
+ static constexpr auto kOtherWorker = "other-on-worker"_ns;
+ static constexpr auto kRegexFailure = "regexfailure"_ns;
+
+ static constexpr auto kUCJSRegex = u"(.+).uc.js\\?*[0-9]*$"_ns;
+ static constexpr auto kExtensionRegex = u"extensions/(.+)@(.+)!(.+)$"_ns;
+ static constexpr auto kSingleFileRegex = u"^[a-zA-Z0-9.?]+$"_ns;
+
+ if (fileName.IsEmpty()) {
+ return FilenameTypeAndDetails(kOther, Nothing());
+ }
+
+ // resource:// and chrome://
+ if (StringBeginsWith(fileName, u"chrome://"_ns)) {
+ return FilenameTypeAndDetails(kChromeURI, Some(fileName));
+ }
+ if (StringBeginsWith(fileName, u"resource://"_ns)) {
+ return FilenameTypeAndDetails(kResourceURI, Some(fileName));
+ }
+
+ // blob: and data:
+ if (StringBeginsWith(fileName, u"blob:"_ns)) {
+ return FilenameTypeAndDetails(kBlobUri, Nothing());
+ }
+ if (StringBeginsWith(fileName, u"data:"_ns)) {
+ return FilenameTypeAndDetails(kDataUri, Nothing());
+ }
+
+ if (!NS_IsMainThread()) {
+ // We can't do Regex matching off the main thread; so just report.
+ return FilenameTypeAndDetails(kOtherWorker, Nothing());
+ }
+
+ // Extension
+ bool regexMatch;
+ nsTArray<nsString> regexResults;
+ nsresult rv = RegexEval(kExtensionRegex, fileName, /* aOnlyMatch = */ false,
+ regexMatch, &regexResults);
+ if (NS_FAILED(rv)) {
+ return FilenameTypeAndDetails(kRegexFailure, Nothing());
+ }
+ if (regexMatch) {
+ nsCString type = StringEndsWith(regexResults[2], u"mozilla.org.xpi"_ns)
+ ? kMozillaExtension
+ : kOtherExtension;
+ auto& extensionNameAndPath =
+ Substring(regexResults[0], ArrayLength("extensions/") - 1);
+ return FilenameTypeAndDetails(type,
+ Some(OptimizeFileName(extensionNameAndPath)));
+ }
+
+ // Single File
+ rv = RegexEval(kSingleFileRegex, fileName, /* aOnlyMatch = */ true,
+ regexMatch);
+ if (NS_FAILED(rv)) {
+ return FilenameTypeAndDetails(kRegexFailure, Nothing());
+ }
+ if (regexMatch) {
+ return FilenameTypeAndDetails(kSingleString, Some(fileName));
+ }
+
+ // Suspected userChromeJS script
+ rv = RegexEval(kUCJSRegex, fileName, /* aOnlyMatch = */ true, regexMatch);
+ if (NS_FAILED(rv)) {
+ return FilenameTypeAndDetails(kRegexFailure, Nothing());
+ }
+ if (regexMatch) {
+ return FilenameTypeAndDetails(kSuspectedUserChromeJS, Nothing());
+ }
+
+#if defined(XP_WIN)
+ auto flags = mozilla::widget::WinUtils::PathTransformFlags::Default |
+ mozilla::widget::WinUtils::PathTransformFlags::RequireFilePath;
+ nsAutoString strSanitizedPath(fileName);
+ if (widget::WinUtils::PreparePathForTelemetry(strSanitizedPath, flags)) {
+ DWORD cchDecodedUrl = INTERNET_MAX_URL_LENGTH;
+ WCHAR szOut[INTERNET_MAX_URL_LENGTH];
+ HRESULT hr;
+ SAFECALL_URLMON_FUNC(CoInternetParseUrl, fileName.get(), PARSE_SCHEMA, 0,
+ szOut, INTERNET_MAX_URL_LENGTH, &cchDecodedUrl, 0);
+ if (hr == S_OK && cchDecodedUrl) {
+ nsAutoString sanitizedPathAndScheme;
+ sanitizedPathAndScheme.Append(szOut);
+ if (sanitizedPathAndScheme == u"file"_ns) {
+ sanitizedPathAndScheme.Append(u"://.../"_ns);
+ sanitizedPathAndScheme.Append(strSanitizedPath);
+ } else if (sanitizedPathAndScheme == u"moz-extension"_ns &&
+ collectAdditionalExtensionData) {
+ sanitizedPathAndScheme.Append(u"://["_ns);
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_NewURI(getter_AddRefs(uri), fileName);
+ if (NS_FAILED(rv)) {
+ // Return after adding ://[ so we know we failed here.
