1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsMixedContentBlocker.h"
#include "nsContentPolicyUtils.h"
#include "nsCSPContext.h"
#include "nsThreadUtils.h"
#include "nsINode.h"
#include "nsCOMPtr.h"
#include "nsDocShell.h"
#include "nsIWebProgressListener.h"
#include "nsContentUtils.h"
#include "mozilla/dom/BrowsingContext.h"
#include "mozilla/dom/WindowContext.h"
#include "mozilla/dom/Document.h"
#include "nsIChannel.h"
#include "nsIParentChannel.h"
#include "mozilla/Preferences.h"
#include "nsIScriptObjectPrincipal.h"
#include "nsIProtocolHandler.h"
#include "nsCharSeparatedTokenizer.h"
#include "nsISecureBrowserUI.h"
#include "nsIWebNavigation.h"
#include "nsLoadGroup.h"
#include "nsIScriptError.h"
#include "nsIURI.h"
#include "nsIChannelEventSink.h"
#include "nsNetUtil.h"
#include "nsAsyncRedirectVerifyHelper.h"
#include "mozilla/LoadInfo.h"
#include "nsISiteSecurityService.h"
#include "prnetdb.h"
#include "nsQueryObject.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Logging.h"
#include "mozilla/StaticPrefs_dom.h"
#include "mozilla/StaticPrefs_fission.h"
#include "mozilla/StaticPrefs_security.h"
#include "mozilla/Telemetry.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/ipc/URIUtils.h"
#include "mozilla/net/DNS.h"
#include "mozilla/net/DocumentLoadListener.h"
#include "mozilla/net/DocumentChannel.h"
#include "mozilla/dom/nsHTTPSOnlyUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
static mozilla::LazyLogModule sMCBLog("MCBLog");
enum nsMixedContentBlockerMessageType { eBlocked = 0x00, eUserOverride = 0x01 };
// Allowlist of hostnames that should be considered secure contexts even when
// served over http:// or ws://
nsCString* nsMixedContentBlocker::sSecurecontextAllowlist = nullptr;
bool nsMixedContentBlocker::sSecurecontextAllowlistCached = false;
enum MixedContentHSTSState {
MCB_HSTS_PASSIVE_NO_HSTS = 0,
MCB_HSTS_PASSIVE_WITH_HSTS = 1,
MCB_HSTS_ACTIVE_NO_HSTS = 2,
MCB_HSTS_ACTIVE_WITH_HSTS = 3
};
nsMixedContentBlocker::~nsMixedContentBlocker() = default;
NS_IMPL_ISUPPORTS(nsMixedContentBlocker, nsIContentPolicy, nsIChannelEventSink)
static void LogMixedContentMessage(
MixedContentTypes aClassification, nsIURI* aContentLocation,
uint64_t aInnerWindowID, nsMixedContentBlockerMessageType aMessageType,
nsIURI* aRequestingLocation,
const nsACString& aOverruleMessageLookUpKeyWithThis = ""_ns) {
nsAutoCString messageCategory;
uint32_t severityFlag;
nsAutoCString messageLookupKey;
if (aMessageType == eBlocked) {
severityFlag = nsIScriptError::errorFlag;
messageCategory.AssignLiteral("Mixed Content Blocker");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("BlockMixedDisplayContent");
} else {
messageLookupKey.AssignLiteral("BlockMixedActiveContent");
}
} else {
severityFlag = nsIScriptError::warningFlag;
messageCategory.AssignLiteral("Mixed Content Message");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("LoadingMixedDisplayContent2");
} else {
messageLookupKey.AssignLiteral("LoadingMixedActiveContent2");
}
}
// if the callee explicitly wants to use a special message for this
// console report, then we allow to overrule the default with the
// explicitly provided one here.
if (!aOverruleMessageLookUpKeyWithThis.IsEmpty()) {
messageLookupKey = aOverruleMessageLookUpKeyWithThis;
}
nsAutoString localizedMsg;
AutoTArray<nsString, 1> params;
CopyUTF8toUTF16(aContentLocation->GetSpecOrDefault(),
*params.AppendElement());
nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES,
messageLookupKey.get(), params,
localizedMsg);
nsContentUtils::ReportToConsoleByWindowID(localizedMsg, severityFlag,
messageCategory, aInnerWindowID,
aRequestingLocation);
}
/* nsIChannelEventSink implementation
* This code is called when a request is redirected.
