summaryrefslogtreecommitdiffstats
path: root/dom/security/nsContentSecurityManager.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/nsContentSecurityManager.cpp')
-rw-r--r--dom/security/nsContentSecurityManager.cpp1849
1 files changed, 1849 insertions, 0 deletions
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
new file mode 100644
index 0000000000..a3a38c9776
--- /dev/null
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -0,0 +1,1849 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsAboutProtocolUtils.h"
+#include "nsArray.h"
+#include "nsContentSecurityManager.h"
+#include "nsContentSecurityUtils.h"
+#include "nsContentPolicyUtils.h"
+#include "nsEscape.h"
+#include "nsDataHandler.h"
+#include "nsIChannel.h"
+#include "nsIContentPolicy.h"
+#include "nsIHttpChannelInternal.h"
+#include "nsINode.h"
+#include "nsIStreamListener.h"
+#include "nsILoadInfo.h"
+#include "nsIMIMEService.h"
+#include "nsIOService.h"
+#include "nsContentUtils.h"
+#include "nsCORSListenerProxy.h"
+#include "nsIParentChannel.h"
+#include "nsIRedirectHistoryEntry.h"
+#include "nsIXULRuntime.h"
+#include "nsNetUtil.h"
+#include "nsReadableUtils.h"
+#include "nsSandboxFlags.h"
+#include "nsIXPConnect.h"
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/ClearOnShutdown.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/dom/Element.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
+#include "mozilla/dom/BrowserChild.h"
+#include "mozilla/dom/ContentChild.h"
+#include "mozilla/dom/ContentParent.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/extensions/WebExtensionPolicy.h"
+#include "mozilla/Components.h"
+#include "mozilla/ExtensionPolicyService.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/StaticPrefs_dom.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/TelemetryComms.h"
+#include "xpcpublic.h"
+#include "nsMimeTypes.h"
+
+#include "jsapi.h"
+#include "js/RegExp.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+using namespace mozilla::Telemetry;
+
+NS_IMPL_ISUPPORTS(nsContentSecurityManager, nsIContentSecurityManager,
+ nsIChannelEventSink)
+
+mozilla::LazyLogModule sCSMLog("CSMLog");
+
+// These first two are used for off-the-main-thread checks of
+// general.config.filename
+// (which can't be checked off-main-thread).
+Atomic<bool, mozilla::Relaxed> sJSHacksChecked(false);
+Atomic<bool, mozilla::Relaxed> sJSHacksPresent(false);
+Atomic<bool, mozilla::Relaxed> sCSSHacksChecked(false);
+Atomic<bool, mozilla::Relaxed> sCSSHacksPresent(false);
+Atomic<bool, mozilla::Relaxed> sTelemetryEventEnabled(false);
+
+/* static */
+bool nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
+ nsIChannel* aChannel) {
+ // Let's block all toplevel document navigations to a data: URI.
+ // In all cases where the toplevel document is navigated to a
+ // data: URI the triggeringPrincipal is a contentPrincipal, or
+ // a NullPrincipal. In other cases, e.g. typing a data: URL into
+ // the URL-Bar, the triggeringPrincipal is a SystemPrincipal;
+ // we don't want to block those loads. Only exception, loads coming
+ // from an external applicaton (e.g. Thunderbird) don't load
+ // using a contentPrincipal, but we want to block those loads.
+ if (!StaticPrefs::security_data_uri_block_toplevel_data_uri_navigations()) {
+ return true;
+ }
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ if (loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_DOCUMENT) {
+ return true;
+ }
+ if (loadInfo->GetForceAllowDataURI()) {
+ // if the loadinfo explicitly allows the data URI navigation, let's allow it
+ // now
+ return true;
+ }
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, true);
+ bool isDataURI = uri->SchemeIs("data");
+ if (!isDataURI) {
+ return true;
+ }
+
+ nsAutoCString spec;
+ rv = uri->GetSpec(spec);
+ NS_ENSURE_SUCCESS(rv, true);
+ nsAutoCString contentType;
+ bool base64;
+ rv = nsDataHandler::ParseURI(spec, contentType, nullptr, base64, nullptr);
+ NS_ENSURE_SUCCESS(rv, true);
+
+ // Allow data: images as long as they are not SVGs
+ if (StringBeginsWith(contentType, "image/"_ns) &&
+ !contentType.EqualsLiteral("image/svg+xml")) {
+ return true;
+ }
+ // Allow all data: PDFs. or JSON documents
+ if (contentType.EqualsLiteral(APPLICATION_JSON) ||
+ contentType.EqualsLiteral(TEXT_JSON) ||
+ contentType.EqualsLiteral(APPLICATION_PDF)) {
+ return true;
+ }
+ // Redirecting to a toplevel data: URI is not allowed, hence we make
+ // sure the RedirectChain is empty.
+ if (!loadInfo->GetLoadTriggeredFromExternal() &&
+ loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
+ loadInfo->RedirectChain().IsEmpty()) {
+ return true;
+ }
+
+ // We're going to block the request, construct the localized error message to
+ // report to the console.
+ nsAutoCString dataSpec;
+ uri->GetSpec(dataSpec);
+ if (dataSpec.Length() > 50) {
+ dataSpec.Truncate(50);
+ dataSpec.AppendLiteral("...");
+ }
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(NS_UnescapeURL(dataSpec), *params.AppendElement());
+ nsAutoString errorText;
+ rv = nsContentUtils::FormatLocalizedString(
+ nsContentUtils::eSECURITY_PROPERTIES, "BlockTopLevelDataURINavigation",
+ params, errorText);
+ NS_ENSURE_SUCCESS(rv, false);
+
+ // Report the localized error message to the console for the loading
+ // BrowsingContext's current inner window.
+ RefPtr<BrowsingContext> target = loadInfo->GetBrowsingContext();
+ nsContentUtils::ReportToConsoleByWindowID(
+ errorText, nsIScriptError::warningFlag, "DATA_URI_BLOCKED"_ns,
+ target ? target->GetCurrentInnerWindowId() : 0);
+ return false;
+}
+
+/* static */
+bool nsContentSecurityManager::AllowInsecureRedirectToDataURI(
+ nsIChannel* aNewChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aNewChannel->LoadInfo();
+ if (loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_SCRIPT) {
+ return true;
+ }
+ nsCOMPtr<nsIURI> newURI;
+ nsresult rv = NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI));
+ if (NS_FAILED(rv) || !newURI) {
+ return true;
+ }
+ bool isDataURI = newURI->SchemeIs("data");
+ if (!isDataURI) {
+ return true;
+ }
+
+ // Web Extensions are exempt from that restriction and are allowed to redirect
+ // a channel to a data: URI. When a web extension redirects a channel, we set
+ // a flag on the loadInfo which allows us to identify such redirects here.
