summaryrefslogtreecommitdiffstats
path: root/toolkit/components/antitracking/AntiTrackingUtils.cpp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /toolkit/components/antitracking/AntiTrackingUtils.cpp
parentInitial commit. (diff)
downloadfirefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz
firefox-26a029d407be480d791972afb5975cf62c9360a6.zip
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'toolkit/components/antitracking/AntiTrackingUtils.cpp')
-rw-r--r--toolkit/components/antitracking/AntiTrackingUtils.cpp1045
1 files changed, 1045 insertions, 0 deletions
diff --git a/toolkit/components/antitracking/AntiTrackingUtils.cpp b/toolkit/components/antitracking/AntiTrackingUtils.cpp
new file mode 100644
index 0000000000..2c530dc3da
--- /dev/null
+++ b/toolkit/components/antitracking/AntiTrackingUtils.cpp
@@ -0,0 +1,1045 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AntiTrackingUtils.h"
+
+#include "AntiTrackingLog.h"
+#include "HttpBaseChannel.h"
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Components.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/dom/CanonicalBrowsingContext.h"
+#include "mozilla/net/CookieJarSettings.h"
+#include "mozilla/LoadInfo.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/WindowGlobalParent.h"
+#include "mozilla/dom/WindowContext.h"
+#include "mozilla/net/NeckoChannelParams.h"
+#include "mozilla/PermissionManager.h"
+#include "mozIThirdPartyUtil.h"
+#include "nsEffectiveTLDService.h"
+#include "nsGlobalWindowInner.h"
+#include "nsIChannel.h"
+#include "nsICookieService.h"
+#include "nsIHttpChannel.h"
+#include "nsIPermission.h"
+#include "nsIURI.h"
+#include "nsNetUtil.h"
+#include "nsPIDOMWindow.h"
+#include "nsQueryObject.h"
+#include "nsRFPService.h"
+#include "nsSandboxFlags.h"
+#include "nsScriptSecurityManager.h"
+#include "PartitioningExceptionList.h"
+
+#define ANTITRACKING_PERM_KEY "3rdPartyStorage"
+#define ANTITRACKING_FRAME_PERM_KEY "3rdPartyFrameStorage"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+
+/* static */ already_AddRefed<nsPIDOMWindowInner>
+AntiTrackingUtils::GetInnerWindow(BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ nsCOMPtr<nsPIDOMWindowOuter> outer = aBrowsingContext->GetDOMWindow();
+ if (!outer) {
+ return nullptr;
+ }
+
+ nsCOMPtr<nsPIDOMWindowInner> inner = outer->GetCurrentInnerWindow();
+ return inner.forget();
+}
+
+/* static */ already_AddRefed<nsPIDOMWindowOuter>
+AntiTrackingUtils::GetTopWindow(nsPIDOMWindowInner* aWindow) {
+ Document* document = aWindow->GetExtantDoc();
+ if (!document) {
+ return nullptr;
+ }
+
+ nsIChannel* channel = document->GetChannel();
+ if (!channel) {
+ return nullptr;
+ }
+
+ nsCOMPtr<nsPIDOMWindowOuter> pwin =
+ aWindow->GetBrowsingContext()->Top()->GetDOMWindow();
+
+ if (!pwin) {
+ return nullptr;
+ }
+
+ return pwin.forget();
+}
+
+/* static */
+already_AddRefed<nsIURI> AntiTrackingUtils::MaybeGetDocumentURIBeingLoaded(
+ nsIChannel* aChannel) {
+ nsCOMPtr<nsIURI> uriBeingLoaded;
+ nsLoadFlags loadFlags = 0;
+ nsresult rv = aChannel->GetLoadFlags(&loadFlags);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nullptr;
+ }
+ if (loadFlags & nsIChannel::LOAD_DOCUMENT_URI) {
+ // If the channel being loaded is a document channel, this call may be
+ // coming from an OnStopRequest notification, which might mean that our
+ // document may still be in the loading process, so we may need to pass in
+ // the uriBeingLoaded argument explicitly.
+ rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uriBeingLoaded));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nullptr;
+ }
+ }
+ return uriBeingLoaded.forget();
+}
+
+// static
+void AntiTrackingUtils::CreateStoragePermissionKey(
+ const nsACString& aTrackingOrigin, nsACString& aPermissionKey) {
+ MOZ_ASSERT(aPermissionKey.IsEmpty());
+
+ static const nsLiteralCString prefix =
+ nsLiteralCString(ANTITRACKING_PERM_KEY "^");
+
+ aPermissionKey.SetCapacity(prefix.Length() + aTrackingOrigin.Length());
+ aPermissionKey.Append(prefix);
+ aPermissionKey.Append(aTrackingOrigin);
+}
+
+// static
+bool AntiTrackingUtils::CreateStoragePermissionKey(nsIPrincipal* aPrincipal,
+ nsACString& aKey) {
+ if (!aPrincipal) {
+ return false;
+ }
+
+ nsAutoCString origin;
+ nsresult rv = aPrincipal->GetOriginNoSuffix(origin);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return false;
+ }
+
+ CreateStoragePermissionKey(origin, aKey);
+ return true;
+}
+
+// static
+void AntiTrackingUtils::CreateStorageFramePermissionKey(
+ const nsACString& aTrackingSite, nsACString& aPermissionKey) {
+ MOZ_ASSERT(aPermissionKey.IsEmpty());
+
+ static const nsLiteralCString prefix =
+ nsLiteralCString(ANTITRACKING_FRAME_PERM_KEY "^");
+
+ aPermissionKey.SetCapacity(prefix.Length() + aTrackingSite.Length());
+ aPermissionKey.Append(prefix);
+ aPermissionKey.Append(aTrackingSite);
+}
+
+// static
+bool AntiTrackingUtils::CreateStorageFramePermissionKey(
+ nsIPrincipal* aPrincipal, nsACString& aKey) {
+ MOZ_ASSERT(aPrincipal);
+
+ nsAutoCString site;
+ nsresult rv = aPrincipal->GetSiteOriginNoSuffix(site);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return false;
+ }
+
+ CreateStorageFramePermissionKey(site, aKey);
+ return true;
+}
+
+// static
+bool AntiTrackingUtils::CreateStorageRequestPermissionKey(
+ nsIURI* aURI, nsACString& aPermissionKey) {
+ MOZ_ASSERT(aPermissionKey.IsEmpty());
+ RefPtr<nsEffectiveTLDService> eTLDService =
+ nsEffectiveTLDService::GetInstance();
+ if (!eTLDService) {
+ return false;
+ }
+ nsCString site;
+ nsresult rv = eTLDService->GetSite(aURI, site);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ static const nsLiteralCString prefix =
+ nsLiteralCString("AllowStorageAccessRequest^");
+ aPermissionKey.SetCapacity(prefix.Length() + site.Length());
+ aPermissionKey.Append(prefix);
+ aPermissionKey.Append(site);
+ return true;
+}
+
+// static
+bool AntiTrackingUtils::IsStorageAccessPermission(nsIPermission* aPermission,
+ nsIPrincipal* aPrincipal) {
+ MOZ_ASSERT(aPermission);
+ MOZ_ASSERT(aPrincipal);
+
+ // The permission key may belong either to a tracking origin on the same
+ // origin as the granted origin, or on another origin as the granted origin
+ // (for example when a tracker in a third-party context uses window.open to
+ // open another origin where that second origin would be the granted origin.)
+ // But even in the second case, the type of the permission would still be
+ // formed by concatenating the granted origin to the end of the type name
+ // (see CreatePermissionKey). Therefore, we pass in the same argument to
+ // both tracking origin and granted origin here in order to compute the
+ // shorter permission key and will then do a prefix match on the type of the
+ // input permission to see if it is a storage access permission or not.
+ nsAutoCString permissionKey;
+ bool result = CreateStoragePermissionKey(aPrincipal, permissionKey);
+ if (NS_WARN_IF(!result)) {
+ return false;
+ }
+
+ nsAutoCString type;
+ nsresult rv = aPermission->GetType(type);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return false;
+ }
+
+ return StringBeginsWith(type, permissionKey);
+}
+
+// static
+Maybe<size_t> AntiTrackingUtils::CountSitesAllowStorageAccess(
+ nsIPrincipal* aPrincipal) {
+ PermissionManager* permManager = PermissionManager::GetInstance();
+ if (NS_WARN_IF(!permManager)) {
+ return Nothing();
+ }
+
+ nsAutoCString prefix;
+ AntiTrackingUtils::CreateStoragePermissionKey(aPrincipal, prefix);
+ nsAutoCString framePrefix;
+ AntiTrackingUtils::CreateStorageFramePermissionKey(aPrincipal, framePrefix);
+
+ using Permissions = nsTArray<RefPtr<nsIPermission>>;
+ Permissions perms;
+ nsresult rv = permManager->GetAllWithTypePrefix(prefix, perms);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return Nothing();
+ }
+ Permissions framePermissions;
+ rv = permManager->GetAllWithTypePrefix(framePrefix, framePermissions);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return Nothing();
+ }
+ if (!perms.AppendElements(framePermissions, fallible)) {
+ return Nothing();
+ }
+
+ // Create a set of unique origins
+ using Sites = nsTArray<nsCString>;
+ Sites sites;
+
+ // Iterate over all permissions that have a prefix equal to the expected
+ // permission we are looking for. This includes two things we need to remove:
+ // duplicates and origin strings that have a prefix of aPrincipal's origin
+ // string, e.g. https://example.company when aPrincipal is
+ // https://example.com.