* We check the channel associated with the new uri is allowed to load
* in the current context
*/
NS_IMETHODIMP
nsMixedContentBlocker::AsyncOnChannelRedirect(
nsIChannel* aOldChannel, nsIChannel* aNewChannel, uint32_t aFlags,
nsIAsyncVerifyRedirectCallback* aCallback) {
mozilla::net::nsAsyncRedirectAutoCallback autoCallback(aCallback);
if (!aOldChannel) {
NS_ERROR("No channel when evaluating mixed content!");
return NS_ERROR_FAILURE;
}
// If we are in the parent process in e10s, we don't have access to the
// document node, and hence ShouldLoad will fail when we try to get
// the docShell. If that's the case, ignore mixed content checks
// on redirects in the parent. Let the child check for mixed content.
nsCOMPtr<nsIParentChannel> is_ipc_channel;
NS_QueryNotificationCallbacks(aNewChannel, is_ipc_channel);
RefPtr<net::DocumentLoadListener> docListener =
do_QueryObject(is_ipc_channel);
if (is_ipc_channel && !docListener) {
return NS_OK;
}
// Don't do these checks if we're switching from DocumentChannel
// to a real channel. In that case, we should already have done
// the checks in the parent process. AsyncOnChannelRedirect
// isn't called in the content process if we switch process,
// so checking here would just hide bugs in the process switch
// cases.
if (RefPtr<net::DocumentChannel> docChannel = do_QueryObject(aOldChannel)) {
return NS_OK;
}
nsresult rv;
nsCOMPtr<nsIURI> oldUri;
rv = aOldChannel->GetURI(getter_AddRefs(oldUri));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> newUri;
rv = aNewChannel->GetURI(getter_AddRefs(newUri));
NS_ENSURE_SUCCESS(rv, rv);
// Get the loading Info from the old channel
nsCOMPtr<nsILoadInfo> loadInfo = aOldChannel->LoadInfo();
nsCOMPtr<nsIPrincipal> requestingPrincipal = loadInfo->GetLoadingPrincipal();
// Since we are calling shouldLoad() directly on redirects, we don't go
// through the code in nsContentPolicyUtils::NS_CheckContentLoadPolicy().
// Hence, we have to duplicate parts of it here.
if (requestingPrincipal) {
// We check to see if the loadingPrincipal is systemPrincipal and return
// early if it is
if (requestingPrincipal->IsSystemPrincipal()) {
return NS_OK;
}
}
int16_t decision = REJECT_REQUEST;
rv = ShouldLoad(newUri, loadInfo,
""_ns, // aMimeGuess
&decision);
if (NS_FAILED(rv)) {
autoCallback.DontCallback();
aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
return NS_BINDING_FAILED;
}
// If the channel is about to load mixed content, abort the channel
if (!NS_CP_ACCEPTED(decision)) {
autoCallback.DontCallback();
aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
return NS_BINDING_FAILED;
}
return NS_OK;
}
/* This version of ShouldLoad() is non-static and called by the Content Policy
* API and AsyncOnChannelRedirect(). See nsIContentPolicy::ShouldLoad()
* for detailed description of the parameters.
*/
NS_IMETHODIMP
nsMixedContentBlocker::ShouldLoad(nsIURI* aContentLocation,
nsILoadInfo* aLoadInfo,
const nsACString& aMimeGuess,
int16_t* aDecision) {
// We pass in false as the first parameter to ShouldLoad(), because the
// callers of this method don't know whether the load went through cached
// image redirects. This is handled by direct callers of the static
// ShouldLoad.
nsresult rv =
ShouldLoad(false, // aHadInsecureImageRedirect
aContentLocation, aLoadInfo, aMimeGuess, true, aDecision);
if (*aDecision == nsIContentPolicy::REJECT_REQUEST) {
NS_SetRequestBlockingReason(aLoadInfo,
nsILoadInfo::BLOCKING_REASON_MIXED_BLOCKED);
}
return rv;
}
bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
const nsACString& aAsciiHost) {
if (mozilla::net::IsLoopbackHostname(aAsciiHost)) {
return true;
}
PRNetAddr tempAddr;
memset(&tempAddr, 0, sizeof(PRNetAddr));
if (PR_StringToNetAddr(PromiseFlatCString(aAsciiHost).get(), &tempAddr) !=
PR_SUCCESS) {
return false;
}
using namespace mozilla::net;
NetAddr addr(&tempAddr);
// Step 4 of
// https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy says
// we should only consider [::1]/128 as a potentially trustworthy IPv6
// address, whereas for IPv4 127.0.0.1/8 are considered as potentially
// trustworthy.
return addr.IsLoopBackAddressWithoutIPv6Mapping();
}
bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
nsAutoCString asciiHost;
nsresult rv = aURL->GetAsciiHost(asciiHost);
NS_ENSURE_SUCCESS(rv, false);
return IsPotentiallyTrustworthyLoopbackHost(asciiHost);
}
/* Maybe we have a .onion URL. Treat it as trustworthy as well if
* `dom.securecontext.whitelist_onions` is `true`.
