summaryrefslogtreecommitdiffstats
path: root/toolkit/components/extensions/parent/ext-cookies.js
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 00:47:55 +0000
commit26a029d407be480d791972afb5975cf62c9360a6 (patch)
treef435a8308119effd964b339f76abb83a57c29483 /toolkit/components/extensions/parent/ext-cookies.js
parentInitial commit. (diff)
downloadfirefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz
firefox-26a029d407be480d791972afb5975cf62c9360a6.zip
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'toolkit/components/extensions/parent/ext-cookies.js')
-rw-r--r--toolkit/components/extensions/parent/ext-cookies.js696
1 files changed, 696 insertions, 0 deletions
diff --git a/toolkit/components/extensions/parent/ext-cookies.js b/toolkit/components/extensions/parent/ext-cookies.js
new file mode 100644
index 0000000000..9308a56cfd
--- /dev/null
+++ b/toolkit/components/extensions/parent/ext-cookies.js
@@ -0,0 +1,696 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+/* globals DEFAULT_STORE, PRIVATE_STORE */
+
+var { ExtensionError } = ExtensionUtils;
+
+const SAME_SITE_STATUSES = [
+ "no_restriction", // Index 0 = Ci.nsICookie.SAMESITE_NONE
+ "lax", // Index 1 = Ci.nsICookie.SAMESITE_LAX
+ "strict", // Index 2 = Ci.nsICookie.SAMESITE_STRICT
+];
+
+const isIPv4 = host => {
+ let match = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
+
+ if (match) {
+ return match[1] < 256 && match[2] < 256 && match[3] < 256 && match[4] < 256;
+ }
+ return false;
+};
+const isIPv6 = host => host.includes(":");
+const addBracketIfIPv6 = host =>
+ isIPv6(host) && !host.startsWith("[") ? `[${host}]` : host;
+const dropBracketIfIPv6 = host =>
+ isIPv6(host) && host.startsWith("[") && host.endsWith("]")
+ ? host.slice(1, -1)
+ : host;
+
+// Converts the partitionKey format of the extension API (i.e. PartitionKey) to
+// a valid format for the "partitionKey" member of OriginAttributes.
+function fromExtPartitionKey(extPartitionKey) {
+ if (!extPartitionKey) {
+ // Unpartitioned by default.
+ return "";
+ }
+ const { topLevelSite } = extPartitionKey;
+ // TODO: Expand API to force the generation of a partitionKey that differs
+ // from the default that's specified by privacy.dynamic_firstparty.use_site.
+ if (topLevelSite) {
+ // If topLevelSite is set and a non-empty string (a site in a URL format).
+ try {
+ return ChromeUtils.getPartitionKeyFromURL(topLevelSite);
+ } catch (e) {
+ throw new ExtensionError("Invalid value for 'partitionKey' attribute");
+ }
+ }
+ // Unpartitioned.
+ return "";
+}
+// Converts an internal partitionKey (format used by OriginAttributes) to the
+// string value as exposed through the extension API.
+function toExtPartitionKey(partitionKey) {
+ if (!partitionKey) {
+ // Canonical representation of an empty partitionKey is null.
+ // In theory {topLevelSite: ""} also works, but alas.
+ return null;
+ }
+ // Parse partitionKey in order to generate the desired return type (URL).
+ // OriginAttributes::ParsePartitionKey cannot be used because it assumes that
+ // the input matches the format of the privacy.dynamic_firstparty.use_site
+ // pref, which is not necessarily the case for cookies before the pref flip.
+ if (!partitionKey.startsWith("(")) {
+ // A partitionKey generated with privacy.dynamic_firstparty.use_site=false.
+ return { topLevelSite: `https://${partitionKey}` };
+ }
+ // partitionKey starts with "(" and ends with ")".