+ return FilenameTypeAndDetails(kSanitizedWindowsURL,
+ Some(sanitizedPathAndScheme));
+ }
+
+ mozilla::extensions::URLInfo url(uri);
+ if (NS_IsMainThread()) {
+ // EPS is only usable on main thread
+ auto* policy =
+ ExtensionPolicyService::GetSingleton().GetByHost(url.Host());
+ if (policy) {
+ nsString addOnId;
+ policy->GetId(addOnId);
+
+ sanitizedPathAndScheme.Append(addOnId);
+ sanitizedPathAndScheme.Append(u": "_ns);
+ sanitizedPathAndScheme.Append(policy->Name());
+ } else {
+ sanitizedPathAndScheme.Append(u"failed finding addon by host"_ns);
+ }
+ } else {
+ sanitizedPathAndScheme.Append(u"can't get addon off main thread"_ns);
+ }
+ sanitizedPathAndScheme.Append(u"]"_ns);
+ sanitizedPathAndScheme.Append(url.FilePath());
+ }
+ return FilenameTypeAndDetails(kSanitizedWindowsURL,
+ Some(sanitizedPathAndScheme));
+ } else {
+ return FilenameTypeAndDetails(kSanitizedWindowsPath,
+ Some(strSanitizedPath));
+ }
+ }
+#endif
+
+ return FilenameTypeAndDetails(kOther, Nothing());
+}
+
+class EvalUsageNotificationRunnable final : public Runnable {
+ public:
+ EvalUsageNotificationRunnable(bool aIsSystemPrincipal,
+ NS_ConvertUTF8toUTF16& aFileNameA,
+ uint64_t aWindowID, uint32_t aLineNumber,
+ uint32_t aColumnNumber)
+ : mozilla::Runnable("EvalUsageNotificationRunnable"),
+ mIsSystemPrincipal(aIsSystemPrincipal),
+ mFileNameA(aFileNameA),
+ mWindowID(aWindowID),
+ mLineNumber(aLineNumber),
+ mColumnNumber(aColumnNumber) {}
+
+ NS_IMETHOD Run() override {
+ nsContentSecurityUtils::NotifyEvalUsage(
+ mIsSystemPrincipal, mFileNameA, mWindowID, mLineNumber, mColumnNumber);
+ return NS_OK;
+ }
+
+ void Revoke() {}
+
+ private:
+ bool mIsSystemPrincipal;
+ NS_ConvertUTF8toUTF16 mFileNameA;
+ uint64_t mWindowID;
+ uint32_t mLineNumber;
+ uint32_t mColumnNumber;
+};
+
+/* static */
+bool nsContentSecurityUtils::IsEvalAllowed(JSContext* cx,
+ bool aIsSystemPrincipal,
+ const nsAString& aScript) {
+ // This allowlist contains files that are permanently allowed to use
+ // eval()-like functions. It will ideally be restricted to files that are
+ // exclusively used in testing contexts.
+ static nsLiteralCString evalAllowlist[] = {
+ // Test-only third-party library
+ "resource://testing-common/sinon-7.2.7.js"_ns,
+ // Test-only third-party library
+ "resource://testing-common/ajv-4.1.1.js"_ns,
+ // Test-only utility
+ "resource://testing-common/content-task.js"_ns,
+
+ // Tracked by Bug 1584605
+ "resource:///modules/translation/cld-worker.js"_ns,
+
+ // require.js implements a script loader for workers. It uses eval
+ // to load the script; but injection is only possible in situations
+ // that you could otherwise control script that gets executed, so
+ // it is okay to allow eval() as it adds no additional attack surface.
+ // Bug 1584564 tracks requiring safe usage of require.js
+ "resource://gre/modules/workers/require.js"_ns,
+
+ // The Browser Toolbox/Console
+ "debugger"_ns,
+ };
+
+ // We also permit two specific idioms in eval()-like contexts. We'd like to
+ // elminate these too; but there are in-the-wild Mozilla privileged extensions
+ // that use them.
+ static constexpr auto sAllowedEval1 = u"this"_ns;
+ static constexpr auto sAllowedEval2 =
+ u"function anonymous(\n) {\nreturn this\n}"_ns;
+
+ if (MOZ_LIKELY(!aIsSystemPrincipal && !XRE_IsE10sParentProcess())) {
+ // We restrict eval in the system principal and parent process.
+ // Other uses (like web content and null principal) are allowed.
+ return true;
+ }
+
+ if (JS::ContextOptionsRef(cx).disableEvalSecurityChecks()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() because this JSContext was set to allow it"));
+ return true;
+ }
+
+ if (aIsSystemPrincipal &&
+ StaticPrefs::security_allow_eval_with_system_principal()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() with System Principal because allowing pref is "
+ "enabled"));
+ return true;
+ }
+
+ if (XRE_IsE10sParentProcess() &&
+ StaticPrefs::security_allow_eval_in_parent_process()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() in parent process because allowing pref is "
+ "enabled"));
+ return true;
+ }
+
+ // We only perform a check of this preference on the Main Thread
+ // (because a String-based preference check is only safe on Main Thread.)