+ for (const auto& perm : perms) {
+ nsAutoCString type;
+ rv = perm->GetType(type);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return Nothing();
+ }
+
+ // Let's make sure that we're not looking at a permission for
+ // https://exampletracker.company when we mean to look for the
+ // permission for https://exampletracker.com!
+ if (type != prefix && type != framePrefix) {
+ continue;
+ }
+
+ nsCOMPtr<nsIPrincipal> principal;
+ rv = perm->GetPrincipal(getter_AddRefs(principal));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return Nothing();
+ }
+
+ nsAutoCString site;
+ rv = principal->GetSiteOrigin(site);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return Nothing();
+ }
+
+ ToLowerCase(site);
+
+ // Append if it would not be a duplicate
+ if (sites.IndexOf(site) == Sites::NoIndex) {
+ sites.AppendElement(site);
+ }
+ }
+
+ return Some(sites.Length());
+}
+
+// static
+bool AntiTrackingUtils::CheckStoragePermission(nsIPrincipal* aPrincipal,
+ const nsAutoCString& aType,
+ bool aIsInPrivateBrowsing,
+ uint32_t* aRejectedReason,
+ uint32_t aBlockedReason) {
+ PermissionManager* permManager = PermissionManager::GetInstance();
+ if (NS_WARN_IF(!permManager)) {
+ LOG(("Failed to obtain the permission manager"));
+ return false;
+ }
+
+ uint32_t result = 0;
+ if (aIsInPrivateBrowsing) {
+ LOG_PRIN(("Querying the permissions for private modei looking for a "
+ "permission of type %s for %s",
+ aType.get(), _spec),
+ aPrincipal);
+ if (!permManager->PermissionAvailable(aPrincipal, aType)) {
+ LOG(
+ ("Permission isn't available for this principal in the current "
+ "process"));
+ return false;
+ }
+ nsTArray<RefPtr<nsIPermission>> permissions;
+ nsresult rv = permManager->GetAllForPrincipal(aPrincipal, permissions);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ LOG(("Failed to get the list of permissions"));
+ return false;
+ }
+
+ bool found = false;
+ for (const auto& permission : permissions) {
+ if (!permission) {
+ LOG(("Couldn't get the permission for unknown reasons"));
+ continue;
+ }
+
+ nsAutoCString permissionType;
+ if (NS_SUCCEEDED(permission->GetType(permissionType)) &&
+ permissionType != aType) {
+ LOG(("Non-matching permission type: %s", aType.get()));
+ continue;
+ }
+
+ uint32_t capability = 0;
+ if (NS_SUCCEEDED(permission->GetCapability(&capability)) &&
+ capability != nsIPermissionManager::ALLOW_ACTION) {
+ LOG(("Non-matching permission capability: %d", capability));
+ continue;
+ }
+
+ uint32_t expirationType = 0;
+ if (NS_SUCCEEDED(permission->GetExpireType(&expirationType)) &&
+ expirationType != nsIPermissionManager ::EXPIRE_SESSION) {
+ LOG(("Non-matching permission expiration type: %d", expirationType));
+ continue;
+ }
+
+ int64_t expirationTime = 0;
+ if (NS_SUCCEEDED(permission->GetExpireTime(&expirationTime)) &&
+ expirationTime != 0) {
+ LOG(("Non-matching permission expiration time: %" PRId64,
+ expirationTime));
+ continue;
+ }
+
+ LOG(("Found a matching permission"));
+ found = true;
+ break;
+ }
+
+ if (!found) {
+ if (aRejectedReason) {
+ *aRejectedReason = aBlockedReason;
+ }
+ return false;
+ }
+ } else {
+ nsresult rv = permManager->TestPermissionWithoutDefaultsFromPrincipal(
+ aPrincipal, aType, &result);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ LOG(("Failed to test the permission"));
+ return false;
+ }
+
+ LOG_PRIN(
+ ("Testing permission type %s for %s resulted in %d (%s)", aType.get(),
+ _spec, int(result),
+ result == nsIPermissionManager::ALLOW_ACTION ? "success" : "failure"),
+ aPrincipal);
+
+ if (result != nsIPermissionManager::ALLOW_ACTION) {
+ if (aRejectedReason) {
+ *aRejectedReason = aBlockedReason;
+ }
+ return false;
+ }
+ }
+
+ return true;
+}
+
+/* static */
+nsresult AntiTrackingUtils::TestStoragePermissionInParent(
+ nsIPrincipal* aTopPrincipal, nsIPrincipal* aPrincipal, uint32_t* aResult) {
+ NS_ENSURE_ARG(aResult);
+ *aResult = nsIPermissionManager::UNKNOWN_ACTION;