+ if (loadInfo->GetAllowInsecureRedirectToDataURI()) {
+ return true;
+ }
+
+ nsAutoCString dataSpec;
+ newURI->GetSpec(dataSpec);
+ if (dataSpec.Length() > 50) {
+ dataSpec.Truncate(50);
+ dataSpec.AppendLiteral("...");
+ }
+ nsCOMPtr<Document> doc;
+ nsINode* node = loadInfo->LoadingNode();
+ if (node) {
+ doc = node->OwnerDoc();
+ }
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(NS_UnescapeURL(dataSpec), *params.AppendElement());
+ nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
+ "DATA_URI_BLOCKED"_ns, doc,
+ nsContentUtils::eSECURITY_PROPERTIES,
+ "BlockSubresourceRedirectToData", params);
+ return false;
+}
+
+/* static */
+nsresult nsContentSecurityManager::CheckFTPSubresourceLoad(
+ nsIChannel* aChannel) {
+ // We dissallow using FTP resources as a subresource everywhere.
+ // The only valid way to use FTP resources is loading it as
+ // a top level document.
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ ExtContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Allow top-level FTP documents and save-as download of FTP files on
+ // HTTP pages.
+ if (type == ExtContentPolicy::TYPE_DOCUMENT ||
+ type == ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD) {
+ return NS_OK;
+ }
+
+ // Allow the system principal to load everything. This is meant to
+ // temporarily fix downloads and pdf.js.
+ nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();
+ if (triggeringPrincipal->IsSystemPrincipal()) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!uri) {
+ return NS_OK;
+ }
+
+ bool isFtpURI = uri->SchemeIs("ftp");
+ if (!isFtpURI) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<Document> doc;
+ if (nsINode* node = loadInfo->LoadingNode()) {
+ doc = node->OwnerDoc();
+ }
+
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(NS_UnescapeURL(spec), *params.AppendElement());
+
+ nsContentUtils::ReportToConsole(
+ nsIScriptError::warningFlag, "FTP_URI_BLOCKED"_ns, doc,
+ nsContentUtils::eSECURITY_PROPERTIES, "BlockSubresourceFTP", params);
+
+ return NS_ERROR_CONTENT_BLOCKED;
+}
+
+static nsresult ValidateSecurityFlags(nsILoadInfo* aLoadInfo) {
+ nsSecurityFlags securityMode = aLoadInfo->GetSecurityMode();
+
+ // We should never perform a security check on a loadInfo that uses the flag
+ // SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, because that is only used for
+ // temporary loadInfos used for explicit nsIContentPolicy checks, but never be
+ // set as a security flag on an actual channel.
+ if (securityMode !=
+ nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT &&
+ securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED &&
+ securityMode !=
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT &&
+ securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL &&
+ securityMode != nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) {
+ MOZ_ASSERT(
+ false,
+ "need one securityflag from nsILoadInfo to perform security checks");
+ return NS_ERROR_FAILURE;
+ }
+
+ // all good, found the right security flags
+ return NS_OK;
+}
+
+static already_AddRefed<nsIPrincipal> GetExtensionSandboxPrincipal(
+ nsILoadInfo* aLoadInfo) {
+ // An extension is allowed to load resources from itself when its pages are
+ // loaded into a sandboxed frame. Extension resources in a sandbox have
+ // a null principal and no access to extension APIs. See "sandbox" in
+ // MDN extension docs for more information.
+ if (!aLoadInfo->TriggeringPrincipal()->GetIsNullPrincipal()) {
+ return nullptr;
+ }
+ RefPtr<Document> doc;
+ aLoadInfo->GetLoadingDocument(getter_AddRefs(doc));
+ if (!doc || !(doc->GetSandboxFlags() & SANDBOXED_ORIGIN)) {
+ return nullptr;
+ }
+
+ // node principal is also a null principal here, so we need to
+ // create a principal using documentURI, which is the moz-extension
+ // uri for the page if this is an extension sandboxed page.
+ nsCOMPtr<nsIPrincipal> docPrincipal = BasePrincipal::CreateContentPrincipal(
+ doc->GetDocumentURI(), doc->NodePrincipal()->OriginAttributesRef());
+
+ if (!BasePrincipal::Cast(docPrincipal)->AddonPolicy()) {
+ return nullptr;
+ }
+ return docPrincipal.forget();
+}
+
+static bool IsImageLoadInEditorAppType(nsILoadInfo* aLoadInfo) {
+ // Editor apps get special treatment here, editors can load images
+ // from anywhere. This allows editor to insert images from file://
+ // into documents that are being edited.
+ nsContentPolicyType type = aLoadInfo->InternalContentPolicyType();
+ if (type != nsIContentPolicy::TYPE_INTERNAL_IMAGE &&
+ type != nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD &&
+ type != nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON &&
+ type != nsIContentPolicy::TYPE_IMAGESET) {
+ return false;
+ }
+
+ auto appType = nsIDocShell::APP_TYPE_UNKNOWN;
+ nsINode* node = aLoadInfo->LoadingNode();
+ if (!node) {
+ return false;
+ }
+ Document* doc = node->OwnerDoc();
+ if (!doc) {
+ return false;
+ }
+
+ nsCOMPtr<nsIDocShellTreeItem> docShellTreeItem = doc->GetDocShell();
+ if (!docShellTreeItem) {
+ return false;
+ }
+
+ nsCOMPtr<nsIDocShellTreeItem> root;
+ docShellTreeItem->GetInProcessRootTreeItem(getter_AddRefs(root));
+ nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(root));
+ if (docShell) {
+ appType = docShell->GetAppType();
+ }
+
+ return appType == nsIDocShell::APP_TYPE_EDITOR;
+}
+
+static nsresult DoCheckLoadURIChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo) {
+ // In practice, these DTDs are just used for localization, so applying the
+ // same principal check as Fluent.
+ if (aLoadInfo->InternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_INTERNAL_DTD) {
+ RefPtr<Document> doc;
+ aLoadInfo->GetLoadingDocument(getter_AddRefs(doc));
+ bool allowed = false;
+ aLoadInfo->TriggeringPrincipal()->IsL10nAllowed(
+ doc ? doc->GetDocumentURI() : nullptr, &allowed);
+
+ return allowed ? NS_OK : NS_ERROR_DOM_BAD_URI;
+ }
+
+ // This is used in order to allow a privileged DOMParser to parse documents
+ // that need to access localization DTDs. We just allow through
+ // TYPE_INTERNAL_FORCE_ALLOWED_DTD no matter what the triggering principal is.
+ if (aLoadInfo->InternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD) {
+ return NS_OK;
+ }
+
+ if (IsImageLoadInEditorAppType(aLoadInfo)) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIPrincipal> triggeringPrincipal = aLoadInfo->TriggeringPrincipal();
+ nsCOMPtr<nsIPrincipal> addonPrincipal =
+ GetExtensionSandboxPrincipal(aLoadInfo);
+ if (addonPrincipal) {
+ // call CheckLoadURIWithPrincipal() as below to continue other checks, but
+ // with the addon principal.
+ triggeringPrincipal = addonPrincipal;
+ }
+
+ // Only call CheckLoadURIWithPrincipal() using the TriggeringPrincipal and not
+ // the LoadingPrincipal when SEC_ALLOW_CROSS_ORIGIN_* security flags are set,
+ // to allow, e.g. user stylesheets to load chrome:// URIs.