+ // The consequence of this is that if a user is using userChromeJS _and_
+ // the scripts they use start a worker and that worker uses eval - we will
+ // enter this function, skip over this pref check that would normally cause
+ // us to allow the eval usage - and we will block it.
+ // While not ideal, we do not officially support userChromeJS, and hopefully
+ // the usage of workers and eval in workers is even lower that userChromeJS
+ // usage.
+ if (NS_IsMainThread()) {
+ // This preference is a file used for autoconfiguration of Firefox
+ // by administrators. It has also been (ab)used by the userChromeJS
+ // project to run legacy-style 'extensions', some of which use eval,
+ // all of which run in the System Principal context.
+ nsAutoString jsConfigPref;
+ Preferences::GetString("general.config.filename", jsConfigPref);
+ if (!jsConfigPref.IsEmpty()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() %s because of "
+ "general.config.filename",
+ (aIsSystemPrincipal ? "with System Principal"
+ : "in parent process")));
+ return true;
+ }
+ }
+
+ if (XRE_IsE10sParentProcess() &&
+ !StaticPrefs::extensions_webextensions_remote()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() in parent process because the web extension "
+ "process is disabled"));
+ return true;
+ }
+
+ // We permit these two common idioms to get access to the global JS object
+ if (!aScript.IsEmpty() &&
+ (aScript == sAllowedEval1 || aScript == sAllowedEval2)) {
+ MOZ_LOG(
+ sCSMLog, LogLevel::Debug,
+ ("Allowing eval() %s because a key string is "
+ "provided",
+ (aIsSystemPrincipal ? "with System Principal" : "in parent process")));
+ return true;
+ }
+
+ // Check the allowlist for the provided filename. getFilename is a helper
+ // function
+ nsAutoCString fileName;
+ uint32_t lineNumber = 0, columnNumber = 0;
+ nsJSUtils::GetCallingLocation(cx, fileName, &lineNumber, &columnNumber);
+ if (fileName.IsEmpty()) {
+ fileName = "unknown-file"_ns;
+ }
+
+ NS_ConvertUTF8toUTF16 fileNameA(fileName);
+ for (const nsLiteralCString& allowlistEntry : evalAllowlist) {
+ // checking if current filename begins with entry, because JS Engine
+ // gives us additional stuff for code inside eval or Function ctor
+ // e.g., "require.js > Function"
+ if (StringBeginsWith(fileName, allowlistEntry)) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing eval() %s because the containing "
+ "file is in the allowlist",
+ (aIsSystemPrincipal ? "with System Principal"
+ : "in parent process")));
+ return true;
+ }
+ }
+
+ // Send Telemetry and Log to the Console
+ uint64_t windowID = nsJSUtils::GetCurrentlyRunningCodeInnerWindowID(cx);
+ if (NS_IsMainThread()) {
+ nsContentSecurityUtils::NotifyEvalUsage(aIsSystemPrincipal, fileNameA,
+ windowID, lineNumber, columnNumber);
+ } else {
+ auto runnable = new EvalUsageNotificationRunnable(
+ aIsSystemPrincipal, fileNameA, windowID, lineNumber, columnNumber);
+ NS_DispatchToMainThread(runnable);
+ }
+
+ // Log to MOZ_LOG
+ MOZ_LOG(sCSMLog, LogLevel::Warning,
+ ("Blocking eval() %s from file %s and script "
+ "provided %s",
+ (aIsSystemPrincipal ? "with System Principal" : "in parent process"),
+ fileName.get(), NS_ConvertUTF16toUTF8(aScript).get()));
+
+ // Maybe Crash
+#ifdef DEBUG
+ // MOZ_CRASH_UNSAFE_PRINTF gives us at most 1024 characters to print.
+ // The given string literal leaves us with ~950, so I'm leaving
+ // each 475 for fileName and aScript each.
