diff options
Diffstat (limited to 'dom/base/nsContentPolicyUtils.h')
-rw-r--r-- | dom/base/nsContentPolicyUtils.h | 323 |
1 files changed, 323 insertions, 0 deletions
diff --git a/dom/base/nsContentPolicyUtils.h b/dom/base/nsContentPolicyUtils.h new file mode 100644 index 0000000000..0581800966 --- /dev/null +++ b/dom/base/nsContentPolicyUtils.h @@ -0,0 +1,323 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Utility routines for checking content load/process policy settings, + * and routines helpful for content policy implementors. + * + * XXXbz it would be nice if some of this stuff could be out-of-lined in + * nsContentUtils. That would work for almost all the callers... + */ + +#ifndef __nsContentPolicyUtils_h__ +#define __nsContentPolicyUtils_h__ + +#include "mozilla/BasePrincipal.h" + +#include "nsContentUtils.h" +#include "nsIContentPolicy.h" +#include "nsIContent.h" +#include "nsIURI.h" +#include "nsServiceManagerUtils.h" +#include "nsStringFwd.h" +#include "mozilla/dom/nsCSPService.h" + +// XXXtw sadly, this makes consumers of nsContentPolicyUtils depend on widget +#include "mozilla/dom/Document.h" +#include "nsPIDOMWindow.h" + +#define NS_CONTENTPOLICY_CONTRACTID "@mozilla.org/layout/content-policy;1" +#define NS_CONTENTPOLICY_CATEGORY "content-policy" +#define NS_CONTENTPOLICY_CID \ + { \ + 0x0e3afd3d, 0xeb60, 0x4c2b, { \ + 0x96, 0x3b, 0x56, 0xd7, 0xc4, 0x39, 0xf1, 0x24 \ + } \ + } + +/** + * Evaluates to true if val is ACCEPT. + * + * @param val the status returned from shouldProcess/shouldLoad + */ +#define NS_CP_ACCEPTED(val) ((val) == nsIContentPolicy::ACCEPT) + +/** + * Evaluates to true if val is a REJECT_* status + * + * @param val the status returned from shouldProcess/shouldLoad + */ +#define NS_CP_REJECTED(val) ((val) != nsIContentPolicy::ACCEPT) + +// Offer convenient translations of constants -> const char* + +// convenience macro to reduce some repetative typing... +// name is the name of a constant from this interface +#define CASE_RETURN(name) \ + case nsIContentPolicy::name: \ + return #name + +/** + * Returns a string corresponding to the name of the response constant, or + * "<Unknown Response>" if an unknown response value is given. + * + * The return value is static and must not be freed. + * + * @param response the response code + * @return the name of the given response code + */ +inline const char* NS_CP_ResponseName(int16_t response) { + switch (response) { + CASE_RETURN(REJECT_REQUEST); + CASE_RETURN(REJECT_TYPE); + CASE_RETURN(REJECT_SERVER); + CASE_RETURN(REJECT_OTHER); + CASE_RETURN(ACCEPT); + default: + return "<Unknown Response>"; + } +} + +/** + * Returns a string corresponding to the name of the content type constant, or + * "<Unknown Type>" if an unknown content type value is given. + * + * The return value is static and must not be freed. + * + * @param contentType the content type code + * @return the name of the given content type code + */ +inline const char* NS_CP_ContentTypeName(nsContentPolicyType contentType) { + switch (contentType) { + CASE_RETURN(TYPE_OTHER); + CASE_RETURN(TYPE_SCRIPT); + CASE_RETURN(TYPE_IMAGE); + CASE_RETURN(TYPE_STYLESHEET); + CASE_RETURN(TYPE_OBJECT); + CASE_RETURN(TYPE_DOCUMENT); + CASE_RETURN(TYPE_SUBDOCUMENT); + CASE_RETURN(TYPE_PING); + CASE_RETURN(TYPE_XMLHTTPREQUEST); + CASE_RETURN(TYPE_OBJECT_SUBREQUEST); + CASE_RETURN(TYPE_DTD); + CASE_RETURN(TYPE_FONT); + CASE_RETURN(TYPE_MEDIA); + CASE_RETURN(TYPE_WEBSOCKET); + CASE_RETURN(TYPE_CSP_REPORT); + CASE_RETURN(TYPE_XSLT); + CASE_RETURN(TYPE_BEACON); + CASE_RETURN(TYPE_FETCH); + CASE_RETURN(TYPE_IMAGESET); + CASE_RETURN(TYPE_WEB_MANIFEST); + CASE_RETURN(TYPE_INTERNAL_SCRIPT); + CASE_RETURN(TYPE_INTERNAL_WORKER); + CASE_RETURN(TYPE_INTERNAL_SHARED_WORKER); + CASE_RETURN(TYPE_INTERNAL_EMBED); + CASE_RETURN(TYPE_INTERNAL_OBJECT); + CASE_RETURN(TYPE_INTERNAL_FRAME); + CASE_RETURN(TYPE_INTERNAL_IFRAME); + CASE_RETURN(TYPE_INTERNAL_AUDIO); + CASE_RETURN(TYPE_INTERNAL_VIDEO); + CASE_RETURN(TYPE_INTERNAL_TRACK); + CASE_RETURN(TYPE_INTERNAL_XMLHTTPREQUEST); + CASE_RETURN(TYPE_INTERNAL_EVENTSOURCE); + CASE_RETURN(TYPE_INTERNAL_SERVICE_WORKER); + CASE_RETURN(TYPE_INTERNAL_SCRIPT_PRELOAD); + CASE_RETURN(TYPE_INTERNAL_IMAGE); + CASE_RETURN(TYPE_INTERNAL_IMAGE_PRELOAD); + CASE_RETURN(TYPE_INTERNAL_IMAGE_FAVICON); + CASE_RETURN(TYPE_INTERNAL_STYLESHEET); + CASE_RETURN(TYPE_INTERNAL_STYLESHEET_PRELOAD); + CASE_RETURN(TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS); + CASE_RETURN(TYPE_SAVEAS_DOWNLOAD); + CASE_RETURN(TYPE_SPECULATIVE); + CASE_RETURN(TYPE_INTERNAL_MODULE); + CASE_RETURN(TYPE_INTERNAL_MODULE_PRELOAD); + CASE_RETURN(TYPE_INTERNAL_DTD); + CASE_RETURN(TYPE_INTERNAL_FORCE_ALLOWED_DTD); + CASE_RETURN(TYPE_INTERNAL_AUDIOWORKLET); + CASE_RETURN(TYPE_INTERNAL_PAINTWORKLET); + CASE_RETURN(TYPE_INTERNAL_FONT_PRELOAD); + CASE_RETURN(TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT); + CASE_RETURN(TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT); + CASE_RETURN(TYPE_INTERNAL_FETCH_PRELOAD); + CASE_RETURN(TYPE_UA_FONT); + CASE_RETURN(TYPE_INTERNAL_WORKER_STATIC_MODULE); + CASE_RETURN(TYPE_PROXIED_WEBRTC_MEDIA); + CASE_RETURN(TYPE_WEB_IDENTITY); + CASE_RETURN(TYPE_WEB_TRANSPORT); + CASE_RETURN(TYPE_END); + case nsIContentPolicy::TYPE_INVALID: + break; + // Do not add default: so that compilers can catch the missing case. + } + return "<Unknown Type>"; +} + +#undef CASE_RETURN + +inline const char* NS_CP_ContentTypeName(ExtContentPolicyType contentType) { + return NS_CP_ContentTypeName(static_cast<nsContentPolicyType>(contentType)); +} + +/* Passes on parameters from its "caller"'s context. */ +#define CHECK_CONTENT_POLICY(action) \ + PR_BEGIN_MACRO \ + nsCOMPtr<nsIContentPolicy> policy = \ + do_GetService(NS_CONTENTPOLICY_CONTRACTID); \ + if (!policy) return NS_ERROR_FAILURE; \ + \ + return policy->action(contentLocation, loadInfo, decision); \ + PR_END_MACRO + +/* Passes on parameters from its "caller"'s context. */ +#define CHECK_CONTENT_POLICY_WITH_SERVICE(action, _policy) \ + PR_BEGIN_MACRO \ + return _policy->action(contentLocation, loadInfo, decision); \ + PR_END_MACRO + +/** + * Check whether we can short-circuit this check and bail out. If not, get the + * origin URI to use. + * + * Note: requestOrigin is scoped outside the PR_BEGIN_MACRO/PR_END_MACRO on + * purpose */ +#define CHECK_PRINCIPAL_CSP_AND_DATA(action) \ + PR_BEGIN_MACRO \ + if (loadingPrincipal && loadingPrincipal->IsSystemPrincipal()) { \ + /* We exempt most loads into any document with the system principal \ + * from content policy (except CSP) checks, mostly as an optimization. \ + * Which means that we need to apply this check to the loading principal, \ + * not the principal that triggered the load. */ \ + /* Check CSP for System Privileged pages */ \ + CSPService::ConsultCSP(contentLocation, loadInfo, decision); \ + if (NS_CP_REJECTED(*decision)) { \ + return NS_OK; \ + } \ + if (contentType != nsIContentPolicy::TYPE_DOCUMENT && \ + contentType != nsIContentPolicy::TYPE_UA_FONT) { \ + *decision = nsIContentPolicy::ACCEPT; \ + nsCOMPtr<nsINode> n = do_QueryInterface(context); \ + if (!n) { \ + nsCOMPtr<nsPIDOMWindowOuter> win = do_QueryInterface(context); \ + n = win ? win->GetExtantDoc() : nullptr; \ + } \ + if (n) { \ + mozilla::dom::Document* d = n->OwnerDoc(); \ + if (d->IsLoadedAsData() || d->IsBeingUsedAsImage() || \ + d->IsResourceDoc()) { \ + nsCOMPtr<nsIContentPolicy> dataPolicy = \ + do_GetService("@mozilla.org/data-document-content-policy;1"); \ + if (dataPolicy) { \ + dataPolicy->action(contentLocation, loadInfo, decision); \ + } \ + } \ + } \ + } \ + return NS_OK; \ + } \ + PR_END_MACRO + +/** + * Alias for calling ShouldLoad on the content policy service. Parameters are + * the same as nsIContentPolicy::shouldLoad, except for the loadingPrincipal + * and triggeringPrincipal parameters (which should be non-null if possible, + * and have the same semantics as in nsLoadInfo), and the last parameter, + * which can be used to pass in a pointer to a useful service if the caller + * already has it. The origin URI to pass to shouldLoad will be the URI of + * loadingPrincipal, unless loadingPrincipal is null (in which case a null + * origin URI will be passed). + */ +inline nsresult NS_CheckContentLoadPolicy( + nsIURI* contentLocation, nsILoadInfo* loadInfo, int16_t* decision, + nsIContentPolicy* policyService = nullptr) { + nsIPrincipal* loadingPrincipal = loadInfo->GetLoadingPrincipal(); + nsCOMPtr<nsISupports> context = loadInfo->GetLoadingContext(); + nsContentPolicyType contentType = loadInfo->InternalContentPolicyType(); + CHECK_PRINCIPAL_CSP_AND_DATA(ShouldLoad); + if (policyService) { + CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldLoad, policyService); + } + CHECK_CONTENT_POLICY(ShouldLoad); +} + +/** + * Alias for calling ShouldProcess on the content policy service. + */ +inline nsresult NS_CheckContentProcessPolicy( + nsIURI* contentLocation, nsILoadInfo* loadInfo, int16_t* decision, + nsIContentPolicy* policyService = nullptr) { + nsIPrincipal* loadingPrincipal = loadInfo->GetLoadingPrincipal(); + nsCOMPtr<nsISupports> context = loadInfo->GetLoadingContext(); + nsContentPolicyType contentType = loadInfo->InternalContentPolicyType(); + CHECK_PRINCIPAL_CSP_AND_DATA(ShouldProcess); + if (policyService) { + CHECK_CONTENT_POLICY_WITH_SERVICE(ShouldProcess, policyService); + } + CHECK_CONTENT_POLICY(ShouldProcess); +} + +#undef CHECK_CONTENT_POLICY +#undef CHECK_CONTENT_POLICY_WITH_SERVICE + +/** + * Helper function to get an nsIDocShell given a context. + * If the context is a document or window, the corresponding docshell will be + * returned. + * If the context is a non-document DOM node, the docshell of its ownerDocument + * will be returned. + * + * @param aContext the context to find a docshell for (can be null) + * + * @return a WEAK pointer to the docshell, or nullptr if it could + * not be obtained + * + * @note As of this writing, calls to nsIContentPolicy::Should{Load,Process} + * for TYPE_DOCUMENT and TYPE_SUBDOCUMENT pass in an aContext that either + * points to the frameElement of the window the load is happening in + * (in which case NS_CP_GetDocShellFromContext will return the parent of the + * docshell the load is happening in), or points to the window the load is + * happening in (in which case NS_CP_GetDocShellFromContext will return + * the docshell the load is happening in). It's up to callers to QI aContext + * and handle things accordingly if they want the docshell the load is + * happening in. These are somewhat odd semantics, and bug 466687 has been + * filed to consider improving them. + */ +inline nsIDocShell* NS_CP_GetDocShellFromContext(nsISupports* aContext) { + if (!aContext) { + return nullptr; + } + + nsCOMPtr<nsPIDOMWindowOuter> window = do_QueryInterface(aContext); + + if (!window) { + // Our context might be a document. + nsCOMPtr<mozilla::dom::Document> doc = do_QueryInterface(aContext); + if (!doc) { + // we were not a document after all, get our ownerDocument, + // hopefully + nsCOMPtr<nsIContent> content = do_QueryInterface(aContext); + if (content) { + doc = content->OwnerDoc(); + } + } + + if (doc) { + if (doc->GetDisplayDocument()) { + doc = doc->GetDisplayDocument(); + } + + window = doc->GetWindow(); + } + } + + if (!window) { + return nullptr; + } + + return window->GetDocShell(); +} + +#endif /* __nsContentPolicyUtils_h__ */ |