+ let [scheme, domain, port] = partitionKey.slice(1, -1).split(",");
+ let topLevelSite = `${scheme}://${domain}`;
+ if (port) {
+ topLevelSite += `:${port}`;
+ }
+ return { topLevelSite };
+}
+
+const convertCookie = ({ cookie, isPrivate }) => {
+ let result = {
+ name: cookie.name,
+ value: cookie.value,
+ domain: addBracketIfIPv6(cookie.host),
+ hostOnly: !cookie.isDomain,
+ path: cookie.path,
+ secure: cookie.isSecure,
+ httpOnly: cookie.isHttpOnly,
+ sameSite: SAME_SITE_STATUSES[cookie.sameSite],
+ session: cookie.isSession,
+ firstPartyDomain: cookie.originAttributes.firstPartyDomain || "",
+ partitionKey: toExtPartitionKey(cookie.originAttributes.partitionKey),
+ };
+
+ if (!cookie.isSession) {
+ result.expirationDate = cookie.expiry;
+ }
+
+ if (cookie.originAttributes.userContextId) {
+ result.storeId = getCookieStoreIdForContainer(
+ cookie.originAttributes.userContextId
+ );
+ } else if (cookie.originAttributes.privateBrowsingId || isPrivate) {
+ result.storeId = PRIVATE_STORE;
+ } else {
+ result.storeId = DEFAULT_STORE;
+ }
+
+ return result;
+};
+
+const isSubdomain = (otherDomain, baseDomain) => {
+ return otherDomain == baseDomain || otherDomain.endsWith("." + baseDomain);
+};
+
+// Checks that the given extension has permission to set the given cookie for
+// the given URI.
+const checkSetCookiePermissions = (extension, uri, cookie) => {
+ // Permission checks:
+ //
+ // - If the extension does not have permissions for the specified
+ // URL, it cannot set cookies for it.
+ //
+ // - If the specified URL could not set the given cookie, neither can
+ // the extension.
+ //
+ // Ideally, we would just have the cookie service make the latter
+ // determination, but that turns out to be quite complicated. At the
+ // moment, it requires constructing a cookie string and creating a
+ // dummy channel, both of which can be problematic. It also triggers
+ // a whole set of additional permission and preference checks, which
+ // may or may not be desirable.
+ //
+ // So instead, we do a similar set of checks here. Exactly what
+ // cookies a given URL should be able to set is not well-documented,
+ // and is not standardized in any standard that anyone actually
+ // follows. So instead, we follow the rules used by the cookie
+ // service.
+ //
+ // See source/netwerk/cookie/CookieService.cpp, in particular
+ // CheckDomain() and SetCookieInternal().
+
+ if (uri.scheme != "http" && uri.scheme != "https") {
+ return false;
+ }
+
+ if (!extension.allowedOrigins.matches(uri)) {
+ return false;
+ }
+
+ if (!cookie.host) {
+ // If no explicit host is specified, this becomes a host-only cookie.
+ cookie.host = uri.host;
+ return true;
+ }
+
+ // A leading "." is not expected, but is tolerated if it's not the only
+ // character in the host. If there is one, start by stripping it off. We'll
+ // add a new one on success.
+ if (cookie.host.length > 1) {
+ cookie.host = cookie.host.replace(/^\./, "");
+ }
+ cookie.host = cookie.host.toLowerCase();
+ cookie.host = dropBracketIfIPv6(cookie.host);
+
+ if (cookie.host != uri.host) {
+ // Not an exact match, so check for a valid subdomain.
+ let baseDomain;
+ try {
+ baseDomain = Services.eTLD.getBaseDomain(uri);
+ } catch (e) {
+ if (
+ e.result == Cr.NS_ERROR_HOST_IS_IP_ADDRESS ||
+ e.result == Cr.NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS
+ ) {
+ // The cookie service uses these to determine whether the domain
+ // requires an exact match. We already know we don't have an exact
+ // match, so return false. In all other cases, re-raise the error.
+ return false;
+ }
+ throw e;
+ }
+
+ // The cookie domain must be a subdomain of the base domain. This prevents
+ // us from setting cookies for domains like ".co.uk".
+ // The domain of the requesting URL must likewise be a subdomain of the
+ // cookie domain. This prevents us from setting cookies for entirely
+ // unrelated domains.