+ if (fileName.Length() > 475) {
+ fileName.SetLength(475);
+ }
+ nsAutoCString trimmedScript = NS_ConvertUTF16toUTF8(aScript);
+ if (trimmedScript.Length() > 475) {
+ trimmedScript.SetLength(475);
+ }
+ MOZ_CRASH_UNSAFE_PRINTF(
+ "Blocking eval() %s from file %s and script provided "
+ "%s",
+ (aIsSystemPrincipal ? "with System Principal" : "in parent process"),
+ fileName.get(), trimmedScript.get());
+#endif
+
+ return false;
+}
+
+/* static */
+void nsContentSecurityUtils::NotifyEvalUsage(bool aIsSystemPrincipal,
+ NS_ConvertUTF8toUTF16& aFileNameA,
+ uint64_t aWindowID,
+ uint32_t aLineNumber,
+ uint32_t aColumnNumber) {
+ // Send Telemetry
+ Telemetry::EventID eventType =
+ aIsSystemPrincipal ? Telemetry::EventID::Security_Evalusage_Systemcontext
+ : Telemetry::EventID::Security_Evalusage_Parentprocess;
+
+ FilenameTypeAndDetails fileNameTypeAndDetails =
+ FilenameToFilenameType(aFileNameA, false);
+ mozilla::Maybe<nsTArray<EventExtraEntry>> extra;
+ if (fileNameTypeAndDetails.second.isSome()) {
+ extra = Some<nsTArray<EventExtraEntry>>({EventExtraEntry{
+ "fileinfo"_ns,
+ NS_ConvertUTF16toUTF8(fileNameTypeAndDetails.second.value())}});
+ } else {
+ extra = Nothing();
+ }
+ if (!sTelemetryEventEnabled.exchange(true)) {
+ sTelemetryEventEnabled = true;
+ Telemetry::SetEventRecordingEnabled("security"_ns, true);
+ }
+ Telemetry::RecordEvent(eventType, mozilla::Some(fileNameTypeAndDetails.first),
+ extra);
+
+ // Report an error to console
+ nsCOMPtr<nsIConsoleService> console(
+ do_GetService(NS_CONSOLESERVICE_CONTRACTID));
+ if (!console) {
+ return;
+ }
+ nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
+ if (!error) {
+ return;
+ }
+ nsCOMPtr<nsIStringBundle> bundle;
+ nsCOMPtr<nsIStringBundleService> stringService =
+ mozilla::services::GetStringBundleService();
+ if (!stringService) {
+ return;
+ }
+ stringService->CreateBundle(
+ "chrome://global/locale/security/security.properties",
+ getter_AddRefs(bundle));
+ if (!bundle) {
+ return;
+ }
+ nsAutoString message;
+ AutoTArray<nsString, 1> formatStrings = {aFileNameA};
+ nsresult rv = bundle->FormatStringFromName("RestrictBrowserEvalUsage",
+ formatStrings, message);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ rv = error->InitWithWindowID(message, aFileNameA, u""_ns, aLineNumber,
+ aColumnNumber, nsIScriptError::errorFlag,
+ "BrowserEvalUsage", aWindowID,
+ true /* From chrome context */);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ console->LogMessage(error);
+}
+
+/* static */
+nsresult nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
+ nsIChannel* aChannel, nsIHttpChannel** aHttpChannel) {
+ nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+ if (httpChannel) {
+ httpChannel.forget(aHttpChannel);
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIMultiPartChannel> multipart = do_QueryInterface(aChannel);
+ if (!multipart) {
+ *aHttpChannel = nullptr;
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIChannel> baseChannel;
+ nsresult rv = multipart->GetBaseChannel(getter_AddRefs(baseChannel));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ httpChannel = do_QueryInterface(baseChannel);
+ httpChannel.forget(aHttpChannel);
+
+ return NS_OK;
+}
+
+nsresult ParseCSPAndEnforceFrameAncestorCheck(
+ nsIChannel* aChannel, nsIContentSecurityPolicy** aOutCSP) {
+ MOZ_ASSERT(aChannel);
+
+ // CSP can only hang off an http channel, if this channel is not
+ // an http channel then there is nothing to do here.
+ nsCOMPtr<nsIHttpChannel> httpChannel;
+ nsresult rv = nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
+ aChannel, getter_AddRefs(httpChannel));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ if (!httpChannel) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
+ // frame-ancestor check only makes sense for subdocument and object loads,
+ // if this is not a load of such type, there is nothing to do here.
+ if (contentType != ExtContentPolicy::TYPE_SUBDOCUMENT &&
+ contentType != ExtContentPolicy::TYPE_OBJECT) {
+ return NS_OK;
+ }
+
+ nsAutoCString tCspHeaderValue, tCspROHeaderValue;
+
+ Unused << httpChannel->GetResponseHeader("content-security-policy"_ns,
+ tCspHeaderValue);
+
+ Unused << httpChannel->GetResponseHeader(
+ "content-security-policy-report-only"_ns, tCspROHeaderValue);
+
+ // if there are no CSP values, then there is nothing to do here.
