diff options
Diffstat (limited to 'netwerk/cookie/CookieCommons.cpp')
-rw-r--r-- | netwerk/cookie/CookieCommons.cpp | 735 |
1 files changed, 735 insertions, 0 deletions
diff --git a/netwerk/cookie/CookieCommons.cpp b/netwerk/cookie/CookieCommons.cpp new file mode 100644 index 0000000000..52b61c4e95 --- /dev/null +++ b/netwerk/cookie/CookieCommons.cpp @@ -0,0 +1,735 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "Cookie.h" +#include "CookieCommons.h" +#include "CookieLogging.h" +#include "CookieService.h" +#include "mozilla/ConsoleReportCollector.h" +#include "mozilla/ContentBlockingNotifier.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/StaticPrefs_network.h" +#include "mozilla/StorageAccess.h" +#include "mozilla/dom/Document.h" +#include "mozilla/dom/nsMixedContentBlocker.h" +#include "mozilla/net/CookieJarSettings.h" +#include "mozIThirdPartyUtil.h" +#include "nsContentUtils.h" +#include "nsICookiePermission.h" +#include "nsICookieService.h" +#include "nsIEffectiveTLDService.h" +#include "nsIRedirectHistoryEntry.h" +#include "nsIWebProgressListener.h" +#include "nsNetUtil.h" +#include "nsScriptSecurityManager.h" +#include "ThirdPartyUtil.h" + +namespace mozilla { + +using dom::Document; + +namespace net { + +// static +bool CookieCommons::DomainMatches(Cookie* aCookie, const nsACString& aHost) { + // first, check for an exact host or domain cookie match, e.g. "google.com" + // or ".google.com"; second a subdomain match, e.g. + // host = "mail.google.com", cookie domain = ".google.com". + return aCookie->RawHost() == aHost || + (aCookie->IsDomain() && StringEndsWith(aHost, aCookie->Host())); +} + +// static +bool CookieCommons::PathMatches(Cookie* aCookie, const nsACString& aPath) { + nsCString cookiePath(aCookie->GetFilePath()); + + // if our cookie path is empty we can't really perform our prefix check, and + // also we can't check the last character of the cookie path, so we would + // never return a successful match. + if (cookiePath.IsEmpty()) { + return false; + } + + // if the cookie path and the request path are identical, they match. + if (cookiePath.Equals(aPath)) { + return true; + } + + // if the cookie path is a prefix of the request path, and the last character + // of the cookie path is %x2F ("/"), they match. + bool isPrefix = StringBeginsWith(aPath, cookiePath); + if (isPrefix && cookiePath.Last() == '/') { + return true; + } + + // if the cookie path is a prefix of the request path, and the first character + // of the request path that is not included in the cookie path is a %x2F ("/") + // character, they match. + uint32_t cookiePathLen = cookiePath.Length(); + return isPrefix && aPath[cookiePathLen] == '/'; +} + +// Get the base domain for aHostURI; e.g. for "www.bbc.co.uk", this would be +// "bbc.co.uk". Only properly-formed URI's are tolerated, though a trailing +// dot may be present. If aHostURI is an IP address, an alias such as +// 'localhost', an eTLD such as 'co.uk', or the empty string, aBaseDomain will +// be the exact host, and aRequireHostMatch will be true to indicate that +// substring matches should not be performed. +nsresult CookieCommons::GetBaseDomain(nsIEffectiveTLDService* aTLDService, + nsIURI* aHostURI, nsACString& aBaseDomain, + bool& aRequireHostMatch) { + // get the base domain. this will fail if the host contains a leading dot, + // more than one trailing dot, or is otherwise malformed. + nsresult rv = aTLDService->GetBaseDomain(aHostURI, 0, aBaseDomain); + aRequireHostMatch = rv == NS_ERROR_HOST_IS_IP_ADDRESS || + rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS; + if (aRequireHostMatch) { + // aHostURI is either an IP address, an alias such as 'localhost', an eTLD + // such as 'co.uk', or the empty string. use the host as a key in such + // cases. + rv = nsContentUtils::GetHostOrIPv6WithBrackets(aHostURI, aBaseDomain); + } + NS_ENSURE_SUCCESS(rv, rv); + + // aHost (and thus aBaseDomain) may be the string '.'