*/
bool nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(nsIURI* aURL) {
if (!StaticPrefs::dom_securecontext_whitelist_onions()) {
return false;
}
nsAutoCString host;
nsresult rv = aURL->GetHost(host);
NS_ENSURE_SUCCESS(rv, false);
return StringEndsWith(host, ".onion"_ns);
}
// static
void nsMixedContentBlocker::OnPrefChange(const char* aPref, void* aClosure) {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(!strcmp(aPref, "dom.securecontext.whitelist"));
Preferences::GetCString("dom.securecontext.whitelist",
*sSecurecontextAllowlist);
}
// static
void nsMixedContentBlocker::GetSecureContextAllowList(nsACString& aList) {
MOZ_ASSERT(NS_IsMainThread());
if (!sSecurecontextAllowlistCached) {
MOZ_ASSERT(!sSecurecontextAllowlist);
sSecurecontextAllowlistCached = true;
sSecurecontextAllowlist = new nsCString();
Preferences::RegisterCallbackAndCall(OnPrefChange,
"dom.securecontext.whitelist");
}
aList = *sSecurecontextAllowlist;
}
// static
void nsMixedContentBlocker::Shutdown() {
if (sSecurecontextAllowlist) {
delete sSecurecontextAllowlist;
sSecurecontextAllowlist = nullptr;
}
}
bool nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
// The following implements:
// https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
nsAutoCString scheme;
nsresult rv = aURI->GetScheme(scheme);
if (NS_FAILED(rv)) {
return false;
}
// Blobs are expected to inherit their principal so we don't expect to have
// a content principal with scheme 'blob' here. We can't assert that though
// since someone could mess with a non-blob URI to give it that scheme.
NS_WARNING_ASSERTION(!scheme.EqualsLiteral("blob"),
"IsOriginPotentiallyTrustworthy ignoring blob scheme");
// According to the specification, the user agent may choose to extend the
// trust to other, vendor-specific URL schemes. We use this for "resource:",
// which is technically a substituting protocol handler that is not limited to
// local resource mapping, but in practice is never mapped remotely as this
// would violate assumptions a lot of code makes.
// We use nsIProtocolHandler flags to determine which protocols we consider a
// priori authenticated.
bool aPrioriAuthenticated = false;
if (NS_FAILED(NS_URIChainHasFlags(
aURI, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY,
&aPrioriAuthenticated))) {
return false;
}
if (aPrioriAuthenticated) {
return true;
}
nsAutoCString host;
rv = aURI->GetHost(host);
if (NS_FAILED(rv)) {
return false;
}
if (IsPotentiallyTrustworthyLoopbackURL(aURI)) {
return true;
}
// If a host is not considered secure according to the default algorithm, then
// check to see if it has been allowlisted by the user. We only apply this
// allowlist for network resources, i.e., those with scheme "http" or "ws".
// The pref should contain a comma-separated list of hostnames.
if (!scheme.EqualsLiteral("http") && !scheme.EqualsLiteral("ws")) {
return false;
}
nsAutoCString allowlist;
GetSecureContextAllowList(allowlist);
for (const nsACString& allowedHost :
nsCCharSeparatedTokenizer(allowlist, ',').ToRange()) {
if (host.Equals(allowedHost)) {
return true;
}
}
// Maybe we have a .onion URL. Treat it as trustworthy as well if
// `dom.securecontext.whitelist_onions` is `true`.
if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aURI)) {
return true;
}
return false;
}
/* Static version of ShouldLoad() that contains all the Mixed Content Blocker
* logic. Called from non-static ShouldLoad().
*/
nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
nsIURI* aContentLocation,
nsILoadInfo* aLoadInfo,
const nsACString& aMimeGuess,
bool aReportError,
int16_t* aDecision) {
// Asserting that we are on the main thread here and hence do not have to lock
// and unlock security.mixed_content.block_active_content and
// security.mixed_content.block_display_content before reading/writing to
// them.
