diff options
Diffstat (limited to 'toolkit/components/extensions/ExtensionDNR.sys.mjs')
| -rw-r--r-- | toolkit/components/extensions/ExtensionDNR.sys.mjs | 2436 |
1 files changed, 2436 insertions, 0 deletions
diff --git a/toolkit/components/extensions/ExtensionDNR.sys.mjs b/toolkit/components/extensions/ExtensionDNR.sys.mjs new file mode 100644 index 0000000000..cd01d52b72 --- /dev/null +++ b/toolkit/components/extensions/ExtensionDNR.sys.mjs @@ -0,0 +1,2436 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Each extension that uses DNR has one RuleManager. All registered RuleManagers +// are checked whenever a network request occurs. Individual extensions may +// occasionally modify their rules (e.g. via the updateSessionRules API). +const gRuleManagers = []; + +/** + * Whenever a request occurs, the rules of each RuleManager are matched against + * the request to determine the final action to take. The RequestEvaluator class + * is responsible for evaluating rules, and its behavior is described below. + * + * Short version: + * Find the highest-priority rule that matches the given request. If the + * request is not canceled, all matching allowAllRequests and modifyHeaders + * actions are returned. + * + * Longer version: + * Unless stated otherwise, the explanation below describes the behavior within + * an extension. + * An extension can specify rules, optionally in multiple rulesets. The ability + * to have multiple ruleset exists to support bulk updates of rules. Rulesets + * are NOT independent - rules from different rulesets can affect each other. + * + * When multiple rules match, the order between rules are defined as follows: + * - Ruleset precedence: session > dynamic > static (order from manifest.json). + * - Rules in ruleset precedence: ordered by rule.id, lowest (numeric) ID first. + * - Across all rules+rulesets: highest rule.priority (default 1) first, + * action precedence if rule priority are the same. + * + * The primary documented way for extensions to describe precedence is by + * specifying rule.priority. Between same-priority rules, their precedence is + * dependent on the rule action. The ruleset/rule ID precedence is only used to + * have a defined ordering if multiple rules have the same priority+action. + * + * Rule actions have the following order of precedence and meaning: + * - "allow" can be used to ignore other same-or-lower-priority rules. + * - "allowAllRequests" (for main_frame / sub_frame resourceTypes only) has the + * same effect as allow, but also applies to (future) subresource loads in + * the document (including descendant frames) generated from the request. + * - "block" cancels the matched request. + * - "upgradeScheme" upgrades the scheme of the request. + * - "redirect" redirects the request. + * - "modifyHeaders" rewrites request/response headers. + * + * The matched rules are evaluated in two passes: + * 1. findMatchingRules(): + * Find the highest-priority rule(s), and choose the action with the highest + * precedence (across all rulesets, any action except modifyHeaders). + * This also accounts for any allowAllRequests from an ancestor frame. + * + * 2. getMatchingModifyHeadersRules(): + * Find matching rules with the "modifyHeaders" action, minus ignored rules. + * Reaching this step implies that the request was not canceled, so either + * the first step did not yield a rule, or the rule action is "allow" or + * "allowAllRequests" (i.e. ignore same-or-lower-priority rules). + * + * If an extension does not have sufficient permissions for the action, the + * resulting action is ignored. + * + * The above describes the evaluation within one extension. When a sequence of + * (multiple) extensions is given, they may return conflicting actions in the + * first pass. This is resolved by choosing the action with the following order + * of precedence, in RequestEvaluator.evaluateRequest(): + * - block + * - redirect / upgradeScheme + * - allow / allowAllRequests + */ + +import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs"; + +const lazy = {}; + +ChromeUtils.defineESModuleGetters(lazy, { + ExtensionDNRLimits: "resource://gre/modules/ExtensionDNRLimits.sys.mjs", + ExtensionDNRStore: "resource://gre/modules/ExtensionDNRStore.sys.mjs", + WebRequest: "resource://gre/modules/WebRequest.sys.mjs", +}); + +import { ExtensionUtils } from "resource://gre/modules/ExtensionUtils.sys.mjs"; + +const { ExtensionError } = ExtensionUtils; + +XPCOMUtils.defineLazyPreferenceGetter( + lazy, + "gMatchRequestsFromOtherExtensions", + "extensions.dnr.match_requests_from_other_extensions", + false +); + +// As documented above: +// Ruleset precedence: session > dynamic > static (order from manifest.json). +const PRECEDENCE_SESSION_RULESET = 1; +const PRECEDENCE_DYNAMIC_RULESET = 2; +const PRECEDENCE_STATIC_RULESETS_BASE = 3; + +// The RuleCondition class represents a rule's "condition" type as described in +// schemas/declarative_net_request.json. This class exists to allow the JS +// engine to use one Shape for all Rule instances. +class RuleCondition { + #compiledUrlFilter; + #compiledRegexFilter; + + constructor(cond) { + this.urlFilter = cond.urlFilter; + this.regexFilter = cond.regexFilter; + this.isUrlFilterCaseSensitive = cond.isUrlFilterCaseSensitive; + this.initiatorDomains = cond.initiatorDomains; + this.excludedInitiatorDomains = cond.excludedInitiatorDomains; + this.requestDomains = cond.requestDomains; + this.excludedRequestDomains = cond.excludedRequestDomains; + this.resourceTypes = cond.resourceTypes; + this.excludedResourceTypes = cond.excludedResourceTypes; + this.requestMethods = cond.requestMethods; + this.excludedRequestMethods = cond.excludedRequestMethods; + this.domainType = cond.domainType; + this.tabIds = cond.tabIds; + this.excludedTabIds = cond.excludedTabIds; + } + + // See CompiledUrlFilter for documentation. + urlFilterMatches(requestDataForUrlFilter) { + if (!this.#compiledUrlFilter) { + // eslint-disable-next-line no-use-before-define + this.#compiledUrlFilter = new CompiledUrlFilter( + this.urlFilter, + this.isUrlFilterCaseSensitive + ); + } + return this.#compiledUrlFilter.matchesRequest(requestDataForUrlFilter); + } + + // Used for testing regexFilter matches in RuleEvaluator.#matchRuleCondition + // and to get redirect URL from regexSubstitution in applyRegexSubstitution. + getCompiledRegexFilter() { + return this.#compiledRegexFilter; + } + + // RuleValidator compiles regexFilter before this Rule class is instantiated. + // To avoid unnecessarily compiling it again, the result is assigned here. + setCompiledRegexFilter(compiledRegexFilter) { + this.#compiledRegexFilter = compiledRegexFilter; + } +} + +export class Rule { + constructor(rule) { + this.id = rule.id; + this.priority = rule.priority; + this.condition = new RuleCondition(rule.condition); + this.action = rule.action; + } + + // The precedence of rules within an extension. This method is frequently + // used during the first pass of the RequestEvaluator. + actionPrecedence() { + switch (this.action.type) { + case "allow": + return 1; // Highest precedence. + case "allowAllRequests": + return 2; + case "block": + return 3; + case "upgradeScheme": + return 4; + case "redirect": + return 5; + case "modifyHeaders": + return 6; + default: + throw new Error(`Unexpected action type: ${this.action.type}`); + } + } + + isAllowOrAllowAllRequestsAction() { + const type = this.action.type; + return type === "allow" || type === "allowAllRequests"; + } +} + +class Ruleset { + /** + * @param {string} rulesetId - extension-defined ruleset ID. + * @param {integer} rulesetPrecedence + * @param {Rule[]} rules - extension-defined rules + * @param {RuleManager} ruleManager - owner of this ruleset. + */ + constructor(rulesetId, rulesetPrecedence, rules, ruleManager) { + this.id = rulesetId; + this.rulesetPrecedence = rulesetPrecedence; + this.rules = rules; + // For use by MatchedRule. + this.ruleManager = ruleManager; + } +} + +/** + * @param {string} uriQuery - The query of a nsIURI to transform. + * @param {object} queryTransform - The value of the + * Rule.action.redirect.transform.queryTransform property as defined in + * declarative_net_request.json. + * @returns {string} The uriQuery with the queryTransform applied to it. + */ +function applyQueryTransform(uriQuery, queryTransform) { + // URLSearchParams cannot be applied to the full query string, because that + // API formats the full query string using form-urlencoding. But the input + // may be in a different format. So we try to only modify matched params. + + function urlencode(s) { + // Encode in application/x-www-form-urlencoded format. + // The only JS API to do that is URLSearchParams. encodeURIComponent is not + // the same, it differs in how it handles " " ("%20") and "!'()~" (raw). + // But urlencoded space should be "+" and the latter be "%21%27%28%29%7E". + return new URLSearchParams({ s }).toString().slice(2); + } + if (!uriQuery.length && !queryTransform.addOrReplaceParams) { + // Nothing to do. + return ""; + } + const removeParamsSet = new Set(queryTransform.removeParams?.map(urlencode)); + const addParams = (queryTransform.addOrReplaceParams || []).map(orig => ({ + normalizedKey: urlencode(orig.key), + orig, + })); + const finalParams = []; + if (uriQuery.length) { + for (let part of uriQuery.split("&")) { + let key = part.split("=", 1)[0]; + if (removeParamsSet.has(key)) { + continue; + } + let i = addParams.findIndex(p => p.normalizedKey === key); + if (i !== -1) { + // Replace found param with the key-value from addOrReplaceParams. + finalParams.push(`${key}=${urlencode(addParams[i].orig.value)}`); + // Omit param so that a future search for the same key can find the next + // specified key-value pair, if any. And to prevent the already-used + // key-value pairs from being appended after the loop. + addParams.splice(i, 1); + } else { + finalParams.push(part); + } + } + } + // Append remaining, unused key-value pairs. + for (let { normalizedKey, orig } of addParams) { + if (!orig.replaceOnly) { + finalParams.push(`${normalizedKey}=${urlencode(orig.value)}`); + } + } + return finalParams.length ? `?