/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "StoragePrincipalHelper.h" #include "mozilla/ipc/PBackgroundSharedTypes.h" #include "mozilla/dom/Document.h" #include "mozilla/dom/WorkerPrivate.h" #include "mozilla/net/CookieJarSettings.h" #include "mozilla/ScopeExit.h" #include "mozilla/StaticPrefs_privacy.h" #include "mozilla/StorageAccess.h" #include "nsContentUtils.h" #include "nsICookieJarSettings.h" #include "nsICookieService.h" #include "nsIDocShell.h" #include "nsIEffectiveTLDService.h" #include "nsIPrivateBrowsingChannel.h" #include "AntiTrackingUtils.h" namespace mozilla { namespace { bool ShouldPartitionChannel(nsIChannel* aChannel, nsICookieJarSettings* aCookieJarSettings) { MOZ_ASSERT(aChannel); nsCOMPtr uri; nsresult rv = aChannel->GetURI(getter_AddRefs(uri)); if (NS_FAILED(rv)) { return false; } uint32_t rejectedReason = 0; if (ShouldAllowAccessFor(aChannel, uri, &rejectedReason)) { return false; } // Let's use the storage principal only if we need to partition the cookie // jar. We use the lower-level ContentBlocking API here to ensure this // check doesn't send notifications. if (!ShouldPartitionStorage(rejectedReason) || !StoragePartitioningEnabled(rejectedReason, aCookieJarSettings)) { return false; } return true; } bool ChooseOriginAttributes(nsIChannel* aChannel, OriginAttributes& aAttrs, bool aForcePartitionedPrincipal) { MOZ_ASSERT(aChannel); nsCOMPtr loadInfo = aChannel->LoadInfo(); nsCOMPtr cjs; Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cjs)); if (!aForcePartitionedPrincipal && !ShouldPartitionChannel(aChannel, cjs)) { return false; } nsAutoString partitionKey; Unused << cjs->GetPartitionKey(partitionKey); if (!partitionKey.IsEmpty()) { aAttrs.SetPartitionKey(partitionKey); return true; } // Fallback to get first-party domain from top-level principal when we can't // get it from CookieJarSetting. This might happen when a channel is not // opened via http, for example, about page. nsCOMPtr toplevelPrincipal = loadInfo->GetTopLevelPrincipal(); if (!toplevelPrincipal) { return false; } // Cast to BasePrincipal to continue to get acess to GetUri() auto* basePrin = BasePrincipal::Cast(toplevelPrincipal); nsCOMPtr principalURI; nsresult rv = basePrin->GetURI(getter_AddRefs(principalURI)); if (NS_WARN_IF(NS_FAILED(rv))) { return false; } aAttrs.SetPartitionKey(principalURI); return true; } bool VerifyValidPartitionedPrincipalInfoForPrincipalInfoInternal( const ipc::PrincipalInfo& aPartitionedPrincipalInfo, const ipc::PrincipalInfo& aPrincipalInfo, bool aIgnoreSpecForContentPrincipal, bool aIgnoreDomainForContentPrincipal) { if (aPartitionedPrincipalInfo.type() != aPrincipalInfo.type()) { return false; } if (aPartitionedPrincipalInfo.type() == mozilla::ipc::PrincipalInfo::TContentPrincipalInfo) { const mozilla::ipc::ContentPrincipalInfo& spInfo = aPartitionedPrincipalInfo.get_ContentPrincipalInfo(); const mozilla::ipc::ContentPrincipalInfo& pInfo = aPrincipalInfo.get_ContentPrincipalInfo(); return spInfo.attrs().EqualsIgnoringPartitionKey(pInfo.attrs()) && spInfo.originNoSuffix() == pInfo.originNoSuffix() && (aIgnoreSpecForContentPrincipal || spInfo.spec() == pInfo.spec()) && (aIgnoreDomainForContentPrincipal || spInfo.domain() == pInfo.domain()) && spInfo.baseDomain() == pInfo.baseDomain(); } if (aPartitionedPrincipalInfo.type() == mozilla::ipc::PrincipalInfo::TSystemPrincipalInfo) { // Nothing to check here. return true; } if (aPartitionedPrincipalInfo.type() == mozilla::ipc::PrincipalInfo::TNullPrincipalInfo) { const mozilla::ipc::NullPrincipalInfo& spInfo = aPartitionedPrincipalInfo.get_NullPrincipalInfo(); const mozilla::ipc::NullPrincipalInfo& pInfo = aPrincipalInfo.get_NullPrincipalInfo(); return