+ return nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal(
+ triggeringPrincipal, aURI, aLoadInfo->CheckLoadURIFlags(),
+ aLoadInfo->GetInnerWindowID());
+}
+
+static bool URIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
+ bool hasFlags;
+ nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);
+ NS_ENSURE_SUCCESS(rv, false);
+
+ return hasFlags;
+}
+
+static nsresult DoSOPChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo,
+ nsIChannel* aChannel) {
+ if (aLoadInfo->GetAllowChrome() &&
+ (URIHasFlags(aURI, nsIProtocolHandler::URI_IS_UI_RESOURCE) ||
+ nsContentUtils::SchemeIs(aURI, "moz-safe-about"))) {
+ // UI resources are allowed.
+ return DoCheckLoadURIChecks(aURI, aLoadInfo);
+ }
+
+ if (NS_HasBeenCrossOrigin(aChannel, true)) {
+ NS_SetRequestBlockingReason(aLoadInfo,
+ nsILoadInfo::BLOCKING_REASON_NOT_SAME_ORIGIN);
+ return NS_ERROR_DOM_BAD_URI;
+ }
+
+ return NS_OK;
+}
+
+static nsresult DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo,
+ nsCOMPtr<nsIStreamListener>& aInAndOutListener) {
+ MOZ_RELEASE_ASSERT(aInAndOutListener,
+ "can not perform CORS checks without a listener");
+
+ // No need to set up CORS if TriggeringPrincipal is the SystemPrincipal.
+ if (aLoadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
+ return NS_OK;
+ }
+
+ // We use the triggering principal here, rather than the loading principal
+ // to ensure that anonymous CORS content in the browser resources and in
+ // WebExtensions is allowed to load.
+ nsIPrincipal* principal = aLoadInfo->TriggeringPrincipal();
+ RefPtr<nsCORSListenerProxy> corsListener = new nsCORSListenerProxy(
+ aInAndOutListener, principal,
+ aLoadInfo->GetCookiePolicy() == nsILoadInfo::SEC_COOKIES_INCLUDE);
+ // XXX: @arg: DataURIHandling::Allow
+ // lets use DataURIHandling::Allow for now and then decide on callsite basis.
+ // see also:
+ // http://mxr.mozilla.org/mozilla-central/source/dom/security/nsCORSListenerProxy.h#33
+ nsresult rv = corsListener->Init(aChannel, DataURIHandling::Allow);
+ NS_ENSURE_SUCCESS(rv, rv);
+ aInAndOutListener = corsListener;
+ return NS_OK;
+}
+
+static nsresult DoContentSecurityChecks(nsIChannel* aChannel,
+ nsILoadInfo* aLoadInfo) {
+ ExtContentPolicyType contentPolicyType =
+ aLoadInfo->GetExternalContentPolicyType();
+ nsContentPolicyType internalContentPolicyType =
+ aLoadInfo->InternalContentPolicyType();
+ nsCString mimeTypeGuess;
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ switch (contentPolicyType) {
+ case ExtContentPolicy::TYPE_OTHER: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_SCRIPT: {
+ mimeTypeGuess = "application/javascript"_ns;
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_IMAGE: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_STYLESHEET: {
+ mimeTypeGuess = "text/css"_ns;
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_OBJECT: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_DOCUMENT: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_SUBDOCUMENT: {
+ mimeTypeGuess = "text/html"_ns;
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_PING: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_XMLHTTPREQUEST: {
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
+ "type_xml requires requestingContext of type Document");
+ }
+#endif
+ // We're checking for the external TYPE_XMLHTTPREQUEST here in case
+ // an addon creates a request with that type.
+ if (internalContentPolicyType ==
+ nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST ||
+ internalContentPolicyType == nsIContentPolicy::TYPE_XMLHTTPREQUEST) {
+ mimeTypeGuess.Truncate();
+ } else {
+ MOZ_ASSERT(internalContentPolicyType ==
+ nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE,
+ "can not set mime type guess for unexpected internal type");
+ mimeTypeGuess = nsLiteralCString(TEXT_EVENT_STREAM);
+ }
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_OBJECT_SUBREQUEST: {
+ mimeTypeGuess.Truncate();
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(
+ !node || node->NodeType() == nsINode::ELEMENT_NODE,
+ "type_subrequest requires requestingContext of type Element");
+ }
+#endif
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_DTD: {
+ mimeTypeGuess.Truncate();
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
+ "type_dtd requires requestingContext of type Document");
+ }
+#endif
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_FONT:
+ case ExtContentPolicy::TYPE_UA_FONT: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_MEDIA: {
+ if (internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_TRACK) {
+ mimeTypeGuess = "text/vtt"_ns;
+ } else {
+ mimeTypeGuess.Truncate();
+ }
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(!node || node->NodeType() == nsINode::ELEMENT_NODE,
+ "type_media requires requestingContext of type Element");
+ }
+#endif
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_WEBSOCKET: {
+ // Websockets have to use the proxied URI:
+ // ws:// instead of http:// for CSP checks
+ nsCOMPtr<nsIHttpChannelInternal> httpChannelInternal =
+ do_QueryInterface(aChannel);
+ MOZ_ASSERT(httpChannelInternal);
+ if (httpChannelInternal) {
+ rv = httpChannelInternal->GetProxyURI(getter_AddRefs(uri));
+ MOZ_ASSERT(NS_SUCCEEDED(rv));
+ }
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_CSP_REPORT: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_XSLT: {
+ mimeTypeGuess = "application/xml"_ns;
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
+ "type_xslt requires requestingContext of type Document");
+ }
+#endif
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_BEACON: {
+ mimeTypeGuess.Truncate();
+#ifdef DEBUG
+ {
+ nsCOMPtr<nsINode> node = aLoadInfo->LoadingNode();
+ MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE,
+ "type_beacon requires requestingContext of type Document");
+ }
+#endif
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_FETCH: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_IMAGESET: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_WEB_MANIFEST: {
+ mimeTypeGuess = "application/manifest+json"_ns;
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_SPECULATIVE: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA: {
+ mimeTypeGuess.Truncate();
+ break;
+ }
+
+ case ExtContentPolicy::TYPE_INVALID:
+ MOZ_ASSERT(false,
+ "can not perform security check without a valid contentType");
+ // Do not add default: so that compilers can catch the missing case.
+ }
+
+ int16_t shouldLoad = nsIContentPolicy::ACCEPT;
+ rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad,
+ nsContentUtils::GetContentPolicy());
+
+ if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
+ NS_SetRequestBlockingReasonIfNull(
+ aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL);
+
+ if (NS_SUCCEEDED(rv) &&
+ (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT ||
+ contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT)) {
+ if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+ // for docshell loads we might have to return SHOW_ALT.
