/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* A namespace class for static content utilities. */ #ifndef nsContentUtils_h___ #define nsContentUtils_h___ #if defined(XP_WIN) # include #endif #if defined(SOLARIS) # include #endif #include #include #include #include #include "ErrorList.h" #include "Units.h" #include "js/Id.h" #include "js/RootingAPI.h" #include "mozilla/AlreadyAddRefed.h" #include "mozilla/Assertions.h" #include "mozilla/Attributes.h" #include "mozilla/BasicEvents.h" #include "mozilla/CORSMode.h" #include "mozilla/CallState.h" #include "mozilla/Maybe.h" #include "mozilla/RefPtr.h" #include "mozilla/TaskCategory.h" #include "mozilla/TimeStamp.h" #include "mozilla/UniquePtr.h" #include "mozilla/dom/BindingDeclarations.h" #include "mozilla/dom/FromParser.h" #include "mozilla/fallible.h" #include "mozilla/gfx/Point.h" #include "nsCOMPtr.h" #include "nsIContentPolicy.h" #include "nsID.h" #include "nsINode.h" #include "nsIScriptError.h" #include "nsIThread.h" #include "nsLiteralString.h" #include "nsMargin.h" #include "nsPIDOMWindow.h" #include "nsStringFwd.h" #include "nsTArray.h" #include "nsTLiteralString.h" #include "prtime.h" #if defined(XP_WIN) // Undefine LoadImage to prevent naming conflict with Windows. # undef LoadImage #endif class JSObject; class imgICache; class imgIContainer; class imgINotificationObserver; class imgIRequest; class imgLoader; class imgRequestProxy; class nsAtom; class nsAttrValue; class nsAutoScriptBlockerSuppressNodeRemoved; class nsContentList; class nsCycleCollectionTraversalCallback; class nsDocShell; class nsGlobalWindowInner; class nsHtml5StringParser; class nsIArray; class nsIBidiKeyboard; class nsIChannel; class nsIConsoleService; class nsIContent; class nsIDocShell; class nsIDocShellTreeItem; class nsIDocumentLoaderFactory; class nsIDragSession; class nsIFile; class nsIFragmentContentSink; class nsIFrame; class nsIHttpChannel; class nsIIOService; class nsIImageLoadingContent; class nsIInterfaceRequestor; class nsILoadGroup; class nsILoadInfo; class nsIObserver; class nsIParser; class nsIPluginTag; class nsIPrincipal; class nsIReferrerInfo; class nsIRequest; class nsIRunnable; class nsIScreen; class nsIScriptContext; class nsIScriptSecurityManager; class nsISerialEventTarget; class nsIStringBundle; class nsIStringBundleService; class nsISupports; class nsITransferable; class nsIURI; class nsIUUIDGenerator; class nsIWidget; class nsIXPConnect; class nsNameSpaceManager; class nsNodeInfoManager; class nsPIWindowRoot; class nsPresContext; class nsStringBuffer; class nsStringHashKey; class nsTextFragment; class nsView; class nsWrapperCache; struct JSContext; struct nsPoint; template class nsDataHashtable; template class nsRefPtrHashKey; namespace IPC { class Message; } namespace JS { class Value; struct PropertyDescriptor; } // namespace JS namespace mozilla { class Dispatcher; class ErrorResult; class EventListenerManager; class HTMLEditor; class LazyLogModule; class LogModule; class PresShell; class TextEditor; class WidgetDragEvent; class WidgetKeyboardEvent; struct InputEventOptions; template class RangeBoundaryBase; template class NotNull; template class StaticRefPtr; namespace dom { struct AutocompleteInfo; class BrowserChild; class BrowserParent; class BrowsingContext; class BrowsingContextGroup; class ContentChild; class ContentFrameMessageManager; class ContentParent; struct CustomElementDefinition; class CustomElementRegistry; class DataTransfer; class Document; class DocumentFragment; class DOMArena; class Element; class Event; class EventTarget; class HTMLInputElement; class IPCDataTransfer; class IPCDataTransferItem; struct LifecycleCallbackArgs; struct LifecycleAdoptedCallbackArgs; class MessageBroadcaster; class NodeInfo; class Selection; class WorkerPrivate; enum class ElementCallbackType; enum class ReferrerPolicy : uint8_t; } // namespace dom namespace intl { class LineBreaker; class WordBreaker; } // namespace intl namespace ipc { class Shmem; class IShmemAllocator; } // namespace ipc namespace gfx { class DataSourceSurface; enum class SurfaceFormat : int8_t; } // namespace gfx namespace layers { class LayerManager; } // namespace layers } // namespace mozilla extern const char kLoadAsData[]; // Stolen from nsReadableUtils, but that's OK, since we can declare the same // name multiple times. const nsString& EmptyString(); const nsCString& EmptyCString(); enum EventNameType { EventNameType_None = 0x0000, EventNameType_HTML = 0x0001, EventNameType_XUL = 0x0002, EventNameType_SVGGraphic = 0x0004, // svg graphic elements EventNameType_SVGSVG = 0x0008, // the svg element EventNameType_SMIL = 0x0010, // smil elements EventNameType_HTMLBodyOrFramesetOnly = 0x0020, EventNameType_HTMLMarqueeOnly = 0x0040, EventNameType_HTMLXUL = 0x0003, EventNameType_All = 0xFFFF }; struct EventNameMapping { // This holds pointers to nsGkAtoms members, and is therefore safe as a // non-owning reference. nsAtom* MOZ_NON_OWNING_REF