+ NS_ENSURE_ARG(aTopPrincipal);
+ NS_ENSURE_ARG(aPrincipal);
+
+ nsCOMPtr<nsIPermissionManager> permMgr =
+ components::PermissionManager::Service();
+ NS_ENSURE_TRUE(permMgr, NS_ERROR_FAILURE);
+
+ // Build the permission keys
+ nsAutoCString requestPermissionKey;
+ bool success = AntiTrackingUtils::CreateStoragePermissionKey(
+ aPrincipal, requestPermissionKey);
+ NS_ENSURE_TRUE(success, NS_ERROR_FAILURE);
+
+ nsAutoCString requestFramePermissionKey;
+ success = AntiTrackingUtils::CreateStorageFramePermissionKey(
+ aPrincipal, requestFramePermissionKey);
+ NS_ENSURE_TRUE(success, NS_ERROR_FAILURE);
+
+ // Test the permission
+ uint32_t access = nsIPermissionManager::UNKNOWN_ACTION;
+ nsresult rv = permMgr->TestPermissionFromPrincipal(
+ aTopPrincipal, requestPermissionKey, &access);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (access != nsIPermissionManager::UNKNOWN_ACTION) {
+ *aResult = access;
+ return NS_OK;
+ }
+
+ uint32_t frameAccess = nsIPermissionManager::UNKNOWN_ACTION;
+ rv = permMgr->TestPermissionFromPrincipal(
+ aTopPrincipal, requestFramePermissionKey, &frameAccess);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ *aResult = frameAccess;
+ return NS_OK;
+}
+
+/* static */
+nsILoadInfo::StoragePermissionState
+AntiTrackingUtils::GetStoragePermissionStateInParent(nsIChannel* aChannel) {
+ MOZ_ASSERT(aChannel);
+ MOZ_DIAGNOSTIC_ASSERT(XRE_IsParentProcess());
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ nsCOMPtr<nsICookieJarSettings> cookieJarSettings;
+
+ auto policyType = loadInfo->GetExternalContentPolicyType();
+
+ // The channel is for the document load of the top-level window. The top-level
+ // window should always has 'hasStoragePermission' flag as false. So, we can
+ // return here directly.
+ if (policyType == ExtContentPolicy::TYPE_DOCUMENT) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ nsresult rv =
+ loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ int32_t cookieBehavior = cookieJarSettings->GetCookieBehavior();
+
+ // We only need to check the storage permission if the cookie behavior is
+ // BEHAVIOR_REJECT_TRACKER, BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN or
+ // BEHAVIOR_REJECT_FOREIGN with exceptions. Because ContentBlocking wouldn't
+ // update or check the storage permission if the cookie behavior is not
+ // belongs to these three.
+ if (!net::CookieJarSettings::IsRejectThirdPartyContexts(cookieBehavior)) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ RefPtr<BrowsingContext> bc;
+ rv = loadInfo->GetTargetBrowsingContext(getter_AddRefs(bc));
+ if (NS_WARN_IF(NS_FAILED(rv)) || !bc) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ uint64_t targetWindowId = GetTopLevelAntiTrackingWindowId(bc);
+ nsCOMPtr<nsIPrincipal> targetPrincipal;
+
+ if (targetWindowId) {
+ RefPtr<WindowGlobalParent> wgp =
+ WindowGlobalParent::GetByInnerWindowId(targetWindowId);
+
+ if (NS_WARN_IF(!wgp)) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ targetPrincipal = wgp->DocumentPrincipal();
+ } else {
+ // We try to use the loading principal if there is no AntiTrackingWindowId.
+ targetPrincipal = loadInfo->GetLoadingPrincipal();
+ }
+
+ if (!targetPrincipal) {
+ nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+
+ if (httpChannel) {
+ // We don't have a loading principal, let's see if this is a document
+ // channel which belongs to a top-level window.
+ bool isDocument = false;
+ rv = httpChannel->GetIsMainDocumentChannel(&isDocument);
+ if (NS_SUCCEEDED(rv) && isDocument) {
+ nsIScriptSecurityManager* ssm =
+ nsScriptSecurityManager::GetScriptSecurityManager();
+ Unused << ssm->GetChannelResultPrincipal(
+ aChannel, getter_AddRefs(targetPrincipal));
+ }
+ }
+ }
+
+ // Let's use the triggering principal if we still have nothing on the hand.
+ if (!targetPrincipal) {
+ targetPrincipal = loadInfo->TriggeringPrincipal();
+ }
+
+ // Cannot get the target principal, bail out.