spInfo.spec() == pInfo.spec() && spInfo.attrs().EqualsIgnoringPartitionKey(pInfo.attrs()); } if (aPartitionedPrincipalInfo.type() == mozilla::ipc::PrincipalInfo::TExpandedPrincipalInfo) { const mozilla::ipc::ExpandedPrincipalInfo& spInfo = aPartitionedPrincipalInfo.get_ExpandedPrincipalInfo(); const mozilla::ipc::ExpandedPrincipalInfo& pInfo = aPrincipalInfo.get_ExpandedPrincipalInfo(); if (!spInfo.attrs().EqualsIgnoringPartitionKey(pInfo.attrs())) { return false; } if (spInfo.allowlist().Length() != pInfo.allowlist().Length()) { return false; } for (uint32_t i = 0; i < spInfo.allowlist().Length(); ++i) { if (!VerifyValidPartitionedPrincipalInfoForPrincipalInfoInternal( spInfo.allowlist()[i], pInfo.allowlist()[i], aIgnoreSpecForContentPrincipal, aIgnoreDomainForContentPrincipal)) { return false; } } return true; } MOZ_CRASH("Invalid principalInfo type"); return false; } } // namespace // static nsresult StoragePrincipalHelper::Create(nsIChannel* aChannel, nsIPrincipal* aPrincipal, bool aForceIsolation, nsIPrincipal** aStoragePrincipal) { MOZ_ASSERT(aChannel); MOZ_ASSERT(aPrincipal); MOZ_ASSERT(aStoragePrincipal); auto scopeExit = MakeScopeExit([&] { nsCOMPtr storagePrincipal = aPrincipal; storagePrincipal.forget(aStoragePrincipal); }); OriginAttributes attrs = aPrincipal->OriginAttributesRef(); if (!ChooseOriginAttributes(aChannel, attrs, aForceIsolation)) { return NS_OK; } scopeExit.release(); nsCOMPtr storagePrincipal = BasePrincipal::Cast(aPrincipal)->CloneForcingOriginAttributes(attrs); // If aPrincipal is not a ContentPrincipal, e.g. a NullPrincipal, the clone // call will return a nullptr. NS_ENSURE_TRUE(storagePrincipal, NS_ERROR_FAILURE); storagePrincipal.forget(aStoragePrincipal); return NS_OK; } // static nsresult StoragePrincipalHelper::CreatePartitionedPrincipalForServiceWorker( nsIPrincipal* aPrincipal, nsICookieJarSettings* aCookieJarSettings, nsIPrincipal** aPartitionedPrincipal) { MOZ_ASSERT(aPrincipal); MOZ_ASSERT(aPartitionedPrincipal); OriginAttributes attrs = aPrincipal->OriginAttributesRef(); nsAutoString partitionKey; Unused << aCookieJarSettings->GetPartitionKey(partitionKey); if (!partitionKey.IsEmpty()) { attrs.SetPartitionKey(partitionKey); } nsCOMPtr partitionedPrincipal = BasePrincipal::Cast(aPrincipal)->CloneForcingOriginAttributes(attrs); // If aPrincipal is not a ContentPrincipal, e.g. a NullPrincipal, the clone // call will return a nullptr. NS_ENSURE_TRUE(partitionedPrincipal, NS_ERROR_FAILURE); partitionedPrincipal.forget(aPartitionedPrincipal); return NS_OK; } // static nsresult StoragePrincipalHelper::PrepareEffectiveStoragePrincipalOriginAttributes( nsIChannel* aChannel, OriginAttributes& aOriginAttributes) { MOZ_ASSERT(aChannel); ChooseOriginAttributes(aChannel, aOriginAttributes, false); return NS_OK; } // static bool StoragePrincipalHelper::VerifyValidStoragePrincipalInfoForPrincipalInfo( const mozilla::ipc::PrincipalInfo& aStoragePrincipalInfo, const mozilla::ipc::PrincipalInfo& aPrincipalInfo) { return VerifyValidPartitionedPrincipalInfoForPrincipalInfoInternal( aStoragePrincipalInfo, aPrincipalInfo, false, false); } // static bool StoragePrincipalHelper::VerifyValidClientPrincipalInfoForPrincipalInfo( const mozilla::ipc::PrincipalInfo& aClientPrincipalInfo, const mozilla::ipc::PrincipalInfo& aPrincipalInfo) { return VerifyValidPartitionedPrincipalInfoForPrincipalInfoInternal( aClientPrincipalInfo, aPrincipalInfo, true, true); } // static nsresult StoragePrincipalHelper::GetPrincipal(nsIChannel* aChannel, PrincipalType aPrincipalType, nsIPrincipal** aPrincipal) { MOZ_ASSERT(aChannel); MOZ_ASSERT(aPrincipal); nsCOMPtr loadInfo = aChannel->LoadInfo(); nsCOMPtr