mAtom; int32_t mType; mozilla::EventMessage mMessage; mozilla::EventClassID mEventClassID; // True if mAtom is possibly used by special SVG/SMIL events, but // mMessage is eUnidentifiedEvent. See EventNameList.h bool mMaybeSpecialSVGorSMILEvent; }; class nsContentUtils { friend class nsAutoScriptBlockerSuppressNodeRemoved; typedef mozilla::dom::Element Element; typedef mozilla::dom::Document Document; typedef mozilla::Cancelable Cancelable; typedef mozilla::CanBubble CanBubble; typedef mozilla::Composed Composed; typedef mozilla::ChromeOnlyDispatch ChromeOnlyDispatch; typedef mozilla::EventMessage EventMessage; typedef mozilla::TimeDuration TimeDuration; typedef mozilla::Trusted Trusted; public: static nsresult Init(); static bool IsCallerChrome(); static bool ThreadsafeIsCallerChrome(); static bool IsCallerUAWidget(); static bool IsFuzzingEnabled() #ifndef FUZZING { return false; } #else ; #endif static bool IsErrorPage(nsIURI* aURI); static bool IsCallerChromeOrFuzzingEnabled(JSContext* aCx, JSObject*) { return ThreadsafeIsSystemCaller(aCx) || IsFuzzingEnabled(); } static bool IsCallerChromeOrElementTransformGettersEnabled(JSContext* aCx, JSObject*); // The APIs for checking whether the caller is system (in the sense of system // principal) should only be used when the JSContext is known to accurately // represent the caller. In practice, that means you should only use them in // two situations at the moment: // // 1) Functions used in WebIDL Func annotations. // 2) Bindings code or other code called directly from the JS engine. // // Use pretty much anywhere else is almost certainly wrong and should be // replaced with [NeedsCallerType] annotations in bindings. // Check whether the caller is system if you know you're on the main thread. static bool IsSystemCaller(JSContext* aCx); // Check whether the caller is system if you might be on a worker or worklet // thread. static bool ThreadsafeIsSystemCaller(JSContext* aCx); // In the traditional Gecko architecture, both C++ code and untrusted JS code // needed to rely on the same XPCOM method/getter/setter to get work done. // This required lots of security checks in the various exposed methods, which // in turn created difficulty in determining whether the caller was script // (whose access needed to be checked) and internal C++ platform code (whose // access did not need to be checked). To address this problem, Gecko had a // convention whereby the absence of script on the stack was interpretted as // "System Caller" and always granted unfettered access. // // Unfortunately, this created a bunch of footguns. For example, when the // implementation of a DOM method wanted to perform a privileged // sub-operation, it needed to "hide" the presence of script on the stack in // order for that sub-operation to be allowed. Additionally, if script could // trigger an API entry point to be invoked in some asynchronous way without // script on the stack, it could potentially perform privilege escalation. // // In the modern world, untrusted script should interact with the platform // exclusively over WebIDL APIs, and platform code has a lot more flexibility // in deciding whether or not to use XPCOM. This gives us the flexibility to // do something better. // // Going forward, APIs should be designed such that any security checks that // ask the question "is my caller allowed to do this?" should live in WebIDL // API entry points, with a separate method provided for internal callers // that just want to get the job done. // // To enforce this and catch bugs, nsContentUtils::SubjectPrincipal will crash // if it is invoked without script on the stack. To land that transition, it // was necessary to go through and whitelist a bunch of callers that were // depending on the old behavior. Those callers should be fixed up, and these // methods should not be used by new code without review from bholley or bz. static bool LegacyIsCallerNativeCode() { return !GetCurrentJSContext(); } static bool LegacyIsCallerChromeOrNativeCode() { return LegacyIsCallerNativeCode() || IsCallerChrome(); } static nsIPrincipal* SubjectPrincipalOrSystemIfNativeCaller() { if (!GetCurrentJSContext()) { return GetSystemPrincipal(); } return SubjectPrincipal(); } static bool LookupBindingMember( JSContext* aCx, nsIContent* aContent, JS::Handle aId, JS::MutableHandle aDesc); // Check whether we should avoid leaking distinguishing information to JS/CSS. // This function can be called both in the main thread and worker threads. static bool ShouldResistFingerprinting(); static bool ShouldResistFingerprinting(nsIDocShell* aDocShell); static bool ShouldResistFingerprinting(nsIPrincipal* aPrincipal); static bool ShouldResistFingerprinting( mozilla::dom::WorkerPrivate* aWorkerPrivate); static bool ShouldResistFingerprinting(const Document* aDoc); // Prevent system colors from being exposed to CSS or canvas. static bool UseStandinsForNativeColors(); // A helper