MOZ_ASSERT(NS_IsMainThread());
if (MOZ_UNLIKELY(MOZ_LOG_TEST(sMCBLog, LogLevel::Verbose))) {
nsAutoCString asciiUrl;
aContentLocation->GetAsciiSpec(asciiUrl);
MOZ_LOG(sMCBLog, LogLevel::Verbose, ("shouldLoad:"));
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - contentLocation: %s", asciiUrl.get()));
}
nsContentPolicyType internalContentType =
aLoadInfo->InternalContentPolicyType();
nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->GetLoadingPrincipal();
nsCOMPtr<nsIPrincipal> triggeringPrincipal = aLoadInfo->TriggeringPrincipal();
if (MOZ_UNLIKELY(MOZ_LOG_TEST(sMCBLog, LogLevel::Verbose))) {
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - internalContentPolicyType: %s",
NS_CP_ContentTypeName(internalContentType)));
if (loadingPrincipal != nullptr) {
nsAutoCString loadingPrincipalAsciiUrl;
loadingPrincipal->GetAsciiSpec(loadingPrincipalAsciiUrl);
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - loadingPrincipal: %s", loadingPrincipalAsciiUrl.get()));
} else {
MOZ_LOG(sMCBLog, LogLevel::Verbose, (" - loadingPrincipal: (nullptr)"));
}
nsAutoCString triggeringPrincipalAsciiUrl;
triggeringPrincipal->GetAsciiSpec(triggeringPrincipalAsciiUrl);
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - triggeringPrincipal: %s", triggeringPrincipalAsciiUrl.get()));
}
RefPtr<WindowContext> requestingWindow =
WindowContext::GetById(aLoadInfo->GetInnerWindowID());
bool isPreload = nsContentUtils::IsPreloadType(internalContentType);
// The content policy type that we receive may be an internal type for
// scripts. Let's remember if we have seen a worker type, and reset it to the
// external type in all cases right now.
bool isWorkerType =
internalContentType == nsIContentPolicy::TYPE_INTERNAL_WORKER ||
internalContentType == nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER ||
internalContentType == nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER;
ExtContentPolicyType contentType =
nsContentUtils::InternalContentPolicyTypeToExternal(internalContentType);
// Assume active (high risk) content and blocked by default
MixedContentTypes classification = eMixedScript;
// Make decision to block/reject by default
*aDecision = REJECT_REQUEST;
// Notes on non-obvious decisions:
//
// TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
//
// TYPE_FONT: The TrueType hinting mechanism is basically a scripting
// language that gets interpreted by the operating system's font rasterizer.
// Mixed content web fonts are relatively uncommon, and we can can fall back
// to built-in fonts with minimal disruption in almost all cases.
//
// TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
// script that a plugin will execute) or display content (e.g. Flash video
// content). Until we have a way to determine active vs passive content
// from plugin requests (bug 836352), we will treat this as passive content.
// This is to prevent false positives from causing users to become
// desensitized to the mixed content blocker.
//
// TYPE_CSP_REPORT: High-risk because they directly leak information about
// the content of the page, and because blocking them does not have any
// negative effect on the page loading.
//
// TYPE_PING: Ping requests are POSTS, not GETs like images and media.
// Also, PING requests have no bearing on the rendering or operation of
// the page when used as designed, so even though they are lower risk than
// scripts, blocking them is basically risk-free as far as compatibility is
// concerned.
//
// TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
// and other advanced CSS features can possibly be exploited to cause
// spoofing attacks (e.g. make a "grant permission" button look like a
// "refuse permission" button).
//
// TYPE_BEACON: Beacon requests are similar to TYPE_PING, and are blocked by
// default.
//
// TYPE_WEBSOCKET: The Websockets API requires browsers to
// reject mixed-content websockets: "If secure is false but the origin of
// the entry script has a scheme component that is itself a secure protocol,
// e.g. HTTPS, then throw a SecurityError exception." We already block mixed
// content websockets within the websockets implementation, so we don't need
// to do any blocking here, nor do we need to provide a way to undo or
// override the blocking. Websockets without TLS are very flaky anyway in the
// face of many HTTP-aware proxies. Compared to passive content, there is
// additional risk that the script using WebSockets will disclose sensitive
// information from the HTTPS page and/or eval (directly or indirectly)
// received data.
//
// TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
// mixed-content XHR will already be blocked by that check. This will also
// block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
// above for WebSockets apply to XHR, and XHR should have the same security
// properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
// amplifies these concerns.
//
switch (contentType) {
// The top-level document cannot be mixed content by definition
case ExtContentPolicy::TYPE_DOCUMENT:
*aDecision = ACCEPT;
return NS_OK;
// Creating insecure websocket connections in a secure page is blocked
// already in the websocket constructor. We don't need to check the blocking
// here and we don't want to un-block
case ExtContentPolicy::TYPE_WEBSOCKET:
*aDecision = ACCEPT;
return NS_OK;
// TYPE_SAVEAS_DOWNLOAD: Save-link-as feature is used to download a
// resource
// without involving a docShell. This kind of loading must be
// allowed, if not disabled in the preferences.