${finalParams.join("&")}` : ""; +} + +/** + * @param {nsIURI} uri - Usually a http(s) URL. + * @param {object} transform - The value of the Rule.action.redirect.transform + * property as defined in declarative_net_request.json. + * @returns {nsIURI} uri - The new URL. + * @throws if the transformation is invalid. + */ +function applyURLTransform(uri, transform) { + let mut = uri.mutate(); + if (transform.scheme) { + // Note: declarative_net_request.json only allows http(s)/moz-extension:. + mut.setScheme(transform.scheme); + if (uri.port !== -1 || transform.port) { + // If the URI contains a port or transform.port was specified, the default + // port is significant. So we must set it in that case. + if (transform.scheme === "https") { + mut.QueryInterface(Ci.nsIStandardURLMutator).setDefaultPort(443); + } else if (transform.scheme === "http") { + mut.QueryInterface(Ci.nsIStandardURLMutator).setDefaultPort(80); + } + } + } + if (transform.username != null) { + mut.setUsername(transform.username); + } + if (transform.password != null) { + mut.setPassword(transform.password); + } + if (transform.host != null) { + mut.setHost(transform.host); + } + if (transform.port != null) { + // The caller ensures that transform.port is a string consisting of digits + // only. When it is an empty string, it should be cleared (-1). + mut.setPort(transform.port || -1); + } + if (transform.path != null) { + mut.setFilePath(transform.path); + } + if (transform.query != null) { + mut.setQuery(transform.query); + } else if (transform.queryTransform) { + mut.setQuery(applyQueryTransform(uri.query, transform.queryTransform)); + } + if (transform.fragment != null) { + mut.setRef(transform.fragment); + } + return mut.finalize(); +} + +/** + * @param {nsIURI} uri - Usually a http(s) URL. + * @param {MatchedRule} matchedRule - The matched rule with a regexFilter + * condition and regexSubstitution action. + * @returns {nsIURI} The new URL derived from the regexSubstitution combined + * with capturing group from regexFilter applied to the input uri. + * @throws if the resulting URL is an invalid redirect target. + */ +function applyRegexSubstitution(uri, matchedRule) { + const rule = matchedRule.rule; + const extension = matchedRule.ruleManager.extension; + const regexSubstitution = rule.action.redirect.regexSubstitution; + const compiledRegexFilter = rule.condition.getCompiledRegexFilter(); + // This method being called implies that regexFilter matched, so |matches| is + // always non-null, i.e. an array of string/undefined values. + const matches = compiledRegexFilter.exec(uri.spec); + + let redirectUrl = regexSubstitution.replace(/\\(.)/g, (_, char) => { + // #checkActionRedirect ensures that every \ is followed by a \ or digit. + return char === "\\" ? char : matches[char] ?? ""; + }); + + // Throws if the URL is invalid: + let redirectUri; + try { + redirectUri = Services.io.newURI(redirectUrl); + } catch (e) { + throw new Error( + `Extension ${extension.id} tried to redirect to an invalid URL: ${redirectUrl}` + ); + } + if (!extension.checkLoadURI(redirectUri, { dontReportErrors: true })) { + throw new Error( + `Extension ${extension.id} may not redirect to: ${redirectUrl}` + ); + } + return redirectUri; +} + +/** + * An urlFilter is a string pattern to match a canonical http(s) URL. + * urlFilter matches anywhere in the string, unless an anchor is present: + * - ||... ("Domain name anchor") - domain or subdomain starts with ... + * - |... ("Left anchor") - URL starts with ... + * - ...| ("Right anchor") - URL ends with ... + * + * Other than the anchors, the following special characters exist: + * - ^ = end of URL, or any char except: alphanum _ - . % ("Separator") + * - * = any number of characters ("Wildcard") + * + * Ambiguous cases (undocumented but actual Chrome behavior): + * - Plain "||" is a domain name anchor, not left + empty + right anchor. + * - "^" repeated at end of pattern: "^" matches end of URL only once. + * - "^|" at end of pattern: "^" is allowed to match end of URL. + * + * Implementation details: + * - CompiledUrlFilter's constructor (+#initializeUrlFilter) extracts the + * actual urlFilter and anchors, for matching against URLs later. + * - RequestDataForUrlFilter class precomputes the URL / domain anchors to + * support matching more efficiently. + * - CompiledUrlFilter's matchesRequest(request) checks whether the request is + * actually matched, using the precomputed information. + * + * The class was designed to minimize the number of string allocations during + * request evaluation, because the matchesRequest method may be called very + * often for every network request. + */ +class CompiledUrlFilter { + #isUrlFilterCaseSensitive; + #urlFilterParts; // = parts of urlFilter, minus anchors, split at "*". + // isAnchorLeft and isAnchorDomain are mutually exclusive. + #isAnchorLeft = false; + #isAnchorDomain = false; + #isAnchorRight = false; + #isTrailingSeparator = false; // Whether urlFilter ends with "^". + + /** + * @param {string} urlFilter - non-empty urlFilter + * @param {boolean} [isUrlFilterCaseSensitive] + */ + constructor(urlFilter, isUrlFilterCaseSensitive) { + this.#isUrlFilterCaseSensitive = isUrlFilterCaseSensitive; + this.#initializeUrlFilter(urlFilter, isUrlFilterCaseSensitive); + } + + #initializeUrlFilter(urlFilter, isUrlFilterCaseSensitive) { + let start = 0; + let end = urlFilter.length; + + // First, trim the anchors off urlFilter. + if (urlFilter[0] === "|") { + if (urlFilter[1] === "|") { + start = 2; + this.#isAnchorDomain = true; + // ^ will not revert to false below, because "||*" is already rejected + // by RuleValidator's #checkCondUrlFilterAndRegexFilter method. + } else { + start = 1; + this.#isAnchorLeft = true; // may revert to false below. + } + } + if (end > start && urlFilter[end - 1] === "|") { + --end; + this.#isAnchorRight = true; // may revert to false below. + } + + // Skip unnecessary wildcards, and adjust meaningless anchors accordingly: + // "|*" and "*|" are not effective anchors, they could have been omitted. + while (start < end && urlFilter[start] === "*") { + ++start; + this.#isAnchorLeft = false; + } + while (end > start && urlFilter[end - 1] === "*") { + --end; + this.#isAnchorRight = false; + } + + // Special-case the last "^", so that the matching algorithm can rely on + // the simple assumption that a "^" in the filter matches exactly one char: + // The "^" at the end of the pattern is specified to match either one char + // as usual, or as an anchor for the end of the URL (i.e. zero characters). + this.#isTrailingSeparator = urlFilter[end - 1] === "^"; + + let urlFilterWithoutAnchors = urlFilter.slice(start, end); + if (!isUrlFilterCaseSensitive) { + urlFilterWithoutAnchors = urlFilterWithoutAnchors.toLowerCase(); + } + this.#urlFilterParts = urlFilterWithoutAnchors.split("*"); + } + + /** + * Tests whether |request| matches the urlFilter. + * + * @param {RequestDataForUrlFilter} requestDataForUrlFilter + * @returns {boolean} Whether the condition matches the URL. + */ + matchesRequest(requestDataForUrlFilter) { + const url = requestDataForUrlFilter.getUrl(this.#isUrlFilterCaseSensitive); + const domainAnchors = requestDataForUrlFilter.domainAnchors; + + const urlFilterParts = this.#urlFilterParts; + + const REAL_END_OF_URL = url.length - 1; // minus trailing "^" + + // atUrlIndex is the position after the most recently matched part. + // If a match is not found, it is -1 and we should return false. + let atUrlIndex = 0; + + // The head always exists, potentially even an empty string. + const head = urlFilterParts[0]; + if (this.#isAnchorLeft) { + if (!this.#startsWithPart(head, url, 0)) { + return false; + } + atUrlIndex = head.length; + } else if (this.#isAnchorDomain) { + atUrlIndex = this.#indexAfterDomainPart(head, url, domainAnchors); + } else { + atUrlIndex = this.#indexAfterPart(head, url, 0); + } + + let previouslyAtUrlIndex = 0; + for (let i = 1; i < urlFilterParts.length && atUrlIndex !== -1; ++i) { + previouslyAtUrlIndex = atUrlIndex; + atUrlIndex = this.#indexAfterPart(urlFilterParts[i], url, atUrlIndex); + } + if (atUrlIndex === -1) { + return false; + } + if (atUrlIndex === url.length) { + // We always append a "^" to the URL, so if the match is at the end of the + // URL (REAL_END_OF_URL), only accept if the pattern ended with a "^". + return this.#isTrailingSeparator; + } + if (!this.#isAnchorRight || atUrlIndex === REAL_END_OF_URL) { + // Either not interested in the end, or already at the end of the URL. + return true; + } + + // #isAnchorRight is true but we are not at the end of the URL. + // Backtrack once, to retry the last pattern (tail) with the end of the URL. + + const tail = urlFilterParts[urlFilterParts.length - 1]; + // The expected offset where the tail should be located. + const expectedTailIndex = REAL_END_OF_URL - tail.length; + // If #isTrailingSeparator is true, then accept the URL's trailing "^". + const expectedTailIndexPlus1 = expectedTailIndex + 1; + if (urlFilterParts.length === 1) { + if (this.#isAnchorLeft) { + // If matched, we would have returned at the REAL_END_OF_URL checks. + return false; + } + if (this.#isAnchorDomain) { + // The tail must be exactly at one of the domain anchors. + return ( + (domainAnchors.includes(expectedTailIndex) && + this.#startsWithPart(tail, url, expectedTailIndex)) || + (this.#isTrailingSeparator && + domainAnchors.includes(expectedTailIndexPlus1) && + this.#startsWithPart(tail, url, expectedTailIndexPlus1)) + ); + } + // head has no left/domain anchor, fall through. + } + // The tail is not left/domain anchored, accept it as long as it did not + // overlap with an already-matched part of the URL. + return ( + (expectedTailIndex > previouslyAtUrlIndex && + this.#startsWithPart(tail, url, expectedTailIndex)) || + (this.#isTrailingSeparator && + expectedTailIndexPlus1 > previouslyAtUrlIndex && + this.#startsWithPart(tail, url, expectedTailIndexPlus1)) + ); + } + + // Whether a character should match "^" in an urlFilter. + // The "match end of URL" meaning of "^" is covered by #isTrailingSeparator. + static #regexIsSep = /[^A-Za-z0-9_\-.%]/; + + #matchPartAt(part, url, urlIndex, sepStart) { + if (sepStart === -1) { + // Fast path. + return url.startsWith(part, urlIndex); + } + if (urlIndex + part.length > url.length) { + return false; + } + for (let i = 0; i < part.length; ++i) { + let partChar = part[i]; + let urlChar = url[urlIndex + i]; + if ( + partChar !