function to calculate the rounded window size for fingerprinting // resistance. The rounded size is based on the chrome UI size and available // screen size. If the inputWidth/Height is greater than the available content // size, this will report the available content size. Otherwise, it will // round the size to the nearest upper 200x100. static void CalcRoundedWindowSizeForResistingFingerprinting( int32_t aChromeWidth, int32_t aChromeHeight, int32_t aScreenWidth, int32_t aScreenHeight, int32_t aInputWidth, int32_t aInputHeight, bool aSetOuterWidth, bool aSetOuterHeight, int32_t* aOutputWidth, int32_t* aOutputHeight); /** * Returns the parent node of aChild crossing document boundaries. * Uses the parent node in the composed document. */ static nsINode* GetCrossDocParentNode(nsINode* aChild); /** * Like GetCrossDocParentNode, but skips any cross-process parent frames and * continues with the nearest in-process frame in the hierarchy. */ static nsINode* GetNearestInProcessCrossDocParentNode(nsINode* aChild); /** * Similar to nsINode::IsInclusiveDescendantOf, except will treat an * HTMLTemplateElement or ShadowRoot as an ancestor of things in the * corresponding DocumentFragment. See the concept of "host-including * inclusive ancestor" in the DOM specification. */ static bool ContentIsHostIncludingDescendantOf( const nsINode* aPossibleDescendant, const nsINode* aPossibleAncestor); /** * Similar to nsINode::IsInclusiveDescendantOf except it crosses document * boundaries, this function uses ancestor/descendant relations in the * composed document (see shadow DOM spec). */ static bool ContentIsCrossDocDescendantOf(nsINode* aPossibleDescendant, nsINode* aPossibleAncestor); /** * As with ContentIsCrossDocDescendantOf but crosses shadow boundaries but not * cross document boundaries. * * @see nsINode::GetFlattenedTreeParentNode() */ static bool ContentIsFlattenedTreeDescendantOf( const nsINode* aPossibleDescendant, const nsINode* aPossibleAncestor); /** * Same as `ContentIsFlattenedTreeDescendantOf`, but from the flattened tree * point of view of the style system * * @see nsINode::GetFlattenedTreeParentNodeForStyle() */ static bool ContentIsFlattenedTreeDescendantOfForStyle( const nsINode* aPossibleDescendant, const nsINode* aPossibleAncestor); /** * Retarget an object A against an object B * @see https://dom.spec.whatwg.org/#retarget */ static nsINode* Retarget(nsINode* aTargetA, nsINode* aTargetB); /* * https://dom.spec.whatwg.org/#concept-tree-inclusive-ancestor. * * This method fills the |aArray| with all ancestor nodes of |aNode| * including |aNode| at the zero index. * */ static nsresult GetInclusiveAncestors(nsINode* aNode, nsTArray& aArray); /* * https://dom.spec.whatwg.org/#concept-tree-inclusive-ancestor. * * This method fills |aAncestorNodes| with all ancestor nodes of |aNode| * including |aNode| (QI'd to nsIContent) at the zero index. * For each ancestor, there is a corresponding element in |aAncestorOffsets| * which is the IndexOf the child in relation to its parent. * * This method just sucks. */ static nsresult GetInclusiveAncestorsAndOffsets( nsINode* aNode, int32_t aOffset, nsTArray* aAncestorNodes, nsTArray* aAncestorOffsets); /** * Returns the closest common inclusive ancestor * (https://dom.spec.whatwg.org/#concept-tree-inclusive-ancestor) , if any, * for two nodes. * * Returns null if the nodes are disconnected. */ static nsINode* GetClosestCommonInclusiveAncestor(nsINode* aNode1, nsINode* aNode2) { if (aNode1 == aNode2) { return aNode1; } return GetCommonAncestorHelper(aNode1, aNode2); } /** * Returns the common flattened tree ancestor, if any, for two given content * nodes. */ static nsIContent* GetCommonFlattenedTreeAncestor(nsIContent* aContent1, nsIContent* aContent2) { if (aContent1 == aContent2) { return aContent1; } return GetCommonFlattenedTreeAncestorHelper(aContent1, aContent2); } /** * Returns the common flattened tree ancestor from the point of view of the * style system, if any, for two given content nodes. */ static Element* GetCommonFlattenedTreeAncestorForStyle(Element* aElement1, Element* aElement2); /** * Returns the common ancestor under interactive content, if any. * If neither one has interactive content as ancestor, common ancestor will be * returned. If only one has interactive content as ancestor, null will be * returned. If the nodes are the same, that node is returned. */ static nsINode* GetCommonAncestorUnderInteractiveContent(nsINode* aNode1, nsINode* aNode2); /** * Returns the common BrowserParent ancestor, if any, for two given * BrowserParent. */ static mozilla::dom::BrowserParent* GetCommonBrowserParentAncestor( mozilla::dom::BrowserParent* aBrowserParent1, mozilla::dom::BrowserParent* aBrowserParent2); /** * Returns true if aNode1 is before aNode2 in the same connected * tree. * aNode1Index and aNode2Index are in/out arguments. If non-null, and value is * not -1, that value is used instead of calling slow ComputeIndexOf on