// Creating insecure connections for a save-as link download is
// acceptable. This download is completely disconnected from the docShell,
// but still using the same loading principal.
case ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD:
*aDecision = ACCEPT;
return NS_OK;
break;
// Static display content is considered moderate risk for mixed content so
// these will be blocked according to the mixed display preference
case ExtContentPolicy::TYPE_IMAGE:
case ExtContentPolicy::TYPE_MEDIA:
classification = eMixedDisplay;
break;
case ExtContentPolicy::TYPE_OBJECT_SUBREQUEST:
if (StaticPrefs::security_mixed_content_block_object_subrequest()) {
classification = eMixedScript;
} else {
classification = eMixedDisplay;
}
break;
// Active content (or content with a low value/risk-of-blocking ratio)
// that has been explicitly evaluated; listed here for documentation
// purposes and to avoid the assertion and warning for the default case.
case ExtContentPolicy::TYPE_BEACON:
case ExtContentPolicy::TYPE_CSP_REPORT:
case ExtContentPolicy::TYPE_DTD:
case ExtContentPolicy::TYPE_FETCH:
case ExtContentPolicy::TYPE_FONT:
case ExtContentPolicy::TYPE_IMAGESET:
case ExtContentPolicy::TYPE_OBJECT:
case ExtContentPolicy::TYPE_SCRIPT:
case ExtContentPolicy::TYPE_STYLESHEET:
case ExtContentPolicy::TYPE_SUBDOCUMENT:
case ExtContentPolicy::TYPE_PING:
case ExtContentPolicy::TYPE_WEB_MANIFEST:
case ExtContentPolicy::TYPE_XMLHTTPREQUEST:
case ExtContentPolicy::TYPE_XSLT:
case ExtContentPolicy::TYPE_OTHER:
case ExtContentPolicy::TYPE_SPECULATIVE:
break;
case ExtContentPolicy::TYPE_INVALID:
MOZ_ASSERT(false, "Mixed content of unknown type");
// Do not add default: so that compilers can catch the missing case.
}
// Make sure to get the URI the load started with. No need to check
// outer schemes because all the wrapping pseudo protocols inherit the
// security properties of the actual network request represented
// by the innerMost URL.
nsCOMPtr<nsIURI> innerContentLocation = NS_GetInnermostURI(aContentLocation);
if (!innerContentLocation) {
NS_ERROR("Can't get innerURI from aContentLocation");
*aDecision = REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because the innermost "
"URI could not be "
"retrieved"));
return NS_OK;
}
// TYPE_IMAGE redirects are cached based on the original URI, not the final
// destination and hence cache hits for images may not have the correct
// innerContentLocation. Check if the cached hit went through an http
// redirect, and if it did, we can't treat this as a secure subresource.
if (!aHadInsecureImageRedirect &&
URISafeToBeLoadedInSecureContext(innerContentLocation)) {
*aDecision = ACCEPT;
return NS_OK;
}
/*
* Most likely aLoadingPrincipal reflects the security context of the owning
* document for this mixed content check. There are cases where that is not
* true, hence we have to we process requests in the following order:
* 1) If the load is triggered by the SystemPrincipal, we allow the load.
* Content scripts from addon code do provide aTriggeringPrincipal, which
* is an ExpandedPrincipal. If encountered, we allow the load.
* 2) If aLoadingPrincipal does not yield to a requestingLocation, then we
* fall back to querying the requestingLocation from aTriggeringPrincipal.
* 3) If we still end up not having a requestingLocation, we reject the load.
*/
// 1) Check if the load was triggered by the system (SystemPrincipal) or
// a content script from addons code (ExpandedPrincipal) in which case the
// load is not subject to mixed content blocking.
if (triggeringPrincipal) {
if (triggeringPrincipal->IsSystemPrincipal()) {
*aDecision = ACCEPT;
return NS_OK;
}
nsCOMPtr<nsIExpandedPrincipal> expanded =
do_QueryInterface(triggeringPrincipal);
if (expanded) {
*aDecision = ACCEPT;
return NS_OK;
}
}
// 2) If aLoadingPrincipal does not provide a requestingLocation, then
// we fall back to to querying the requestingLocation from
// aTriggeringPrincipal.
