diff options
Diffstat (limited to 'toolkit/components/antitracking/AntiTrackingUtils.cpp')
| -rw-r--r-- | toolkit/components/antitracking/AntiTrackingUtils.cpp | 1045 |
1 files changed, 1045 insertions, 0 deletions
diff --git a/toolkit/components/antitracking/AntiTrackingUtils.cpp b/toolkit/components/antitracking/AntiTrackingUtils.cpp new file mode 100644 index 0000000000..2c530dc3da --- /dev/null +++ b/toolkit/components/antitracking/AntiTrackingUtils.cpp @@ -0,0 +1,1045 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "AntiTrackingUtils.h" + +#include "AntiTrackingLog.h" +#include "HttpBaseChannel.h" +#include "mozilla/BasePrincipal.h" +#include "mozilla/Components.h" +#include "mozilla/dom/BrowsingContext.h" +#include "mozilla/dom/CanonicalBrowsingContext.h" +#include "mozilla/net/CookieJarSettings.h" +#include "mozilla/LoadInfo.h" +#include "mozilla/dom/Document.h" +#include "mozilla/dom/WindowGlobalParent.h" +#include "mozilla/dom/WindowContext.h" +#include "mozilla/net/NeckoChannelParams.h" +#include "mozilla/PermissionManager.h" +#include "mozIThirdPartyUtil.h" +#include "nsEffectiveTLDService.h" +#include "nsGlobalWindowInner.h" +#include "nsIChannel.h" +#include "nsICookieService.h" +#include "nsIHttpChannel.h" +#include "nsIPermission.h" +#include "nsIURI.h" +#include "nsNetUtil.h" +#include "nsPIDOMWindow.h" +#include "nsQueryObject.h" +#include "nsRFPService.h" +#include "nsSandboxFlags.h" +#include "nsScriptSecurityManager.h" +#include "PartitioningExceptionList.h" + +#define ANTITRACKING_PERM_KEY "3rdPartyStorage" +#define ANTITRACKING_FRAME_PERM_KEY "3rdPartyFrameStorage" + +using namespace mozilla; +using namespace mozilla::dom; + +/* static */ already_AddRefed<nsPIDOMWindowInner> +AntiTrackingUtils::GetInnerWindow(BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + + nsCOMPtr<nsPIDOMWindowOuter> outer = aBrowsingContext->GetDOMWindow(); + if (!outer) { + return nullptr; + } + + nsCOMPtr<nsPIDOMWindowInner> inner = outer->GetCurrentInnerWindow(); + return inner.forget(); +} + +/* static */ already_AddRefed<nsPIDOMWindowOuter> +AntiTrackingUtils::GetTopWindow(nsPIDOMWindowInner* aWindow) { + Document* document = aWindow->GetExtantDoc(); + if (!document) { + return nullptr; + } + + nsIChannel* channel = document->GetChannel(); + if (!channel) { + return nullptr; + } + + nsCOMPtr<nsPIDOMWindowOuter> pwin = + aWindow->GetBrowsingContext()->Top()->GetDOMWindow(); + + if (!pwin) { + return nullptr; + } + + return pwin.forget(); +} + +/* static */ +already_AddRefed<nsIURI> AntiTrackingUtils::MaybeGetDocumentURIBeingLoaded( + nsIChannel* aChannel) { + nsCOMPtr<nsIURI> uriBeingLoaded; + nsLoadFlags loadFlags = 0; + nsresult rv = aChannel->GetLoadFlags(&loadFlags); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nullptr; + } + if (loadFlags & nsIChannel::LOAD_DOCUMENT_URI) { + // If the channel being loaded is a document channel, this call may be + // coming from an OnStopRequest notification, which might mean that our + // document may still be in the loading process, so we may need to pass in + // the uriBeingLoaded argument explicitly. + rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uriBeingLoaded)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nullptr; + } + } + return uriBeingLoaded.forget(); +} + +// static +void AntiTrackingUtils::CreateStoragePermissionKey( + const nsACString& aTrackingOrigin, nsACString& aPermissionKey) { + MOZ_ASSERT(aPermissionKey.IsEmpty()); + + static const nsLiteralCString prefix = + nsLiteralCString(ANTITRACKING_PERM_KEY "^"); + + aPermissionKey.SetCapacity(prefix.Length() + aTrackingOrigin.Length()); + aPermissionKey.Append(prefix); + aPermissionKey.Append(aTrackingOrigin); +} + +// static +bool AntiTrackingUtils::CreateStoragePermissionKey(nsIPrincipal* aPrincipal, + nsACString& aKey) { + if (!aPrincipal) { + return false; + } + + nsAutoCString origin; + nsresult rv = aPrincipal->GetOriginNoSuffix(origin); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + CreateStoragePermissionKey(origin, aKey); + return true; +} + +// static +void