+ if (tCspHeaderValue.IsEmpty() && tCspROHeaderValue.IsEmpty()) {
+ return NS_OK;
+ }
+
+ NS_ConvertASCIItoUTF16 cspHeaderValue(tCspHeaderValue);
+ NS_ConvertASCIItoUTF16 cspROHeaderValue(tCspROHeaderValue);
+
+ RefPtr<nsCSPContext> csp = new nsCSPContext();
+ nsCOMPtr<nsIPrincipal> resultPrincipal;
+ rv = nsContentUtils::GetSecurityManager()->GetChannelResultPrincipal(
+ aChannel, getter_AddRefs(resultPrincipal));
+ NS_ENSURE_SUCCESS(rv, rv);
+ nsCOMPtr<nsIURI> selfURI;
+ aChannel->GetURI(getter_AddRefs(selfURI));
+
+ nsCOMPtr<nsIReferrerInfo> referrerInfo = httpChannel->GetReferrerInfo();
+ nsAutoString referrerSpec;
+ if (referrerInfo) {
+ referrerInfo->GetComputedReferrerSpec(referrerSpec);
+ }
+ uint64_t innerWindowID = loadInfo->GetInnerWindowID();
+
+ rv = csp->SetRequestContextWithPrincipal(resultPrincipal, selfURI,
+ referrerSpec, innerWindowID);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return rv;
+ }
+
+ // ----- if there's a full-strength CSP header, apply it.
+ if (!cspHeaderValue.IsEmpty()) {
+ rv = CSP_AppendCSPFromHeader(csp, cspHeaderValue, false);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // ----- if there's a report-only CSP header, apply it.
+ if (!cspROHeaderValue.IsEmpty()) {
+ rv = CSP_AppendCSPFromHeader(csp, cspROHeaderValue, true);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // ----- Enforce frame-ancestor policy on any applied policies
+ bool safeAncestry = false;
+ // PermitsAncestry sends violation reports when necessary
+ rv = csp->PermitsAncestry(loadInfo, &safeAncestry);
+
+ if (NS_FAILED(rv) || !safeAncestry) {
+ // stop! ERROR page!
+ aChannel->Cancel(NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION);
+ return NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION;
+ }
+
+ // return the CSP for x-frame-options check
+ csp.forget(aOutCSP);
+
+ return NS_OK;
+}
+
+void EnforceXFrameOptionsCheck(nsIChannel* aChannel,
+ nsIContentSecurityPolicy* aCsp) {
+ MOZ_ASSERT(aChannel);
+ if (!FramingChecker::CheckFrameOptions(aChannel, aCsp)) {
+ // stop! ERROR page!
+ aChannel->Cancel(NS_ERROR_XFO_VIOLATION);
+ }
+}
+
+/* static */
+void nsContentSecurityUtils::PerformCSPFrameAncestorAndXFOCheck(
+ nsIChannel* aChannel) {
+ nsCOMPtr<nsIContentSecurityPolicy> csp;
+ nsresult rv =
+ ParseCSPAndEnforceFrameAncestorCheck(aChannel, getter_AddRefs(csp));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ // X-Frame-Options needs to be enforced after CSP frame-ancestors
+ // checks because if frame-ancestors is present, then x-frame-options
+ // will be discarded
+ EnforceXFrameOptionsCheck(aChannel, csp);
+}
+
+#if defined(DEBUG)
+/* static */
+void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
+ // We want to get to a point where all about: pages ship with a CSP. This
+ // assertion ensures that we can not deploy new about: pages without a CSP.
+ // Please note that any about: page should not use inline JS or inline CSS,
+ // and instead should load JS and CSS from an external file (*.js, *.css)
+ // which allows us to apply a strong CSP omitting 'unsafe-inline'. Ideally,
+ // the CSP allows precisely the resources that need to be loaded; but it
+ // should at least be as strong as:
+ // <meta http-equiv="Content-Security-Policy" content="default-src chrome:;
+ // object-src 'none'"/>
+
+ // Check if we should skip the assertion
+ if (StaticPrefs::dom_security_skip_about_page_has_csp_assert()) {
+ return;
+ }
+
+ // Check if we are loading an about: URI at all
+ nsCOMPtr<nsIURI> documentURI = aDocument->GetDocumentURI();
+ if (!documentURI->SchemeIs("about")) {
+ return;
+ }
+
+ nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
+ bool foundDefaultSrc = false;
+ bool foundObjectSrc = false;
+ bool foundUnsafeEval = false;
+ bool foundUnsafeInline = false;
+ bool foundScriptSrc = false;
+ bool foundWorkerSrc = false;
+ bool foundWebScheme = false;
+ if (csp) {
+ uint32_t policyCount = 0;
+ csp->GetPolicyCount(&policyCount);
+ nsAutoString parsedPolicyStr;
+ for (uint32_t i = 0; i < policyCount; ++i) {
+ csp->GetPolicyString(i, parsedPolicyStr);
+ if (parsedPolicyStr.Find("default-src") >= 0) {
+ foundDefaultSrc = true;
+ }
+ if (parsedPolicyStr.Find("object-src 'none'") >= 0) {
+ foundObjectSrc = true;
+ }
+ if (parsedPolicyStr.Find("'unsafe-eval'") >= 0) {
+ foundUnsafeEval = true;
+ }
+ if (parsedPolicyStr.Find("'unsafe-inline'") >= 0) {
+ foundUnsafeInline = true;
+ }
+ if (parsedPolicyStr.Find("script-src") >= 0) {
+ foundScriptSrc = true;
+ }
+ if (parsedPolicyStr.Find("worker-src") >= 0) {
+ foundWorkerSrc = true;
+ }
+ if (parsedPolicyStr.Find("http:") >= 0 ||
+ parsedPolicyStr.Find("https:") >= 0) {
+ foundWebScheme = true;
+ }
+ }
+ }
+
+ // Check if we should skip the allowlist and assert right away. Please note
+ // that this pref can and should only be set for automated testing.