+ if (NS_WARN_IF(!targetPrincipal)) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ nsCOMPtr<nsIURI> trackingURI;
+ rv = aChannel->GetURI(getter_AddRefs(trackingURI));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ nsCOMPtr<nsIPrincipal> trackingPrincipal =
+ BasePrincipal::CreateContentPrincipal(trackingURI,
+ loadInfo->GetOriginAttributes());
+
+ if (IsThirdPartyChannel(aChannel)) {
+ nsAutoCString targetOrigin;
+ nsAutoCString trackingOrigin;
+ if (NS_FAILED(targetPrincipal->GetOriginNoSuffix(targetOrigin)) ||
+ NS_FAILED(trackingPrincipal->GetOriginNoSuffix(trackingOrigin))) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ if (PartitioningExceptionList::Check(targetOrigin, trackingOrigin)) {
+ return nsILoadInfo::StoragePermissionAllowListed;
+ }
+ }
+
+ nsAutoCString type;
+ AntiTrackingUtils::CreateStoragePermissionKey(trackingPrincipal, type);
+
+ uint32_t unusedReason = 0;
+
+ if (AntiTrackingUtils::CheckStoragePermission(targetPrincipal, type,
+ NS_UsePrivateBrowsing(aChannel),
+ &unusedReason, unusedReason)) {
+ return nsILoadInfo::HasStoragePermission;
+ }
+
+ WindowContext* wc = bc->GetCurrentWindowContext();
+ if (!wc) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+ WindowGlobalParent* wgp = wc->Canonical();
+ if (!wgp) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+ nsIPrincipal* framePrincipal = wgp->DocumentPrincipal();
+ if (!framePrincipal) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+
+ if (policyType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
+ // For loads of framed documents, we only use storage access
+ // if the load is the result of a same-origin, self-initiated
+ // navigation of the frame.
+ uint64_t targetWindowIdNoTop = bc->GetCurrentInnerWindowId();
+ uint64_t triggeringWindowId;
+ rv = loadInfo->GetTriggeringWindowId(&triggeringWindowId);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+ bool triggeringWindowHasStorageAccess;
+ rv =
+ loadInfo->GetTriggeringStorageAccess(&triggeringWindowHasStorageAccess);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return nsILoadInfo::NoStoragePermission;
+ }
+ RefPtr<net::HttpBaseChannel> httpChannel = do_QueryObject(aChannel);
+
+ if (targetWindowIdNoTop == triggeringWindowId &&
+ triggeringWindowHasStorageAccess &&
+ trackingPrincipal->Equals(framePrincipal) && httpChannel &&
+ !httpChannel->HasRedirectTaintedOrigin()) {
+ return nsILoadInfo::HasStoragePermission;
+ }
+ } else if (!bc->IsTop()) {
+ // For subframe resources, check if the document has storage access
+ // and that the resource being loaded is same-site to the page.
+ bool isThirdParty = true;
+ nsresult rv = framePrincipal->IsThirdPartyURI(trackingURI, &isThirdParty);
+ if (NS_SUCCEEDED(rv) && wc->GetUsingStorageAccess() && !isThirdParty) {
+ return nsILoadInfo::HasStoragePermission;
+ }
+ }
+
+ return nsILoadInfo::NoStoragePermission;
+}
+
+uint64_t AntiTrackingUtils::GetTopLevelAntiTrackingWindowId(
+ BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ RefPtr<WindowContext> winContext =
+ aBrowsingContext->GetCurrentWindowContext();
+ if (!winContext || winContext->GetCookieBehavior().isNothing()) {
+ return 0;
+ }
+
+ // Do not check BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN her because when
+ // a third-party subresource is inside the main frame, we need to return the
+ // top-level window id to partition its cookies correctly.
+ uint32_t behavior = *winContext->GetCookieBehavior();
+ if (behavior == nsICookieService::BEHAVIOR_REJECT_TRACKER &&
+ aBrowsingContext->IsTop()) {
+ return 0;
+ }
+
+ return aBrowsingContext->Top()->GetCurrentInnerWindowId();
+}
+
+uint64_t AntiTrackingUtils::GetTopLevelStorageAreaWindowId(
+ BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ if (Document::StorageAccessSandboxed(aBrowsingContext->GetSandboxFlags())) {
+ return 0;
+ }
+
+ BrowsingContext* parentBC = aBrowsingContext->GetParent();
+ if (!parentBC) {
+ // No parent browsing context available!
+ return 0;
+ }
+
+ if (!parentBC->IsTop()) {
+ return 0;
+ }
+
+ return parentBC->GetCurrentInnerWindowId();
+}
+
+/* static */
+already_AddRefed<nsIPrincipal> AntiTrackingUtils::GetPrincipal(
+ BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ nsCOMPtr<nsIPrincipal> principal;
+
+ if (XRE_IsContentProcess()) {
+ // Passing an out-of-process browsing context in child processes to
+ // this API won't get any result, so just assert.