== urlChar && + (partChar !== "^" || !CompiledUrlFilter.#regexIsSep.test(urlChar)) + ) { + return false; + } + } + return true; + } + + #startsWithPart(part, url, urlIndex) { + const sepStart = part.indexOf("^"); + return this.#matchPartAt(part, url, urlIndex, sepStart); + } + + #indexAfterPart(part, url, urlIndex) { + let sepStart = part.indexOf("^"); + if (sepStart === -1) { + // Fast path. + let i = url.indexOf(part, urlIndex); + return i === -1 ? i : i + part.length; + } + let maxUrlIndex = url.length - part.length; + for (let i = urlIndex; i <= maxUrlIndex; ++i) { + if (this.#matchPartAt(part, url, i, sepStart)) { + return i + part.length; + } + } + return -1; + } + + #indexAfterDomainPart(part, url, domainAnchors) { + const sepStart = part.indexOf("^"); + for (let offset of domainAnchors) { + if (this.#matchPartAt(part, url, offset, sepStart)) { + return offset + part.length; + } + } + return -1; + } +} + +// See CompiledUrlFilter for documentation of RequestDataForUrlFilter. +class RequestDataForUrlFilter { + /** + * @param {string} requestURIspec - The URL to match against. + */ + constructor(requestURIspec) { + // "^" is appended, see CompiledUrlFilter's #initializeUrlFilter. + this.urlAnyCase = requestURIspec + "^"; + this.urlLowerCase = this.urlAnyCase.toLowerCase(); + // For "||..." (Domain name anchor): where (sub)domains start in the URL. + this.domainAnchors = this.#getDomainAnchors(this.urlAnyCase); + } + + getUrl(isUrlFilterCaseSensitive) { + return isUrlFilterCaseSensitive ? this.urlAnyCase : this.urlLowerCase; + } + + #getDomainAnchors(url) { + let hostStart = url.indexOf("://") + 3; + let hostEnd = url.indexOf("/", hostStart); + let userpassEnd = url.lastIndexOf("@", hostEnd) + 1; + if (userpassEnd) { + hostStart = userpassEnd; + } + let host = url.slice(hostStart, hostEnd); + let domainAnchors = [hostStart]; + let offset = 0; + // Find all offsets after ".". If not found, -1 + 1 = 0, and the loop ends. + while ((offset = host.indexOf(".", offset) + 1)) { + domainAnchors.push(hostStart + offset); + } + return domainAnchors; + } +} + +function compileRegexFilter(regexFilter, isUrlFilterCaseSensitive) { + // TODO bug 1821033: Restrict supported regex to avoid perf issues. For + // discussion on the desired syntax, see + // https://github.com/w3c/webextensions/issues/344 + return new RegExp(regexFilter, isUrlFilterCaseSensitive ? "" : "i"); +} + +class ModifyHeadersBase { + // Map<string,MatchedRule> - The first MatchedRule that modified the header. + // After modifying a header, it cannot be modified further, with the exception + // of the "append" operation, provided that they are from the same extension. + #alreadyModifiedMap = new Map(); + // Set<string> - The list of headers allowed to be modified with "append", + // despite having been modified. Allowed for "set"/"append", not for "remove". + #appendStillAllowed = new Set(); + + /** + * @param {ChannelWrapper} channel + */ + constructor(channel) { + this.channel = channel; + } + + /** + * @param {MatchedRule} matchedRule + * @returns {object[]} + */ + headerActionsFor(matchedRule) { + throw new Error("Not implemented."); + } + + /** + * @param {MatchedRule} matchedrule + * @param {string} name + * @param {string} value + * @param {boolean} merge + */ + setHeaderImpl(matchedrule, name, value, merge) { + throw new Error("Not implemented."); + } + + /** @param {MatchedRule[]} matchedRules */ + applyModifyHeaders(matchedRules) { + for (const matchedRule of matchedRules) { + for (const headerAction of this.headerActionsFor(matchedRule)) { + const { header: name, operation, value } = headerAction; + if (!this.#isOperationAllowed(name, operation, matchedRule)) { + continue; + } + let ok; + switch (operation) { + case "set": + ok = this.setHeader(matchedRule, name, value, /* merge */ false); + if (ok) { + this.#appendStillAllowed.add(name); + } + break; + case "append": + ok = this.setHeader(matchedRule, name, value, /* merge */ true); + if (ok) { + this.#appendStillAllowed.add(name); + } + break; + case "remove": + ok = this.setHeader(matchedRule, name, "", /* merge */ false); + // Note: removal is final, so we don't add to #appendStillAllowed. + break; + } + if (ok) { + this.#alreadyModifiedMap.set(name, matchedRule); + } + } + } + } + + #isOperationAllowed(name, operation, matchedRule) { + const modifiedBy = this.#alreadyModifiedMap.get(name); + if (!modifiedBy) { + return true; + } + if ( + operation === "append" && + this.#appendStillAllowed.has(name) && + matchedRule.ruleManager === modifiedBy.ruleManager + ) { + return true; + } + // TODO bug 1803369: dev experience improvement: consider logging when + // a header modification was rejected. + return false; + } + + setHeader(matchedRule, name, value, merge) { + try { + this.setHeaderImpl(matchedRule, name, value, merge); + return true; + } catch (e) { + const extension = matchedRule.ruleManager.extension; + extension.logger.error( + `Failed to apply modifyHeaders action to header "${name}" (DNR rule id ${matchedRule.rule.id} from ruleset "${matchedRule.ruleset.id}"): ${e}` + ); + } + return false; + } + + // kName should already be in lower case. + isHeaderNameEqual(name, kName) { + return name.length === kName.length && name.toLowerCase() === kName; + } +} + +class ModifyRequestHeaders extends ModifyHeadersBase { + static maybeApplyModifyHeaders(channel, matchedRules) { + matchedRules = matchedRules.filter(mr => { + const action = mr.rule.action; + return action.type === "modifyHeaders" && action.requestHeaders?.length; + }); + if (matchedRules.length) { + new ModifyRequestHeaders(channel).applyModifyHeaders(matchedRules); + } + } + + /** @param {MatchedRule} matchedRule */ + headerActionsFor(matchedRule) { + return matchedRule.rule.action.requestHeaders; + } + + setHeaderImpl(matchedRule, name, value, merge) { + if (this.isHeaderNameEqual(name, "host")) { + this.#checkHostHeader(matchedRule, value); + } + if (merge && value && this.isHeaderNameEqual(name, "cookie")) { + // By default, headers are merged with ",". But Cookie should use "; ". + // HTTP/1.1 allowed only one Cookie header, but HTTP/2.0 allows multiple, + // but recommends concatenation on one line. Relevant RFCs: + // - https://www.rfc-editor.org/rfc/rfc6265#section-5.4 + // - https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5 + // Consistent with Firefox internals, we ensure that there is at most one + // Cookie header, by overwriting the previous one, if any. + let existingCookie = this.channel.getRequestHeader("cookie"); + if (existingCookie) { + value = existingCookie + "; " + value; + merge = false; + } + } + this.channel.setRequestHeader(name, value, merge); + } + + #checkHostHeader(matchedRule, value) { + let uri = Services.io.newURI(`https://${value}/`); + let { policy } = matchedRule.ruleManager.extension; + + if (!policy.allowedOrigins.matches(uri)) { + throw new Error( + `Unable to set host header, url missing from permissions.` + ); + } + + if (WebExtensionPolicy.isRestrictedURI(uri)) { + throw new Error(`Unable to set host header to restricted url.`); + } + } +} + +class ModifyResponseHeaders extends ModifyHeadersBase { + static maybeApplyModifyHeaders(channel, matchedRules) { + matchedRules = matchedRules.filter(mr => { + const action = mr.rule.action; + return action.type === "modifyHeaders" && action.responseHeaders?.length; + }); + if (matchedRules.length) { + new ModifyResponseHeaders(channel).applyModifyHeaders(matchedRules); + } + } + + headerActionsFor(matchedRule) { + return matchedRule.rule.action.responseHeaders; + } + + setHeaderImpl(matchedRule, name, value, merge) { + this.channel.setResponseHeader(name, value, merge); + } +} + +class RuleValidator { + constructor(alreadyValidatedRules, { isSessionRuleset = false } = {}) { + this.rulesMap = new Map(alreadyValidatedRules.map(r => [r.id, r])); + this.failures = []; + this.isSessionRuleset = isSessionRuleset; + } + + /** + * Static method used to deserialize Rule class instances from a plain + * js object rule as serialized implicitly by aomStartup.encodeBlob + * when we store the rules into the startup cache file. + * + * @param {object} rule + * @returns {Rule} + */ + static deserializeRule(rule) { + const newRule = new Rule(rule); + if (newRule.condition.regexFilter) { + newRule.condition.setCompiledRegexFilter( + compileRegexFilter( + newRule.condition.regexFilter, + newRule.condition.isUrlFilterCaseSensitive + ) + ); + } + return newRule; + } + + removeRuleIds(ruleIds) { + for (const ruleId of ruleIds) { + this.rulesMap.delete(ruleId); + } + } + + /** + * @param {object[]} rules - A list of objects that adhere to the Rule type + * from declarative_net_request.json. + */ + addRules(rules) { + for (const rule of rules) { + if (this.rulesMap.has(rule.id)) { + this.#collectInvalidRule(rule, `Duplicate rule ID: ${rule.id}`); + continue; + } + // declarative_net_request.json defines basic types, such as the expected + // object properties and (primitive) type. Trivial constraints such as + // minimum array lengths are also expressed in the schema. + // Anything more complex is validated here. In particular, constraints + // involving multiple properties (e.g. mutual exclusiveness). + // + // The following conditions have already been validated by the schema: + // - isUrlFilterCaseSensitive (boolean) + // - domainType (enum string) + // - initiatorDomains & excludedInitiatorDomains & requestDomains & + // excludedRequestDomains (array of string in canonicalDomain format) + if ( + !this.#checkCondResourceTypes(rule) || + !this.#checkCondRequestMethods(rule) || + !this.#checkCondTabIds(rule) || + !this.#checkCondUrlFilterAndRegexFilter(rule) || + !this.#checkAction(rule) + ) { + continue; + } + + const newRule = new Rule(rule); + // #lastCompiledRegexFilter is set if regexFilter is set, and null + // otherwise by the above call to #checkCondUrlFilterAndRegexFilter(). + if (this.#lastCompiledRegexFilter) { + newRule.condition.setCompiledRegexFilter(this.#lastCompiledRegexFilter); + } + + this.rulesMap.set(rule.id, newRule); + } + } + + // #checkCondUrlFilterAndRegexFilter() compiles the regexFilter to check its + // validity. To avoid having to compile it again when the Rule (RuleCondition) + // is constructed, we temporarily cache the result. + #lastCompiledRegexFilter; + + // Checks: resourceTypes & excludedResourceTypes + #checkCondResourceTypes(rule) { + const { resourceTypes, excludedResourceTypes } = rule.condition; + if (this.