+ return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+ }
+ if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+ return NS_ERROR_BLOCKED_BY_POLICY;
+ }
+ }
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+
+ return NS_OK;
+}
+
+static void LogHTTPSOnlyInfo(nsILoadInfo* aLoadInfo) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" httpsOnlyFirstStatus:"));
+ uint32_t httpsOnlyStatus = aLoadInfo->GetHttpsOnlyStatus();
+
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UNINITIALIZED) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_UNINITIALIZED"));
+ }
+ if (httpsOnlyStatus &
+ nsILoadInfo::HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_EXEMPT"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_DOWNLOAD_IN_PROGRESS) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_DOWNLOAD_IN_PROGRESS"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE"));
+ }
+ if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" - HTTPS_ONLY_UPGRADED_HTTPS_FIRST"));
+ }
+}
+
+static void LogPrincipal(nsIPrincipal* aPrincipal,
+ const nsAString& aPrincipalName,
+ const uint8_t& aNestingLevel) {
+ nsPrintfCString aIndentationString("%*s", aNestingLevel * 2, "");
+
+ if (aPrincipal && aPrincipal->IsSystemPrincipal()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("%s%s: SystemPrincipal\n", aIndentationString.get(),
+ NS_ConvertUTF16toUTF8(aPrincipalName).get()));
+ return;
+ }
+ if (aPrincipal) {
+ if (aPrincipal->GetIsNullPrincipal()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("%s%s: NullPrincipal\n", aIndentationString.get(),
+ NS_ConvertUTF16toUTF8(aPrincipalName).get()));
+ return;
+ }
+ if (aPrincipal->GetIsExpandedPrincipal()) {
+ nsCOMPtr<nsIExpandedPrincipal> expanded(do_QueryInterface(aPrincipal));
+ nsAutoCString origin;
+ origin.AssignLiteral("[Expanded Principal [");
+
+ StringJoinAppend(origin, ", "_ns, expanded->AllowList(),
+ [](nsACString& dest, nsIPrincipal* principal) {
+ nsAutoCString subOrigin;
+ DebugOnly<nsresult> rv =
+ principal->GetOrigin(subOrigin);
+ MOZ_ASSERT(NS_SUCCEEDED(rv));
+ dest.Append(subOrigin);
+ });
+
+ origin.AppendLiteral("]]");
+
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("%s%s: %s\n", aIndentationString.get(),
+ NS_ConvertUTF16toUTF8(aPrincipalName).get(), origin.get()));
+ return;
+ }
+ nsAutoCString principalSpec;
+ aPrincipal->GetAsciiSpec(principalSpec);
+ if (aPrincipalName.IsEmpty()) {
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("%s - \"%s\"\n", aIndentationString.get(), principalSpec.get()));
+ } else {
+ MOZ_LOG(
+ sCSMLog, LogLevel::Debug,
+ ("%s%s: \"%s\"\n", aIndentationString.get(),
+ NS_ConvertUTF16toUTF8(aPrincipalName).get(), principalSpec.get()));
+ }
+ return;
+ }
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("%s%s: nullptr\n", aIndentationString.get(),
+ NS_ConvertUTF16toUTF8(aPrincipalName).get()));
+}
+
+static void LogSecurityFlags(nsSecurityFlags securityFlags) {
+ struct DebugSecFlagType {
+ unsigned long secFlag;
+ char secTypeStr[128];
+ };
+ static const DebugSecFlagType secTypes[] = {
+ {nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+ "SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK"},
+ {nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT,
+ "SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT"},
+ {nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
+ "SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED"},
+ {nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT,
+ "SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT"},
+ {nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
+ "SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL"},
+ {nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT,
+ "SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT"},
+ {nsILoadInfo::SEC_COOKIES_DEFAULT, "SEC_COOKIES_DEFAULT"},
+ {nsILoadInfo::SEC_COOKIES_INCLUDE, "SEC_COOKIES_INCLUDE"},
+ {nsILoadInfo::SEC_COOKIES_SAME_ORIGIN, "SEC_COOKIES_SAME_ORIGIN"},
+ {nsILoadInfo::SEC_COOKIES_OMIT, "SEC_COOKIES_OMIT"},
+ {nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL, "SEC_FORCE_INHERIT_PRINCIPAL"},
+ {nsILoadInfo::SEC_ABOUT_BLANK_INHERITS, "SEC_ABOUT_BLANK_INHERITS"},
+ {nsILoadInfo::SEC_ALLOW_CHROME, "SEC_ALLOW_CHROME"},
+ {nsILoadInfo::SEC_DISALLOW_SCRIPT, "SEC_DISALLOW_SCRIPT"},
+ {nsILoadInfo::SEC_DONT_FOLLOW_REDIRECTS, "SEC_DONT_FOLLOW_REDIRECTS"},
+ {nsILoadInfo::SEC_LOAD_ERROR_PAGE, "SEC_LOAD_ERROR_PAGE"},
+ {nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER,
+ "SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER"}};
+
+ for (const DebugSecFlagType& flag : secTypes) {
+ if (securityFlags & flag.secFlag) {
+ // the logging level should be in sync with the logging level in
+ // DebugDoContentSecurityCheck()
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - %s\n", flag.secTypeStr));
+ }
+ }
+}
+static void DebugDoContentSecurityCheck(nsIChannel* aChannel,
+ nsILoadInfo* aLoadInfo) {
+ nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(aChannel));
+
+ MOZ_LOG(sCSMLog, LogLevel::Debug, ("\n#DebugDoContentSecurityCheck Begin\n"));
+
+ // we only log http channels, unless loglevel is 5.