. If so, fail. + if (aBaseDomain.Length() == 1 && aBaseDomain.Last() == '.') { + return NS_ERROR_INVALID_ARG; + } + + // block any URIs without a host that aren't file:// URIs. + if (aBaseDomain.IsEmpty() && !aHostURI->SchemeIs("file")) { + return NS_ERROR_INVALID_ARG; + } + + return NS_OK; +} + +nsresult CookieCommons::GetBaseDomain(nsIPrincipal* aPrincipal, + nsACString& aBaseDomain) { + MOZ_ASSERT(aPrincipal); + + // for historical reasons we use ascii host for file:// URLs. + if (aPrincipal->SchemeIs("file")) { + return nsContentUtils::GetHostOrIPv6WithBrackets(aPrincipal, aBaseDomain); + } + + nsresult rv = aPrincipal->GetBaseDomain(aBaseDomain); + if (NS_FAILED(rv)) { + return rv; + } + + nsContentUtils::MaybeFixIPv6Host(aBaseDomain); + return NS_OK; +} + +// Get the base domain for aHost; e.g. for "www.bbc.co.uk", this would be +// "bbc.co.uk". This is done differently than GetBaseDomain(mTLDService, ): it +// is assumed that aHost is already normalized, and it may contain a leading dot +// (indicating that it represents a domain). A trailing dot may be present. +// If aHost is an IP address, an alias such as 'localhost', an eTLD such as +// 'co.uk', or the empty string, aBaseDomain will be the exact host, and a +// leading dot will be treated as an error. +nsresult CookieCommons::GetBaseDomainFromHost( + nsIEffectiveTLDService* aTLDService, const nsACString& aHost, + nsCString& aBaseDomain) { + // aHost must not be the string '.'. + if (aHost.Length() == 1 && aHost.Last() == '.') { + return NS_ERROR_INVALID_ARG; + } + + // aHost may contain a leading dot; if so, strip it now. + bool domain = !aHost.IsEmpty() && aHost.First() == '.'; + + // get the base domain. this will fail if the host contains a leading dot, + // more than one trailing dot, or is otherwise malformed. + nsresult rv = aTLDService->GetBaseDomainFromHost(Substring(aHost, domain), 0, + aBaseDomain); + if (rv == NS_ERROR_HOST_IS_IP_ADDRESS || + rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) { + // aHost is either an IP address, an alias such as 'localhost', an eTLD + // such as 'co.uk', or the empty string. use the host as a key in such + // cases; however, we reject any such hosts with a leading dot, since it + // doesn't make sense for them to be domain cookies. + if (domain) { + return NS_ERROR_INVALID_ARG; + } + + aBaseDomain = aHost; + return NS_OK; + } + return rv; +} + +namespace { + +void NotifyRejectionToObservers(nsIURI* aHostURI, CookieOperation aOperation) { + if (aOperation == OPERATION_WRITE) { + nsCOMPtr<nsIObserverService> os = services::GetObserverService(); + if (os) { + os->NotifyObservers(aHostURI, "cookie-rejected", nullptr); + } + } else { + MOZ_ASSERT(aOperation == OPERATION_READ); + } +} + +} // namespace + +// Notify observers that a cookie was rejected due to the users' prefs. +void CookieCommons::NotifyRejected(nsIURI* aHostURI, nsIChannel* aChannel, + uint32_t aRejectedReason, + CookieOperation aOperation) { + NotifyRejectionToObservers(aHostURI, aOperation); + + ContentBlockingNotifier::OnDecision( + aChannel, ContentBlockingNotifier::BlockingDecision::eBlock, + aRejectedReason); +} + +bool CookieCommons::CheckPathSize(const CookieStruct& aCookieData) { + return aCookieData.path().Length() <= kMaxBytesPerPath; +} + +bool CookieCommons::CheckNameAndValueSize(const CookieStruct& aCookieData) { + // reject cookie if it's over the size limit, per RFC2109 + return (aCookieData.name().Length() + aCookieData.value().Length()) <= + kMaxBytesPerCookie; +} + +bool CookieCommons::CheckName(const CookieStruct& aCookieData) { + const char illegalNameCharacters[] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, + 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, + 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x00}; + + const auto* start = aCookieData.name().BeginReading(); + const auto* end = aCookieData.name().EndReading(); + + auto charFilter = [&](unsigned char c) { + if (StaticPrefs::network_cookie_blockUnicode() && c >= 0x80) { + return