summaryrefslogtreecommitdiffstats
path: root/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'toolkit/mozapps/extensions/AddonManagerWebAPI.cpp')
-rw-r--r--toolkit/mozapps/extensions/AddonManagerWebAPI.cpp170
1 files changed, 170 insertions, 0 deletions
diff --git a/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp b/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
new file mode 100644
index 0000000000..08ca2d1ec9
--- /dev/null
+++ b/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AddonManagerWebAPI.h"
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/Navigator.h"
+#include "mozilla/dom/NavigatorBinding.h"
+
+#include "mozilla/Preferences.h"
+#include "mozilla/StaticPrefs_extensions.h"
+#include "nsGlobalWindow.h"
+#include "xpcpublic.h"
+
+#include "nsIDocShell.h"
+#include "nsIScriptObjectPrincipal.h"
+
+namespace mozilla {
+using namespace mozilla::dom;
+
+#ifndef MOZ_THUNDERBIRD
+# define MOZ_AMO_HOSTNAME "addons.mozilla.org"
+# define MOZ_AMO_STAGE_HOSTNAME "addons.allizom.org"
+# define MOZ_AMO_DEV_HOSTNAME "addons-dev.allizom.org"
+#else
+# define MOZ_AMO_HOSTNAME "addons.thunderbird.net"
+# define MOZ_AMO_STAGE_HOSTNAME "addons-stage.thunderbird.net"
+# undef MOZ_AMO_DEV_HOSTNAME
+#endif
+
+static bool IsValidHost(const nsACString& host) {
+ // This hidden pref allows users to disable mozAddonManager entirely if they
+ // want for fingerprinting resistance. Someone like Tor browser will use this
+ // pref.
+ if (StaticPrefs::privacy_resistFingerprinting_block_mozAddonManager()) {
+ return false;
+ }
+
+ if (host.EqualsLiteral(MOZ_AMO_HOSTNAME)) {
+ return true;
+ }
+
+ // When testing allow access to the developer sites.
+ if (StaticPrefs::extensions_webapi_testing()) {
+ if (host.LowerCaseEqualsLiteral(MOZ_AMO_STAGE_HOSTNAME) ||
+#ifdef MOZ_AMO_DEV_HOSTNAME
+ host.LowerCaseEqualsLiteral(MOZ_AMO_DEV_HOSTNAME) ||
+#endif
+ host.LowerCaseEqualsLiteral("example.com")) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+// Checks if the given uri is secure and matches one of the hosts allowed to
+// access the API.
+bool AddonManagerWebAPI::IsValidSite(nsIURI* uri) {
+ if (!uri) {
+ return false;
+ }
+
+ if (!uri->SchemeIs("https")) {
+ if (!(xpc::IsInAutomation() &&
+ StaticPrefs::extensions_webapi_testing_http())) {
+ return false;
+ }
+ }
+
+ nsAutoCString host;
+ nsresult rv = uri->GetHost(host);
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ return IsValidHost(host);
+}
+
+#ifndef ANDROID
+bool AddonManagerWebAPI::IsAPIEnabled(JSContext* aCx, JSObject* aGlobal) {
+ MOZ_DIAGNOSTIC_ASSERT(JS_IsGlobalObject(aGlobal));
+ nsCOMPtr<nsPIDOMWindowInner> win = xpc::WindowOrNull(aGlobal);
+ if (!win) {
+ return false;
+ }
+
+ // Check that the current window and all parent frames are allowed access to
+ // the API.
+ while (win) {
+ nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(win);
+ if (!sop) {
+ return false;
+ }
+
+ nsCOMPtr<nsIPrincipal> principal = sop->GetPrincipal();
+ if (!principal) {
+ return false;
+ }
+
+ // Reaching a window with a system principal means we have reached
+ // privileged UI of some kind so stop at this point and allow access.
+ if (principal->IsSystemPrincipal()) {
+ return true;
+ }
+
+ nsCOMPtr<nsIDocShell> docShell = win->GetDocShell();
+ if (!docShell) {
+ // This window has been torn down so don't allow access to the API.
+ return false;
+ }
+
+ if (!IsValidSite(win->GetDocumentURI())) {
+ return false;
+ }
+
+ // Checks whether there is a parent frame of the same type. This won't cross
+ // mozbrowser or chrome or fission/process boundaries.
+ nsCOMPtr<nsIDocShellTreeItem> parent;
+ nsresult rv = docShell->GetInProcessSameTypeParent(getter_AddRefs(parent));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ // No parent means we've hit a mozbrowser or chrome or process boundary.
+ if (!parent) {
+ // With Fission, a cross-origin iframe has an out-of-process parent, but
+ // DocShell knows nothing about it. We need to ask BrowsingContext here,
+ // and only allow API access if AMO is actually at the top, not framed
+ // by evilleagueofevil.com.
+ return docShell->GetBrowsingContext()->IsTopContent();
+ }
+
+ Document* doc = win->GetDoc();
+ if (!doc) {
+ return false;
+ }
+
+ doc = doc->GetInProcessParentDocument();
+ if (!doc) {
+ // Getting here means something has been torn down so fail safe.
+ return false;
+ }
+
+ win = doc->GetInnerWindow();
+ }
+
+ // Found a document with no inner window, don't grant access to the API.
+ return false;
+}
+#else // We don't support mozAddonManager on Android
+bool AddonManagerWebAPI::IsAPIEnabled(JSContext* aCx, JSObject* aGlobal) {
+ return false;
+}
+#endif // ifndef ANDROID
+
+namespace dom {
+
+bool AddonManagerPermissions::IsHostPermitted(const GlobalObject& /*unused*/,
+ const nsAString& host) {
+ return IsValidHost(NS_ConvertUTF16toUTF8(host));
+}
+
+} // namespace dom
+
+} // namespace mozilla