+ MOZ_ASSERT(aBrowsingContext->IsInProcess());
+
+ nsPIDOMWindowOuter* outer = aBrowsingContext->GetDOMWindow();
+ if (NS_WARN_IF(!outer)) {
+ return nullptr;
+ }
+
+ nsPIDOMWindowInner* inner = outer->GetCurrentInnerWindow();
+ if (NS_WARN_IF(!inner)) {
+ return nullptr;
+ }
+
+ principal = nsGlobalWindowInner::Cast(inner)->GetPrincipal();
+ } else {
+ WindowGlobalParent* wgp =
+ aBrowsingContext->Canonical()->GetCurrentWindowGlobal();
+ if (NS_WARN_IF(!wgp)) {
+ return nullptr;
+ }
+
+ principal = wgp->DocumentPrincipal();
+ }
+ return principal.forget();
+}
+
+/* static */
+bool AntiTrackingUtils::GetPrincipalAndTrackingOrigin(
+ BrowsingContext* aBrowsingContext, nsIPrincipal** aPrincipal,
+ nsACString& aTrackingOrigin) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ // Passing an out-of-process browsing context in child processes to
+ // this API won't get any result, so just assert.
+ MOZ_ASSERT_IF(XRE_IsContentProcess(), aBrowsingContext->IsInProcess());
+
+ // Let's take the principal and the origin of the tracker.
+ nsCOMPtr<nsIPrincipal> principal =
+ AntiTrackingUtils::GetPrincipal(aBrowsingContext);
+ if (NS_WARN_IF(!principal)) {
+ return false;
+ }
+
+ nsresult rv = principal->GetOriginNoSuffix(aTrackingOrigin);
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return false;
+ }
+
+ if (aPrincipal) {
+ principal.forget(aPrincipal);
+ }
+
+ return true;
+};
+
+/* static */
+uint32_t AntiTrackingUtils::GetCookieBehavior(
+ BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+
+ RefPtr<dom::WindowContext> win = aBrowsingContext->GetCurrentWindowContext();
+ if (!win || win->GetCookieBehavior().isNothing()) {
+ return nsICookieService::BEHAVIOR_REJECT;
+ }
+
+ return *win->GetCookieBehavior();
+}
+
+/* static */
+already_AddRefed<WindowGlobalParent>
+AntiTrackingUtils::GetTopWindowExcludingExtensionAccessibleContentFrames(
+ CanonicalBrowsingContext* aBrowsingContext, nsIURI* aURIBeingLoaded) {
+ MOZ_ASSERT(XRE_IsParentProcess());
+ MOZ_ASSERT(aBrowsingContext);
+
+ CanonicalBrowsingContext* bc = aBrowsingContext;
+ RefPtr<WindowGlobalParent> prev;
+ while (RefPtr<WindowGlobalParent> parent = bc->GetParentWindowContext()) {
+ CanonicalBrowsingContext* parentBC = parent->BrowsingContext();
+
+ nsIPrincipal* parentPrincipal = parent->DocumentPrincipal();
+ nsIURI* uri = prev ? prev->GetDocumentURI() : aURIBeingLoaded;
+
+ // If the new parent has permission to load the current page, we're
+ // at a moz-extension:// frame which has a host permission that allows
+ // it to load the document that we've loaded. In that case, stop at
+ // this frame and consider it the top-level frame.
+ if (uri &&
+ BasePrincipal::Cast(parentPrincipal)->AddonAllowsLoad(uri, true)) {
+ break;
+ }
+
+ bc = parentBC;
+ prev = parent;
+ }
+ if (!prev) {
+ prev = bc->GetCurrentWindowGlobal();
+ }
+ return prev.forget();
+}
+
+/* static */
+void AntiTrackingUtils::ComputeIsThirdPartyToTopWindow(nsIChannel* aChannel) {
+ MOZ_ASSERT(aChannel);
+ MOZ_ASSERT(XRE_IsParentProcess());
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+
+ // When a top-level load is opened by window.open, BrowsingContext from
+ // LoadInfo is its opener, which may make the third-party caculation code
+ // below returns an incorrect result. So we use TYPE_DOCUMENT to
+ // ensure a top-level load is not considered 3rd-party.
+ auto policyType = loadInfo->GetExternalContentPolicyType();
+ if (policyType == ExtContentPolicy::TYPE_DOCUMENT) {
+ loadInfo->SetIsThirdPartyContextToTopWindow(false);
+ return;
+ }
+
+ RefPtr<BrowsingContext> bc;
+ loadInfo->GetBrowsingContext(getter_AddRefs(bc));
+
+ nsCOMPtr<nsIURI> uri;
+ Unused << aChannel->GetURI(getter_AddRefs(uri));
+
+ // In some cases we don't have a browsingContext. For example, in xpcshell
+ // tests, channels that are used to download images and channels for loading
+ // worker script.
+ if (!bc) {
+ // If the flag was set before, we don't need to compute again. This could
+ // happen for the channels used to load worker scripts.
+ //
+ // Note that we cannot stop computing the flag in general even it has set
+ // before because sometimes we need to get the up-to-date flag, e.g.
+ // redirects.
+ if (static_cast<net::LoadInfo*>(loadInfo.get())
+ ->HasIsThirdPartyContextToTopWindowSet()) {
+ return;
+ }
+
+ // We turn to check the loading principal if there is no browsing context.