the * parent node. If value is -1, the value will be set to the return value of * ComputeIndexOf. */ static bool PositionIsBefore(nsINode* aNode1, nsINode* aNode2, int32_t* aNode1Index = nullptr, int32_t* aNode2Index = nullptr); struct ComparePointsCache { int32_t ComputeIndexOf(const nsINode* aParent, const nsINode* aChild) { if (aParent == mParent && aChild == mChild) { return mIndex; } mIndex = aParent->ComputeIndexOf(aChild); mParent = aParent; mChild = aChild; return mIndex; } private: const nsINode* mParent = nullptr; const nsINode* mChild = nullptr; int32_t mIndex = 0; }; /** * Utility routine to compare two "points", where a point is a node/offset * pair. * Pass a cache object as aParent1Cache if you expect to repeatedly * call this function with the same value as aParent1. * * XXX aOffset1 and aOffset2 should be uint32_t since valid offset value is * between 0 - UINT32_MAX. However, these methods work even with * negative offset values! E.g., when aOffset1 is -1 and aOffset is 0, * these methods return -1. Some root callers depend on this behavior. * * @return -1 if point1 < point2, * 1 if point1 > point2, * 0 if point1 == point2. * `Nothing` if the two nodes aren't in the same connected subtree. */ static mozilla::Maybe ComparePoints( const nsINode* aParent1, int32_t aOffset1, const nsINode* aParent2, int32_t aOffset2, ComparePointsCache* aParent1Cache = nullptr); template static mozilla::Maybe ComparePoints( const mozilla::RangeBoundaryBase& aFirstBoundary, const mozilla::RangeBoundaryBase& aSecondBoundary); /** * Utility routine to compare two "points", where a point is a * node/offset pair * Returns -1 if point1 < point2, 1, if point1 > point2, * 0 if error or if point1 == point2. * NOTE! If the two nodes aren't in the same connected subtree, * the result is 1, and the optional aDisconnected parameter * is set to true. * * Pass a cache object as aParent1Cache if you expect to repeatedly * call this function with the same value as aParent1. * * XXX aOffset1 and aOffset2 should be uint32_t since valid offset value is * between 0 - UINT32_MAX. However, these methods work even with * negative offset values! E.g., when aOffset1 is -1 and aOffset is 0, * these methods return -1. Some root callers depend on this behavior. * On the other hand, nsINode can have ATTRCHILD_ARRAY_MAX_CHILD_COUN * (0x3FFFFF) at most. Therefore, they can be int32_t for now. */ static int32_t ComparePoints_Deprecated( const nsINode* aParent1, int32_t aOffset1, const nsINode* aParent2, int32_t aOffset2, bool* aDisconnected = nullptr, ComparePointsCache* aParent1Cache = nullptr); template static int32_t ComparePoints_Deprecated( const mozilla::RangeBoundaryBase& aFirstBoundary, const mozilla::RangeBoundaryBase& aSecondBoundary, bool* aDisconnected = nullptr); /** * Brute-force search of the element subtree rooted at aContent for * an element with the given id. aId must be nonempty, otherwise * this method may return nodes even if they have no id! */ static Element* MatchElementId(nsIContent* aContent, const nsAString& aId); /** * Similar to above, but to be used if one already has an atom for the ID */ static Element* MatchElementId(nsIContent* aContent, const nsAtom* aId); /** * Reverses the document position flags passed in. * * @param aDocumentPosition The document position flags to be reversed. * * @return The reversed document position flags. * * @see Node */ static uint16_t ReverseDocumentPosition(uint16_t aDocumentPosition); static const nsDependentSubstring TrimCharsInSet(const char* aSet, const nsAString& aValue); template static const nsDependentSubstring TrimWhitespace(const nsAString& aStr, bool aTrimTrailing = true); /** * Returns true if aChar is of class Ps, Pi, Po, Pf, or Pe. */ static bool IsFirstLetterPunctuation(uint32_t aChar); /** * Returns true if aChar is of class Lu, Ll, Lt, Lm, Lo, Nd, Nl or No */ static bool IsAlphanumeric(uint32_t aChar); static bool IsAlphanumericAt(const nsTextFragment* aFrag, uint32_t aOffset); /* * Is the character an HTML whitespace character? * * We define whitespace using the list in HTML5 and css3-selectors: * U+0009, U+000A, U+000C, U+000D, U+0020 * * HTML 4.01 also lists U+200B (zero-width space). */ static bool IsHTMLWhitespace(char16_t aChar); /* * Returns whether the character is an HTML whitespace (see IsHTMLWhitespace) * or a nbsp character (U+00A0). */ static bool IsHTMLWhitespaceOrNBSP(char16_t aChar); /** * https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements */ static bool IsHTMLBlockLevelElement(nsIContent* aContent); enum ParseHTMLIntegerResultFlags { eParseHTMLInteger_NoFlags = 0, // eParseHTMLInteger_NonStandard is set if the string representation of the // integer was not the canonical one, but matches at least one of the // following: // * had leading whitespaces // * had '+' sign // * had leading '0' // * was '-0' eParseHTMLInteger_NonStandard = 1 << 0, eParseHTMLInteger_DidNotConsumeAllInput = 1 << 1, // Set