+ if (StaticPrefs::dom_security_skip_about_page_csp_allowlist_and_assert()) {
+ NS_ASSERTION(foundDefaultSrc, "about: page must have a CSP");
+ return;
+ }
+
+ nsAutoCString aboutSpec;
+ documentURI->GetSpec(aboutSpec);
+ ToLowerCase(aboutSpec);
+
+ // This allowlist contains about: pages that are permanently allowed to
+ // render without a CSP applied.
+ static nsLiteralCString sAllowedAboutPagesWithNoCSP[] = {
+ // about:blank is a special about page -> no CSP
+ "about:blank"_ns,
+ // about:srcdoc is a special about page -> no CSP
+ "about:srcdoc"_ns,
+ // about:sync-log displays plain text only -> no CSP
+ "about:sync-log"_ns,
+ // about:printpreview displays plain text only -> no CSP
+ "about:printpreview"_ns,
+ // about:logo just displays the firefox logo -> no CSP
+ "about:logo"_ns,
+# if defined(ANDROID)
+ "about:config"_ns,
+# endif
+ };
+
+ for (const nsLiteralCString& allowlistEntry : sAllowedAboutPagesWithNoCSP) {
+ // please note that we perform a substring match here on purpose,
+ // so we don't have to deal and parse out all the query arguments
+ // the various about pages rely on.
+ if (StringBeginsWith(aboutSpec, allowlistEntry)) {
+ return;
+ }
+ }
+
+ MOZ_ASSERT(foundDefaultSrc,
+ "about: page must contain a CSP including default-src");
+ MOZ_ASSERT(foundObjectSrc,
+ "about: page must contain a CSP denying object-src");
+
+ // preferences and downloads allow legacy inline scripts through hash src.
+ MOZ_ASSERT(!foundScriptSrc ||
+ StringBeginsWith(aboutSpec, "about:preferences"_ns) ||
+ StringBeginsWith(aboutSpec, "about:downloads"_ns) ||
+ StringBeginsWith(aboutSpec, "about:newtab"_ns) ||
+ StringBeginsWith(aboutSpec, "about:logins"_ns) ||
+ StringBeginsWith(aboutSpec, "about:compat"_ns) ||
+ StringBeginsWith(aboutSpec, "about:welcome"_ns) ||
+ StringBeginsWith(aboutSpec, "about:profiling"_ns) ||
+ StringBeginsWith(aboutSpec, "about:studies"_ns) ||
+ StringBeginsWith(aboutSpec, "about:home"_ns),
+ "about: page must not contain a CSP including script-src");
+
+ MOZ_ASSERT(!foundWorkerSrc,
+ "about: page must not contain a CSP including worker-src");
+
+ // addons, preferences, debugging, newinstall, ion, devtools all have
+ // to allow some remote web resources
+ MOZ_ASSERT(!foundWebScheme ||
+ StringBeginsWith(aboutSpec, "about:preferences"_ns) ||
+ StringBeginsWith(aboutSpec, "about:addons"_ns) ||
+ StringBeginsWith(aboutSpec, "about:newtab"_ns) ||
+ StringBeginsWith(aboutSpec, "about:debugging"_ns) ||
+ StringBeginsWith(aboutSpec, "about:newinstall"_ns) ||
+ StringBeginsWith(aboutSpec, "about:ion"_ns) ||
+ StringBeginsWith(aboutSpec, "about:compat"_ns) ||
+ StringBeginsWith(aboutSpec, "about:logins"_ns) ||
+ StringBeginsWith(aboutSpec, "about:home"_ns) ||
+ StringBeginsWith(aboutSpec, "about:welcome"_ns) ||
+ StringBeginsWith(aboutSpec, "about:devtools"_ns),
+ "about: page must not contain a CSP including a web scheme");
+
+ if (aDocument->IsExtensionPage()) {
+ // Extensions have two CSP policies applied where the baseline CSP
+ // includes 'unsafe-eval' and 'unsafe-inline', hence we have to skip
+ // the 'unsafe-eval' and 'unsafe-inline' assertions for extension
+ // pages.