true; + } + return std::find(std::begin(illegalNameCharacters), + std::end(illegalNameCharacters), + c) != std::end(illegalNameCharacters); + }; + + return std::find_if(start, end, charFilter) == end; +} + +bool CookieCommons::CheckValue(const CookieStruct& aCookieData) { + // reject cookie if value contains an RFC 6265 disallowed character - see + // https://bugzilla.mozilla.org/show_bug.cgi?id=1191423 + // NOTE: this is not the full set of characters disallowed by 6265 - notably + // 0x09, 0x20, 0x22, 0x2C, and 0x5C are missing from this list. + const char illegalCharacters[] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x0A, 0x0B, 0x0C, + 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x3B, 0x7F, 0x00}; + + const auto* start = aCookieData.value().BeginReading(); + const auto* end = aCookieData.value().EndReading(); + + auto charFilter = [&](unsigned char c) { + if (StaticPrefs::network_cookie_blockUnicode() && c >= 0x80) { + return true; + } + return std::find(std::begin(illegalCharacters), std::end(illegalCharacters), + c) != std::end(illegalCharacters); + }; + + return std::find_if(start, end, charFilter) == end; +} + +// static +bool CookieCommons::CheckCookiePermission(nsIChannel* aChannel, + CookieStruct& aCookieData) { + if (!aChannel) { + // No channel, let's assume this is a system-principal request. + return true; + } + + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + nsCOMPtr<nsICookieJarSettings> cookieJarSettings; + nsresult rv = + loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return true; + } + + nsIScriptSecurityManager* ssm = + nsScriptSecurityManager::GetScriptSecurityManager(); + MOZ_ASSERT(ssm); + + nsCOMPtr<nsIPrincipal> channelPrincipal; + rv = ssm->GetChannelURIPrincipal(aChannel, getter_AddRefs(channelPrincipal)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + return CheckCookiePermission(channelPrincipal, cookieJarSettings, + aCookieData); +} + +// static +bool CookieCommons::CheckCookiePermission( + nsIPrincipal* aPrincipal, nsICookieJarSettings* aCookieJarSettings, + CookieStruct& aCookieData) { + MOZ_ASSERT(aPrincipal); + MOZ_ASSERT(aCookieJarSettings); + + if (!aPrincipal->GetIsContentPrincipal()) { + return true; + } + + uint32_t cookiePermission = nsICookiePermission::ACCESS_DEFAULT; + nsresult rv = + aCookieJarSettings->CookiePermission(aPrincipal, &cookiePermission); + if (NS_WARN_IF(NS_FAILED(rv))) { + return true; + } + + if (cookiePermission == nsICookiePermission::ACCESS_ALLOW) { + return true; + } + + if (cookiePermission == nsICookiePermission::ACCESS_SESSION) { + aCookieData.isSession() = true; + return true; + } + + if (cookiePermission == nsICookiePermission::ACCESS_DENY) { + return false; + } + + return true; +} + +namespace { + +CookieStatus CookieStatusForWindow(nsPIDOMWindowInner* aWindow, + nsIURI* aDocumentURI) { + MOZ_ASSERT(aWindow); + MOZ_ASSERT(aDocumentURI); + + ThirdPartyUtil* thirdPartyUtil = ThirdPartyUtil::GetInstance(); + if (thirdPartyUtil) { + bool isThirdParty = true; + + nsresult rv = thirdPartyUtil->IsThirdPartyWindow( + aWindow->GetOuterWindow(), aDocumentURI, &isThirdParty); + NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Third-party window check failed."); + + if (NS_SUCCEEDED(rv) && !isThirdParty) { + return STATUS_ACCEPTED; + } + } + + if (StaticPrefs::network_cookie_thirdparty_sessionOnly()) { + return STATUS_ACCEPT_SESSION; + } + + if (StaticPrefs::network_cookie_thirdparty_nonsecureSessionOnly() && + !nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(aDocumentURI)) { + return STATUS_ACCEPT_SESSION; + } + + return STATUS_ACCEPTED; +} + +} // namespace + +// static +already_AddRefed<Cookie> CookieCommons::CreateCookieFromDocument( + Document* aDocument, const nsACString& aCookieString, + int64_t currentTimeInUsec, nsIEffectiveTLDService* aTLDService, + mozIThirdPartyUtil* aThirdPartyUtil, + std::function<bool(const nsACString&, const