cjs; Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cjs)); nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); MOZ_DIAGNOSTIC_ASSERT(ssm); nsCOMPtr principal; nsCOMPtr partitionedPrincipal; nsresult rv = ssm->GetChannelResultPrincipals(aChannel, getter_AddRefs(principal), getter_AddRefs(partitionedPrincipal)); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; } // The aChannel might not be opened in some cases, e.g. getting principal // for the new channel during a redirect. So, the value // `IsThirdPartyToTopWindow` is incorrect in this case because this value is // calculated during opening a channel. And we need to know the value in order // to get the correct principal. To fix this, we compute the value here even // the channel hasn't been opened yet. // // Note that we don't need to compute the value if there is no browsing // context ID assigned. This could happen in a GTest or XPCShell. // // ToDo: The AntiTrackingUtils::ComputeIsThirdPartyToTopWindow() is only // available in the parent process. So, this can only work in the parent // process. It's fine for now, but we should change this to also work in // content processes. Bug 1736452 will address this. // if (XRE_IsParentProcess() && loadInfo->GetBrowsingContextID() != 0) { AntiTrackingUtils::ComputeIsThirdPartyToTopWindow(aChannel); } nsCOMPtr outPrincipal = principal; switch (aPrincipalType) { case eRegularPrincipal: break; case eStorageAccessPrincipal: if (ShouldPartitionChannel(aChannel, cjs)) { outPrincipal = partitionedPrincipal; } break; case ePartitionedPrincipal: outPrincipal = partitionedPrincipal; break; case eForeignPartitionedPrincipal: // We only support foreign partitioned principal when dFPI is enabled. if (cjs->GetCookieBehavior() == nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN && loadInfo->GetIsThirdPartyContextToTopWindow()) { outPrincipal = partitionedPrincipal; } break; } outPrincipal.forget(aPrincipal); return NS_OK; } // static nsresult StoragePrincipalHelper::GetPrincipal(nsPIDOMWindowInner* aWindow, PrincipalType aPrincipalType, nsIPrincipal** aPrincipal) { MOZ_ASSERT(aWindow); MOZ_ASSERT(aPrincipal); nsCOMPtr doc = aWindow->GetExtantDoc(); NS_ENSURE_STATE(doc); nsCOMPtr outPrincipal; switch (aPrincipalType) { case eRegularPrincipal: outPrincipal = doc->NodePrincipal(); break; case eStorageAccessPrincipal: outPrincipal = doc->EffectiveStoragePrincipal(); break; case ePartitionedPrincipal: outPrincipal = doc->PartitionedPrincipal(); break; case eForeignPartitionedPrincipal: // We only support foreign partitioned principal when dFPI is enabled. if (doc->CookieJarSettings()->GetCookieBehavior() == nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN && AntiTrackingUtils::IsThirdPartyWindow(aWindow, nullptr)) { outPrincipal = doc->PartitionedPrincipal(); } else { outPrincipal = doc->NodePrincipal(); } break; } outPrincipal.forget(aPrincipal); return NS_OK; } // static bool StoragePrincipalHelper::ShouldUsePartitionPrincipalForServiceWorker( nsIDocShell* aDocShell) { MOZ_ASSERT(aDocShell); // We don't use the partitioned principal for service workers if it's // disabled. if (!StaticPrefs::privacy_partition_serviceWorkers()) { return false; } RefPtr document = aDocShell->GetExtantDocument(); // If we cannot get the document from the docShell, we turn to get its // parent's document. if (!document) { nsCOMPtr parentItem; aDocShell->GetInProcessSameTypeParent(getter_AddRefs(parentItem)); if (parentItem) { document = parentItem->GetDocument(); } } nsCOMPtr cookieJarSettings; if (document) { cookieJarSettings = document->CookieJarSettings(); } else { // If there was no document, we create one cookieJarSettings