AntiTrackingUtils::CreateStorageFramePermissionKey( + const nsACString& aTrackingSite, nsACString& aPermissionKey) { + MOZ_ASSERT(aPermissionKey.IsEmpty()); + + static const nsLiteralCString prefix = + nsLiteralCString(ANTITRACKING_FRAME_PERM_KEY "^"); + + aPermissionKey.SetCapacity(prefix.Length() + aTrackingSite.Length()); + aPermissionKey.Append(prefix); + aPermissionKey.Append(aTrackingSite); +} + +// static +bool AntiTrackingUtils::CreateStorageFramePermissionKey( + nsIPrincipal* aPrincipal, nsACString& aKey) { + MOZ_ASSERT(aPrincipal); + + nsAutoCString site; + nsresult rv = aPrincipal->GetSiteOriginNoSuffix(site); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + CreateStorageFramePermissionKey(site, aKey); + return true; +} + +// static +bool AntiTrackingUtils::CreateStorageRequestPermissionKey( + nsIURI* aURI, nsACString& aPermissionKey) { + MOZ_ASSERT(aPermissionKey.IsEmpty()); + RefPtr<nsEffectiveTLDService> eTLDService = + nsEffectiveTLDService::GetInstance(); + if (!eTLDService) { + return false; + } + nsCString site; + nsresult rv = eTLDService->GetSite(aURI, site); + if (NS_FAILED(rv)) { + return false; + } + static const nsLiteralCString prefix = + nsLiteralCString("AllowStorageAccessRequest^"); + aPermissionKey.SetCapacity(prefix.Length() + site.Length()); + aPermissionKey.Append(prefix); + aPermissionKey.Append(site); + return true; +} + +// static +bool AntiTrackingUtils::IsStorageAccessPermission(nsIPermission* aPermission, + nsIPrincipal* aPrincipal) { + MOZ_ASSERT(aPermission); + MOZ_ASSERT(aPrincipal); + + // The permission key may belong either to a tracking origin on the same + // origin as the granted origin, or on another origin as the granted origin + // (for example when a tracker in a third-party context uses window.open to + // open another origin where that second origin would be the granted origin.) + // But even in the second case, the type of the permission would still be + // formed by concatenating the granted origin to the end of the type name + // (see CreatePermissionKey). Therefore, we pass in the same argument to + // both tracking origin and granted origin here in order to compute the + // shorter permission key and will then do a prefix match on the type of the + // input permission to see if it is a storage access permission or not. + nsAutoCString permissionKey; + bool result = CreateStoragePermissionKey(aPrincipal, permissionKey); + if (NS_WARN_IF(!result)) { + return false; + } + + nsAutoCString type; + nsresult rv = aPermission->GetType(type); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + return StringBeginsWith(type, permissionKey); +} + +// static +Maybe<size_t> AntiTrackingUtils::CountSitesAllowStorageAccess( + nsIPrincipal* aPrincipal) { + PermissionManager* permManager = PermissionManager::GetInstance(); + if (NS_WARN_IF(!permManager)) { + return Nothing(); + } + + nsAutoCString prefix; + AntiTrackingUtils::CreateStoragePermissionKey(aPrincipal, prefix); + nsAutoCString framePrefix; + AntiTrackingUtils::CreateStorageFramePermissionKey(aPrincipal, framePrefix); + + using Permissions = nsTArray<RefPtr<nsIPermission>>; + Permissions perms; + nsresult rv = permManager->GetAllWithTypePrefix(prefix, perms); + if (NS_WARN_IF(NS_FAILED(rv))) { + return Nothing(); + } + Permissions framePermissions; + rv = permManager->GetAllWithTypePrefix(framePrefix, framePermissions); + if (NS_WARN_IF(NS_FAILED(rv))) { + return Nothing(); + } + if (!perms.AppendElements(framePermissions, fallible)) { + return Nothing(); + } + + // Create a set of unique origins + using Sites = nsTArray<nsCString>; + Sites sites; + + // Iterate over all permissions that have a prefix equal to the expected + // permission we are looking for. This includes two things we need to remove: + // duplicates and origin strings that have a prefix of aPrincipal's origin + // string, e.g. https://example.company when aPrincipal is + // https://example.com. + for (const auto& perm : perms) { + nsAutoCString type; + rv = perm->GetType(type); + if (NS_WARN_IF(NS_FAILED(rv))) { + return Nothing(); + } + + // Let's make