nsCOMPtr<nsIURI> requestingLocation;
auto* baseLoadingPrincipal = BasePrincipal::Cast(loadingPrincipal);
if (baseLoadingPrincipal) {
baseLoadingPrincipal->GetURI(getter_AddRefs(requestingLocation));
}
if (!requestingLocation) {
auto* baseTriggeringPrincipal = BasePrincipal::Cast(triggeringPrincipal);
if (baseTriggeringPrincipal) {
baseTriggeringPrincipal->GetURI(getter_AddRefs(requestingLocation));
}
}
// 3) Giving up. We still don't have a requesting location, therefore we can't
// tell if this is a mixed content load. Deny to be safe.
if (!requestingLocation) {
*aDecision = REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because no requesting "
"location could be "
"gathered."));
return NS_OK;
}
// Check the parent scheme. If it is not an HTTPS page then mixed content
// restrictions do not apply.
nsCOMPtr<nsIURI> innerRequestingLocation =
NS_GetInnermostURI(requestingLocation);
if (!innerRequestingLocation) {
NS_ERROR("Can't get innerURI from requestingLocation");
*aDecision = REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because the innermost "
"URI of the "
"requesting location could be gathered."));
return NS_OK;
}
bool parentIsHttps = innerRequestingLocation->SchemeIs("https");
if (!parentIsHttps) {
*aDecision = ACCEPT;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be allowed because the requesting "
"location is not using "
"HTTPS."));
return NS_OK;
}
// Disallow mixed content loads for workers, shared workers and service
// workers.
if (isWorkerType) {
// For workers, we can assume that we're mixed content at this point, since
// the parent is https, and the protocol associated with
// innerContentLocation doesn't map to the secure URI flags checked above.
// Assert this for sanity's sake
#ifdef DEBUG
bool isHttpsScheme = innerContentLocation->SchemeIs("https");
MOZ_ASSERT(!isHttpsScheme);
#endif
*aDecision = REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected, trying to load a worker "
"from an insecure origin."));
return NS_OK;
}
bool isHttpScheme = innerContentLocation->SchemeIs("http");
if (isHttpScheme && IsPotentiallyTrustworthyOrigin(innerContentLocation)) {
*aDecision = ACCEPT;
return NS_OK;
}
// Check if https-only mode upgrades this later anyway
if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo)) {
*aDecision = ACCEPT;
return NS_OK;
}
// The page might have set the CSP directive 'upgrade-insecure-requests'. In
// such a case allow the http: load to succeed with the promise that the
// channel will get upgraded to https before fetching any data from the
// netwerk. Please see: nsHttpChannel::Connect()
//
// Please note that the CSP directive 'upgrade-insecure-requests' only applies
// to http: and ws: (for websockets). Websockets are not subject to mixed
// content blocking since insecure websockets are not allowed within secure
// pages. Hence, we only have to check against http: here. Skip mixed content
// blocking if the subresource load uses http: and the CSP directive
// 'upgrade-insecure-requests' is present on the page.
// Carve-out: if we're in the parent and we're loading media, e.g. through
// webbrowserpersist, don't reject it if we can't find a docshell.
if (XRE_IsParentProcess() && !requestingWindow &&
(contentType == ExtContentPolicy::TYPE_IMAGE ||
contentType == ExtContentPolicy::TYPE_MEDIA)) {
*aDecision = ACCEPT;
return NS_OK;
}
// Otherwise, we must have a window
NS_ENSURE_TRUE(requestingWindow, NS_OK);
if (isHttpScheme && aLoadInfo->GetUpgradeInsecureRequests()) {
*aDecision = ACCEPT;
return NS_OK;
}
// Allow http: mixed content if we are choosing to upgrade them when the
// pref "security.mixed_content.upgrade_display_content" is true.
// This behaves like GetUpgradeInsecureRequests above in that the channel will
// be upgraded to https before fetching any data from the netwerk.
bool isUpgradableDisplayType =
nsContentUtils::IsUpgradableDisplayType(contentType) &&
StaticPrefs::security_mixed_content_upgrade_display_content();
if (isHttpScheme && isUpgradableDisplayType) {
*aDecision = ACCEPT;
return NS_OK;
}
// The page might have set the CSP directive 'block-all-mixed-content' which
// should block not only active mixed content loads but in fact all mixed
// content loads, see https://www.w3.org/TR/mixed-content/#strict-checking
// Block all non secure loads in case the CSP directive is present. Please
// note that at this point we already know, based on |schemeSecure| that the
// load is not secure, so we can bail out early at this point.
if (aLoadInfo->GetBlockAllMixedContent()) {
// log a message to the console before returning.