+ if (
+ !isSubdomain(cookie.host, baseDomain) ||
+ !isSubdomain(uri.host, cookie.host)
+ ) {
+ return false;
+ }
+
+ // RFC2109 suggests that we may only add cookies for sub-domains 1-level
+ // below us, but enforcing that would break the web, so we don't.
+ }
+
+ // If the host is an IP address, avoid adding a leading ".".
+ // An IP address is not a domain name, and only supports host-only cookies.
+ if (isIPv6(cookie.host) || isIPv4(cookie.host)) {
+ return true;
+ }
+
+ // An explicit domain was passed, so add a leading "." to make this a
+ // domain cookie.
+ cookie.host = "." + cookie.host;
+
+ // We don't do any significant checking of path permissions. RFC2109
+ // suggests we only allow sites to add cookies for sub-paths, similar to
+ // same origin policy enforcement, but no-one implements this.
+
+ return true;
+};
+
+/**
+ * Converts the details received from the cookies API to the OriginAttributes
+ * format, using default values when needed (firstPartyDomain/partitionKey).
+ *
+ * If allowPattern is true, an OriginAttributesPattern may be returned instead.
+ *
+ * @param {object} details
+ * The details received from the extension.
+ * @param {BaseContext} context
+ * @param {boolean} allowPattern
+ * Whether to potentially return an OriginAttributesPattern instead of
+ * OriginAttributes. The get/set/remove cookie methods operate on exact
+ * OriginAttributes, the getAll method allows a partial pattern and may
+ * potentially match cookies with distinct origin attributes.
+ * @returns {object} An object with the following properties:
+ * - originAttributes {OriginAttributes|OriginAttributesPattern}
+ * - isPattern {boolean} Whether originAttributes is a pattern.
+ * - isPrivate {boolean} Whether the cookie belongs to private browsing mode.
+ * - storeId {string} The storeId of the cookie.
+ */
+const oaFromDetails = (details, context, allowPattern) => {
+ // Default values, may be filled in based on details.
+ let originAttributes = {
+ userContextId: 0,
+ privateBrowsingId: 0,
+ // The following two keys may be deleted if allowPattern=true
+ firstPartyDomain: details.firstPartyDomain ?? "",
+ partitionKey: fromExtPartitionKey(details.partitionKey),
+ };
+
+ let isPrivate = context.incognito;
+ let storeId = isPrivate ? PRIVATE_STORE : DEFAULT_STORE;
+ if (details.storeId) {
+ storeId = details.storeId;
+ if (isDefaultCookieStoreId(storeId)) {
+ isPrivate = false;
+ } else if (isPrivateCookieStoreId(storeId)) {
+ isPrivate = true;
+ } else {
+ isPrivate = false;
+ let userContextId = getContainerForCookieStoreId(storeId);
+ if (!userContextId) {
+ throw new ExtensionError(`Invalid cookie store id: "${storeId}"`);
+ }
+ originAttributes.userContextId = userContextId;
+ }
+ }
+
+ if (isPrivate) {
+ originAttributes.privateBrowsingId = 1;
+ if (!context.privateBrowsingAllowed) {
+ throw new ExtensionError(
+ "Extension disallowed access to the private cookies storeId."
+ );
+ }
+ }
+
+ // If any of the originAttributes's keys are deleted, this becomes true.
+ let isPattern = false;
+ if (allowPattern) {
+ // firstPartyDomain is unset / void / string.
+ // If unset, then we default to non-FPI cookies (or if FPI is enabled,
+ // an error is thrown by validateFirstPartyDomain). We are able to detect
+ // whether the property is set due to "omit-key-if-missing" in cookies.json.
+ // If set to a string, we keep the filter.
+ // If set to void (undefined / null), we drop the FPI filter:
+ if ("firstPartyDomain" in details && details.firstPartyDomain == null) {
+ delete originAttributes.firstPartyDomain;
+ isPattern = true;
+ }
+
+ // partitionKey is an object or null.
+ // null implies the default (unpartitioned cookies).