+ return;
+ }
+
+ MOZ_ASSERT(!foundUnsafeEval,
+ "about: page must not contain a CSP including 'unsafe-eval'");
+
+ static nsLiteralCString sLegacyUnsafeInlineAllowList[] = {
+ // Bug 1579160: Remove 'unsafe-inline' from style-src within
+ // about:preferences
+ "about:preferences"_ns,
+ // Bug 1571346: Remove 'unsafe-inline' from style-src within about:addons
+ "about:addons"_ns,
+ // Bug 1584485: Remove 'unsafe-inline' from style-src within:
+ // * about:newtab
+ // * about:welcome
+ // * about:home
+ "about:newtab"_ns,
+ "about:welcome"_ns,
+ "about:home"_ns,
+ };
+
+ for (const nsLiteralCString& aUnsafeInlineEntry :
+ sLegacyUnsafeInlineAllowList) {
+ // please note that we perform a substring match here on purpose,
+ // so we don't have to deal and parse out all the query arguments
+ // the various about pages rely on.
+ if (StringBeginsWith(aboutSpec, aUnsafeInlineEntry)) {
+ return;
+ }
+ }
+
+ MOZ_ASSERT(!foundUnsafeInline,
+ "about: page must not contain a CSP including 'unsafe-inline'");
+}
+#endif
+
+/* static */
+bool nsContentSecurityUtils::ValidateScriptFilename(const char* aFilename,
+ bool aIsSystemRealm) {
+ static Maybe<bool> sGeneralConfigFilenameSet;
+ // If the pref is permissive, allow everything
+ if (StaticPrefs::security_allow_parent_unrestricted_js_loads()) {
+ return true;
+ }
+
+ // If we're not in the parent process allow everything (presently)
+ if (!XRE_IsE10sParentProcess()) {
+ return true;
+ }
+
+ // We only perform a check of this preference on the Main Thread
+ // (because a String-based preference check is only safe on Main Thread.)
+ // The consequence of this is that if a user is using userChromeJS _and_
+ // the scripts they use start a worker - we will enter this function,
+ // skip over this pref check that would normally cause us to allow the
+ // load - and we will block it.
+ // While not ideal, we do not officially support userChromeJS, and hopefully
+ // the usage of workers is even lower than userChromeJS usage.
+ if (NS_IsMainThread()) {
+ // This preference is a file used for autoconfiguration of Firefox
+ // by administrators. It will also run in the parent process and throw
+ // assumptions about what can run where out of the window.
+ if (!sGeneralConfigFilenameSet.isSome()) {
+ nsAutoString jsConfigPref;
+ Preferences::GetString("general.config.filename", jsConfigPref);
+ sGeneralConfigFilenameSet.emplace(!jsConfigPref.IsEmpty());
+ }
+ if (sGeneralConfigFilenameSet.value()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing a javascript load of %s because "
+ "general.config.filename is set",
+ aFilename));
+ return true;
+ }
+ }
+
+ if (XRE_IsE10sParentProcess() &&
+ !StaticPrefs::extensions_webextensions_remote()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("Allowing a javascript load of %s because the web extension "
+ "process is disabled.",
+ aFilename));
+ return true;
+ }
+
+ NS_ConvertUTF8toUTF16 filenameU(aFilename);
+ if (StringBeginsWith(filenameU, u"chrome://"_ns)) {
+ // If it's a chrome:// url, allow it
+ return true;
+ }
+ if (StringBeginsWith(filenameU, u"resource://"_ns)) {
+ // If it's a resource:// url, allow it
+ return true;
+ }
+ if (StringBeginsWith(filenameU, u"file://"_ns)) {
+ // We will temporarily allow all file:// URIs through for now
+ return true;
+ }
+ if (StringBeginsWith(filenameU, u"jar:file://"_ns)) {
+ // We will temporarily allow all jar URIs through for now
+ return true;
+ }
+ if (filenameU.Equals(u"about:sync-log"_ns)) {
+ // about:sync-log runs in the parent process and displays a directory
+ // listing. The listing has inline javascript that executes on load.