sure that we're not looking at a permission for + // https://exampletracker.company when we mean to look for the + // permission for https://exampletracker.com! + if (type != prefix && type != framePrefix) { + continue; + } + + nsCOMPtr<nsIPrincipal> principal; + rv = perm->GetPrincipal(getter_AddRefs(principal)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return Nothing(); + } + + nsAutoCString site; + rv = principal->GetSiteOrigin(site); + if (NS_WARN_IF(NS_FAILED(rv))) { + return Nothing(); + } + + ToLowerCase(site); + + // Append if it would not be a duplicate + if (sites.IndexOf(site) == Sites::NoIndex) { + sites.AppendElement(site); + } + } + + return Some(sites.Length()); +} + +// static +bool AntiTrackingUtils::CheckStoragePermission(nsIPrincipal* aPrincipal, + const nsAutoCString& aType, + bool aIsInPrivateBrowsing, + uint32_t* aRejectedReason, + uint32_t aBlockedReason) { + PermissionManager* permManager = PermissionManager::GetInstance(); + if (NS_WARN_IF(!permManager)) { + LOG(("Failed to obtain the permission manager")); + return false; + } + + uint32_t result = 0; + if (aIsInPrivateBrowsing) { + LOG_PRIN(("Querying the permissions for private modei looking for a " + "permission of type %s for %s", + aType.get(), _spec), + aPrincipal); + if (!permManager->PermissionAvailable(aPrincipal, aType)) { + LOG( + ("Permission isn't available for this principal in the current " + "process")); + return false; + } + nsTArray<RefPtr<nsIPermission>> permissions; + nsresult rv = permManager->GetAllForPrincipal(aPrincipal, permissions); + if (NS_WARN_IF(NS_FAILED(rv))) { + LOG(("Failed to get the list of permissions")); + return false; + } + + bool found = false; + for (const auto& permission : permissions) { + if (!permission) { + LOG(("Couldn't get the permission for unknown reasons")); + continue; + } + + nsAutoCString permissionType; + if (NS_SUCCEEDED(permission->GetType(permissionType)) && + permissionType != aType) { + LOG(("Non-matching permission type: %s", aType.get())); + continue; + } + + uint32_t capability = 0; + if (NS_SUCCEEDED(permission->GetCapability(&capability)) && + capability != nsIPermissionManager::ALLOW_ACTION) { + LOG(("Non-matching permission capability: %d", capability)); + continue; + } + + uint32_t expirationType = 0; + if (NS_SUCCEEDED(permission->GetExpireType(&expirationType)) && + expirationType != nsIPermissionManager ::EXPIRE_SESSION) { + LOG(("Non-matching permission expiration type: %d", expirationType)); + continue; + } + + int64_t expirationTime = 0; + if (NS_SUCCEEDED(permission->GetExpireTime(&expirationTime)) && + expirationTime != 0) { + LOG(("Non-matching permission expiration time: %" PRId64, + expirationTime)); + continue; + } + + LOG(("Found a matching permission")); + found = true; + break; + } + + if (!found) { + if (aRejectedReason) { + *aRejectedReason = aBlockedReason; + } + return false; + } + } else { + nsresult rv = permManager->TestPermissionWithoutDefaultsFromPrincipal( + aPrincipal, aType, &result); + if (NS_WARN_IF(NS_FAILED(rv))) { + LOG(("Failed to test the permission")); + return false; + } + + LOG_PRIN( + ("Testing permission type %s for %s resulted in %d (%s)", aType.get(), + _spec, int(result), + result == nsIPermissionManager::ALLOW_ACTION ? "success" : "failure"), + aPrincipal); + + if (result != nsIPermissionManager::ALLOW_ACTION) { + if (aRejectedReason) { + *aRejectedReason = aBlockedReason; + } + return false; + } + } + + return true; +} + +/* static */ +nsresult AntiTrackingUtils::TestStoragePermissionInParent( + nsIPrincipal* aTopPrincipal, nsIPrincipal* aPrincipal, uint32_t* aResult) { + NS_ENSURE_ARG(aResult); + *aResult = nsIPermissionManager::UNKNOWN_ACTION; + NS_ENSURE_ARG(aTopPrincipal); + NS_ENSURE_ARG(aPrincipal); + + nsCOMPtr<nsIPermissionManager> permMgr = + components::PermissionManager::Service(); + NS_ENSURE_TRUE(permMgr, NS_ERROR_FAILURE); + + // Build the permission keys + nsAutoCString requestPermissionKey; + bool success = AntiTrackingUtils::CreateStoragePermissionKey( + aPrincipal, requestPermissionKey); + NS_ENSURE_TRUE(success, NS_ERROR_FAILURE); + + nsAutoCString