#hasOverlap(resourceTypes, excludedResourceTypes)) { + this.#collectInvalidRule( + rule, + "resourceTypes and excludedResourceTypes should not overlap" + ); + return false; + } + if (rule.action.type === "allowAllRequests") { + if (!resourceTypes) { + this.#collectInvalidRule( + rule, + "An allowAllRequests rule must have a non-empty resourceTypes array" + ); + return false; + } + if (resourceTypes.some(r => r !== "main_frame" && r !== "sub_frame")) { + this.#collectInvalidRule( + rule, + "An allowAllRequests rule may only include main_frame/sub_frame in resourceTypes" + ); + return false; + } + } + return true; + } + + // Checks: requestMethods & excludedRequestMethods + #checkCondRequestMethods(rule) { + const { requestMethods, excludedRequestMethods } = rule.condition; + if (this.#hasOverlap(requestMethods, excludedRequestMethods)) { + this.#collectInvalidRule( + rule, + "requestMethods and excludedRequestMethods should not overlap" + ); + return false; + } + const isInvalidRequestMethod = method => method.toLowerCase() !== method; + if ( + requestMethods?.some(isInvalidRequestMethod) || + excludedRequestMethods?.some(isInvalidRequestMethod) + ) { + this.#collectInvalidRule(rule, "request methods must be in lower case"); + return false; + } + return true; + } + + // Checks: tabIds & excludedTabIds + #checkCondTabIds(rule) { + const { tabIds, excludedTabIds } = rule.condition; + + if ((tabIds || excludedTabIds) && !this.isSessionRuleset) { + this.#collectInvalidRule( + rule, + "tabIds and excludedTabIds can only be specified in session rules" + ); + return false; + } + + if (this.#hasOverlap(tabIds, excludedTabIds)) { + this.#collectInvalidRule( + rule, + "tabIds and excludedTabIds should not overlap" + ); + return false; + } + return true; + } + + static #regexNonASCII = /[^\x00-\x7F]/; // eslint-disable-line no-control-regex + static #regexDigitOrBackslash = /^[0-9\\]$/; + + // Checks: urlFilter & regexFilter + #checkCondUrlFilterAndRegexFilter(rule) { + const { urlFilter, regexFilter } = rule.condition; + + this.#lastCompiledRegexFilter = null; + + const checkEmptyOrNonASCII = (str, prop) => { + if (!str) { + this.#collectInvalidRule(rule, `${prop} should not be an empty string`); + return false; + } + // Non-ASCII in URLs are always encoded in % (or punycode in domains). + if (RuleValidator.#regexNonASCII.test(str)) { + this.#collectInvalidRule( + rule, + `${prop} should not contain non-ASCII characters` + ); + return false; + } + return true; + }; + if (urlFilter != null) { + if (regexFilter != null) { + this.#collectInvalidRule( + rule, + "urlFilter and regexFilter are mutually exclusive" + ); + return false; + } + if (!checkEmptyOrNonASCII(urlFilter, "urlFilter")) { + // #collectInvalidRule already called by checkEmptyOrNonASCII. + return false; + } + if (urlFilter.startsWith("||*")) { + // Rejected because Chrome does too. '||*' is equivalent to '*'. + this.#collectInvalidRule(rule, "urlFilter should not start with '||*'"); + return false; + } + } else if (regexFilter != null) { + if (!checkEmptyOrNonASCII(regexFilter, "regexFilter")) { + // #collectInvalidRule already called by checkEmptyOrNonASCII. + return false; + } + try { + this.#lastCompiledRegexFilter = compileRegexFilter( + regexFilter, + rule.condition.isUrlFilterCaseSensitive + ); + } catch (e) { + this.#collectInvalidRule( + rule, + "regexFilter is not a valid regular expression" + ); + return false; + } + } + return true; + } + + #checkAction(rule) { + switch (rule.action.type) { + case "allow": + case "allowAllRequests": + case "block": + case "upgradeScheme": + // These actions have no extra properties. + break; + case "redirect": + return this.#checkActionRedirect(rule); + case "modifyHeaders": + return this.#checkActionModifyHeaders(rule); + default: + // Other values are not possible because declarative_net_request.json + // only accepts the above action types. + throw new Error(`Unexpected action type: ${rule.action.type}`); + } + return true; + } + + #checkActionRedirect(rule) { + const { url, extensionPath, transform, regexSubstitution } = + rule.action.redirect ?? {}; + const hasExtensionPath = extensionPath != null; + const hasRegexSubstitution = regexSubstitution != null; + const redirectKeyCount = // @ts-ignore trivial/noisy + !!url + !!hasExtensionPath + !!transform + !!hasRegexSubstitution; + if (redirectKeyCount !== 1) { + if (redirectKeyCount === 0) { + this.#collectInvalidRule( + rule, + "A redirect rule must have a non-empty action.redirect object" + ); + return false; + } + // Side note: Chrome silently ignores excess keys, and skips validation + // for ignored keys, in this order: + // - url > extensionPath > transform > regexSubstitution + this.#collectInvalidRule( + rule, + "redirect.url, redirect.extensionPath, redirect.transform and redirect.regexSubstitution are mutually exclusive" + ); + return false; + } + + if (hasExtensionPath && !extensionPath.startsWith("/")) { + this.#collectInvalidRule( + rule, + "redirect.extensionPath should start with a '/'" + ); + return false; + } + + // If specified, the "url" property is described as "format": "url" in the + // JSON schema, which ensures that the URL is a canonical form, and that + // the extension is allowed to trigger a navigation to the URL. + // E.g. javascript: and privileged about:-URLs cannot be navigated to, but + // http(s) URLs can (regardless of extension permissions). + // data:-URLs are currently blocked due to bug 1622986. + + if (transform) { + if (transform.query != null && transform.queryTransform) { + this.#collectInvalidRule( + rule, + "redirect.transform.query and redirect.transform.queryTransform are mutually exclusive" + ); + return false; + } + // Most of the validation is done by nsIURIMutator via applyURLTransform. + // nsIURIMutator is not very strict, so we perform some extra checks here + // to reject values that are not technically valid URLs. + + if (transform.port && /\D/.test(transform.port)) { + // nsIURIMutator's setPort takes an int, so any string will implicitly + // be converted to a number. This part verifies that the input only + // consists of digits. setPort will ensure that it is at most 65535. + this.#collectInvalidRule( + rule, + "redirect.transform.port should be empty or an integer" + ); + return false; + } + + // Note: we don't verify whether transform.query starts with '/', because + // Chrome does not require it, and nsIURIMutator prepends it if missing. + + if (transform.query && !transform.query.startsWith("?")) { + this.#collectInvalidRule( + rule, + "redirect.transform.query should be empty or start with a '?'" + ); + return false; + } + if (transform.fragment && !transform.fragment.startsWith("#")) { + this.#collectInvalidRule( + rule, + "redirect.transform.fragment should be empty or start with a '#'" + ); + return false; + } + try { + const dummyURI = Services.io.newURI("http://dummy"); + // applyURLTransform uses nsIURIMutator to transform a URI, and throws + // if |transform| is invalid, e.g. invalid host, port, etc. + applyURLTransform(dummyURI, transform); + } catch (e) { + this.#collectInvalidRule( + rule, + "redirect.transform does not describe a valid URL transformation" + ); + return false; + } + } + + if (hasRegexSubstitution) { + if (!rule.condition.regexFilter) { + this.#collectInvalidRule( + rule, + "redirect.regexSubstitution requires the regexFilter condition to be specified" + ); + return false; + } + let i = 0; + // i will be index after \. Loop breaks if not found (-1+1=0 = false). + while ((i = regexSubstitution.indexOf("\\", i) + 1)) { + let c = regexSubstitution[i++]; // may be undefined if \ is at end. + if (c === undefined || !RuleValidator.#regexDigitOrBackslash.test(c)) { + this.#collectInvalidRule( + rule, + "redirect.regexSubstitution only allows digit or \\ after \\." + ); + return false; + } + } + } + + return true; + } + + #checkActionModifyHeaders(rule) { + const { requestHeaders, responseHeaders } = rule.action; + if (!requestHeaders && !responseHeaders) { + this.#collectInvalidRule( + rule, + "A modifyHeaders rule must have a non-empty requestHeaders or modifyHeaders list" + ); + return false; + } + + const isValidModifyHeadersOp = ({ header, operation, value }) => { + if (!header) { + this.#collectInvalidRule(rule, "header must be non-empty"); + return false; + } + if (!value && (operation === "append" || operation === "set")) { + this.#collectInvalidRule( + rule, + "value is required for operations append/set" + ); + return false; + } + if (value && operation === "remove") { + this.#collectInvalidRule( + rule, + "value must not be provided for operation remove" + ); + return false; + } + return true; + }; + if ( + (requestHeaders && !requestHeaders.every(isValidModifyHeadersOp)) || + (responseHeaders && !responseHeaders.every(isValidModifyHeadersOp)) + ) { + // #collectInvalidRule already called by isValidModifyHeadersOp. + return false; + } + return true; + } + + // Conditions with a filter and an exclude-filter should reject overlapping + // lists, because they can never simultaneously be true. + #hasOverlap(arrayA, arrayB) { + return arrayA && arrayB && arrayA.some(v => arrayB.includes(v)); + } + + #collectInvalidRule(rule, message) { + this.failures.push({ rule, message }); + } + + getValidatedRules() { + return Array.from(this.rulesMap.values()); + } + + getFailures() { + return this.failures; + } +} + +export class RuleQuotaCounter { + constructor(isStaticRulesets) { + this.isStaticRulesets = isStaticRulesets; + this.ruleLimitName = isStaticRulesets + ? "GUARANTEED_MINIMUM_STATIC_RULES" + : "MAX_NUMBER_OF_DYNAMIC_AND_SESSION_RULES"; + this.ruleLimitRemaining = lazy.ExtensionDNRLimits[this.ruleLimitName]; + this.regexRemaining = lazy.ExtensionDNRLimits.MAX_NUMBER_OF_REGEX_RULES; + } + + tryAddRules(rulesetId, rules) { + if (rules.length > this.ruleLimitRemaining) { + this.#throwQuotaError(rulesetId, "rules", this.ruleLimitName); + } + let regexCount = 0; + for (let rule of rules) { + if (rule.condition.regexFilter && ++regexCount > this.regexRemaining) { + this.