here in order // to get the cookieBehavior. We don't need a real value for RFP because // we are only using this object to check default cookie behavior. cookieJarSettings = net::CookieJarSettings::Create(net::CookieJarSettings::eRegular, /* shouldResistFingerpreinting */ false); } // We only support partitioned service workers when dFPI is enabled. if (cookieJarSettings->GetCookieBehavior() != nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) { return false; } // Only the third-party context will need to use the partitioned principal. A // first-party context is still using the regular principal for the service // worker. return AntiTrackingUtils::IsThirdPartyContext( document ? document->GetBrowsingContext() : aDocShell->GetBrowsingContext()); } // static bool StoragePrincipalHelper::ShouldUsePartitionPrincipalForServiceWorker( dom::WorkerPrivate* aWorkerPrivate) { MOZ_ASSERT(aWorkerPrivate); // We don't use the partitioned principal for service workers if it's // disabled. if (!StaticPrefs::privacy_partition_serviceWorkers()) { return false; } nsCOMPtr cookieJarSettings = aWorkerPrivate->CookieJarSettings(); // We only support partitioned service workers when dFPI is enabled. if (cookieJarSettings->GetCookieBehavior() != nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN) { return false; } return aWorkerPrivate->IsThirdPartyContextToTopWindow(); } // static bool StoragePrincipalHelper::GetOriginAttributes( nsIChannel* aChannel, mozilla::OriginAttributes& aAttributes, StoragePrincipalHelper::PrincipalType aPrincipalType) { nsCOMPtr loadInfo = aChannel->LoadInfo(); loadInfo->GetOriginAttributes(&aAttributes); bool isPrivate = false; nsCOMPtr pbChannel = do_QueryInterface(aChannel); if (pbChannel) { nsresult rv = pbChannel->GetIsChannelPrivate(&isPrivate); NS_ENSURE_SUCCESS(rv, false); } else { // Some channels may not implement nsIPrivateBrowsingChannel nsCOMPtr loadContext; NS_QueryNotificationCallbacks(aChannel, loadContext); isPrivate = loadContext && loadContext->UsePrivateBrowsing(); } aAttributes.SyncAttributesWithPrivateBrowsing(isPrivate); nsCOMPtr cjs; switch (aPrincipalType) { case eRegularPrincipal: break; case eStorageAccessPrincipal: PrepareEffectiveStoragePrincipalOriginAttributes(aChannel, aAttributes); break; case ePartitionedPrincipal: ChooseOriginAttributes(aChannel, aAttributes, true); break; case eForeignPartitionedPrincipal: Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cjs)); // We only support foreign partitioned principal when dFPI is enabled. // Otherwise, we will use the regular principal. if (cjs->GetCookieBehavior() == nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN && loadInfo->GetIsThirdPartyContextToTopWindow()) { ChooseOriginAttributes(aChannel, aAttributes, true); } break; } return true; } // static bool StoragePrincipalHelper::GetRegularPrincipalOriginAttributes( dom::Document* aDocument, OriginAttributes& aAttributes) { aAttributes = mozilla::OriginAttributes(); if (!aDocument) { return false; } nsCOMPtr loadGroup = aDocument->GetDocumentLoadGroup(); if (loadGroup) { return GetRegularPrincipalOriginAttributes(loadGroup, aAttributes); } nsCOMPtr channel = aDocument->GetChannel(); if (!channel) { return false; } return GetOriginAttributes(channel, aAttributes, eRegularPrincipal); } // static bool StoragePrincipalHelper::GetRegularPrincipalOriginAttributes( nsILoadGroup* aLoadGroup, OriginAttributes& aAttributes) { aAttributes = mozilla::OriginAttributes(); if (!aLoadGroup) { return false; } nsCOMPtr callbacks; aLoadGroup->GetNotificationCallbacks(getter_AddRefs(callbacks)); if (!callbacks) { return false; } nsCOMPtr loadContext = do_GetInterface(callbacks); if (!loadContext) { return false; } loadContext->GetOriginAttributes(aAttributes); return true; } // static bool StoragePrincipalHelper::GetOriginAttributesForNetworkState( nsIChannel* aChannel, OriginAttributes& aAttributes) { return StoragePrincipalHelper::GetOriginAttributes( aChannel, aAttributes, StaticPrefs::privacy_partition_network_state() ? ePartitionedPrincipal : eRegularPrincipal); } // static void StoragePrincipalHelper::GetOriginAttributesForNetworkState( dom::Document* aDocument, OriginAttributes& aAttributes) { aAttributes = aDocument->NodePrincipal()->OriginAttributesRef(); if (!StaticPrefs::privacy_partition_network_state()) { return; } aAttributes = aDocument->PartitionedPrincipal()->OriginAttributesRef(); } // static void StoragePrincipalHelper::UpdateOriginAttributesForNetworkState( nsIURI* aFirstPartyURI, OriginAttributes& aAttributes) { if (!StaticPrefs::privacy_partition_network_state()) { return; } aAttributes.SetPartitionKey(aFirstPartyURI); } enum SupportedScheme { HTTP, HTTPS }; static bool GetOriginAttributesWithScheme(nsIChannel* aChannel, OriginAttributes& aAttributes, SupportedScheme aScheme) { const nsString targetScheme = aScheme == HTTP ? u"http"_ns : u"https"_ns; if (!StoragePrincipalHelper::GetOriginAttributesForNetworkState( aChannel, aAttributes)) { return false; } if (aAttributes.mPartitionKey.IsEmpty() || aAttributes.mPartitionKey[0] != '(') { return true; } nsAString::const_iterator start, end; aAttributes.mPartitionKey.BeginReading(start); aAttributes.mPartitionKey.EndReading(end); MOZ_DIAGNOSTIC_ASSERT(*start == '('); start++; nsAString::const_iterator iter(start); bool ok = FindCharInReadable(',', iter, end); MOZ_DIAGNOSTIC_ASSERT(ok); if (!ok) { return false; } nsAutoString scheme; scheme.Assign(Substring(start, iter)); if (scheme.Equals(targetScheme)) { return true; } nsAutoString key; key += u"("_ns; key += targetScheme; key.Append(Substring(iter, end)); aAttributes.SetPartitionKey(key); return true; } // static bool StoragePrincipalHelper::GetOriginAttributesForHSTS( nsIChannel* aChannel, OriginAttributes& aAttributes) { return GetOriginAttributesWithScheme(aChannel, aAttributes, HTTP); } // static bool StoragePrincipalHelper::GetOriginAttributesForHTTPSRR( nsIChannel* aChannel, OriginAttributes& aAttributes) { return GetOriginAttributesWithScheme(aChannel, aAttributes, HTTPS); } // static bool StoragePrincipalHelper::GetOriginAttributes( const mozilla::ipc::PrincipalInfo& aPrincipalInfo, OriginAttributes& aAttributes) { aAttributes = mozilla::OriginAttributes(); using Type = ipc::PrincipalInfo; switch (aPrincipalInfo.type()) { case Type::TContentPrincipalInfo: aAttributes = aPrincipalInfo.get_ContentPrincipalInfo().attrs(); break; case Type::TNullPrincipalInfo: aAttributes = aPrincipalInfo.get_NullPrincipalInfo().attrs(); break; case Type::TExpandedPrincipalInfo: aAttributes = aPrincipalInfo.get_ExpandedPrincipalInfo().attrs(); break; case Type::TSystemPrincipalInfo: break; default: return false; } return true; } bool StoragePrincipalHelper::PartitionKeyHasBaseDomain( const nsAString& aPartitionKey, const nsACString& aBaseDomain) { return PartitionKeyHasBaseDomain(aPartitionKey, NS_ConvertUTF8toUTF16(aBaseDomain)); } // static bool StoragePrincipalHelper::PartitionKeyHasBaseDomain( const nsAString& aPartitionKey, const nsAString& aBaseDomain) { if (aPartitionKey.IsEmpty() || aBaseDomain.IsEmpty()) { return false; } nsString scheme; nsString pkBaseDomain; int32_t port; bool success = OriginAttributes::ParsePartitionKey(aPartitionKey, scheme, pkBaseDomain, port); if (!success) { return false; } return aBaseDomain.Equals(pkBaseDomain); } } // namespace mozilla