if one or more error flags were set. eParseHTMLInteger_Error = 1 << 2, eParseHTMLInteger_ErrorNoValue = 1 << 3, eParseHTMLInteger_ErrorOverflow = 1 << 4, // Use this flag to detect the difference between overflow and underflow eParseHTMLInteger_Negative = 1 << 5, }; static int32_t ParseHTMLInteger(const nsAString& aValue, ParseHTMLIntegerResultFlags* aResult); static int32_t ParseHTMLInteger(const nsACString& aValue, ParseHTMLIntegerResultFlags* aResult); private: template static int32_t ParseHTMLIntegerImpl(const StringT& aValue, ParseHTMLIntegerResultFlags* aResult); public: /** * Parse a margin string of format 'top, right, bottom, left' into * an nsIntMargin. * * @param aString the string to parse * @param aResult the resulting integer * @return whether the value could be parsed */ static bool ParseIntMarginValue(const nsAString& aString, nsIntMargin& aResult); /** * Parse the value of the attribute according to the HTML5 * spec as of April 16, 2012. * * @param aValue the value to parse * @return 1 to 7, or 0 if the value couldn't be parsed */ static int32_t ParseLegacyFontSize(const nsAString& aValue); static void Shutdown(); /** * Checks whether two nodes come from the same origin. */ static nsresult CheckSameOrigin(const nsINode* aTrustedNode, const nsINode* unTrustedNode); // Check if the (JS) caller can access aNode. static bool CanCallerAccess(const nsINode* aNode); // Check if the (JS) caller can access aWindow. // aWindow can be either outer or inner window. static bool CanCallerAccess(nsPIDOMWindowInner* aWindow); // Check if the principal is chrome or an addon with the permission. static bool PrincipalHasPermission(nsIPrincipal& aPrincipal, const nsAtom* aPerm); // Check if the JS caller is chrome or an addon with the permission. static bool CallerHasPermission(JSContext* aCx, const nsAtom* aPerm); /** * Returns the triggering principal which should be used for the given URL * attribute value with the given subject principal. * * If the attribute value is not an absolute URL, the subject principal will * be ignored, and the node principal of aContent will be used instead. * If aContent is non-null, this function will always return a principal. * Otherewise, it may return null if aSubjectPrincipal is null or is rejected * based on the attribute value. * * @param aContent The content on which the attribute is being set. * @param aAttrValue The URL value of the attribute. For parsed attribute * values, such as `srcset`, this function should be called separately * for each URL value it contains. * @param aSubjectPrincipal The subject principal of the scripted caller * responsible for setting the attribute, or null if no scripted caller * can be determined. */ static nsIPrincipal* GetAttrTriggeringPrincipal( nsIContent* aContent, const nsAString& aAttrValue, nsIPrincipal* aSubjectPrincipal); /** * Returns true if the given string is guaranteed to be treated as an absolute * URL, rather than a relative URL. In practice, this means any complete URL * as supported by nsStandardURL, or any string beginning with a valid scheme * which is known to the IO service, and has the URI_NORELATIVE flag. * * If the URL may be treated as absolute in some cases, but relative in others * (for instance, "http:foo", which can be either an absolute or relative URL, * depending on the context), this function returns false. */ static bool IsAbsoluteURL(const nsACString& aURL); // Check if a node is in the document prolog, i.e. before the document // element. static bool InProlog(nsINode* aNode); static nsNameSpaceManager* NameSpaceManager() { return sNameSpaceManager; } static nsIIOService* GetIOService() { return sIOService; } static nsIBidiKeyboard* GetBidiKeyboard(); /** * Get the cache security manager service. Can return null if the layout * module has been shut down. */ static nsIScriptSecurityManager* GetSecurityManager() { return sSecurityManager; } // Returns the subject principal from the JSContext. May only be called // from the main thread and assumes an existing compartment. static nsIPrincipal* SubjectPrincipal(JSContext* aCx); // Returns the subject principal. Guaranteed to return non-null. May only // be called when nsContentUtils is initialized. static nsIPrincipal* SubjectPrincipal(); // Returns the prinipal of the given JS object. This may only be called on // the main thread for objects from the main thread's JSRuntime. The object // must not be a cross-compartment wrapper, because CCWs are not associated // with a single realm. static nsIPrincipal* ObjectPrincipal(JSObject* aObj); static void GenerateStateKey(nsIContent* aContent, Document* aDocument, nsACString& aKey); /** * Create a new nsIURI from aSpec, using aBaseURI as the base. The * origin charset of the new nsIURI will be the document charset of * aDocument. */ static nsresult NewURIWithDocumentCharset(nsIURI** aResult, const nsAString& aSpec, Document* aDocument, nsIURI* aBaseURI); /** * Returns true