#throwQuotaError( + rulesetId, + "regexFilter rules", + "MAX_NUMBER_OF_REGEX_RULES" + ); + } + } + + // Update counters only when there are no quota errors. + this.ruleLimitRemaining -= rules.length; + this.regexRemaining -= regexCount; + } + + #throwQuotaError(rulesetId, what, limitName) { + if (this.isStaticRulesets) { + throw new ExtensionError( + `Number of ${what} across all enabled static rulesets exceeds ${limitName} if ruleset "${rulesetId}" were to be enabled.` + ); + } + throw new ExtensionError( + `Number of ${what} in ruleset "${rulesetId}" exceeds ${limitName}.` + ); + } +} + +/** + * Compares two rules to determine the relative order of precedence. + * Rules are only comparable if they are from the same extension! + * + * @param {Rule} ruleA + * @param {Rule} ruleB + * @param {Ruleset} rulesetA - the ruleset ruleA is part of. + * @param {Ruleset} rulesetB - the ruleset ruleB is part of. + * @returns {integer} + * 0 if equal. + * <0 if ruleA comes before ruleB. + * >0 if ruleA comes after ruleB. + */ +function compareRule(ruleA, ruleB, rulesetA, rulesetB) { + // Comparators: 0 if equal, >0 if a after b, <0 if a before b. + function cmpHighestNumber(a, b) { + return a === b ? 0 : b - a; + } + function cmpLowestNumber(a, b) { + return a === b ? 0 : a - b; + } + return ( + // All compared operands are non-negative integers. + cmpHighestNumber(ruleA.priority, ruleB.priority) || + cmpLowestNumber(ruleA.actionPrecedence(), ruleB.actionPrecedence()) || + // As noted in the big comment at the top of the file, the following two + // comparisons only exist in order to have a stable ordering of rules. The + // specific comparison is somewhat arbitrary and matches Chrome's behavior. + // For context, see https://github.com/w3c/webextensions/issues/280 + cmpLowestNumber(rulesetA.rulesetPrecedence, rulesetB.rulesetPrecedence) || + cmpLowestNumber(ruleA.id, ruleB.id) + ); +} + +class MatchedRule { + /** + * @param {Rule} rule + * @param {Ruleset} ruleset + */ + constructor(rule, ruleset) { + this.rule = rule; + this.ruleset = ruleset; + } + + // The RuleManager that generated this MatchedRule. + get ruleManager() { + return this.ruleset.ruleManager; + } +} + +// tabId computation is currently not free, and depends on the initialization of +// ExtensionParent.apiManager.global (see WebRequest.getTabIdForChannelWrapper). +// Fortunately, DNR only supports tabIds in session rules, so by keeping track +// of session rules with tabIds/excludedTabIds conditions, we can find tabId +// exactly and only when necessary. +let gHasAnyTabIdConditions = false; + +class RequestDetails { + /** + * @param {object} options + * @param {nsIURI} options.requestURI - URL of the requested resource. + * @param {nsIURI} [options.initiatorURI] - URL of triggering principal, + * provided that it is a content principal. Otherwise null. + * @param {string} options.type - ResourceType (MozContentPolicyType). + * @param {string} [options.method] - HTTP method + * @param {integer} [options.tabId] + * @param {BrowsingContext} [options.browsingContext] - The BrowsingContext + * associated with the request. Typically the bc for which the subresource + * request is initiated, if any. For document requests, this is the parent + * (i.e. the parent frame for sub_frame, null for main_frame). + */ + constructor({ + requestURI, + initiatorURI, + type, + method, + tabId, + browsingContext, + }) { + this.requestURI = requestURI; + this.initiatorURI = initiatorURI; + this.type = type; + this.method = method; + this.tabId = tabId; + this.browsingContext = browsingContext; + + this.requestDomain = this.#domainFromURI(requestURI); + this.initiatorDomain = initiatorURI + ? this.#domainFromURI(initiatorURI) + : null; + + this.requestURIspec = requestURI.spec; + this.requestDataForUrlFilter = new RequestDataForUrlFilter( + this.requestURIspec + ); + } + + static fromChannelWrapper(channel) { + let tabId = -1; + if (gHasAnyTabIdConditions) { + tabId = lazy.WebRequest.getTabIdForChannelWrapper(channel); + } + return new RequestDetails({ + requestURI: channel.finalURI, + // Note: originURI may be null, if missing or null principal, as desired. + initiatorURI: channel.originURI, + type: channel.type, + method: channel.method.toLowerCase(), + tabId, + browsingContext: channel.loadInfo.browsingContext, + }); + } + + #ancestorRequestDetails; + get ancestorRequestDetails() { + if (this.#ancestorRequestDetails) { + return this.#ancestorRequestDetails; + } + this.#ancestorRequestDetails = []; + if (!this.browsingContext?.ancestorsAreCurrent) { + // this.browsingContext is set for real requests (via fromChannelWrapper). + // It may be void for testMatchOutcome and for the ancestor requests + // simulated below. + // + // ancestorsAreCurrent being false is unexpected, but could theoretically + // happen if the request is triggered from an unloaded (sub)frame. In that + // case we don't want to use potentially incorrect ancestor information. + // + // In any case, nothing left to do. + return this.#ancestorRequestDetails; + } + // Reconstruct the frame hierarchy of the request's document, in order to + // retroactively recompute the relevant matches of allowAllRequests rules. + // + // The allowAllRequests rule is supposedly applying to all subresource + // requests. For non-document requests, this is usually the document if any. + // In case of document requests, there is some ambiguity: + // - Usually, the initiator is the parent document that created the frame. + // - Sometimes, the initiator is a different frame or even another window. + // + // In RequestDetails.fromChannelWrapper, the actual initiator is used and + // reflected in initiatorURI, but here we use the document's parent. This + // is done because the chain of initiators is unstable (e.g. an opener can + // navigate/unload), whereas frame ancestor chain is constant as long as + // the leaf BrowsingContext is current. Moreover, allowAllRequests was + // originally designed to operate on frame hierarchies (crbug.com/1038831). + // + // This implementation of "initiator" for "allowAllRequests" is consistent + // with Chrome and Safari. + for (let bc = this.browsingContext; bc; bc = bc.parent) { + // Note: requestURI may differ from the document's initial requestURI, + // e.g. due to same-document navigations. + const requestURI = bc.currentURI; + if (!requestURI.schemeIs("https") && !requestURI.schemeIs("http")) { + // DNR is currently only hooked up to http(s) requests. Ignore other + // URLs, e.g. about:, blob:, moz-extension:, data:, etc. + continue; + } + const isTop = !bc.parent; + const parentPrin = bc.parentWindowContext?.documentPrincipal; + const requestDetails = new RequestDetails({ + requestURI, + // Note: initiatorURI differs from RequestDetails.fromChannelWrapper; + // See the above comment for more info. + initiatorURI: parentPrin?.isContentPrincipal ? parentPrin.URI : null, + type: isTop ? "main_frame" : "sub_frame", + method: bc.activeSessionHistoryEntry?.hasPostData ? "post" : "get", + tabId: this.tabId, + // In this loop we are already explicitly accounting for ancestors, so + // we intentionally omit browsingContext even though we have |bc|. If + // we were to set `browsingContext: bc`, the output would be the same, + // but be derived from unnecessarily repeated request evaluations. + browsingContext: null, + }); + this.#ancestorRequestDetails.unshift(requestDetails); + } + return this.#ancestorRequestDetails; + } + + canExtensionModify(extension) { + const policy = extension.policy; + if (!policy.canAccessURI(this.requestURI)) { + return false; + } + if ( + this.initiatorURI && + this.type !== "main_frame" && + this.type !== "sub_frame" && + !policy.canAccessURI(this.initiatorURI) + ) { + // Host permissions for the initiator is required except for navigation + // requests: https://bugzilla.mozilla.org/show_bug.cgi?id=1825824#c2 + return false; + } + return true; + } + + #domainFromURI(uri) { + try { + let hostname = uri.host; + // nsIURI omits brackets from IPv6 addresses. But the canonical form of an + // IPv6 address is with brackets, so add them. + return hostname.includes(":") ? `[${hostname}]` : hostname; + } catch (e) { + // uri.host throws for some schemes (e.g. about:). In practice we won't + // encounter this for network (via NetworkIntegration.startDNREvaluation) + // because isRestrictedPrincipalURI filters the initiatorURI. Furthermore, + // because only http(s) requests are observed, requestURI is http(s). + // + // declarativeNetRequest.testMatchOutcome can pass arbitrary URIs and thus + // trigger the error in nsIURI::GetHost. + Cu.reportError(e); + return null; + } + } +} + +/** + * This RequestEvaluator class's logic is documented at the top of this file. + */ +class RequestEvaluator { + // private constructor, only used by RequestEvaluator.evaluateRequest. + constructor(request, ruleManager) { + this.req = request; + this.ruleManager = ruleManager; + this.canModify = request.canExtensionModify(ruleManager.extension); + + // These values are initialized by findMatchingRules(): + this.matchedRule = null; + this.matchedModifyHeadersRules = []; + this.didCheckAncestors = false; + this.findMatchingRules(); + } + + /** + * Finds the matched rules for the given request and extensions, + * according to the logic documented at the top of this file. + * + * @param {RequestDetails} request + * @param {RuleManager[]} ruleManagers + * The list of RuleManagers, ordered by importance of its extension. + * @returns {MatchedRule[]} + */ + static evaluateRequest(request, ruleManagers) { + // Helper to determine precedence of rules from different extensions. + function precedence(matchedRule) { + switch (matchedRule.rule.action.type) { + case "block": + return 1; + case "redirect": + case "upgradeScheme": + return 2; + case "allow": + case "allowAllRequests": + return 3; + // case "modifyHeaders": not comparable after the first pass. + default: + throw new Error(`Unexpected action: ${matchedRule.rule.action.type}`); + } + } + + let requestEvaluators = []; + let finalMatch; + for (let ruleManager of ruleManagers) { + // Evaluate request with findMatchingRules(): + const requestEvaluator = new RequestEvaluator(request, ruleManager); + // RequestEvaluator may be used after the