+ if (httpChannel || MOZ_LOG_TEST(sCSMLog, LogLevel::Verbose)) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, ("doContentSecurityCheck:\n"));
+
+ nsAutoCString remoteType;
+ if (XRE_IsParentProcess()) {
+ nsCOMPtr<nsIParentChannel> parentChannel;
+ NS_QueryNotificationCallbacks(aChannel, parentChannel);
+ if (parentChannel) {
+ parentChannel->GetRemoteType(remoteType);
+ }
+ } else {
+ remoteType.Assign(
+ mozilla::dom::ContentChild::GetSingleton()->GetRemoteType());
+ }
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" processType: \"%s\"\n", remoteType.get()));
+
+ nsCOMPtr<nsIURI> channelURI;
+ nsAutoCString channelSpec;
+ nsAutoCString channelMethod;
+ NS_GetFinalChannelURI(aChannel, getter_AddRefs(channelURI));
+ if (channelURI) {
+ channelURI->GetSpec(channelSpec);
+ }
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" channelURI: \"%s\"\n", channelSpec.get()));
+
+ // Log HTTP-specific things
+ if (httpChannel) {
+ nsresult rv;
+ rv = httpChannel->GetRequestMethod(channelMethod);
+ if (!NS_FAILED(rv)) {
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" httpMethod: %s\n", channelMethod.get()));
+ }
+ }
+
+ // Log Principals
+ nsCOMPtr<nsIPrincipal> requestPrincipal = aLoadInfo->TriggeringPrincipal();
+ LogPrincipal(aLoadInfo->GetLoadingPrincipal(), u"loadingPrincipal"_ns, 1);
+ LogPrincipal(requestPrincipal, u"triggeringPrincipal"_ns, 1);
+ LogPrincipal(aLoadInfo->PrincipalToInherit(), u"principalToInherit"_ns, 1);
+
+ // Log Redirect Chain
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" redirectChain:\n"));
+ for (nsIRedirectHistoryEntry* redirectHistoryEntry :
+ aLoadInfo->RedirectChain()) {
+ nsCOMPtr<nsIPrincipal> principal;
+ redirectHistoryEntry->GetPrincipal(getter_AddRefs(principal));
+ LogPrincipal(principal, u""_ns, 2);
+ }
+
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" internalContentPolicyType: %s\n",
+ NS_CP_ContentTypeName(aLoadInfo->InternalContentPolicyType())));
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" externalContentPolicyType: %s\n",
+ NS_CP_ContentTypeName(aLoadInfo->GetExternalContentPolicyType())));
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" upgradeInsecureRequests: %s\n",
+ aLoadInfo->GetUpgradeInsecureRequests() ? "true" : "false"));
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" initialSecurityChecksDone: %s\n",
+ aLoadInfo->GetInitialSecurityCheckDone() ? "true" : "false"));
+ MOZ_LOG(sCSMLog, LogLevel::Verbose,
+ (" allowDeprecatedSystemRequests: %s\n",
+ aLoadInfo->GetAllowDeprecatedSystemRequests() ? "true" : "false"));
+
+ // Log CSPrequestPrincipal
+ nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadInfo->GetCsp();
+ MOZ_LOG(sCSMLog, LogLevel::Debug, (" CSP:"));
+ if (csp) {
+ nsAutoString parsedPolicyStr;
+ uint32_t count = 0;
+ csp->GetPolicyCount(&count);
+ for (uint32_t i = 0; i < count; ++i) {
+ csp->GetPolicyString(i, parsedPolicyStr);
+ // we need to add quotation marks, as otherwise yaml parsers may fail
+ // with CSP directives
+ // no need to escape quote marks in the parsed policy string, as URLs in
+ // there are already encoded
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ (" - \"%s\"\n", NS_ConvertUTF16toUTF8(parsedPolicyStr).get()));
+ }
+ }
+
+ // Security Flags
+ MOZ_LOG(sCSMLog, LogLevel::Verbose, (" securityFlags:"));
+ LogSecurityFlags(aLoadInfo->GetSecurityFlags());
+ LogHTTPSOnlyInfo(aLoadInfo);
+ MOZ_LOG(sCSMLog, LogLevel::Debug, ("\n#DebugDoContentSecurityCheck End\n"));
+ }
+}
+
+/* static */
+void nsContentSecurityManager::MeasureUnexpectedPrivilegedLoads(
+ nsILoadInfo* aLoadInfo, nsIURI* aFinalURI, const nsACString& aRemoteType) {
+ if (!StaticPrefs::dom_security_unexpected_system_load_telemetry_enabled()) {
+ return;
+ }
+ nsContentSecurityUtils::DetectJsHacks();
+ nsContentSecurityUtils::DetectCssHacks();
+ // The detection only work on the main-thread.
+ // To avoid races and early reports, we need to ensure the checks actually
+ // happened.
+ if (MOZ_UNLIKELY(sJSHacksPresent || !sJSHacksChecked || sCSSHacksPresent ||
+ !sCSSHacksChecked)) {
+ return;
+ }
+
+ ExtContentPolicyType contentPolicyType =
+ aLoadInfo->GetExternalContentPolicyType();
+ // restricting reported types to script, styles and documents
+ // to be continued in follow-ups of bug 1697163.
+ if (contentPolicyType != ExtContentPolicyType::TYPE_SCRIPT &&
+ contentPolicyType != ExtContentPolicyType::TYPE_STYLESHEET &&
+ contentPolicyType != ExtContentPolicyType::TYPE_DOCUMENT) {
+ return;
+ }
+
+ // Gather redirected schemes in string
+ nsAutoCString loggedRedirects;
+ const nsTArray<nsCOMPtr<nsIRedirectHistoryEntry>>& redirects =
+ aLoadInfo->RedirectChain();
+ if (!redirects.IsEmpty()) {
+ nsCOMPtr<nsIRedirectHistoryEntry> end = redirects.LastElement();
+ for (nsIRedirectHistoryEntry* entry : redirects) {
+ nsCOMPtr<nsIPrincipal> principal;
+ entry->GetPrincipal(getter_AddRefs(principal));
+ if (principal) {
+ nsAutoCString scheme;
+ principal->GetScheme(scheme);
+ loggedRedirects.Append(scheme);
+ if (entry != end) {
+ loggedRedirects.AppendLiteral(", ");
+ }
+ }
+ }
+ }
+
+ nsAutoCString uriString;
+ if (aFinalURI) {
+ aFinalURI->GetAsciiSpec(uriString);
+ } else {
+ uriString.AssignLiteral("");
+ }
+ FilenameTypeAndDetails fileNameTypeAndDetails =
+ nsContentSecurityUtils::FilenameToFilenameType(
+ NS_ConvertUTF8toUTF16(uriString), true);
+
+ nsCString loggedFileDetails = "unknown"_ns;
+ if (fileNameTypeAndDetails.second.isSome()) {
+ loggedFileDetails.Assign(
+ NS_ConvertUTF16toUTF8(fileNameTypeAndDetails.second.value()));
+ }
+ // sanitize remoteType because it may contain sensitive
+ // info, like URLs. e.g. `webIsolated=https://example.com`
+ nsAutoCString loggedRemoteType(dom::RemoteTypePrefix(aRemoteType));
+ nsAutoCString loggedContentType(NS_CP_ContentTypeName(contentPolicyType));
+
+ MOZ_LOG(sCSMLog, LogLevel::Debug, ("UnexpectedPrivilegedLoadTelemetry:\n"));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- contentType: %s\n", loggedContentType.get()));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- URL (not to be reported): %s\n", uriString.get()));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- remoteType: %s\n", loggedRemoteType.get()));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- fileInfo: %s\n", fileNameTypeAndDetails.first.get()));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- fileDetails: %s\n", loggedFileDetails.get()));
+ MOZ_LOG(sCSMLog, LogLevel::Debug,
+ ("- redirects: %s\n\n", loggedRedirects.get()));
+
+ // Send Telemetry
+ auto extra = Some<nsTArray<EventExtraEntry>>(
+ {EventExtraEntry{"contenttype"_ns, loggedContentType},
+ EventExtraEntry{"remotetype"_ns, loggedRemoteType},
+ EventExtraEntry{"filedetails"_ns, loggedFileDetails},
+ EventExtraEntry{"redirects"_ns, loggedRedirects}});
+
+ if (!sTelemetryEventEnabled.exchange(true)) {
+ Telemetry::SetEventRecordingEnabled("security"_ns, true);
+ }
+
+ Telemetry::EventID eventType =
+ Telemetry::EventID::Security_Unexpectedload_Systemprincipal;
+ Telemetry::RecordEvent(eventType, mozilla::Some(fileNameTypeAndDetails.first),
+ extra);
+}
+
+/* static */
+nsSecurityFlags nsContentSecurityManager::ComputeSecurityFlags(
+ mozilla::CORSMode aCORSMode, CORSSecurityMapping aCORSSecurityMapping) {
+ if (aCORSSecurityMapping == CORSSecurityMapping::DISABLE_CORS_CHECKS) {
+ return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL;
+ }
+
+ switch (aCORSMode) {
+ case CORS_NONE:
+ if (aCORSSecurityMapping == CORSSecurityMapping::REQUIRE_CORS_CHECKS) {
+ // CORS_NONE gets treated like CORS_ANONYMOUS in this mode
+ return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT |
+ nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
+ } else if (aCORSSecurityMapping ==
+ CORSSecurityMapping::CORS_NONE_MAPS_TO_INHERITED_CONTEXT) {
+ // CORS_NONE inherits
+ return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT;
+ } else {
+ // CORS_NONE_MAPS_TO_DISABLED_CORS_CHECKS, the only remaining enum
+ // variant. CORSSecurityMapping::DISABLE_CORS_CHECKS returned early.