+ // An object is a filter for partitionKey; currently we require topLevelSite
+ // to be set to determine the exact partitionKey. Without it, we drop the
+ // dFPI filter:
+ if (details.partitionKey && details.partitionKey.topLevelSite == null) {
+ delete originAttributes.partitionKey;
+ isPattern = true;
+ }
+ }
+ return { originAttributes, isPattern, isPrivate, storeId };
+};
+
+/**
+ * Query the cookie store for matching cookies.
+ *
+ * @param {object} detailsIn
+ * @param {Array} props Properties the extension is interested in matching against.
+ * The firstPartyDomain / partitionKey / storeId
+ * props are always accounted for.
+ * @param {BaseContext} context The context making the query.
+ * @param {boolean} allowPattern Whether to allow the query to match distinct
+ * origin attributes instead of falling back to
+ * default values. See the oaFromDetails method.
+ */
+const query = function* (detailsIn, props, context, allowPattern) {
+ let details = {};
+ props.forEach(property => {
+ if (detailsIn[property] !== null) {
+ details[property] = detailsIn[property];
+ }
+ });
+
+ let parsedOA;
+ try {
+ parsedOA = oaFromDetails(detailsIn, context, allowPattern);
+ } catch (e) {
+ if (e.message.startsWith("Invalid cookie store id")) {
+ // For backwards-compatibility with previous versions of Firefox, fail
+ // silently (by not returning any results) instead of throwing an error.
+ return;
+ }
+ throw e;
+ }
+ let { originAttributes, isPattern, isPrivate, storeId } = parsedOA;
+
+ if ("domain" in details) {
+ details.domain = details.domain.toLowerCase().replace(/^\./, "");
+ details.domain = dropBracketIfIPv6(details.domain);
+ }
+
+ // We can use getCookiesFromHost for faster searching.
+ let cookies;
+ let host;
+ let url;
+ if ("url" in details) {
+ try {
+ url = new URL(details.url);
+ host = dropBracketIfIPv6(url.hostname);
+ } catch (ex) {
+ // This often happens for about: URLs
+ return;
+ }
+ } else if ("domain" in details) {
+ host = details.domain;
+ }
+
+ if (host && !isPattern) {
+ // getCookiesFromHost is more efficient than getCookiesWithOriginAttributes
+ // if the host and all origin attributes are known.
+ cookies = Services.cookies.getCookiesFromHost(host, originAttributes);
+ } else {
+ cookies = Services.cookies.getCookiesWithOriginAttributes(
+ JSON.stringify(originAttributes),
+ host
+ );
+ }
+
+ // Based on CookieService::GetCookieStringFromHttp
+ function matches(cookie) {
+ function domainMatches(host) {
+ return (
+ cookie.rawHost == host ||
+ (cookie.isDomain && host.endsWith(cookie.host))
+ );
+ }
+
+ function pathMatches(path) {
+ let cookiePath = cookie.path.replace(/\/$/, "");
+
+ if (!path.startsWith(cookiePath)) {
+ return false;
+ }
+
+ // path == cookiePath, but without the redundant string compare.
+ if (path.length == cookiePath.length) {
+ return true;
+ }
+
+ // URL path is a substring of the cookie path, so it matches if, and
+ // only if, the next character is a path delimiter.
+ return path[cookiePath.length] === "/";
+ }
+
+ // "Restricts the retrieved cookies to those that would match the given URL."
+ if (url) {
+ if (!domainMatches(host)) {
+ return false;
+ }
+
+ if (cookie.isSecure && url.protocol != "https:") {
+ return false;
+ }
+
+ if (!pathMatches(url.pathname)) {
+ return false;
+ }
+ }
+
+ if ("name" in details && details.name != cookie.name) {
+ return false;
+ }
+
+ // "Restricts the retrieved cookies to those whose domains match or are subdomains of this one."
+ if ("domain" in details && !isSubdomain(cookie.rawHost, details.domain)) {
+ return false;
+ }
+
+ // "Restricts the retrieved cookies to those whose path exactly matches this string.""