OriginAttributes&)>&& + aHasExistingCookiesLambda, + nsIURI** aDocumentURI, nsACString& aBaseDomain, OriginAttributes& aAttrs) { + nsCOMPtr<nsIPrincipal> storagePrincipal = + aDocument->EffectiveCookiePrincipal(); + MOZ_ASSERT(storagePrincipal); + + nsCOMPtr<nsIURI> principalURI; + auto* basePrincipal = BasePrincipal::Cast(aDocument->NodePrincipal()); + basePrincipal->GetURI(getter_AddRefs(principalURI)); + if (NS_WARN_IF(!principalURI)) { + // Document's principal is not a content or null (may be system), so + // can't set cookies + return nullptr; + } + + if (!CookieCommons::IsSchemeSupported(principalURI)) { + return nullptr; + } + + nsAutoCString baseDomain; + bool requireHostMatch = false; + nsresult rv = CookieCommons::GetBaseDomain(aTLDService, principalURI, + baseDomain, requireHostMatch); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nullptr; + } + + nsPIDOMWindowInner* innerWindow = aDocument->GetInnerWindow(); + if (NS_WARN_IF(!innerWindow)) { + return nullptr; + } + + // Check if limit-foreign is required. + uint32_t dummyRejectedReason = 0; + if (aDocument->CookieJarSettings()->GetLimitForeignContexts() && + !aHasExistingCookiesLambda(baseDomain, + storagePrincipal->OriginAttributesRef()) && + !ShouldAllowAccessFor(innerWindow, principalURI, &dummyRejectedReason)) { + return nullptr; + } + + bool isForeignAndNotAddon = false; + if (!BasePrincipal::Cast(aDocument->NodePrincipal())->AddonPolicy()) { + rv = aThirdPartyUtil->IsThirdPartyWindow( + innerWindow->GetOuterWindow(), principalURI, &isForeignAndNotAddon); + if (NS_WARN_IF(NS_FAILED(rv))) { + isForeignAndNotAddon = true; + } + } + + // If we are here, we have been already accepted by the anti-tracking. + // We just need to check if we have to be in session-only mode. + CookieStatus cookieStatus = CookieStatusForWindow(innerWindow, principalURI); + MOZ_ASSERT(cookieStatus == STATUS_ACCEPTED || + cookieStatus == STATUS_ACCEPT_SESSION); + + // Console report takes care of the correct reporting at the exit of this + // method. + RefPtr<ConsoleReportCollector> crc = new ConsoleReportCollector(); + auto scopeExit = MakeScopeExit([&] { crc->FlushConsoleReports(aDocument); }); + + nsCString cookieString(aCookieString); + + CookieStruct cookieData; + MOZ_ASSERT(cookieData.creationTime() == 0, "Must be initialized to 0"); + bool canSetCookie = false; + CookieService::CanSetCookie(principalURI, baseDomain, cookieData, + requireHostMatch, cookieStatus, cookieString, + false, isForeignAndNotAddon, crc, canSetCookie); + + if (!canSetCookie) { + return nullptr; + } + + // check permissions from site permission list. + if (!CookieCommons::CheckCookiePermission(aDocument->NodePrincipal(), + aDocument->CookieJarSettings(), + cookieData)) { + NotifyRejectionToObservers(principalURI, OPERATION_WRITE); + ContentBlockingNotifier::OnDecision( + innerWindow, ContentBlockingNotifier::BlockingDecision::eBlock, + nsIWebProgressListener::STATE_COOKIES_BLOCKED_BY_PERMISSION); + return nullptr; + } + + RefPtr<Cookie> cookie = + Cookie::Create(cookieData, storagePrincipal->OriginAttributesRef()); + MOZ_ASSERT(cookie); + + cookie->SetLastAccessed(currentTimeInUsec); + cookie->SetCreationTime( + Cookie::GenerateUniqueCreationTime(currentTimeInUsec)); + + aBaseDomain = baseDomain; + aAttrs = storagePrincipal->OriginAttributesRef(); + principalURI.forget(aDocumentURI); + + return cookie.forget(); +} + +// static +already_AddRefed<nsICookieJarSettings> CookieCommons::GetCookieJarSettings( + nsIChannel* aChannel) { + nsCOMPtr<nsICookieJarSettings> cookieJarSettings; + bool shouldResistFingerprinting = + nsContentUtils::ShouldResistFingerprinting(aChannel); + if (aChannel) { + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + nsresult rv = + loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings)); + if (NS_WARN_IF(NS_FAILED(rv))) { + cookieJarSettings = + CookieJarSettings::GetBlockingAll(shouldResistFingerprinting); + } + } else { + cookieJarSettings = CookieJarSettings::Create(CookieJarSettings::eRegular, + shouldResistFingerprinting); + } + + MOZ_ASSERT(cookieJarSettings); + return