+ MOZ_ASSERT(aCORSSecurityMapping ==
+ CORSSecurityMapping::CORS_NONE_MAPS_TO_DISABLED_CORS_CHECKS);
+ return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL;
+ }
+ case CORS_ANONYMOUS:
+ return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT |
+ nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
+ case CORS_USE_CREDENTIALS:
+ return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT |
+ nsILoadInfo::SEC_COOKIES_INCLUDE;
+ break;
+ default:
+ MOZ_ASSERT_UNREACHABLE("Invalid aCORSMode enum value");
+ return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT |
+ nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
+ }
+}
+
+/* static */
+nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
+ nsIChannel* aChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ nsCOMPtr<nsIPrincipal> inspectedPrincipal = loadInfo->GetLoadingPrincipal();
+ if (!inspectedPrincipal) {
+ return NS_OK;
+ }
+ // Check if we are actually dealing with a privileged request
+ if (!inspectedPrincipal->IsSystemPrincipal()) {
+ return NS_OK;
+ }
+ // loads with the allow flag are waived through
+ // until refactored (e.g., Shavar, OCSP)
+ if (loadInfo->GetAllowDeprecatedSystemRequests()) {
+ return NS_OK;
+ }
+ ExtContentPolicyType contentPolicyType =
+ loadInfo->GetExternalContentPolicyType();
+ // For now, let's not inspect top-level document loads
+ if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT) {
+ return NS_OK;
+ }
+
+ // allowing some fetches due to their lowered risk
+ // i.e., data & downloads fetches do limited parsing, no rendering
+ // remote images are too widely used (favicons, about:addons etc.)
+ if ((contentPolicyType == ExtContentPolicy::TYPE_FETCH) ||
+ (contentPolicyType == ExtContentPolicy::TYPE_XMLHTTPREQUEST) ||
+ (contentPolicyType == ExtContentPolicy::TYPE_WEBSOCKET) ||
+ (contentPolicyType == ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD) ||
+ (contentPolicyType == ExtContentPolicy::TYPE_IMAGE)) {
+ return NS_OK;
+ }
+
+ // Allow the user interface (e.g., schemes like chrome, resource)
+ nsCOMPtr<nsIURI> finalURI;
+ NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI));
+ bool isUiResource = false;
+ if (NS_SUCCEEDED(NS_URIChainHasFlags(
+ finalURI, nsIProtocolHandler::URI_IS_UI_RESOURCE, &isUiResource)) &&
+ isUiResource) {
+ return NS_OK;
+ }
+ // For about: and extension-based URIs, which don't get
+ // URI_IS_UI_RESOURCE, first remove layers of view-source:, if present.
+ nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(finalURI);
+
+ nsAutoCString remoteType;
+ if (XRE_IsParentProcess()) {
+ nsCOMPtr<nsIParentChannel> parentChannel;
+ NS_QueryNotificationCallbacks(aChannel, parentChannel);
+ if (parentChannel) {
+ parentChannel->GetRemoteType(remoteType);
+ }
+ } else {
+ remoteType.Assign(
+ mozilla::dom::ContentChild::GetSingleton()->GetRemoteType());
+ }
+
+ // GetInnerURI can return null for malformed nested URIs like moz-icon:trash
+ if (!innerURI) {
+ MeasureUnexpectedPrivilegedLoads(loadInfo, innerURI, remoteType);
+ if (StaticPrefs::security_disallow_privileged_no_finaluri_loads()) {
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ return NS_OK;
+ }
+ // loads of userContent.css during startup and tests that show up as file:
+ if (innerURI->SchemeIs("file")) {
+ if ((contentPolicyType == ExtContentPolicy::TYPE_STYLESHEET) ||
+ (contentPolicyType == ExtContentPolicy::TYPE_OTHER)) {
+ return NS_OK;
+ }
+ }
+ // (1) loads from within omni.ja and system add-ons use jar:
+ // this is safe to allow, because we do not support remote jar.
+ // (2) about: resources are always allowed: they are part of the build.
+ // (3) extensions are signed or the user has made bad decisions.
+ if (innerURI->SchemeIs("jar") || innerURI->SchemeIs("about") ||
+ innerURI->SchemeIs("moz-extension")) {
+ return NS_OK;
+ }
+
+ nsAutoCString requestedURL;
+ innerURI->GetAsciiSpec(requestedURL);
+ MOZ_LOG(sCSMLog, LogLevel::Warning,
+ ("SystemPrincipal should not load remote resources. URL: %s, type %d",
+ requestedURL.get(), int(contentPolicyType)));
+
+ // The load types that we want to disallow, will extend over time and
+ // prioritized by risk. The most risky/dangerous are load-types are documents,
+ // subdocuments, scripts and styles in that order. The most dangerous URL
+ // schemes to cover are HTTP, HTTPS, data, blob in that order. Meta bug
+ // 1725112 will track upcoming restrictions
+
+ // Telemetry for unexpected privileged loads.
+ // pref check & data sanitization happens in the called function
+ MeasureUnexpectedPrivilegedLoads(loadInfo, innerURI, remoteType);
+
+ // Relaxing restrictions for our test suites:
+ // (1) AreNonLocalConnectionsDisabled() disables network, so
+ // http://mochitest is actually local and allowed. (2) The marionette test
+ // framework uses injections and data URLs to execute scripts, checking for
+ // the environment variable breaks the attack but not the tests.