if |aName| is a name with dashes. */ static bool IsNameWithDash(nsAtom* aName); /** * Returns true if |aName| is a valid name to be registered via * customElements.define. */ static bool IsCustomElementName(nsAtom* aName, uint32_t aNameSpaceID); static nsresult CheckQName(const nsAString& aQualifiedName, bool aNamespaceAware = true, const char16_t** aColon = nullptr); static nsresult SplitQName(const nsIContent* aNamespaceResolver, const nsString& aQName, int32_t* aNamespace, nsAtom** aLocalName); static nsresult GetNodeInfoFromQName(const nsAString& aNamespaceURI, const nsAString& aQualifiedName, nsNodeInfoManager* aNodeInfoManager, uint16_t aNodeType, mozilla::dom::NodeInfo** aNodeInfo); static void SplitExpatName(const char16_t* aExpatName, nsAtom** aPrefix, nsAtom** aTagName, int32_t* aNameSpaceID); // Get a permission-manager setting for the given principal and type. // If the pref doesn't exist or if it isn't ALLOW_ACTION, false is // returned, otherwise true is returned. Always returns true for the // system principal, and false for a null principal. static bool IsSitePermAllow(nsIPrincipal* aPrincipal, const nsACString& aType); // Get a permission-manager setting for the given principal and type. // If the pref doesn't exist or if it isn't DENY_ACTION, false is // returned, otherwise true is returned. Always returns false for the // system principal, and true for a null principal. static bool IsSitePermDeny(nsIPrincipal* aPrincipal, const nsACString& aType); // Get a permission-manager setting for the given principal and type. // If the pref doesn't exist or if it isn't ALLOW_ACTION, false is // returned, otherwise true is returned. Always returns true for the // system principal, and false for a null principal. // This version checks the permission for an exact host match on // the principal static bool IsExactSitePermAllow(nsIPrincipal* aPrincipal, const nsACString& aType); // Get a permission-manager setting for the given principal and type. // If the pref doesn't exist or if it isn't DENY_ACTION, false is // returned, otherwise true is returned. Always returns false for the // system principal, and true for a null principal. // This version checks the permission for an exact host match on // the principal static bool IsExactSitePermDeny(nsIPrincipal* aPrincipal, const nsACString& aType); // Returns true if aDoc1 and aDoc2 have equal NodePrincipal()s. static bool HaveEqualPrincipals(Document* aDoc1, Document* aDoc2); static mozilla::intl::LineBreaker* LineBreaker() { return sLineBreaker.get(); } static mozilla::intl::WordBreaker* WordBreaker() { return sWordBreaker.get(); } /** * Regster aObserver as a shutdown observer. A strong reference is held * to aObserver until UnregisterShutdownObserver is called. */ static void RegisterShutdownObserver(nsIObserver* aObserver); static void UnregisterShutdownObserver(nsIObserver* aObserver); /** * @return true if aContent has an attribute aName in namespace aNameSpaceID, * and the attribute value is non-empty. */ static bool HasNonEmptyAttr(const nsIContent* aContent, int32_t aNameSpaceID, nsAtom* aName); /** * Method that gets the primary presContext for the node. * * @param aContent The content node. * @return the presContext, or nullptr if the content is not in a document * (if GetComposedDoc returns nullptr) */ static nsPresContext* GetContextForContent(const nsIContent* aContent); /** * Method that gets the pres shell for the node. * * @param aContent The content node. * @return the pres shell, or nullptr if the content is not in a document * (if GetComposedDoc returns nullptr) */ static mozilla::PresShell* GetPresShellForContent(const nsIContent* aContent); /** * Method to do security and content policy checks on the image URI * * @param aURI uri of the image to be loaded * @param aNode, the context the image is loaded in (eg an element) * @param aLoadingDocument the document we belong to * @param aLoadingPrincipal the principal doing the load * @param [aContentPolicyType=nsIContentPolicy::TYPE_INTERNAL_IMAGE] * (Optional) The CP content type to use * @param aImageBlockingStatus the nsIContentPolicy blocking status for this * image. This will be set even if a security check fails for the * image, to some reasonable REJECT_* value. This out param will only * be set if it's non-null. * @return true if the load can proceed, or false if it is blocked. * Note that aImageBlockingStatus, if set will always be an ACCEPT * status if true is returned and always be a REJECT_* status if * false is returned. */ static bool CanLoadImage(nsIURI* aURI, nsINode* aNode, Document* aLoadingDocument, nsIPrincipal* aLoadingPrincipal); /** * Returns true if objects in aDocument shouldn't initiate image loads. */ static bool DocumentInactiveForImageLoads(Document* aDocument); /** * Convert a CORSMode into the corresponding imgILoader flags for * passing to LoadImage. * @param aMode CORS mode to convert * @return a bitfield suitable