+ auto* loadingPrincipal =
+ BasePrincipal::Cast(loadInfo->GetLoadingPrincipal());
+
+ if (uri && loadingPrincipal) {
+ bool isThirdParty = true;
+ nsresult rv = loadingPrincipal->IsThirdPartyURI(uri, &isThirdParty);
+
+ if (NS_SUCCEEDED(rv)) {
+ loadInfo->SetIsThirdPartyContextToTopWindow(isThirdParty);
+ }
+ }
+ return;
+ }
+
+ RefPtr<WindowGlobalParent> topWindow =
+ GetTopWindowExcludingExtensionAccessibleContentFrames(bc->Canonical(),
+ uri);
+
+ if (NS_WARN_IF(!topWindow)) {
+ return;
+ }
+
+ nsCOMPtr<nsIPrincipal> topWindowPrincipal = topWindow->DocumentPrincipal();
+ if (topWindowPrincipal && !topWindowPrincipal->GetIsNullPrincipal()) {
+ auto* basePrin = BasePrincipal::Cast(topWindowPrincipal);
+ bool isThirdParty = true;
+
+ // For about:blank and about:srcdoc, we can't just compare uri to determine
+ // whether the page is third-party, so we use channel result principal
+ // instead. By doing this, an the resource inherits the principal from
+ // its parent is considered not a third-party.
+ if (NS_IsAboutBlank(uri) || NS_IsAboutSrcdoc(uri)) {
+ nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+ if (NS_WARN_IF(!ssm)) {
+ return;
+ }
+
+ nsCOMPtr<nsIPrincipal> principal;
+ nsresult rv =
+ ssm->GetChannelResultPrincipal(aChannel, getter_AddRefs(principal));
+ if (NS_WARN_IF(NS_FAILED(rv))) {
+ return;
+ }
+
+ basePrin->IsThirdPartyPrincipal(principal, &isThirdParty);
+ } else {
+ basePrin->IsThirdPartyURI(uri, &isThirdParty);
+ }
+
+ loadInfo->SetIsThirdPartyContextToTopWindow(isThirdParty);
+ }
+}
+
+/* static */
+bool AntiTrackingUtils::IsThirdPartyChannel(nsIChannel* aChannel) {
+ MOZ_ASSERT(aChannel);
+
+ // We only care whether the channel is 3rd-party with respect to
+ // the top-level.
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ return loadInfo->GetIsThirdPartyContextToTopWindow();
+}
+
+/* static */
+bool AntiTrackingUtils::IsThirdPartyWindow(nsPIDOMWindowInner* aWindow,
+ nsIURI* aURI) {
+ MOZ_ASSERT(aWindow);
+
+ // We assume that the window is foreign to the URI by default.
+ bool thirdParty = true;
+
+ // We will skip checking URIs for about:blank and about:srcdoc because they
+ // have no domain. So, comparing them will always fail.
+ if (aURI && !NS_IsAboutBlank(aURI) && !NS_IsAboutSrcdoc(aURI)) {
+ nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin =
+ do_QueryInterface(aWindow);
+ if (!scriptObjPrin) {
+ return thirdParty;
+ }
+
+ nsCOMPtr<nsIPrincipal> prin = scriptObjPrin->GetPrincipal();
+ if (!prin) {
+ return thirdParty;
+ }
+
+ // Determine whether aURI is foreign with respect to the current principal.
+ nsresult rv = prin->IsThirdPartyURI(aURI, &thirdParty);
+ if (NS_FAILED(rv)) {
+ return thirdParty;
+ }
+
+ if (thirdParty) {
+ return thirdParty;
+ }
+ }
+
+ RefPtr<Document> doc = aWindow->GetDoc();
+ if (!doc) {
+ // If we can't get the document from the window, ex, about:blank, fallback
+ // to use IsThirdPartyWindow check that examine the whole hierarchy.
+ nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
+ components::ThirdPartyUtil::Service();
+ Unused << thirdPartyUtil->IsThirdPartyWindow(aWindow->GetOuterWindow(),
+ nullptr, &thirdParty);
+ return thirdParty;
+ }
+
+ return IsThirdPartyDocument(doc);
+}
+
+/* static */
+bool AntiTrackingUtils::IsThirdPartyDocument(Document* aDocument) {
+ MOZ_ASSERT(aDocument);
+ if (!aDocument->GetChannel()) {
+ // If we can't get the channel from the document, i.e. initial about:blank
+ // page, we use the browsingContext of the document to check if it's in the
+ // third-party context. If the browsing context is still not available, we
+ // will treat the window as third-party.
+ RefPtr<BrowsingContext> bc = aDocument->GetBrowsingContext();
+ return bc ? IsThirdPartyContext(bc) : true;
+ }
+
+ // We only care whether the channel is 3rd-party with respect to
+ // the top-level.
