1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_dom_FeaturePolicy_h
#define mozilla_dom_FeaturePolicy_h
#include "nsCycleCollectionParticipant.h"
#include "nsIPrincipal.h"
#include "nsStringFwd.h"
#include "nsTArray.h"
#include "nsWrapperCache.h"
/**
* FeaturePolicy
* ~~~~~~~~~~~~~
*
* Each document and each HTMLIFrameElement have a FeaturePolicy object which is
* used to allow or deny features in their contexts.
*
* FeaturePolicy is composed by a set of directives configured by the
* 'Feature-Policy' HTTP Header and the 'allow' attribute in HTMLIFrameElements.
* Both header and attribute are parsed by FeaturePolicyParser which returns an
* array of Feature objects. Each Feature object has a feature name and one of
* these policies:
* - eNone - the feature is fully disabled.
* - eAll - the feature is allowed.
* - eAllowList - the feature is allowed for a list of origins.
*
* An interesting element of FeaturePolicy is the inheritance: each context
* inherits the feature-policy directives from the parent context, if it exists.
* When a context inherits a policy for feature X, it only knows if that feature
* is allowed or denied (it ignores the list of allowed origins for instance).
* This information is stored in an array of inherited feature strings because
* we care only to know when they are denied.
*
* FeaturePolicy can be reset if the 'allow' or 'src' attributes change in
* HTMLIFrameElements. 'src' attribute is important to compute correcly
* the features via FeaturePolicy 'src' keyword.
*
* When FeaturePolicy must decide if feature X is allowed or denied for the
* current origin, it checks if the parent context denied that feature.
* If not, it checks if there is a Feature object for that
* feature named X and if the origin is allowed or not.
*
* From a C++ point of view, use FeaturePolicyUtils to obtain the list of
* features and to check if they are allowed in the current context.
*
* dom.security.featurePolicy.header.enabled pref can be used to disable the
* HTTP header support.
**/
class nsINode;
namespace mozilla::dom {
class Document;
class Feature;
template <typename T>
class Optional;
class FeaturePolicyUtils;
class FeaturePolicy final : public nsISupports, public nsWrapperCache {
friend class FeaturePolicyUtils;
public:
NS_DECL_CYCLE_COLLECTING_ISUPPORTS
NS_DECL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(FeaturePolicy)
explicit FeaturePolicy(nsINode* aNode);
// A FeaturePolicy must have a default origin.
// This method must be called before any other exposed WebIDL method or before
// checking if a feature is allowed.
void SetDefaultOrigin(nsIPrincipal* aPrincipal) {
mDefaultOrigin = aPrincipal;
}
void SetSrcOrigin(nsIPrincipal* aPrincipal) { mSrcOrigin = aPrincipal; }
nsIPrincipal* DefaultOrigin() const { return mDefaultOrigin; }
// Inherits the policy from the 'parent' context if it exists.
void InheritPolicy(FeaturePolicy* aParentFeaturePolicy);
// Sets the declarative part of the policy. This can be from the HTTP header
// or for the 'allow' HTML attribute.
void SetDeclaredPolicy(mozilla::dom::Document* aDocument,
const nsAString& aPolicyString,
nsIPrincipal* aSelfOrigin, nsIPrincipal* aSrcOrigin);
// This method creates a policy for aFeatureName allowing it to '*' if it
// doesn't exist yet. It's used by HTMLIFrameElement to enable features by
// attributes.
void MaybeSetAllowedPolicy(const nsAString& aFeatureName);
// Clears all the declarative policy directives. This is needed when the
// 'allow' attribute or the 'src' attribute change for HTMLIFrameElement's
// policy.
void ResetDeclaredPolicy();
// This method appends a feature to in-chain declared allowlist. If the name's
// feature existed in the list, we only need to append the allowlist of new
// feature to the existed one.
void AppendToDeclaredAllowInAncestorChain(const Feature& aFeature);
// This method returns true if aFeatureName is declared as "*" (allow all)
// in parent.
bool HasFeatureUnsafeAllowsAll(const nsAString& aFeatureName) const;
// This method returns true if the aFeatureName is allowed for aOrigin
// explicitly in ancestor chain,
bool AllowsFeatureExplicitlyInAncestorChain(const nsAString& aFeatureName,
nsIPrincipal* aOrigin) const;
bool IsSameOriginAsSrc(nsIPrincipal* aPrincipal) const;
// WebIDL internal methods.
JSObject* WrapObject(JSContext* aCx,
JS::Handle<JSObject*> aGivenProto) override;
nsINode* GetParentObject() const { return mParentNode; }
// WebIDL explosed methods.
bool AllowsFeature(const nsAString& aFeatureName,
const Optional<nsAString>& aOrigin) const;
void Features(nsTArray<nsString>& aFeatures);
void AllowedFeatures(nsTArray<nsString>& aAllowedFeatures);
void GetAllowlistForFeature(const nsAString& aFeatureName,
nsTArray<nsString>& aList) const;
const nsTArray<nsString>& InheritedDeniedFeatureNames() const {
return mInheritedDeniedFeatureNames;
}
const nsTArray<nsString>& AttributeEnabledFeatureNames() const {
return mAttributeEnabledFeatureNames;
}
void SetInheritedDeniedFeatureNames(
const nsTArray<nsString>& aInheritedDeniedFeatureNames) {
mInheritedDeniedFeatureNames = aInheritedDeniedFeatureNames.Clone();
}
const nsAString& DeclaredString() const { return mDeclaredString; }
nsIPrincipal* GetSelfOrigin() const { return mSelfOrigin; }
nsIPrincipal* GetSrcOrigin() const { return mSrcOrigin; }
private:
~FeaturePolicy() = default;
// This method returns true if the aFeatureName is allowed for aOrigin,
// following the feature-policy directives. See the comment at the top of this
// file.
bool AllowsFeatureInternal(const nsAString& aFeatureName,
nsIPrincipal* aOrigin) const;
// Inherits a single denied feature from the parent context.
void SetInheritedDeniedFeature(const nsAString& aFeatureName);
bool HasInheritedDeniedFeature(const nsAString& aFeatureName) const;
// This returns true if we have a declared feature policy for aFeatureName.
bool HasDeclaredFeature(const nsAString& aFeatureName) const;
nsINode* mParentNode;
// This is set in sub-contexts when the parent blocks some feature for the
// current context.
nsTArray<nsString> mInheritedDeniedFeatureNames;
// The list of features that have been enabled via MaybeSetAllowedPolicy.
nsTArray<nsString> mAttributeEnabledFeatureNames;
// This is set of feature names when the parent allows all for that feature.
nsTArray<nsString> mParentAllowedAllFeatures;
// The explicitly declared policy contains allowlist as a set of origins
// except 'none' and '*'. This set contains all explicitly declared policies
// in ancestor chain
nsTArray<Feature> mDeclaredFeaturesInAncestorChain;
// Feature policy for the current context.
nsTArray<Feature> mFeatures;
// Declared string represents Feature policy.
nsString mDeclaredString;
nsCOMPtr<nsIPrincipal> mDefaultOrigin;
nsCOMPtr<nsIPrincipal> mSelfOrigin;
nsCOMPtr<nsIPrincipal> mSrcOrigin;
};
} // namespace mozilla::dom
#endif // mozilla_dom_FeaturePolicy_h
|