requestFramePermissionKey; + success = AntiTrackingUtils::CreateStorageFramePermissionKey( + aPrincipal, requestFramePermissionKey); + NS_ENSURE_TRUE(success, NS_ERROR_FAILURE); + + // Test the permission + uint32_t access = nsIPermissionManager::UNKNOWN_ACTION; + nsresult rv = permMgr->TestPermissionFromPrincipal( + aTopPrincipal, requestPermissionKey, &access); + NS_ENSURE_SUCCESS(rv, rv); + + if (access != nsIPermissionManager::UNKNOWN_ACTION) { + *aResult = access; + return NS_OK; + } + + uint32_t frameAccess = nsIPermissionManager::UNKNOWN_ACTION; + rv = permMgr->TestPermissionFromPrincipal( + aTopPrincipal, requestFramePermissionKey, &frameAccess); + NS_ENSURE_SUCCESS(rv, rv); + + *aResult = frameAccess; + return NS_OK; +} + +/* static */ +nsILoadInfo::StoragePermissionState +AntiTrackingUtils::GetStoragePermissionStateInParent(nsIChannel* aChannel) { + MOZ_ASSERT(aChannel); + MOZ_DIAGNOSTIC_ASSERT(XRE_IsParentProcess()); + + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + nsCOMPtr<nsICookieJarSettings> cookieJarSettings; + + auto policyType = loadInfo->GetExternalContentPolicyType(); + + // The channel is for the document load of the top-level window. The top-level + // window should always has 'hasStoragePermission' flag as false. So, we can + // return here directly. + if (policyType == ExtContentPolicy::TYPE_DOCUMENT) { + return nsILoadInfo::NoStoragePermission; + } + + nsresult rv = + loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsILoadInfo::NoStoragePermission; + } + + int32_t cookieBehavior = cookieJarSettings->GetCookieBehavior(); + + // We only need to check the storage permission if the cookie behavior is + // BEHAVIOR_REJECT_TRACKER, BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN or + // BEHAVIOR_REJECT_FOREIGN with exceptions. Because ContentBlocking wouldn't + // update or check the storage permission if the cookie behavior is not + // belongs to these three. + if (!net::CookieJarSettings::IsRejectThirdPartyContexts(cookieBehavior)) { + return nsILoadInfo::NoStoragePermission; + } + + RefPtr<BrowsingContext> bc; + rv = loadInfo->GetTargetBrowsingContext(getter_AddRefs(bc)); + if (NS_WARN_IF(NS_FAILED(rv)) || !bc) { + return nsILoadInfo::NoStoragePermission; + } + + uint64_t targetWindowId = GetTopLevelAntiTrackingWindowId(bc); + nsCOMPtr<nsIPrincipal> targetPrincipal; + + if (targetWindowId) { + RefPtr<WindowGlobalParent> wgp = + WindowGlobalParent::GetByInnerWindowId(targetWindowId); + + if (NS_WARN_IF(!wgp)) { + return nsILoadInfo::NoStoragePermission; + } + + targetPrincipal = wgp->DocumentPrincipal(); + } else { + // We try to use the loading principal if there is no AntiTrackingWindowId. + targetPrincipal = loadInfo->GetLoadingPrincipal(); + } + + if (!targetPrincipal) { + nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel); + + if (httpChannel) { + // We don't have a loading principal, let's see if this is a document + // channel which belongs to a top-level window. + bool isDocument = false; + rv = httpChannel->GetIsMainDocumentChannel(&isDocument); + if (NS_SUCCEEDED(rv) && isDocument) { + nsIScriptSecurityManager* ssm = + nsScriptSecurityManager::GetScriptSecurityManager(); + Unused << ssm->GetChannelResultPrincipal( + aChannel, getter_AddRefs(targetPrincipal)); + } + } + } + + // Let's use the triggering principal if we still have nothing on the hand. + if (!targetPrincipal) { + targetPrincipal = loadInfo->TriggeringPrincipal(); + } + + // Cannot get the target principal, bail out. + if (NS_WARN_IF(!targetPrincipal)) { + return nsILoadInfo::NoStoragePermission; + } + + nsCOMPtr<nsIURI> trackingURI; + rv = aChannel->GetURI(getter_AddRefs(trackingURI)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsILoadInfo::NoStoragePermission; + } + + nsCOMPtr<nsIPrincipal> trackingPrincipal = + BasePrincipal::CreateContentPrincipal(trackingURI, + loadInfo->GetOriginAttributes()); + + if (IsThirdPartyChannel(aChannel)) { + nsAutoCString targetOrigin; + nsAutoCString trackingOrigin; + if (NS_FAILED(targetPrincipal->GetOriginNoSuffix(targetOrigin)) || + NS_FAILED(trackingPrincipal->GetOriginNoSuffix(trackingOrigin))) { + return nsILoadInfo::NoStoragePermission; + } + + if (PartitioningExceptionList::Check(targetOrigin, trackingOrigin)) { + return nsILoadInfo::StoragePermissionAllowListed; + } + } + + nsAutoCString type; + AntiTrackingUtils::CreateStoragePermissionKey(trackingPrincipal, type); + + uint32_t unusedReason = 0; + + if (AntiTrackingUtils::CheckStoragePermission(targetPrincipal, type, + NS_UsePrivateBrowsing(aChannel), + &unusedReason, unusedReason)) { + return nsILoadInfo::HasStoragePermission; + } + + WindowContext* wc = bc->GetCurrentWindowContext(); + if (!wc) { + return nsILoadInfo::NoStoragePermission; + } + WindowGlobalParent* wgp = wc->Canonical(); + if (!wgp) { + return nsILoadInfo::NoStoragePermission; + } + nsIPrincipal* framePrincipal = wgp->DocumentPrincipal(); + if (!framePrincipal) { + return nsILoadInfo::NoStoragePermission; + } + + if (policyType == ExtContentPolicy::TYPE_SUBDOCUMENT) { + // For loads of framed documents, we only use storage access + // if the load is the result of a same-origin, self-initiated + // navigation of the frame. + uint64_t targetWindowIdNoTop = bc->GetCurrentInnerWindowId(); + uint64_t triggeringWindowId; + rv = loadInfo->GetTriggeringWindowId(&triggeringWindowId); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsILoadInfo::NoStoragePermission; + } + bool triggeringWindowHasStorageAccess; + rv = + loadInfo->GetTriggeringStorageAccess(&triggeringWindowHasStorageAccess); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsILoadInfo::NoStoragePermission; + } + RefPtr<net::HttpBaseChannel> httpChannel = do_QueryObject(aChannel); + + if (targetWindowIdNoTop == triggeringWindowId && + triggeringWindowHasStorageAccess && + trackingPrincipal->Equals(framePrincipal) && httpChannel && + !httpChannel->HasRedirectTaintedOrigin()) { + return nsILoadInfo::HasStoragePermission; + } + } else if (!bc->IsTop()) { + // For subframe resources, check if the document has storage access + // and that the resource being loaded is same-site to the page. + bool isThirdParty = true; + nsresult rv = framePrincipal->IsThirdPartyURI(trackingURI, &isThirdParty); + if (NS_SUCCEEDED(rv) && wc->GetUsingStorageAccess() && !isThirdParty) { + return nsILoadInfo::HasStoragePermission; + } + } + + return nsILoadInfo::NoStoragePermission; +} + +uint64_t AntiTrackingUtils::GetTopLevelAntiTrackingWindowId( + BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + + RefPtr<WindowContext> winContext = + aBrowsingContext->GetCurrentWindowContext(); + if (!winContext || winContext->GetCookieBehavior().isNothing()) { + return 0; + } + + // Do not check BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN her because when + // a third-party subresource is inside the main frame, we need to return the + // top-level window id to partition its cookies correctly. + uint32_t behavior = *winContext->GetCookieBehavior(); + if (behavior == nsICookieService::BEHAVIOR_REJECT_TRACKER && + aBrowsingContext->IsTop()) { + return 0; + } + + return aBrowsingContext->Top()->GetCurrentInnerWindowId(); +} + +uint64_t AntiTrackingUtils::GetTopLevelStorageAreaWindowId( + BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + + if (Document::StorageAccessSandboxed(aBrowsingContext->GetSandboxFlags())) { + return 0; + } + + BrowsingContext* parentBC = aBrowsingContext->GetParent(); + if (!parentBC) { + // No parent browsing context available! + return 0; + } + + if (!parentBC->IsTop()) { + return 0; + } + + return parentBC->GetCurrentInnerWindowId(); +} + +/* static */ +already_AddRefed<nsIPrincipal> AntiTrackingUtils::GetPrincipal( + BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + + nsCOMPtr<nsIPrincipal> principal; + + if (XRE_IsContentProcess()) { + // Passing an out-of-process browsing context in child processes to + // this API won't get any result, so just assert. + MOZ_ASSERT(aBrowsingContext->IsInProcess()); + + nsPIDOMWindowOuter* outer = aBrowsingContext->GetDOMWindow(); + if (NS_WARN_IF(!outer)) { + return