+ return true;
+ }
+
+ // Log to MOZ_LOG
+ MOZ_LOG(sCSMLog, LogLevel::Info,
+ ("ValidateScriptFilename System:%i %s\n", (aIsSystemRealm ? 1 : 0),
+ aFilename));
+
+ // Send Telemetry
+ FilenameTypeAndDetails fileNameTypeAndDetails =
+ FilenameToFilenameType(filenameU, true);
+
+ Telemetry::EventID eventType =
+ Telemetry::EventID::Security_Javascriptload_Parentprocess;
+
+ mozilla::Maybe<nsTArray<EventExtraEntry>> extra;
+ if (fileNameTypeAndDetails.second.isSome()) {
+ extra = Some<nsTArray<EventExtraEntry>>({EventExtraEntry{
+ "fileinfo"_ns,
+ NS_ConvertUTF16toUTF8(fileNameTypeAndDetails.second.value())}});
+ } else {
+ extra = Nothing();
+ }
+
+ if (!sTelemetryEventEnabled.exchange(true)) {
+ sTelemetryEventEnabled = true;
+ Telemetry::SetEventRecordingEnabled("security"_ns, true);
+ }
+ Telemetry::RecordEvent(eventType, mozilla::Some(fileNameTypeAndDetails.first),
+ extra);
+
+ // Presently we are not enforcing any restrictions for the script filename,
+ // we're only reporting Telemetry. In the future we will assert in debug
+ // builds and return false to prevent execution in non-debug builds.
+ return true;
+}
+
+/* static */
+void nsContentSecurityUtils::LogMessageToConsole(nsIHttpChannel* aChannel,
+ const char* aMsg) {
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = aChannel->GetURI(getter_AddRefs(uri));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ uint64_t windowID = 0;
+ rv = aChannel->GetTopLevelContentWindowId(&windowID);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return;
+ }
+ if (!windowID) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ loadInfo->GetInnerWindowID(&windowID);
+ }
+
+ nsAutoString localizedMsg;
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+ AutoTArray<nsString, 1> params = {NS_ConvertUTF8toUTF16(spec)};
+ rv = nsContentUtils::FormatLocalizedString(
+ nsContentUtils::eSECURITY_PROPERTIES, aMsg, params, localizedMsg);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return;
+ }
+
+ nsContentUtils::ReportToConsoleByWindowID(
+ localizedMsg, nsIScriptError::warningFlag, "Security"_ns, windowID, uri);
+}
+
+/* static */
+long nsContentSecurityUtils::ClassifyDownload(
+ nsIChannel* aChannel, const nsAutoCString& aMimeTypeGuess) {
+ MOZ_ASSERT(aChannel, "IsDownloadAllowed without channel?");
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+
+ nsCOMPtr<nsIURI> contentLocation;
+ aChannel->GetURI(getter_AddRefs(contentLocation));
+
+ nsCOMPtr<nsIPrincipal> loadingPrincipal = loadInfo->GetLoadingPrincipal();
+ if (!loadingPrincipal) {
+ loadingPrincipal = loadInfo->TriggeringPrincipal();
+ }
+ // Creating a fake Loadinfo that is just used for the MCB check.
+ nsCOMPtr<nsILoadInfo> secCheckLoadInfo = new mozilla::net::LoadInfo(
+ loadingPrincipal, loadInfo->TriggeringPrincipal(), nullptr,
+ nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+ nsIContentPolicy::TYPE_FETCH);
+
+ int16_t decission = nsIContentPolicy::ACCEPT;
+ nsMixedContentBlocker::ShouldLoad(false, // aHadInsecureImageRedirect
+ contentLocation, // aContentLocation,
+ secCheckLoadInfo, // aLoadinfo
+ aMimeTypeGuess, // aMimeGuess,
+ false, // aReportError
+ &decission // aDecision
+ );
+ Telemetry::Accumulate(mozilla::Telemetry::MIXED_CONTENT_DOWNLOADS,
+ decission != nsIContentPolicy::ACCEPT);
+
+ if (StaticPrefs::dom_block_download_insecure() &&
+ decission != nsIContentPolicy::ACCEPT) {
+ nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+ if (httpChannel) {
+ LogMessageToConsole(httpChannel, "MixedContentBlockedDownload");
+ }
+ return nsITransfer::DOWNLOAD_POTENTIALLY_UNSAFE;
+ }
+
+ if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
+ return nsITransfer::DOWNLOAD_ACCEPTABLE;
+ }
+
+ if (!StaticPrefs::dom_block_download_in_sandboxed_iframes()) {
+ return nsITransfer::DOWNLOAD_ACCEPTABLE;
+ }
+
+ uint32_t triggeringFlags = loadInfo->GetTriggeringSandboxFlags();
+ uint32_t currentflags = loadInfo->GetSandboxFlags();
+
+ if ((triggeringFlags & SANDBOXED_ALLOW_DOWNLOADS) ||
+ (currentflags & SANDBOXED_ALLOW_DOWNLOADS)) {
+ nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+ if (httpChannel) {
+ LogMessageToConsole(httpChannel, "IframeSandboxBlockedDownload");
+ }
+ return nsITransfer::DOWNLOAD_FORBIDDEN;
+ }
+
+ return nsITransfer::DOWNLOAD_ACCEPTABLE;
+}