loop when the request is + // accepted, to collect modifyHeaders/allow/allowAllRequests actions. + requestEvaluators.push(requestEvaluator); + let matchedRule = requestEvaluator.matchedRule; + if ( + matchedRule && + (!finalMatch || precedence(matchedRule) < precedence(finalMatch)) + ) { + // Before choosing the matched rule as finalMatch, check whether there + // is an allowAllRequests rule override among the ancestors. + requestEvaluator.findAncestorRuleOverride(); + matchedRule = requestEvaluator.matchedRule; + if (!finalMatch || precedence(matchedRule) < precedence(finalMatch)) { + finalMatch = matchedRule; + if (finalMatch.rule.action.type === "block") { + break; + } + } + } + } + if (finalMatch && !finalMatch.rule.isAllowOrAllowAllRequestsAction()) { + // Found block/redirect/upgradeScheme, request will be replaced. + return [finalMatch]; + } + // Request not canceled, collect all modifyHeaders actions: + let matchedRules = requestEvaluators + .map(re => re.getMatchingModifyHeadersRules()) + .flat(1); + + // ... and collect the allowAllRequests actions: + // Note: Only needed for testMatchOutcome, getMatchedRules (bug 1745765) and + // onRuleMatchedDebug (bug 1745773). Not for regular requests, since regular + // requests do not distinguish between no rule vs allow vs allowAllRequests. + let finalAllowAllRequestsMatches = []; + for (let requestEvaluator of requestEvaluators) { + // TODO bug 1745765 / bug 1745773: Uncomment findAncestorRuleOverride() + // when getMatchedRules() or onRuleMatchedDebug are implemented. + // requestEvaluator.findAncestorRuleOverride(); + let matchedRule = requestEvaluator.matchedRule; + if (matchedRule && matchedRule.rule.action.type === "allowAllRequests") { + // Even if a different extension wins the final match, an extension + // may want to record the "allowAllRequests" action for the future. + finalAllowAllRequestsMatches.push(matchedRule); + } + } + if (finalAllowAllRequestsMatches.length) { + matchedRules = finalAllowAllRequestsMatches.concat(matchedRules); + } + + // ... and collect the "allow" action. At this point, finalMatch could also + // be a modifyHeaders or allowAllRequests action, but these would already + // have been added to the matchedRules result before. + if (finalMatch && finalMatch.rule.action.type === "allow") { + matchedRules.unshift(finalMatch); + } + return matchedRules; + } + + /** + * Finds the matching rules, as documented in the comment before the class. + */ + findMatchingRules() { + if (!this.canModify && !this.ruleManager.hasBlockPermission) { + // If the extension cannot apply any action, don't bother. + return; + } + + this.#collectMatchInRuleset(this.ruleManager.sessionRules); + this.#collectMatchInRuleset(this.ruleManager.dynamicRules); + for (let ruleset of this.ruleManager.enabledStaticRules) { + this.#collectMatchInRuleset(ruleset); + } + + if (this.matchedRule && !this.#isRuleActionAllowed(this.matchedRule.rule)) { + this.matchedRule = null; + // Note: this.matchedModifyHeadersRules is [] because canModify access is + // checked before populating the list. + } + } + + /** + * Find an "allowAllRequests" rule among the ancestors that may override the + * current matchedRule and/or matchedModifyHeadersRules rules. + */ + findAncestorRuleOverride() { + if (this.didCheckAncestors) { + return; + } + this.didCheckAncestors = true; + + if (!this.ruleManager.hasRulesWithAllowAllRequests) { + // Optimization: Skip ancestorRequestDetails lookup and/or request + // evaluation if there are no allowAllRequests rules. + return; + } + + // Now we need to check whether any of the ancestor frames had a matching + // allowAllRequests rule. matchedRule and/or matchedModifyHeadersRules + // results may be ignored if their priority is lower or equal to the + // highest-priority allowAllRequests rule among the frame ancestors. + // + // In theory, every ancestor may potentially yield an allowAllRequests rule, + // and should therefore be checked unconditionally. But logically, if there + // are no existing matches, then any matching allowAllRequests rules will + // not have any effect on the request outcome. As an optimization, we + // therefore skip ancestor checks in this case. + if ( + (!this.matchedRule || + this.matchedRule.rule.isAllowOrAllowAllRequestsAction()) && + !this.matchedModifyHeadersRules.length + ) { + // Optimization: Do not look up ancestors if no rules were matched. + // + // TODO bug 1745773: onRuleMatchedDebug is supposed to report when a rule + // has been matched. To be pedantic, when there is an onRuleMatchedDebug + // listener, the parents need to be checked unconditionally, in order to + // report potential allowAllRequests matches among ancestors. + // TODO bug 1745765: the above may also apply to getMatchedRules(). + return; + } + + for (let request of this.req.ancestorRequestDetails) { + // TODO: Optimize by only evaluating allow/allowAllRequests rules, because + // the request being seen here implies that the request was not canceled, + // i.e. that there were no block/redirect/upgradeScheme rules in any of + // the ancestors (across all extensions!). + let requestEvaluator = new RequestEvaluator(request, this.ruleManager); + let ancestorMatchedRule = requestEvaluator.matchedRule; + if ( + ancestorMatchedRule && + ancestorMatchedRule.rule.action.type === "allowAllRequests" && + (!this.matchedRule || + compareRule( + this.matchedRule.rule, + ancestorMatchedRule.rule, + this.matchedRule.ruleset, + ancestorMatchedRule.ruleset + ) > 0) + ) { + // Found an allowAllRequests rule that takes precedence over whatever + // the current rule was. + this.matchedRule = ancestorMatchedRule; + } + } + } + + /** + * Retrieves the list of matched modifyHeaders rules that should apply. + * + * @returns {MatchedRule[]} + */ + getMatchingModifyHeadersRules() { + if (this.matchedModifyHeadersRules.length) { + // Find parent allowAllRequests rules, if any, to make sure that we can + // appropriately ignore same-or-lower-priority modifyHeaders rules. + this.findAncestorRuleOverride(); + } + // The minimum priority is 1. Defaulting to 0 = include all. + let priorityThreshold = 0; + if (this.matchedRule?.rule.isAllowOrAllowAllRequestsAction()) { + priorityThreshold = this.matchedRule.rule.priority; + } + // Note: the result cannot be non-empty if this.matchedRule is a non-allow + // action, because if that were to be the case, then the request would have + // been canceled, and therefore there would not be any header to modify. + // Even if another extension were to override the action, it could only be + // any other non-allow action, which would still cancel the request. + let matchedRules = this.matchedModifyHeadersRules.filter(matchedRule => { + return matchedRule.rule.priority > priorityThreshold; + }); + // Sort output for a deterministic order. + // NOTE: Sorting rules at registration (in RuleManagers) would avoid the + // need to sort here. Since the number of matched modifyHeaders rules are + // expected to be small, we don't bother optimizing. + matchedRules.sort((a, b) => { + return compareRule(a.rule, b.rule, a.ruleset, b.ruleset); + }); + return matchedRules; + } + + /** @param {Ruleset} ruleset */ + #collectMatchInRuleset(ruleset) { + for (let rule of ruleset.rules) { + if (!this.#matchesRuleCondition(rule.condition)) { + continue; + } + if (rule.action.type === "modifyHeaders") { + if (this.canModify) { + this.matchedModifyHeadersRules.push(new MatchedRule(rule, ruleset)); + } + continue; + } + if ( + this.matchedRule && + compareRule( + this.matchedRule.rule, + rule, + this.matchedRule.ruleset, + ruleset + ) <= 0 + ) { + continue; + } + this.matchedRule = new MatchedRule(rule, ruleset); + } + } + + /** + * @param {RuleCondition} cond + * @returns {boolean} Whether the condition matched. + */ + #matchesRuleCondition(cond) { + if (cond.resourceTypes) { + if (!cond.resourceTypes.includes(this.req.type)) { + return false; + } + } else if (cond.excludedResourceTypes) { + if (cond.excludedResourceTypes.includes(this.req.type)) { + return false; + } + } else if (this.req.type === "main_frame") { + // When resourceTypes/excludedResourceTypes are not specified, the + // documented behavior is to ignore main_frame requests. + return false; + } + + // Check this.req.requestURI: + if (cond.urlFilter) { + if (!cond.urlFilterMatches(this.req.requestDataForUrlFilter)) { + return false; + } + } else if (cond.regexFilter) { + if (!cond.getCompiledRegexFilter().test(this.req.requestURIspec)) { + return false; + } + } + if ( + cond.excludedRequestDomains && + this.#matchesDomains(cond.excludedRequestDomains, this.req.requestDomain) + ) { + return false; + } + if ( + cond.requestDomains && + !this.#matchesDomains(cond.requestDomains, this.req.requestDomain) + ) { + return false; + } + if ( + cond.excludedInitiatorDomains && + // Note: unable to only match null principals (bug 1798225). + this.req.initiatorDomain && + this.#matchesDomains( + cond.excludedInitiatorDomains, + this.req.initiatorDomain + ) + ) { + return false; + } + if ( + cond.initiatorDomains && + // Note: unable to only match null principals (bug 1798225). + (!this.req.initiatorDomain || + !this.