nullptr; + } + + nsPIDOMWindowInner* inner = outer->GetCurrentInnerWindow(); + if (NS_WARN_IF(!inner)) { + return nullptr; + } + + principal = nsGlobalWindowInner::Cast(inner)->GetPrincipal(); + } else { + WindowGlobalParent* wgp = + aBrowsingContext->Canonical()->GetCurrentWindowGlobal(); + if (NS_WARN_IF(!wgp)) { + return nullptr; + } + + principal = wgp->DocumentPrincipal(); + } + return principal.forget(); +} + +/* static */ +bool AntiTrackingUtils::GetPrincipalAndTrackingOrigin( + BrowsingContext* aBrowsingContext, nsIPrincipal** aPrincipal, + nsACString& aTrackingOrigin) { + MOZ_ASSERT(aBrowsingContext); + + // Passing an out-of-process browsing context in child processes to + // this API won't get any result, so just assert. + MOZ_ASSERT_IF(XRE_IsContentProcess(), aBrowsingContext->IsInProcess()); + + // Let's take the principal and the origin of the tracker. + nsCOMPtr<nsIPrincipal> principal = + AntiTrackingUtils::GetPrincipal(aBrowsingContext); + if (NS_WARN_IF(!principal)) { + return false; + } + + nsresult rv = principal->GetOriginNoSuffix(aTrackingOrigin); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + if (aPrincipal) { + principal.forget(aPrincipal); + } + + return true; +}; + +/* static */ +uint32_t AntiTrackingUtils::GetCookieBehavior( + BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + + RefPtr<dom::WindowContext> win = aBrowsingContext->GetCurrentWindowContext(); + if (!win || win->GetCookieBehavior().isNothing()) { + return nsICookieService::BEHAVIOR_REJECT; + } + + return *win->GetCookieBehavior(); +} + +/* static */ +already_AddRefed<WindowGlobalParent> +AntiTrackingUtils::GetTopWindowExcludingExtensionAccessibleContentFrames( + CanonicalBrowsingContext* aBrowsingContext, nsIURI* aURIBeingLoaded) { + MOZ_ASSERT(XRE_IsParentProcess()); + MOZ_ASSERT(aBrowsingContext); + + CanonicalBrowsingContext* bc = aBrowsingContext; + RefPtr<WindowGlobalParent> prev; + while (RefPtr<WindowGlobalParent> parent = bc->GetParentWindowContext()) { + CanonicalBrowsingContext* parentBC = parent->BrowsingContext(); + + nsIPrincipal* parentPrincipal = parent->DocumentPrincipal(); + nsIURI* uri = prev ? prev->GetDocumentURI() : aURIBeingLoaded; + + // If the new parent has permission to load the current page, we're + // at a moz-extension:// frame which has a host permission that allows + // it to load the document that we've loaded. In that case, stop at + // this frame and consider it the top-level frame. + if (uri && + BasePrincipal::Cast(parentPrincipal)->AddonAllowsLoad(uri, true)) { + break; + } + + bc = parentBC; + prev = parent; + } + if (!prev) { + prev = bc->GetCurrentWindowGlobal(); + } + return prev.forget(); +} + +/* static */ +void AntiTrackingUtils::ComputeIsThirdPartyToTopWindow(nsIChannel* aChannel) { + MOZ_ASSERT(aChannel); + MOZ_ASSERT(XRE_IsParentProcess()); + + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + + // When a top-level load is opened by window.open, BrowsingContext from + // LoadInfo is its opener, which may make the third-party caculation code + // below returns an incorrect result. So we use TYPE_DOCUMENT to + // ensure a top-level load is not considered 3rd-party. + auto policyType = loadInfo->GetExternalContentPolicyType(); + if (policyType == ExtContentPolicy::TYPE_DOCUMENT) { + loadInfo->SetIsThirdPartyContextToTopWindow(false); + return; + } + + RefPtr<BrowsingContext> bc; + loadInfo->GetBrowsingContext(getter_AddRefs(bc)); + + nsCOMPtr<nsIURI> uri; + Unused << aChannel->GetURI(getter_AddRefs(uri)); + + // In some cases we don't have a browsingContext. For example, in xpcshell + // tests, channels that are used to download images and channels for loading + // worker script. + if (!bc) { + // If the flag was set before, we don't need to compute again. This could + // happen for the channels used to load worker scripts. + // + // Note that we cannot stop computing the flag in general even it has set + // before because sometimes we need to get the up-to-date flag, e.g. + // redirects. + if (static_cast<net::LoadInfo*>(loadInfo.get()) + ->HasIsThirdPartyContextToTopWindowSet()) { + return; + } + + // We