cookieJarSettings.forget(); +} + +// static +bool CookieCommons::ShouldIncludeCrossSiteCookieForDocument(Cookie* aCookie) { + MOZ_ASSERT(aCookie); + + int32_t sameSiteAttr = 0; + aCookie->GetSameSite(&sameSiteAttr); + + return sameSiteAttr == nsICookie::SAMESITE_NONE; +} + +bool CookieCommons::IsSafeTopLevelNav(nsIChannel* aChannel) { + if (!aChannel) { + return false; + } + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + nsCOMPtr<nsIInterceptionInfo> interceptionInfo = loadInfo->InterceptionInfo(); + if ((loadInfo->GetExternalContentPolicyType() != + ExtContentPolicy::TYPE_DOCUMENT && + loadInfo->GetExternalContentPolicyType() != + ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD) && + !interceptionInfo) { + return false; + } + + if (interceptionInfo && + interceptionInfo->GetExtContentPolicyType() != + ExtContentPolicy::TYPE_DOCUMENT && + interceptionInfo->GetExtContentPolicyType() != + ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD && + interceptionInfo->GetExtContentPolicyType() != + ExtContentPolicy::TYPE_INVALID) { + return false; + } + + return NS_IsSafeMethodNav(aChannel); +} + +// This function determines if two schemes are equal in the context of +// "Schemeful SameSite cookies". +// +// Two schemes are considered equal: +// - if the "network.cookie.sameSite.schemeful" pref is set to false. +// OR +// - if one of the schemes is not http or https. +// OR +// - if both schemes are equal AND both are either http or https. +bool IsSameSiteSchemeEqual(const nsACString& aFirstScheme, + const nsACString& aSecondScheme) { + if (!StaticPrefs::network_cookie_sameSite_schemeful()) { + return true; + } + + auto isSchemeHttpOrHttps = [](const nsACString& scheme) -> bool { + return scheme.EqualsLiteral("http") || scheme.EqualsLiteral("https"); + }; + + if (!isSchemeHttpOrHttps(aFirstScheme) || + !isSchemeHttpOrHttps(aSecondScheme)) { + return true; + } + + return aFirstScheme.Equals(aSecondScheme); +} + +bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI, + bool* aHadCrossSiteRedirects) { + *aHadCrossSiteRedirects = false; + + if (!aChannel) { + return false; + } + nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); + // Do not treat loads triggered by web extensions as foreign + nsCOMPtr<nsIURI> channelURI; + NS_GetFinalChannelURI(aChannel, getter_AddRefs(channelURI)); + + nsCOMPtr<nsIInterceptionInfo> interceptionInfo = loadInfo->InterceptionInfo(); + + RefPtr<BasePrincipal> triggeringPrincipal; + ExtContentPolicy contentPolicyType; + if (interceptionInfo && interceptionInfo->TriggeringPrincipal()) { + triggeringPrincipal = + BasePrincipal::Cast(interceptionInfo->TriggeringPrincipal()); + contentPolicyType = interceptionInfo->GetExtContentPolicyType(); + } else { + triggeringPrincipal = BasePrincipal::Cast(loadInfo->TriggeringPrincipal()); + contentPolicyType = loadInfo->GetExternalContentPolicyType(); + + if (triggeringPrincipal->AddonPolicy() && + triggeringPrincipal->AddonAllowsLoad(channelURI)) { + return false; + } + } + const nsTArray<nsCOMPtr<nsIRedirectHistoryEntry>>& redirectChain( + interceptionInfo && interceptionInfo->TriggeringPrincipal() + ? interceptionInfo->RedirectChain() + : loadInfo->RedirectChain()); + + nsAutoCString hostScheme, otherScheme; + aHostURI->GetScheme(hostScheme); + + bool isForeign = true; + nsresult rv; + if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT || + contentPolicyType == ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD) { + // for loads of TYPE_DOCUMENT we query the hostURI from the + // triggeringPrincipal which returns the URI of the document that caused the + // navigation. + rv = triggeringPrincipal->IsThirdPartyChannel(aChannel, &isForeign); + + triggeringPrincipal->GetScheme(otherScheme); + } else { + // If the load is caused by FetchEvent.request or NavigationPreload request, + // check the original InterceptedHttpChannel is a third-party channel or + // not. + if (interceptionInfo && interceptionInfo->TriggeringPrincipal()) { + isForeign = interceptionInfo->FromThirdParty(); + if (isForeign) { + return true; + } + } + nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil = + do_GetService(THIRDPARTYUTIL_CONTRACTID); + if (!thirdPartyUtil) { + return true; + } + rv = thirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI, &isForeign); + + channelURI->GetScheme(otherScheme); + } + // if we are dealing with a cross origin request, we can return here + // because we already know the request is 'foreign'. + if (NS_FAILED(rv) || isForeign) { + return true; + } + + if (!IsSameSiteSchemeEqual(otherScheme, hostScheme)) { + // If the two schemes are not of the same http(s) scheme then we + // consider the request as foreign. + return true; + } + + // for loads of TYPE_SUBDOCUMENT we have to perform an additional test, + // because a cross-origin iframe might perform a navigation to a same-origin + // iframe which would send same-site cookies. Hence, if the iframe navigation + // was triggered by a cross-origin triggeringPrincipal, we treat the load as + // foreign. + if (contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT) { + rv = triggeringPrincipal->IsThirdPartyChannel(aChannel, &isForeign); + if (NS_FAILED(rv) || isForeign) { + return true; + } + } + + // for the purpose of same-site cookies we have to treat any cross-origin + // redirects as foreign. E.g. cross-site to same-site redirect is a problem + // with regards to CSRF. + + nsCOMPtr<nsIPrincipal> redirectPrincipal; + for (nsIRedirectHistoryEntry* entry : redirectChain) { + entry->GetPrincipal(getter_AddRefs(redirectPrincipal)); + if (redirectPrincipal) { + rv = redirectPrincipal->IsThirdPartyChannel(aChannel, &isForeign); + // if at any point we encounter a cross-origin redirect we can return. + if (NS_FAILED(rv) || isForeign) { + *aHadCrossSiteRedirects = isForeign; + return true; + } + + nsAutoCString redirectScheme; + redirectPrincipal->GetScheme(redirectScheme); + if (!IsSameSiteSchemeEqual(redirectScheme, hostScheme)) { + // If the two schemes are not of the same http(s) scheme then we + // consider the request as foreign. + *aHadCrossSiteRedirects = true; + return true; + } + } + } + return isForeign; +} + +// static +nsICookie::schemeType CookieCommons::URIToSchemeType(nsIURI* aURI) { + MOZ_ASSERT(aURI); + + nsAutoCString scheme; + nsresult rv = aURI->GetScheme(scheme); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsICookie::SCHEME_UNSET; + } + + return SchemeToSchemeType(scheme); +} + +// static +nsICookie::schemeType CookieCommons::PrincipalToSchemeType( + nsIPrincipal* aPrincipal) { + MOZ_ASSERT(aPrincipal); + + nsAutoCString scheme; + nsresult rv = aPrincipal->GetScheme(scheme); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nsICookie::SCHEME_UNSET; + } + + return SchemeToSchemeType(scheme); +} + +// static +nsICookie::schemeType CookieCommons::SchemeToSchemeType( + const nsACString& aScheme) { + MOZ_ASSERT(IsSchemeSupported(aScheme)); + + if (aScheme.Equals("https")) { + return nsICookie::SCHEME_HTTPS; + } + + if (aScheme.Equals("http")) { + return nsICookie::SCHEME_HTTP; + } + + if (aScheme.Equals("file")) { + return nsICookie::SCHEME_FILE; + } + + MOZ_CRASH("Unsupported scheme type"); +} + +// static +bool CookieCommons::IsSchemeSupported(nsIPrincipal* aPrincipal) { + MOZ_ASSERT(aPrincipal); + + nsAutoCString scheme; + nsresult rv = aPrincipal->GetScheme(scheme); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + return IsSchemeSupported(scheme); +} + +// static +bool CookieCommons::IsSchemeSupported(nsIURI* aURI) { + MOZ_ASSERT(aURI); + + nsAutoCString scheme; + nsresult rv = aURI->GetScheme(scheme); + if (NS_WARN_IF(NS_FAILED(rv))) { + return false; + } + + return IsSchemeSupported(scheme); +} + +// static +bool CookieCommons::IsSchemeSupported(const nsACString& aScheme) { + return aScheme.Equals("https") || aScheme.Equals("http") || + aScheme.Equals("file"); +} + +} // namespace net +} // namespace mozilla |