+ nsCOMPtr<nsILoadInfo> loadInfo = aDocument->GetChannel()->LoadInfo();
+ return loadInfo->GetIsThirdPartyContextToTopWindow();
+}
+
+/* static */
+bool AntiTrackingUtils::IsThirdPartyContext(BrowsingContext* aBrowsingContext) {
+ MOZ_ASSERT(aBrowsingContext);
+ MOZ_ASSERT(aBrowsingContext->IsInProcess());
+
+ if (aBrowsingContext->IsTopContent()) {
+ return false;
+ }
+
+ // If the top browsing context is not in the same process, it's cross-origin.
+ if (!aBrowsingContext->Top()->IsInProcess()) {
+ return true;
+ }
+
+ nsIDocShell* docShell = aBrowsingContext->GetDocShell();
+ if (!docShell) {
+ return true;
+ }
+ Document* doc = docShell->GetExtantDocument();
+ if (!doc) {
+ return true;
+ }
+ nsIPrincipal* principal = doc->NodePrincipal();
+
+ nsIDocShell* topDocShell = aBrowsingContext->Top()->GetDocShell();
+ if (!topDocShell) {
+ return true;
+ }
+ Document* topDoc = topDocShell->GetDocument();
+ if (!topDoc) {
+ return true;
+ }
+ nsIPrincipal* topPrincipal = topDoc->NodePrincipal();
+
+ auto* topBasePrin = BasePrincipal::Cast(topPrincipal);
+ bool isThirdParty = true;
+
+ topBasePrin->IsThirdPartyPrincipal(principal, &isThirdParty);
+
+ return isThirdParty;
+}
+
+/* static */
+nsCString AntiTrackingUtils::GrantedReasonToString(
+ ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason) {
+ switch (aReason) {
+ case ContentBlockingNotifier::eOpener:
+ return "opener"_ns;
+ case ContentBlockingNotifier::eOpenerAfterUserInteraction:
+ return "user interaction"_ns;
+ default:
+ return "stroage access API"_ns;
+ }
+}
+
+/* static */
+void AntiTrackingUtils::UpdateAntiTrackingInfoForChannel(nsIChannel* aChannel) {
+ MOZ_ASSERT(aChannel);
+
+ if (!XRE_IsParentProcess()) {
+ return;
+ }
+
+ MOZ_DIAGNOSTIC_ASSERT(XRE_IsParentProcess());
+
+ AntiTrackingUtils::ComputeIsThirdPartyToTopWindow(aChannel);
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+
+ Unused << loadInfo->SetStoragePermission(
+ AntiTrackingUtils::GetStoragePermissionStateInParent(aChannel));
+
+ // Note that we need to put this after computing the IsThirdPartyToTopWindow
+ // flag because it will be used when getting the granular fingerprinting
+ // protections.
+ Maybe<RFPTarget> overriddenFingerprintingSettings =
+ nsRFPService::GetOverriddenFingerprintingSettingsForChannel(aChannel);
+
+ if (overriddenFingerprintingSettings) {
+ loadInfo->SetOverriddenFingerprintingSettings(
+ overriddenFingerprintingSettings.ref());
+ }
+#ifdef DEBUG
+ static_cast<mozilla::net::LoadInfo*>(loadInfo.get())
+ ->MarkOverriddenFingerprintingSettingsAsSet();
+#endif
+
+ // We only update the IsOnContentBlockingAllowList flag and the partition key
+ // for the top-level http channel.
+ //
+ // The IsOnContentBlockingAllowList is only for http. For other types of
+ // channels, such as 'file:', there will be no interface to modify this. So,
+ // we only update it in http channels.
+ //
+ // The partition key is computed based on the site, so it's no point to set it
+ // for channels other than http channels.
+ nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+ if (!httpChannel || loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_DOCUMENT) {
+ return;
+ }
+
+ nsCOMPtr<nsICookieJarSettings> cookieJarSettings;
+ Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings));
+
+ // Update the IsOnContentBlockingAllowList flag in the CookieJarSettings
+ // if this is a top level loading. For sub-document loading, this flag
+ // would inherit from the parent.
+ net::CookieJarSettings::Cast(cookieJarSettings)
+ ->UpdateIsOnContentBlockingAllowList(aChannel);
+
+ // We only need to set FPD for top-level loads. FPD will automatically be
+ // propagated to non-top level loads via CookieJarSetting.
+ nsCOMPtr<nsIURI> uri;
+ Unused << aChannel->GetURI(getter_AddRefs(uri));
+ net::CookieJarSettings::Cast(cookieJarSettings)->SetPartitionKey(uri);
+
+ // Generate the fingerprinting randomization key for top-level loads. The key
+ // will automatically be propagated to sub loads.
+ auto RFPRandomKey = nsRFPService::GenerateKey(aChannel);
+ if (RFPRandomKey) {
+ net::CookieJarSettings::Cast(cookieJarSettings)
+ ->SetFingerprintingRandomizationKey(RFPRandomKey.ref());
+ }
+}