to bitwise OR with other nsIRequest flags */ static int32_t CORSModeToLoadImageFlags(mozilla::CORSMode aMode); /** * Method to start an image load. This does not do any security checks. * This method will attempt to make aURI immutable; a caller that wants to * keep a mutable version around should pass in a clone. * * @param aURI uri of the image to be loaded * @param aContext element of document where the result of this request * will be used. * @param aLoadingDocument the document we belong to * @param aLoadingPrincipal the principal doing the load * @param aReferrerInfo the referrerInfo use on channel creation * @param aObserver the observer for the image load * @param aLoadFlags the load flags to use. See nsIRequest * @param [aContentPolicyType=nsIContentPolicy::TYPE_INTERNAL_IMAGE] * (Optional) The CP content type to use * @param aUseUrgentStartForChannel,(Optional) a flag to mark on channel if it * is triggered by user input events. * @return the imgIRequest for the image load */ static nsresult LoadImage( nsIURI* aURI, nsINode* aContext, Document* aLoadingDocument, nsIPrincipal* aLoadingPrincipal, uint64_t aRequestContextID, nsIReferrerInfo* aReferrerInfo, imgINotificationObserver* aObserver, int32_t aLoadFlags, const nsAString& initiatorType, imgRequestProxy** aRequest, nsContentPolicyType aContentPolicyType = nsIContentPolicy::TYPE_INTERNAL_IMAGE, bool aUseUrgentStartForChannel = false, bool aLinkPreload = false); /** * Obtain an image loader that respects the given document/channel's privacy * status. Null document/channel arguments return the public image loader. */ static imgLoader* GetImgLoaderForDocument(Document* aDoc); static imgLoader* GetImgLoaderForChannel(nsIChannel* aChannel, Document* aContext); /** * Returns whether the given URI is in the image cache. */ static bool IsImageInCache(nsIURI* aURI, Document* aDocument); /** * Method to get an imgIContainer from an image loading content * * @param aContent The image loading content. Must not be null. * @param aRequest The image request [out] * @return the imgIContainer corresponding to the first frame of the image */ static already_AddRefed GetImageFromContent( nsIImageLoadingContent* aContent, imgIRequest** aRequest = nullptr); /** * Method that decides whether a content node is draggable * * @param aContent The content node to test. * @return whether it's draggable */ static bool ContentIsDraggable(nsIContent* aContent); /** * Method that decides whether a content node is a draggable image * * @param aContent The content node to test. * @return whether it's a draggable image */ static bool IsDraggableImage(nsIContent* aContent); /** * Method that decides whether a content node is a draggable link * * @param aContent The content node to test. * @return whether it's a draggable link */ static bool IsDraggableLink(const nsIContent* aContent); /** * Convenience method to create a new nodeinfo that differs only by prefix and * name from aNodeInfo. The new nodeinfo's name is set to aName, and prefix is * set to null. */ static nsresult QNameChanged(mozilla::dom::NodeInfo* aNodeInfo, nsAtom* aName, mozilla::dom::NodeInfo** aResult); /** * Returns the appropriate event argument names for the specified * namespace and event name. Added because we need to switch between * SVG's "evt" and the rest of the world's "event", and because onerror * on window takes 5 args. */ static void GetEventArgNames(int32_t aNameSpaceID, nsAtom* aEventName, bool aIsForWindow, uint32_t* aArgCount, const char*** aArgNames); /** * Returns true if this document is in a Private Browsing window. */ static bool IsInPrivateBrowsing(Document* aDoc); /** * Returns true if this loadGroup uses Private Browsing. */ static bool IsInPrivateBrowsing(nsILoadGroup* aLoadGroup); /** * If aNode is not an element, return true exactly when aContent's binding * parent is null. * * If aNode is an element, return true exactly when aContent's binding parent * is the same as aNode's. * * This method is particularly useful for callers who are trying to ensure * that they are working with a non-anonymous descendant of a given node. If * aContent is a descendant of aNode, a return value of false from this * method means that it's an anonymous descendant from aNode's point of view. * * Both arguments to this method must be non-null. */ static bool IsInSameAnonymousTree(const nsINode* aNode, const nsIContent* aContent); /* * Traverse the parent chain from aElement up to aStop, and return true if * there's an interactive html content; false otherwise. * * Note: This crosses shadow boundaries but not document boundaries. */ static bool IsInInteractiveHTMLContent(const Element* aElement, const Element* aStop); /** * Return the nsIXPConnect service. */ static nsIXPConnect* XPConnect() { return sXPConnect; } /** * Report simple error message to the browser console * @param aErrorText the error message * @param aCategory Name of the module reporting error * @param