nsAutoCString spec;
nsresult rv = aContentLocation->GetSpec(spec);
NS_ENSURE_SUCCESS(rv, rv);
AutoTArray<nsString, 1> params;
CopyUTF8toUTF16(spec, *params.AppendElement());
CSP_LogLocalizedStr("blockAllMixedContent", params,
u""_ns, // aSourceFile
u""_ns, // aScriptSample
0, // aLineNumber
0, // aColumnNumber
nsIScriptError::errorFlag, "blockAllMixedContent"_ns,
requestingWindow->Id(),
!!aLoadInfo->GetOriginAttributes().mPrivateBrowsingId);
*aDecision = REJECT_REQUEST;
MOZ_LOG(
sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because the CSP directive "
"'block-all-mixed-content' was set while trying to load data from "
"a non-secure origin."));
return NS_OK;
}
// Determine if the rootDoc is https and if the user decided to allow Mixed
// Content
WindowContext* topWC = requestingWindow->TopWindowContext();
bool rootHasSecureConnection = topWC->GetIsSecure();
bool allowMixedContent = topWC->GetAllowMixedContent();
// When navigating an iframe, the iframe may be https
// but its parents may not be. Check the parents to see if any of them are
// https. If none of the parents are https, allow the load.
if (contentType == ExtContentPolicyType::TYPE_SUBDOCUMENT &&
!rootHasSecureConnection) {
bool httpsParentExists = false;
RefPtr<WindowContext> curWindow = requestingWindow;
while (!httpsParentExists && curWindow) {
httpsParentExists = curWindow->GetIsSecure();
curWindow = curWindow->GetParentWindowContext();
}
if (!httpsParentExists) {
*aDecision = nsIContentPolicy::ACCEPT;
return NS_OK;
}
}
OriginAttributes originAttributes;
if (loadingPrincipal) {
originAttributes = loadingPrincipal->OriginAttributesRef();
} else if (triggeringPrincipal) {
originAttributes = triggeringPrincipal->OriginAttributesRef();
}
// At this point we know that the request is mixed content, and the only
// question is whether we block it. Record telemetry at this point as to
// whether HSTS would have fixed things by making the content location
// into an HTTPS URL.
//
// Note that we count this for redirects as well as primary requests. This
// will cause some degree of double-counting, especially when mixed content
// is not blocked (e.g., for images). For more detail, see:
// https://bugzilla.mozilla.org/show_bug.cgi?id=1198572#c19
//
// We do not count requests aHadInsecureImageRedirect=true, since these are
// just an artifact of the image caching system.
bool active = (classification == eMixedScript);
if (!aHadInsecureImageRedirect) {
if (XRE_IsParentProcess()) {
AccumulateMixedContentHSTS(innerContentLocation, active,
originAttributes);
} else {
// Ask the parent process to do the same call
mozilla::dom::ContentChild* cc =
mozilla::dom::ContentChild::GetSingleton();
if (cc) {
cc->SendAccumulateMixedContentHSTS(innerContentLocation, active,
originAttributes);
}
}
}
// set hasMixedContentObjectSubrequest on this object if necessary
if (contentType == ExtContentPolicyType::TYPE_OBJECT_SUBREQUEST &&
aReportError) {
if (!StaticPrefs::security_mixed_content_block_object_subrequest()) {
nsAutoCString messageLookUpKey(
"LoadingMixedDisplayObjectSubrequestDeprecation");
LogMixedContentMessage(classification, aContentLocation, topWC->Id(),
eUserOverride, requestingLocation,
messageLookUpKey);
}
}
uint32_t newState = 0;
// If the content is display content, and the pref says display content should
// be blocked, block it.
if (classification == eMixedDisplay) {
if (!StaticPrefs::security_mixed_content_block_display_content() ||
allowMixedContent) {
*aDecision = nsIContentPolicy::ACCEPT;
// User has overriden the pref and the root is not https;
// mixed display content was allowed on an https subframe.
newState |= nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT;
} else {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because the content is "
"display "
"content (blocked by pref "
"security.mixed_content.block_display_content)."));
newState |= nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT;
}
} else {
MOZ_ASSERT(classification == eMixedScript);
// If the content is active content, and the pref says active content should
// be blocked, block it unless the user has choosen to override the pref
if (!StaticPrefs::security_mixed_content_block_active_content() ||
allowMixedContent) {
*aDecision = nsIContentPolicy::ACCEPT;
// User has already overriden the pref and the root is not https;
// mixed active content was allowed on an https subframe.
newState |= nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT;
} else {
// User has not overriden the pref by Disabling protection. Reject the
// request and update the security state.