+ if ("path" in details && details.path != cookie.path) {
+ return false;
+ }
+
+ if ("secure" in details && details.secure != cookie.isSecure) {
+ return false;
+ }
+
+ if ("session" in details && details.session != cookie.isSession) {
+ return false;
+ }
+
+ // Check that the extension has permissions for this host.
+ if (!context.extension.allowedOrigins.matchesCookie(cookie)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ for (const cookie of cookies) {
+ if (matches(cookie)) {
+ yield { cookie, isPrivate, storeId };
+ }
+ }
+};
+
+const validateFirstPartyDomain = details => {
+ if (details.firstPartyDomain != null) {
+ return;
+ }
+ if (Services.prefs.getBoolPref("privacy.firstparty.isolate")) {
+ throw new ExtensionError(
+ "First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set."
+ );
+ }
+};
+
+this.cookies = class extends ExtensionAPIPersistent {
+ PERSISTENT_EVENTS = {
+ onChanged({ fire }) {
+ let observer = (subject, topic) => {
+ let notify = (removed, cookie, cause) => {
+ cookie.QueryInterface(Ci.nsICookie);
+
+ if (this.extension.allowedOrigins.matchesCookie(cookie)) {
+ fire.async({
+ removed,
+ cookie: convertCookie({
+ cookie,
+ isPrivate: topic == "private-cookie-changed",
+ }),
+ cause,
+ });
+ }
+ };
+
+ let notification = subject.QueryInterface(Ci.nsICookieNotification);
+ let { cookie } = notification;
+
+ let {
+ COOKIE_DELETED,
+ COOKIE_ADDED,
+ COOKIE_CHANGED,
+ COOKIES_BATCH_DELETED,
+ } = Ci.nsICookieNotification;
+
+ // We do our best effort here to map the incompatible states.
+ switch (notification.action) {
+ case COOKIE_DELETED:
+ notify(true, cookie, "explicit");
+ break;
+ case COOKIE_ADDED:
+ notify(false, cookie, "explicit");
+ break;
+ case COOKIE_CHANGED:
+ notify(true, cookie, "overwrite");
+ notify(false, cookie, "explicit");
+ break;
+ case COOKIES_BATCH_DELETED:
+ let cookieArray = notification.batchDeletedCookies.QueryInterface(
+ Ci.nsIArray
+ );
+ for (let i = 0; i < cookieArray.length; i++) {
+ let cookie = cookieArray.queryElementAt(i, Ci.nsICookie);
+ if (!cookie.isSession && cookie.expiry * 1000 <= Date.now()) {
+ notify(true, cookie, "expired");
+ } else {
+ notify(true, cookie, "evicted");
+ }
+ }
+ break;
+ }
+ };
+
+ const { privateBrowsingAllowed } = this.extension;
+ Services.obs.addObserver(observer, "cookie-changed");
+ if (privateBrowsingAllowed) {
+ Services.obs.addObserver(observer, "private-cookie-changed");
+ }
+ return {
+ unregister() {
+ Services.obs.removeObserver(observer, "cookie-changed");
+ if (privateBrowsingAllowed) {
+ Services.obs.removeObserver(observer, "private-cookie-changed");
+ }
+ },
+ convert(_fire) {
+ fire = _fire;
+ },
+ };
+ },
+ };
+ getAPI(context) {
+ let { extension } = context;
+ let self = {
+ cookies: {
+ get: function (details) {
+ validateFirstPartyDomain(details);
+
+ // TODO bug 1818968: We don't sort by length of path and creation time.
+ let allowed = ["url", "name"];
+ for (let cookie of query(details, allowed, context)) {
+ return Promise.resolve(convertCookie(cookie));
+ }
+
+ // Found no match.
+ return Promise.resolve(null);
+ },
+
+ getAll: function (details) {
+ if (!("firstPartyDomain" in details)) {
+ // Check and throw an error if firstPartyDomain is required.
+ validateFirstPartyDomain(details);
+ }
+
+ let allowed = ["url", "name", "domain", "path", "secure", "session"];
+ let result = Array.from(
+ query(details, allowed, context, /* allowPattern = */ true),
+ convertCookie
+ );
+
+ return Promise.resolve(result);
+ },
+
+ set: function (details) {
+ validateFirstPartyDomain(details);
+ if (details.firstPartyDomain && details.partitionKey) {
+ // FPI and dFPI are mutually exclusive, so it does not make sense
+ // to accept non-empty (i.e. non-default) values for both.