#matchesDomains(cond.initiatorDomains, this.req.initiatorDomain)) + ) { + return false; + } + + // TODO bug 1797408: domainType + + if (cond.requestMethods) { + if (!cond.requestMethods.includes(this.req.method)) { + return false; + } + } else if (cond.excludedRequestMethods?.includes(this.req.method)) { + return false; + } + + if (cond.tabIds) { + if (!cond.tabIds.includes(this.req.tabId)) { + return false; + } + } else if (cond.excludedTabIds?.includes(this.req.tabId)) { + return false; + } + + return true; + } + + /** + * @param {string[]} domains - A list of canonicalized domain patterns. + * Canonical means punycode, no ports, and IPv6 without brackets, and not + * starting with a dot. May end with a dot if it is a FQDN. + * @param {string} host - The canonical representation of the host of a URL. + * @returns {boolean} Whether the given host is a (sub)domain of any of the + * given domains. + */ + #matchesDomains(domains, host) { + return domains.some(domain => { + return ( + host.endsWith(domain) && + // either host === domain + (host.length === domain.length || + // or host = "something." + domain (WITH a domain separator). + host.charAt(host.length - domain.length - 1) === ".") + ); + }); + } + + /** + * @param {Rule} rule - The final rule from the first pass. + * @returns {boolean} Whether the extension is allowed to execute the rule. + */ + #isRuleActionAllowed(rule) { + if (this.canModify) { + return true; + } + switch (rule.action.type) { + case "allow": + case "allowAllRequests": + case "block": + case "upgradeScheme": + return this.ruleManager.hasBlockPermission; + case "redirect": + return false; + // case "modifyHeaders" is never an action for this.matchedRule. + default: + throw new Error(`Unexpected action type: ${rule.action.type}`); + } + } +} + +/** + * Checks whether a request from a document with the given URI is allowed to + * be modified by an unprivileged extension (e.g. an extension without host + * permissions but the "declarativeNetRequest" permission). + * The output is comparable to WebExtensionPolicy::CanAccessURI for an extension + * with the `<all_urls>` permission, for consistency with the webRequest API. + * + * @param {nsIURI} [uri] The URI of a request's loadingPrincipal. May be void + * if missing (e.g. top-level requests) or not a content principal. + * @returns {boolean} Whether there is any extension that is allowed to see + * requests from a document with the given URI. Callers are expected to: + * - check system requests (and treat as true). + * - check WebExtensionPolicy.isRestrictedURI (and treat as true). + */ +function isRestrictedPrincipalURI(uri) { + if (!uri) { + // No URI, could be: + // - System principal (caller should have checked and disallowed access). + // - Expanded principal, typically content script in documents. If an + // extension content script managed to run there, that implies that an + // extension was able to access it. + // - Null principal (e.g. sandboxed document, about:blank, data:). + return false; + } + + // An unprivileged extension with maximal host permissions has allowedOrigins + // set to [`<all_urls>`, `moz-extension://extensions-own-uuid-here`]. + // `<all_urls>` matches PermittedSchemes from MatchPattern.cpp: + // https://searchfox.org/mozilla-central/rev/55d5c4b9dffe5e59eb6b019c1a930ec9ada47e10/toolkit/components/extensions/MatchPattern.cpp#209-211 + // i.e. "http", "https", "ws", "wss", "file", "ftp", "data". + // - It is not possible to have a loadingPrincipal for: ws, wss, ftp. + // - data:-URIs always have an opaque origin, i.e. the principal is not a + // content principal, thus void here. + // - The remaining schemes from `<all_urls>` are: http, https, file, data, + // and checked below. + // + // Privileged addons can also access resource: and about:, but we do not need + // to support these now. + + // http(s) are common, and allowed, except for some restricted domains. The + // caller is expected to check WebExtensionPolicy.isRestrictedURI. + if (uri.schemeIs("http") || uri.schemeIs("https")) { + return false; // Very common. + } + + // moz-extension: is not restricted because an extension always has permission + // to its own moz-extension:-origin. The caller is expected to verify that an + // extension can only access its own URI. + if (uri.schemeIs("moz-extension")) { + return false; + } + + // Requests from local files are intentionally allowed (bug 1621935). + if (uri.schemeIs("file")) { + return false; + } + + // Anything else (e.g. resource:, about:newtab, etc.) is not allowed. + return true; +} + +const NetworkIntegration = { + maxEvaluatedRulesCount: 0, + + register() { + // We register via WebRequest.jsm to ensure predictable ordering of DNR and + // WebRequest behavior. + lazy.WebRequest.setDNRHandlingEnabled(true); + }, + unregister() { + lazy.WebRequest.setDNRHandlingEnabled(false); + }, + maybeUpdateTabIdChecker() { + gHasAnyTabIdConditions = gRuleManagers.some(rm => rm.hasRulesWithTabIds); + }, + + startDNREvaluation(channel) { + let ruleManagers = gRuleManagers; + // TODO bug 1827422: Merge isRestrictedPrincipalURI with canModify. + if (!channel.canModify || isRestrictedPrincipalURI(channel.documentURI)) { + // Ignore system requests or requests to restricted domains. + ruleManagers = []; + } + if (channel.loadInfo.originAttributes.privateBrowsingId > 0) { + ruleManagers = ruleManagers.filter( + rm => rm.extension.privateBrowsingAllowed + ); + } + if (ruleManagers.length && !lazy.gMatchRequestsFromOtherExtensions) { + const policy = channel.loadInfo.loadingPrincipal?.addonPolicy; + if (policy) { + ruleManagers = ruleManagers.filter( + rm => rm.extension.policy === policy + ); + } + } + let matchedRules; + if (ruleManagers.length) { + const evaluateRulesTimerId = + Glean.extensionsApisDnr.evaluateRulesTime.start(); + try { + const request = RequestDetails.fromChannelWrapper(channel); + matchedRules = RequestEvaluator.evaluateRequest(request, ruleManagers); + } finally { + if (evaluateRulesTimerId !== undefined) { + Glean.extensionsApisDnr.evaluateRulesTime.stopAndAccumulate( + evaluateRulesTimerId + ); + } + } + const evaluateRulesCount = ruleManagers.reduce( + (sum, ruleManager) => sum + ruleManager.getRulesCount(), + 0 + ); + if (evaluateRulesCount > this.maxEvaluatedRulesCount) { + Glean.extensionsApisDnr.evaluateRulesCountMax.set(evaluateRulesCount); + this.maxEvaluatedRulesCount = evaluateRulesCount; + } + } + // Cache for later. In case of redirects, _dnrMatchedRules may exist for + // the pre-redirect HTTP channel, and is overwritten here again. + channel._dnrMatchedRules = matchedRules; + }, + + /** + * Applies the actions of the DNR rules. + * + * @param {ChannelWrapper} channel + * @returns {boolean} Whether to ignore any responses from the webRequest API. + */ + onBeforeRequest(channel) { + let matchedRules = channel._dnrMatchedRules; + if (!matchedRules?.length) { + return false; + } + // If a matched rule closes the channel, it is the sole match. + const finalMatch = matchedRules[0]; + switch (finalMatch.rule.action.type) { + case "block": + this.applyBlock(channel, finalMatch); + return true; + case "redirect": + this.applyRedirect(channel, finalMatch); + return true; + case "upgradeScheme": + this.applyUpgradeScheme(channel, finalMatch); + return true; + } + // If there are multiple rules, then it may be a combination of allow, + // allowAllRequests and/or modifyHeaders. + + // "modifyHeaders" is handled by onBeforeSendHeaders/onHeadersReceived. + // "allow" and "allowAllRequests" require no further action now. + // "allowAllRequests" is applied to new requests in the future (if any) + // through RequestEvaluator's findAncestorRuleOverride(). + + return false; + }, + + onBeforeSendHeaders(channel) { + let matchedRules = channel._dnrMatchedRules; + if (!matchedRules?.length) { + return; + } + ModifyRequestHeaders.maybeApplyModifyHeaders(channel, matchedRules); + }, + + onHeadersReceived(channel) { + let matchedRules = channel._dnrMatchedRules; + if (!matchedRules?.length) { + return; + } + ModifyResponseHeaders.maybeApplyModifyHeaders(channel, matchedRules); + }, + + applyBlock(channel, matchedRule) { + // TODO bug 1802259: Consider a DNR-specific reason. + channel.cancel( + Cr.NS_ERROR_ABORT, + Ci.nsILoadInfo.BLOCKING_REASON_EXTENSION_WEBREQUEST + ); + const addonId = matchedRule.ruleManager.extension.id; + let properties = channel.channel.QueryInterface(Ci.nsIWritablePropertyBag); + properties.setProperty("cancelledByExtension", addonId); + }, + + applyUpgradeScheme(channel, matchedRule) { + // Request upgrade. No-op if already secure (i.e. https). + channel.upgradeToSecure(); + }, + + applyRedirect(channel, matchedRule) { + // Ambiguity resolution order of redirect dict keys, consistent with Chrome: + // - url > extensionPath > transform > regexSubstitution + const redirect = matchedRule.rule.action.redirect; + const extension = matchedRule.ruleManager.extension; + const preRedirectUri = channel.finalURI; + let redirectUri; + if (redirect.url) { + // redirect.url already validated by checkActionRedirect. + redirectUri = Services.io.newURI(redirect.url); + } else if (redirect.extensionPath) { + redirectUri = extension.baseURI + .mutate() + .setPathQueryRef(redirect.extensionPath) + .finalize(); + } else if (redirect.transform) { + redirectUri = applyURLTransform(preRedirectUri, redirect.transform); + } else if (redirect.regexSubstitution) { + // Note: may throw if regexSubstitution results in an invalid redirect. + // The error propagates up to handleRequest, which will just allow the + // request to continue. + redirectUri = applyRegexSubstitution(preRedirectUri, matchedRule); + } else { + // #checkActionRedirect ensures that the redirect action is non-empty. + } + + if (preRedirectUri.equals(redirectUri)) { + // URL did not change. Sometimes it is a bug in the extension, but there + // are also cases where the result is unavoidable. E.g. redirect.transform + // with queryTransform.removeParams that does not remove anything. + // TODO: consider logging to help with debugging. + return; + } + + channel.redirectTo(redirectUri); + + let properties = channel.channel.QueryInterface(Ci.nsIWritablePropertyBag); + properties.setProperty("redirectedByExtension", extension.id); + + let origin = channel.getRequestHeader("Origin"); + if (origin) { + channel.setResponseHeader("Access-Control-Allow-Origin", origin); + channel.setResponseHeader("Access-Control-Allow-Credentials", "true"); + channel.setResponseHeader("Access-Control-Max-Age", "0"); + } + }, +}; + +class RuleManager { + constructor(extension) { + this.extension = extension; + this.sessionRules = this.makeRuleset( + "_session", + PRECEDENCE_SESSION_RULESET + ); + this.dynamicRules = this.makeRuleset( + "_dynamic", + PRECEDENCE_DYNAMIC_RULESET + ); + this.enabledStaticRules = []; + + this.hasBlockPermission = extension.hasPermission("declarativeNetRequest"); + this.hasRulesWithTabIds = false; + this.hasRulesWithAllowAllRequests = false; + this.totalRulesCount = 0; + } + + get availableStaticRuleCount() { + return Math.max( + lazy.ExtensionDNRLimits.GUARANTEED_MINIMUM_STATIC_RULES - + this.enabledStaticRules.reduce( + (acc, ruleset) => acc + ruleset.rules.length, + 0 + ), + 0 + ); + } + + get enabledStaticRulesetIds() { + return this.enabledStaticRules.map(ruleset => ruleset.id); + } + + makeRuleset(rulesetId, rulesetPrecedence, rules = []) { + return new Ruleset(rulesetId, rulesetPrecedence, rules, this); + } + + setSessionRules(validatedSessionRules) { + let oldRulesCount = this.sessionRules.rules.length; + let newRulesCount = validatedSessionRules.length; + this.sessionRules.rules = validatedSessionRules; + this.totalRulesCount += newRulesCount - oldRulesCount; + this.hasRulesWithTabIds = !!this.sessionRules.rules.find(rule => { + return rule.condition.tabIds || rule.condition.excludedTabIds; + }); + this.