*aDecision = nsIContentPolicy::REJECT_REQUEST;
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" -> decision: Request will be rejected because the content is "
"active "
"content (blocked by pref "
"security.mixed_content.block_active_content)."));
// The user has not overriden the pref, so make sure they still have an
// option by calling nativeDocShell which will invoke the doorhanger
newState |= nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
}
}
// To avoid duplicate errors on the console, we do not report blocked
// preloads to the console.
if (!isPreload && aReportError) {
LogMixedContentMessage(classification, aContentLocation, topWC->Id(),
(*aDecision == nsIContentPolicy::REJECT_REQUEST)
? eBlocked
: eUserOverride,
requestingLocation);
}
// Notify the top WindowContext of the flags we've computed, and it
// will handle updating any relevant security UI.
topWC->AddSecurityState(newState);
return NS_OK;
}
bool nsMixedContentBlocker::URISafeToBeLoadedInSecureContext(nsIURI* aURI) {
/* Returns a bool if the URI can be loaded as a sub resource safely.
*
* Check Protocol Flags to determine if scheme is safe to load:
* URI_DOES_NOT_RETURN_DATA - e.g.
* "mailto"
* URI_IS_LOCAL_RESOURCE - e.g.
* "data",
* "resource",
* "moz-icon"
* URI_INHERITS_SECURITY_CONTEXT - e.g.
* "javascript"
* URI_IS_POTENTIALLY_TRUSTWORTHY - e.g.
* "https",
* "moz-safe-about"
*
*/
bool schemeLocal = false;
bool schemeNoReturnData = false;
bool schemeInherits = false;
bool schemeSecure = false;
if (NS_FAILED(NS_URIChainHasFlags(
aURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &schemeLocal)) ||
NS_FAILED(NS_URIChainHasFlags(
aURI, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA,
&schemeNoReturnData)) ||
NS_FAILED(NS_URIChainHasFlags(
aURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
&schemeInherits)) ||
NS_FAILED(NS_URIChainHasFlags(
aURI, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY,
&schemeSecure))) {
return false;
}
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - URISafeToBeLoadedInSecureContext:"));
MOZ_LOG(sMCBLog, LogLevel::Verbose, (" - schemeLocal: %i", schemeLocal));
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - schemeNoReturnData: %i", schemeNoReturnData));
MOZ_LOG(sMCBLog, LogLevel::Verbose,
(" - schemeInherits: %i", schemeInherits));
MOZ_LOG(sMCBLog, LogLevel::Verbose, (" - schemeSecure: %i", schemeSecure));
return (schemeLocal || schemeNoReturnData || schemeInherits || schemeSecure);
}
NS_IMETHODIMP
nsMixedContentBlocker::ShouldProcess(nsIURI* aContentLocation,
nsILoadInfo* aLoadInfo,
const nsACString& aMimeGuess,
int16_t* aDecision) {
if (!aContentLocation) {
// aContentLocation may be null when a plugin is loading without an
// associated URI resource
if (aLoadInfo->GetExternalContentPolicyType() ==
ExtContentPolicyType::TYPE_OBJECT) {
*aDecision = ACCEPT;
return NS_OK;
}
NS_SetRequestBlockingReason(aLoadInfo,
nsILoadInfo::BLOCKING_REASON_MIXED_BLOCKED);
*aDecision = REJECT_REQUEST;
return NS_ERROR_FAILURE;
}
return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
}
// Record information on when HSTS would have made mixed content not mixed
// content (regardless of whether it was actually blocked)
void nsMixedContentBlocker::AccumulateMixedContentHSTS(
nsIURI* aURI, bool aActive, const OriginAttributes& aOriginAttributes) {
// This method must only be called in the parent, because
// nsSiteSecurityService is only available in the parent
if (!XRE_IsParentProcess()) {
MOZ_ASSERT(false);
return;
}
bool hsts;
nsresult rv;
nsCOMPtr<nsISiteSecurityService> sss =
do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
if (NS_FAILED(rv)) {
return;
}
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, 0,
aOriginAttributes, nullptr, nullptr, &hsts);
if (NS_FAILED(rv)) {
return;
}
// states: would upgrade, would prime, hsts info cached
// active, passive
//
if (!aActive) {
if (!hsts) {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_PASSIVE_NO_HSTS);
} else {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_PASSIVE_WITH_HSTS);
}
} else {
if (!hsts) {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_ACTIVE_NO_HSTS);
} else {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_ACTIVE_WITH_HSTS);
}
}
}
|