aFromPrivateWindow Whether from private window or not * @param aFromChromeContext Whether from chrome context or not * @param [aErrorFlags] See nsIScriptError. */ static void LogSimpleConsoleError( const nsAString& aErrorText, const char* aCategory, bool aFromPrivateWindow, bool aFromChromeContext, uint32_t aErrorFlags = nsIScriptError::errorFlag); /** * Report a non-localized error message to the error console. * @param aErrorText the error message * @param aErrorFlags See nsIScriptError. * @param aCategory Name of module reporting error. * @param aDocument Reference to the document which triggered the message. * @param [aURI=nullptr] (Optional) URI of resource containing error. * @param [aSourceLine=u""_ns] (Optional) The text of the line that contains the error (may be empty). * @param [aLineNumber=0] (Optional) Line number within resource containing error. * @param [aColumnNumber=0] (Optional) Column number within resource containing error. If aURI is null, then aDocument->GetDocumentURI() is used. * @param [aLocationMode] (Optional) Specifies the behavior if error location information is omitted. */ enum MissingErrorLocationMode { // Don't show location information in the error console. eOMIT_LOCATION, // Get location information from the currently executing script. eUSE_CALLING_LOCATION }; static nsresult ReportToConsoleNonLocalized( const nsAString& aErrorText, uint32_t aErrorFlags, const nsACString& aCategory, const Document* aDocument, nsIURI* aURI = nullptr, const nsString& aSourceLine = u""_ns, uint32_t aLineNumber = 0, uint32_t aColumnNumber = 0, MissingErrorLocationMode aLocationMode = eUSE_CALLING_LOCATION); /** * Report a non-localized error message to the error console base on the * innerWindowID. * @param aErrorText the error message * @param aErrorFlags See nsIScriptError. * @param aCategory Name of module reporting error. * @param [aInnerWindowID] Inner window ID for document which triggered the * message. * @param [aURI=nullptr] (Optional) URI of resource containing error. * @param [aSourceLine=u""_ns] (Optional) The text of the line that contains the error (may be empty). * @param [aLineNumber=0] (Optional) Line number within resource containing error. * @param [aColumnNumber=0] (Optional) Column number within resource containing error. If aURI is null, then aDocument->GetDocumentURI() is used. * @param [aLocationMode] (Optional) Specifies the behavior if error location information is omitted. */ static nsresult ReportToConsoleByWindowID( const nsAString& aErrorText, uint32_t aErrorFlags, const nsACString& aCategory, uint64_t aInnerWindowID, nsIURI* aURI = nullptr, const nsString& aSourceLine = u""_ns, uint32_t aLineNumber = 0, uint32_t aColumnNumber = 0, MissingErrorLocationMode aLocationMode = eUSE_CALLING_LOCATION); /** * Report a localized error message to the error console. * @param aErrorFlags See nsIScriptError. * @param aCategory Name of module reporting error. * @param aDocument Reference to the document which triggered the message. * @param aFile Properties file containing localized message. * @param aMessageName Name of localized message. * @param [aParams=empty-array] (Optional) Parameters to be substituted into localized message. * @param [aURI=nullptr] (Optional) URI of resource containing error. * @param [aSourceLine=u""_ns] (Optional) The text of the line that contains the error (may be empty). * @param [aLineNumber=0] (Optional) Line number within resource containing error. * @param [aColumnNumber=0] (Optional) Column number within resource containing error. If aURI is null, then aDocument->GetDocumentURI() is used. */ enum PropertiesFile { eCSS_PROPERTIES, eXUL_PROPERTIES, eLAYOUT_PROPERTIES, eFORMS_PROPERTIES, ePRINTING_PROPERTIES, eDOM_PROPERTIES, eHTMLPARSER_PROPERTIES, eSVG_PROPERTIES, eBRAND_PROPERTIES, eCOMMON_DIALOG_PROPERTIES, eMATHML_PROPERTIES, eSECURITY_PROPERTIES, eNECKO_PROPERTIES, eFORMS_PROPERTIES_en_US, eDOM_PROPERTIES_en_US, PropertiesFile_COUNT }; static nsresult ReportToConsole( uint32_t aErrorFlags, const nsACString& aCategory, const Document* aDocument, PropertiesFile aFile, const char* aMessageName, const nsTArray& aParams = nsTArray(), nsIURI* aURI = nullptr, const nsString& aSourceLine = u""_ns, uint32_t aLineNumber = 0, uint32_t aColumnNumber = 0); static void ReportEmptyGetElementByIdArg(const Document* aDoc); static void LogMessageToConsole(const char* aMsg); static bool SpoofLocaleEnglish(); /** * Get the localized string named |aKey| in properties file |aFile|. */ static nsresult GetLocalizedString(PropertiesFile aFile, const char* aKey, nsAString& aResult); /** * Same as GetLocalizedString, except that it might use en-US locale depending * on SpoofLocaleEnglish() and whether the document is a built-in browser * page. */ static nsresult GetMaybeLocalizedString(PropertiesFile aFile, const char* aKey, Document* aDocument, nsAString& aResult); /** * A helper function that parses a sandbox attribute (of an