turn to check the loading principal if there is no browsing context. + auto* loadingPrincipal = + BasePrincipal::Cast(loadInfo->GetLoadingPrincipal()); + + if (uri && loadingPrincipal) { + bool isThirdParty = true; + nsresult rv = loadingPrincipal->IsThirdPartyURI(uri, &isThirdParty); + + if (NS_SUCCEEDED(rv)) { + loadInfo->SetIsThirdPartyContextToTopWindow(isThirdParty); + } + } + return; + } + + RefPtr<WindowGlobalParent> topWindow = + GetTopWindowExcludingExtensionAccessibleContentFrames(bc->Canonical(), + uri); + + if (NS_WARN_IF(!topWindow)) { + return; + } + + nsCOMPtr<nsIPrincipal> topWindowPrincipal = topWindow->DocumentPrincipal(); + if (topWindowPrincipal && !topWindowPrincipal->GetIsNullPrincipal()) { + auto* basePrin = BasePrincipal::Cast(topWindowPrincipal); + bool isThirdParty = true; + + // For about:blank and about:srcdoc, we can't just compare uri to determine + // whether the page is third-party, so we use channel result principal + // instead. By doing this, an the resource inherits the principal from + // its parent is considered not a third-party. + if (NS_IsAboutBlank(uri) || NS_IsAboutSrcdoc(uri)) { + nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); + if (NS_WARN_IF(!ssm)) { + return; + } + + nsCOMPtr<nsIPrincipal> principal; + nsresult rv = + ssm->GetChannelResultPrincipal(aChannel, getter_AddRefs(principal)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return; + } + + basePrin->IsThirdPartyPrincipal(principal, &isThirdParty); + } else { + basePrin->IsThirdPartyURI(uri, &isThirdParty); + } + + loadInfo->SetIsThirdPartyContextToTopWindow(isThirdParty); + } +} + +/* static */ +bool AntiTrackingUtils::IsThirdPartyChannel(nsIChannel* aChannel) { + MOZ_ASSERT(aChannel); + + // We only care whether the channel is 3rd-party with respect to + // the top-level. + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + return loadInfo->GetIsThirdPartyContextToTopWindow(); +} + +/* static */ +bool AntiTrackingUtils::IsThirdPartyWindow(nsPIDOMWindowInner* aWindow, + nsIURI* aURI) { + MOZ_ASSERT(aWindow); + + // We assume that the window is foreign to the URI by default. + bool thirdParty = true; + + // We will skip checking URIs for about:blank and about:srcdoc because they + // have no domain. So, comparing them will always fail. + if (aURI && !NS_IsAboutBlank(aURI) && !NS_IsAboutSrcdoc(aURI)) { + nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = + do_QueryInterface(aWindow); + if (!scriptObjPrin) { + return thirdParty; + } + + nsCOMPtr<nsIPrincipal> prin = scriptObjPrin->GetPrincipal(); + if (!prin) { + return thirdParty; + } + + // Determine whether aURI is foreign with respect to the current principal. + nsresult rv = prin->IsThirdPartyURI(aURI, &thirdParty); + if (NS_FAILED(rv)) { + return thirdParty; + } + + if (thirdParty) { + return thirdParty; + } + } + + RefPtr<Document> doc = aWindow->GetDoc(); + if (!doc) { + // If we can't get the document from the window, ex, about:blank, fallback + // to use IsThirdPartyWindow check that examine the whole hierarchy. + nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil = + components::ThirdPartyUtil::Service(); + Unused << thirdPartyUtil->IsThirdPartyWindow(aWindow->GetOuterWindow(), + nullptr, &thirdParty); + return thirdParty; + } + + return IsThirdPartyDocument(doc); +} + +/* static */ +bool AntiTrackingUtils::IsThirdPartyDocument(Document* aDocument) { + MOZ_ASSERT(aDocument); + if (!aDocument->GetChannel()) { + // If we can't get the channel from the document, i.e. initial about:blank + // page, we use the browsingContext of the document to check if it's in the + // third-party context. If the browsing context is still not available, we + // will treat the window as third-party. + RefPtr<BrowsingContext> bc = aDocument->GetBrowsingContext(); + return bc ? IsThirdPartyContext(bc) : true; + } + + // We only care whether the channel is 3rd-party with respect to + // the top-level. + nsCOMPtr<nsILoadInfo> loadInfo = aDocument->GetChannel()->LoadInfo(); + return loadInfo->GetIsThirdPartyContextToTopWindow(); +} + +/* static */ +bool AntiTrackingUtils::IsThirdPartyContext(BrowsingContext* aBrowsingContext) { + MOZ_ASSERT(aBrowsingContext); + MOZ_ASSERT(aBrowsingContext->IsInProcess()); + + if (aBrowsingContext->IsTopContent()) { + return false; + } + + // If the top browsing context is not in the same process, it's cross-origin. + if (!aBrowsingContext->Top()->IsInProcess()) { + return true; + } + + nsIDocShell* docShell = aBrowsingContext->GetDocShell(); + if (!docShell) { + return true; + } + Document* doc = docShell->GetExtantDocument(); + if (!doc) { + return true; + } + nsIPrincipal* principal = doc->NodePrincipal(); + + nsIDocShell* topDocShell = aBrowsingContext->Top()->GetDocShell(); + if (!topDocShell) { + return true; + } + Document* topDoc = topDocShell->GetDocument(); + if (!topDoc) { + return true; + } + nsIPrincipal* topPrincipal = topDoc->NodePrincipal(); + + auto* topBasePrin = BasePrincipal::Cast(topPrincipal); + bool isThirdParty = true; + + topBasePrin->IsThirdPartyPrincipal(principal, &isThirdParty); + + return isThirdParty; +} + +/* static */ +nsCString AntiTrackingUtils::GrantedReasonToString( + ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason) { + switch (aReason) { + case ContentBlockingNotifier::eOpener: + return "opener"_ns; + case ContentBlockingNotifier::eOpenerAfterUserInteraction: + return "user interaction"_ns; + default: + return "stroage access API"_ns; + } +} + +/* static */ +void AntiTrackingUtils::UpdateAntiTrackingInfoForChannel(nsIChannel* aChannel) { + MOZ_ASSERT(aChannel); + + if (!XRE_IsParentProcess()) { + return; + } + + MOZ_DIAGNOSTIC_ASSERT(XRE_IsParentProcess()); + + AntiTrackingUtils::ComputeIsThirdPartyToTopWindow(aChannel); + + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + + Unused << loadInfo->SetStoragePermission( + AntiTrackingUtils::GetStoragePermissionStateInParent(aChannel)); + + // Note that we need to put this after computing the IsThirdPartyToTopWindow + // flag because it will be used when getting the granular fingerprinting + // protections. + Maybe<RFPTarget> overriddenFingerprintingSettings = + nsRFPService::GetOverriddenFingerprintingSettingsForChannel(aChannel); + + if (overriddenFingerprintingSettings) { + loadInfo->SetOverriddenFingerprintingSettings( + overriddenFingerprintingSettings.ref()); + } +#ifdef DEBUG + static_cast<mozilla::net::LoadInfo*>(loadInfo.get()) + ->MarkOverriddenFingerprintingSettingsAsSet(); +#endif + + // We only update the IsOnContentBlockingAllowList flag and the partition key + // for the top-level http channel. + // + // The IsOnContentBlockingAllowList is only for http. For other types of + // channels, such as 'file:', there will be no interface to modify this. So, + // we only update it in http channels. + // + // The partition key is computed based on the site, so it's no point to set it + // for channels other than http channels. + nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel); + if (!httpChannel || loadInfo->GetExternalContentPolicyType() != + ExtContentPolicy::TYPE_DOCUMENT) { + return; + } + + nsCOMPtr<nsICookieJarSettings> cookieJarSettings; + Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings)); + + // Update the IsOnContentBlockingAllowList flag in the CookieJarSettings + // if this is a top level loading. For sub-document loading, this flag + // would inherit from the parent. + net::CookieJarSettings::Cast(cookieJarSettings) + ->UpdateIsOnContentBlockingAllowList(aChannel); + + // We only need to set FPD for top-level loads. FPD will automatically be + // propagated to non-top level loads via CookieJarSetting. + nsCOMPtr<nsIURI> uri; + Unused << aChannel->GetURI(getter_AddRefs(uri)); + net::CookieJarSettings::Cast(cookieJarSettings)->SetPartitionKey(uri); + + // Generate the fingerprinting randomization key for top-level loads. The key + // will automatically be propagated to sub loads. + auto RFPRandomKey = nsRFPService::GenerateKey(aChannel); + if (RFPRandomKey) { + net::CookieJarSettings::Cast(cookieJarSettings) + ->SetFingerprintingRandomizationKey(RFPRandomKey.ref()); + } +} |