+ throw new ExtensionError(
+ "Partitioned cookies cannot have a 'firstPartyDomain' attribute."
+ );
+ }
+
+ let uri = Services.io.newURI(details.url);
+
+ let path;
+ if (details.path !== null) {
+ path = details.path;
+ } else {
+ // This interface essentially emulates the behavior of the
+ // Set-Cookie header. In the case of an omitted path, the cookie
+ // service uses the directory path of the requesting URL, ignoring
+ // any filename or query parameters.
+ path = uri.QueryInterface(Ci.nsIURL).directory;
+ }
+
+ let name = details.name !== null ? details.name : "";
+ let value = details.value !== null ? details.value : "";
+ let secure = details.secure !== null ? details.secure : false;
+ let httpOnly = details.httpOnly !== null ? details.httpOnly : false;
+ let isSession = details.expirationDate === null;
+ let expiry = isSession
+ ? Number.MAX_SAFE_INTEGER
+ : details.expirationDate;
+
+ let { originAttributes } = oaFromDetails(details, context);
+
+ let cookieAttrs = {
+ host: details.domain,
+ path: path,
+ isSecure: secure,
+ };
+ if (!checkSetCookiePermissions(extension, uri, cookieAttrs)) {
+ return Promise.reject({
+ message: `Permission denied to set cookie ${JSON.stringify(
+ details
+ )}`,
+ });
+ }
+
+ let sameSite = SAME_SITE_STATUSES.indexOf(details.sameSite);
+
+ let schemeType = Ci.nsICookie.SCHEME_UNSET;
+ if (uri.scheme === "https") {
+ schemeType = Ci.nsICookie.SCHEME_HTTPS;
+ } else if (uri.scheme === "http") {
+ schemeType = Ci.nsICookie.SCHEME_HTTP;
+ } else if (uri.scheme === "file") {
+ schemeType = Ci.nsICookie.SCHEME_FILE;
+ }
+
+ // The permission check may have modified the domain, so use
+ // the new value instead.
+ Services.cookies.add(
+ cookieAttrs.host,
+ path,
+ name,
+ value,
+ secure,
+ httpOnly,
+ isSession,
+ expiry,
+ originAttributes,
+ sameSite,
+ schemeType
+ );
+
+ return self.cookies.get(details);
+ },
+
+ remove: function (details) {
+ validateFirstPartyDomain(details);
+
+ let allowed = ["url", "name"];
+ for (let { cookie, storeId } of query(details, allowed, context)) {
+ Services.cookies.remove(
+ cookie.host,
+ cookie.name,
+ cookie.path,
+ cookie.originAttributes
+ );
+
+ // TODO Bug 1387957: could there be multiple per subdomain?
+ return Promise.resolve({
+ url: details.url,
+ name: details.name,
+ storeId,
+ firstPartyDomain: cookie.originAttributes.firstPartyDomain,
+ partitionKey: toExtPartitionKey(
+ cookie.originAttributes.partitionKey
+ ),
+ });
+ }
+
+ return Promise.resolve(null);
+ },
+
+ getAllCookieStores: function () {
+ let data = {};
+ for (let tab of extension.tabManager.query()) {
+ if (!(tab.cookieStoreId in data)) {
+ data[tab.cookieStoreId] = [];
+ }
+ data[tab.cookieStoreId].push(tab.id);
+ }
+
+ let result = [];
+ for (let key in data) {
+ result.push({
+ id: key,
+ tabIds: data[key],
+ incognito: key == PRIVATE_STORE,
+ });
+ }
+ return Promise.resolve(result);
+ },
+
+ onChanged: new EventManager({
+ context,
+ module: "cookies",
+ event: "onChanged",
+ extensionApi: this,
+ }).api(),
+ },
+ };
+
+ return self;
+ }
+};