#updateAllowAllRequestRules(); + NetworkIntegration.maybeUpdateTabIdChecker(); + } + + setDynamicRules(validatedDynamicRules) { + let oldRulesCount = this.dynamicRules.rules.length; + let newRulesCount = validatedDynamicRules.length; + this.dynamicRules.rules = validatedDynamicRules; + this.totalRulesCount += newRulesCount - oldRulesCount; + this.#updateAllowAllRequestRules(); + } + + /** + * Set the enabled static rulesets. + * + * @param {Array<{ id, rules }>} enabledStaticRulesets + * Array of objects including the ruleset id and rules. + * The order of the rulesets in the Array is expected to + * match the order of the rulesets in the extension manifest. + */ + setEnabledStaticRulesets(enabledStaticRulesets) { + const rulesets = []; + for (const [idx, { id, rules }] of enabledStaticRulesets.entries()) { + rulesets.push( + this.makeRuleset(id, idx + PRECEDENCE_STATIC_RULESETS_BASE, rules) + ); + } + const countRules = rulesets => + rulesets.reduce((sum, ruleset) => sum + ruleset.rules.length, 0); + const oldRulesCount = countRules(this.enabledStaticRules); + const newRulesCount = countRules(rulesets); + this.enabledStaticRules = rulesets; + this.totalRulesCount += newRulesCount - oldRulesCount; + this.#updateAllowAllRequestRules(); + } + + getSessionRules() { + return this.sessionRules.rules; + } + + getDynamicRules() { + return this.dynamicRules.rules; + } + + getRulesCount() { + return this.totalRulesCount; + } + + #updateAllowAllRequestRules() { + const filterAAR = rule => rule.action.type === "allowAllRequests"; + this.hasRulesWithAllowAllRequests = + this.sessionRules.rules.some(filterAAR) || + this.dynamicRules.rules.some(filterAAR) || + this.enabledStaticRules.some(ruleset => ruleset.rules.some(filterAAR)); + } +} + +function getRuleManager(extension, createIfMissing = true) { + let ruleManager = gRuleManagers.find(rm => rm.extension === extension); + if (!ruleManager && createIfMissing) { + if (extension.hasShutdown) { + throw new Error( + `Error on creating new DNR RuleManager after extension shutdown: ${extension.id}` + ); + } + ruleManager = new RuleManager(extension); + // The most recently installed extension gets priority, i.e. appears at the + // start of the gRuleManagers list. It is not yet possible to determine the + // installation time of a given Extension, so currently the last to + // instantiate a RuleManager claims the highest priority. + // TODO bug 1786059: order extensions by "installation time". + gRuleManagers.unshift(ruleManager); + if (gRuleManagers.length === 1) { + // The first DNR registration. + NetworkIntegration.register(); + } + } + return ruleManager; +} + +function clearRuleManager(extension) { + let i = gRuleManagers.findIndex(rm => rm.extension === extension); + if (i !== -1) { + gRuleManagers.splice(i, 1); + NetworkIntegration.maybeUpdateTabIdChecker(); + if (gRuleManagers.length === 0) { + // The last DNR registration. + NetworkIntegration.unregister(); + } + } +} + +/** + * Finds all matching rules for a request, optionally restricted to one + * extension. Used by declarativeNetRequest.testMatchOutcome. + * + * @param {object|RequestDetails} request + * @param {Extension} [extension] + * @returns {MatchedRule[]} + */ +function getMatchedRulesForRequest(request, extension) { + let requestDetails = new RequestDetails(request); + const { requestURI, initiatorURI } = requestDetails; + let ruleManagers = gRuleManagers; + if (extension) { + ruleManagers = ruleManagers.filter(rm => rm.extension === extension); + } + if ( + // NetworkIntegration.startDNREvaluation does not check requestURI, but we + // do that here to filter URIs that are obviously disallowed. In practice, + // anything other than http(s) is bogus and unsupported in DNR. + isRestrictedPrincipalURI(requestURI) || + // Equivalent to NetworkIntegration.startDNREvaluation's channel.canModify + // check, which excludes system requests and restricted domains. + WebExtensionPolicy.isRestrictedURI(requestURI) || + (initiatorURI && WebExtensionPolicy.isRestrictedURI(initiatorURI)) || + isRestrictedPrincipalURI(initiatorURI) + ) { + ruleManagers = []; + } + // While this simulated request is not really from another extension, apply + // the same access control checks from NetworkIntegration.startDNREvaluation + // for consistency. + if ( + !lazy.gMatchRequestsFromOtherExtensions && + initiatorURI?.schemeIs("moz-extension") + ) { + const extUuid = initiatorURI.host; + ruleManagers = ruleManagers.filter(rm => rm.extension.uuid === extUuid); + } + return RequestEvaluator.evaluateRequest(requestDetails, ruleManagers); +} + +/** + * Runs before any webRequest event is notified. Headers may be modified, but + * the request should not be canceled (see handleRequest instead). + * + * @param {ChannelWrapper} channel + * @param {string} kind - The name of the webRequest event. + */ +function beforeWebRequestEvent(channel, kind) { + try { + switch (kind) { + case "onBeforeRequest": + NetworkIntegration.startDNREvaluation(channel); + break; + case "onBeforeSendHeaders": + NetworkIntegration.onBeforeSendHeaders(channel); + break; + case "onHeadersReceived": + NetworkIntegration.onHeadersReceived(channel); + break; + } + } catch (e) { + Cu.reportError(e); + } +} + +/** + * Applies matching DNR rules, some of which may potentially cancel the request. + * + * @param {ChannelWrapper} channel + * @param {string} kind - The name of the webRequest event. + * @returns {boolean} Whether to ignore any responses from the webRequest API. + */ +function handleRequest(channel, kind) { + try { + if (kind === "onBeforeRequest") { + return NetworkIntegration.onBeforeRequest(channel); + } + } catch (e) { + Cu.reportError(e); + } + return false; +} + +async function initExtension(extension) { + // These permissions are NOT an OptionalPermission, so their status can be + // assumed to be constant for the lifetime of the extension. + if ( + extension.hasPermission("declarativeNetRequest") || + extension.hasPermission("declarativeNetRequestWithHostAccess") + ) { + if (extension.hasShutdown) { + throw new Error( + `Aborted ExtensionDNR.initExtension call, extension "${extension.id}" is not active anymore` + ); + } + extension.once("shutdown", () => clearRuleManager(extension)); + await lazy.ExtensionDNRStore.initExtension(extension); + } +} + +function ensureInitialized(extension) { + return (extension._dnrReady ??= initExtension(extension)); +} + +function validateManifestEntry(extension) { + const ruleResourcesArray = + extension.manifest.declarative_net_request.rule_resources; + + const getWarningMessage = msg => + `Warning processing declarative_net_request: ${msg}`; + + const { MAX_NUMBER_OF_STATIC_RULESETS } = lazy.ExtensionDNRLimits; + if (ruleResourcesArray.length > MAX_NUMBER_OF_STATIC_RULESETS) { + extension.manifestWarning( + getWarningMessage( + `Static rulesets are exceeding the MAX_NUMBER_OF_STATIC_RULESETS limit (${MAX_NUMBER_OF_STATIC_RULESETS}).` + ) + ); + } + + const seenRulesetIds = new Set(); + const seenRulesetPaths = new Set(); + const duplicatedRulesetIds = []; + const duplicatedRulesetPaths = []; + for (const [idx, { id, path }] of ruleResourcesArray.entries()) { + if (seenRulesetIds.has(id)) { + duplicatedRulesetIds.push({ idx, id }); + } + if (seenRulesetPaths.has(path)) { + duplicatedRulesetPaths.push({ idx, path }); + } + seenRulesetIds.add(id); + seenRulesetPaths.add(path); + } + + if (duplicatedRulesetIds.length) { + const errorDetails = duplicatedRulesetIds + .map(({ idx, id }) => `"${id}" at index ${idx}`) + .join(", "); + extension.manifestWarning( + getWarningMessage( + `Static ruleset ids should be unique, duplicated ruleset ids: ${errorDetails}.` + ) + ); + } + + if (duplicatedRulesetPaths.length) { + // NOTE: technically Chrome allows duplicated paths without any manifest + // validation warnings or errors, but if this happens it not unlikely to be + // actually a mistake in the manifest that may have been missed. + // + // In Firefox we decided to allow the same behavior to avoid introducing a chrome + // incompatibility, but we still warn about it to avoid extension developers + // to investigate more easily issue that may be due to duplicated rulesets + // paths. + const errorDetails = duplicatedRulesetPaths + .map(({ idx, path }) => `"${path}" at index ${idx}`) + .join(", "); + extension.manifestWarning( + getWarningMessage( + `Static rulesets paths are not unique, duplicated ruleset paths: ${errorDetails}.` + ) + ); + } + + const { MAX_NUMBER_OF_ENABLED_STATIC_RULESETS } = lazy.ExtensionDNRLimits; + + const enabledRulesets = ruleResourcesArray.filter(rs => rs.enabled); + if (enabledRulesets.length > MAX_NUMBER_OF_ENABLED_STATIC_RULESETS) { + const exceedingRulesetIds = enabledRulesets + .slice(MAX_NUMBER_OF_ENABLED_STATIC_RULESETS) + .map(ruleset => `"${ruleset.id}"`) + .join(", "); + extension.manifestWarning( + getWarningMessage( + `Enabled static rulesets are exceeding the MAX_NUMBER_OF_ENABLED_STATIC_RULESETS limit (${MAX_NUMBER_OF_ENABLED_STATIC_RULESETS}): ${exceedingRulesetIds}.` + ) + ); + } +} + +async function updateEnabledStaticRulesets(extension, updateRulesetOptions) { + await ensureInitialized(extension); + await lazy.ExtensionDNRStore.updateEnabledStaticRulesets( + extension, + updateRulesetOptions + ); +} + +async function updateDynamicRules(extension, updateRuleOptions) { + await ensureInitialized(extension); + await lazy.ExtensionDNRStore.updateDynamicRules(extension, updateRuleOptions); +} + +// exports used by the DNR API implementation. +export const ExtensionDNR = { + RuleValidator, + RuleQuotaCounter, + clearRuleManager, + ensureInitialized, + getMatchedRulesForRequest, + getRuleManager, + updateDynamicRules, + updateEnabledStaticRulesets, + validateManifestEntry, + beforeWebRequestEvent, + handleRequest, +}; |