+ if (xpc::AreNonLocalConnectionsDisabled() ||
+ mozilla::EnvHasValue("MOZ_MARIONETTE")) {
+ bool disallowSystemPrincipalRemoteDocuments = Preferences::GetBool(
+ "security.disallow_non_local_systemprincipal_in_tests");
+ if (disallowSystemPrincipalRemoteDocuments) {
+ // our own mochitest needs NS_ASSERTION instead of MOZ_ASSERT
+ NS_ASSERTION(false, "SystemPrincipal must not load remote documents.");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ // but other mochitest are exempt from this
+ return NS_OK;
+ }
+
+ if (contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
+ if (StaticPrefs::security_disallow_privileged_https_subdocuments_loads() &&
+ (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) {
+ MOZ_ASSERT(
+ false,
+ "Disallowing SystemPrincipal load of subdocuments on HTTP(S).");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ if ((StaticPrefs::security_disallow_privileged_data_subdocuments_loads()) &&
+ (innerURI->SchemeIs("data"))) {
+ MOZ_ASSERT(
+ false,
+ "Disallowing SystemPrincipal load of subdocuments on data URL.");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ }
+ if (contentPolicyType == ExtContentPolicy::TYPE_SCRIPT) {
+ if ((StaticPrefs::security_disallow_privileged_https_script_loads()) &&
+ (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) {
+ MOZ_ASSERT(false,
+ "Disallowing SystemPrincipal load of scripts on HTTP(S).");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ }
+ if (contentPolicyType == ExtContentPolicy::TYPE_STYLESHEET) {
+ if (StaticPrefs::security_disallow_privileged_https_stylesheet_loads() &&
+ (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) {
+ MOZ_ASSERT(false,
+ "Disallowing SystemPrincipal load of stylesheets on HTTP(S).");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ }
+ return NS_OK;
+}
+
+/*
+ * Disallow about pages in the privilegedaboutcontext (e.g., password manager,
+ * newtab etc.) to load remote scripts. Regardless of whether this is coming
+ * from the contentprincipal or the systemprincipal.
+ */
+/* static */
+nsresult nsContentSecurityManager::CheckAllowLoadInPrivilegedAboutContext(
+ nsIChannel* aChannel) {
+ // bail out if check is disabled
+ if (StaticPrefs::security_disallow_privilegedabout_remote_script_loads()) {
+ return NS_OK;
+ }
+
+ nsAutoCString remoteType;
+ if (XRE_IsParentProcess()) {
+ nsCOMPtr<nsIParentChannel> parentChannel;
+ NS_QueryNotificationCallbacks(aChannel, parentChannel);
+ if (parentChannel) {
+ parentChannel->GetRemoteType(remoteType);
+ }
+ } else {
+ remoteType.Assign(
+ mozilla::dom::ContentChild::GetSingleton()->GetRemoteType());
+ }
+
+ // only perform check for privileged about process
+ if (!remoteType.Equals(PRIVILEGEDABOUT_REMOTE_TYPE)) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ ExtContentPolicyType contentPolicyType =
+ loadInfo->GetExternalContentPolicyType();
+ // only check for script loads
+ if (contentPolicyType != ExtContentPolicy::TYPE_SCRIPT) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> finalURI;
+ NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI));
+ nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(finalURI);
+
+ bool isLocal;
+ NS_URIChainHasFlags(innerURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
+ &isLocal);
+ // We allow URLs that are URI_IS_LOCAL (but that includes `data`
+ // and `blob` which are also undesirable.
+ if ((isLocal) && (!innerURI->SchemeIs("data")) &&
+ (!innerURI->SchemeIs("blob"))) {
+ return NS_OK;
+ }
+ MOZ_ASSERT(
+ false,
+ "Disallowing privileged about process to load scripts on HTTP(S).");
+ aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+}
+
+/*
+ * Every protocol handler must set one of the six security flags
+ * defined in nsIProtocolHandler - if not - deny the load.
+ */
+nsresult nsContentSecurityManager::CheckChannelHasProtocolSecurityFlag(
+ nsIChannel* aChannel) {
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsCOMPtr<nsIIOService> ios = do_GetIOService(&rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ uint32_t flags;
+ rv = ios->GetDynamicProtocolFlags(uri, &flags);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ uint32_t securityFlagsSet = 0;
+ if (flags & nsIProtocolHandler::WEBEXT_URI_WEB_ACCESSIBLE) {
+ securityFlagsSet += 1;
+ }
+ if (flags & nsIProtocolHandler::URI_LOADABLE_BY_ANYONE) {
+ securityFlagsSet += 1;
+ }
+ if (flags & nsIProtocolHandler::URI_DANGEROUS_TO_LOAD) {
+ securityFlagsSet += 1;
+ }
+ if (flags & nsIProtocolHandler::URI_IS_UI_RESOURCE) {
+ securityFlagsSet += 1;
+ }
+ if (flags & nsIProtocolHandler::URI_IS_LOCAL_FILE) {
+ securityFlagsSet += 1;
+ }
+ if (flags & nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS) {
+ securityFlagsSet += 1;
+ }
+
+ // Ensure that only "1" valid security flags is set.
+ if (securityFlagsSet == 1) {
+ return NS_OK;
+ }
+
+ MOZ_ASSERT(false, "protocol must use one valid security flag");
+ return NS_ERROR_CONTENT_BLOCKED;
+}
+
+// We should not allow loading non-JavaScript files as scripts using
+// a file:// URL.
+static nsresult CheckAllowFileProtocolScriptLoad(nsIChannel* aChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ ExtContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Only check script loads.
+ if (type != ExtContentPolicy::TYPE_SCRIPT) {
+ return NS_OK;
+ }
+
+ if (!StaticPrefs::security_block_fileuri_script_with_wrong_mime()) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!uri || !uri->SchemeIs("file")) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIMIMEService> mime = do_GetService("@mozilla.org/mime;1", &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // GetTypeFromURI fails for missing or unknown file-extensions.
+ nsAutoCString contentType;
+ rv = mime->GetTypeFromURI(uri, contentType);
+ if (NS_FAILED(rv) || !nsContentUtils::IsJavascriptMIMEType(
+ NS_ConvertUTF8toUTF16(contentType))) {
+ nsCOMPtr<Document> doc;
+ if (nsINode* node = loadInfo->LoadingNode()) {
+ doc = node->OwnerDoc();
+ }
+
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(NS_UnescapeURL(spec), *params.AppendElement());
+ CopyUTF8toUTF16(NS_UnescapeURL(contentType), *params.AppendElement());
+
+ nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
+ "FILE_SCRIPT_BLOCKED"_ns, doc,
+ nsContentUtils::eSECURITY_PROPERTIES,
+ "BlockFileScriptWithWrongMimeType", params);
+
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+
+ return NS_OK;
+}
+
+// We should not allow loading non-JavaScript files as scripts using
+// a moz-extension:// URL.
+static nsresult CheckAllowExtensionProtocolScriptLoad(nsIChannel* aChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ ExtContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Only check script loads.
+ if (type != ExtContentPolicy::TYPE_SCRIPT) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!uri || !uri->SchemeIs("moz-extension")) {
+ return NS_OK;
+ }
+
+ // We expect this code to never be hit off-the-main-thread (even worker
+ // scripts are currently hitting only on the main thread, see
+ // WorkerScriptLoader::DispatchLoadScript calling NS_DispatchToMainThread
+ // internally), this diagnostic assertion is meant to let us notice if that
+ // isn't the case anymore.
+ MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread(),
+ "Unexpected off-the-main-thread call to "
+ "CheckAllowFileProtocolScriptLoad");
+
+ nsAutoCString host;
+ rv = uri->GetHost(host);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ RefPtr<extensions::WebExtensionPolicyCore> targetPolicy =
+ ExtensionPolicyService::GetCoreByHost(host);
+
+ if (NS_WARN_IF(!targetPolicy) || targetPolicy->ManifestVersion() < 3) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIMIMEService> mime = do_GetService("@mozilla.org/mime;1", &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // GetDefaultTypeFromExtension fails for missing or unknown file-extensions.
+ nsAutoCString contentType;
+ rv = mime->GetDefaultTypeFromURI(uri, contentType);
+ if (NS_FAILED(rv) || !nsContentUtils::IsJavascriptMIMEType(
+ NS_ConvertUTF8toUTF16(contentType))) {
+ nsCOMPtr<Document> doc;
+ if (nsINode* node = loadInfo->LoadingNode()) {
+ doc = node->OwnerDoc();
+ }
+
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+
+ AutoTArray<nsString, 1> params;
+ CopyUTF8toUTF16(NS_UnescapeURL(spec), *params.AppendElement());
+
+ nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
+ "EXTENSION_SCRIPT_BLOCKED"_ns, doc,
+ nsContentUtils::eSECURITY_PROPERTIES,
+ "BlockExtensionScriptWithWrongExt", params);
+
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+
+ return NS_OK;
+}
+
+// Validate that a load should be allowed based on its remote type. This
+// intentionally prevents some loads from occuring even using the system
+// principal, if they were started in a content process.
+static nsresult CheckAllowLoadByTriggeringRemoteType(nsIChannel* aChannel) {
+ MOZ_ASSERT(aChannel);
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+
+ // For now, only restrict loads for documents. We currently have no
+ // interesting subresource checks for protocols which are are not fully
+ // handled within the content process.
+ ExtContentPolicy contentPolicyType = loadInfo->GetExternalContentPolicyType();
+ if (contentPolicyType != ExtContentPolicy::TYPE_DOCUMENT &&
+ contentPolicyType != ExtContentPolicy::TYPE_SUBDOCUMENT &&
+ contentPolicyType != ExtContentPolicy::TYPE_OBJECT) {
+ return NS_OK;
+ }
+
+ MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread(),
+ "Unexpected off-the-main-thread call to "
+ "CheckAllowLoadByTriggeringRemoteType");
+
+ // Due to the way that session history is handled without SHIP, we cannot run
+ // these checks when SHIP is disabled.
+ if (!mozilla::SessionHistoryInParent()) {
+ return NS_OK;
+ }
+
+ nsAutoCString triggeringRemoteType;
+ nsresult rv = loadInfo->GetTriggeringRemoteType(triggeringRemoteType);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // For now, only restrict loads coming from web remote types. In the future we
+ // may want to expand this a bit.
+ if (!StringBeginsWith(triggeringRemoteType, WEB_REMOTE_TYPE)) {
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsIURI> finalURI;
+ rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Don't allow web content processes to load non-remote about pages.
+ // NOTE: URIs with a `moz-safe-about:` inner scheme are safe to link to, so
+ // it's OK we miss them here.
+ nsCOMPtr<nsIURI> innermostURI = NS_GetInnermostURI(finalURI);
+ if (innermostURI->SchemeIs("about")) {
+ nsCOMPtr<nsIAboutModule> aboutModule;
+ rv = NS_GetAboutModule(innermostURI, getter_AddRefs(aboutModule));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ uint32_t aboutModuleFlags = 0;
+ rv = aboutModule->GetURIFlags(innermostURI, &aboutModuleFlags);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (!(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
+ !(aboutModuleFlags & nsIAboutModule::URI_CAN_LOAD_IN_CHILD) &&
+ !(aboutModuleFlags & nsIAboutModule::URI_MUST_LOAD_IN_CHILD)) {
+ NS_WARNING(nsPrintfCString("Blocking load of about URI (%s) which cannot "
+ "be linked to in web content process",
+ finalURI->GetSpecOrDefault().get())
+ .get());
+#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ if (NS_SUCCEEDED(
+ loadInfo->TriggeringPrincipal()->CheckMayLoad(finalURI, true))) {
+ nsAutoCString aboutModuleName;
+ MOZ_ALWAYS_SUCCEEDS(
+ NS_GetAboutModuleName(innermostURI, aboutModuleName));
+ MOZ_CRASH_UNSAFE_PRINTF(
+ "Blocking load of about uri by content process which may have "
+ "otherwise succeeded [aboutModule=%s, isSystemPrincipal=%d]",
+ aboutModuleName.get(),
+ loadInfo->TriggeringPrincipal()->IsSystemPrincipal());
+ }
+#endif
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+ return NS_OK;
+ }
+
+ // Don't allow web content processes to load file documents. Loads of file
+ // URIs as subresources will be handled by the sandbox, and may be allowed in
+ // some cases.
+ bool localFile = false;
+ rv = NS_URIChainHasFlags(finalURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
+ &localFile);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (localFile) {
+ NS_WARNING(
+ nsPrintfCString(
+ "Blocking document load of file URI (%s) from web content process",
+ innermostURI->GetSpecOrDefault().get())
+ .get());
+#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+ if (NS_SUCCEEDED(
+ loadInfo->TriggeringPrincipal()->CheckMayLoad(finalURI, true))) {
+ MOZ_CRASH_UNSAFE_PRINTF(
+ "Blocking document load of file URI by content process which may "
+ "have otherwise succeeded [isSystemPrincipal=%d]",
+ loadInfo->TriggeringPrincipal()->IsSystemPrincipal());
+ }
+#endif
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+
+ return NS_OK;
+}
+
+/*
+ * Based on the security flags provided in the loadInfo of the channel,
+ * doContentSecurityCheck() performs the following content security checks
+ * before opening the channel:
+ *
+ * (1) Same Origin Policy Check (if applicable)
+ * (2) Allow Cross Origin but perform sanity checks whether a principal
+ * is allowed to access the following URL.
+ * (3) Perform CORS check (if applicable)
+ * (4) ContentPolicy checks (Content-Security-Policy, Mixed Content, ...)
+ *
+ * @param aChannel
+ * The channel to perform the security checks on.
+ * @param aInAndOutListener
+ * The streamListener that is passed to channel->AsyncOpen() that is now
+ * potentially wrappend within nsCORSListenerProxy() and becomes the
+ * corsListener that now needs to be set as new streamListener on the channel.
+ */
+nsresult nsContentSecurityManager::doContentSecurityCheck(
+ nsIChannel* aChannel, nsCOMPtr<nsIStreamListener>& aInAndOutListener) {
+ NS_ENSURE_ARG(aChannel);
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ if (MOZ_UNLIKELY(MOZ_LOG_TEST(sCSMLog, LogLevel::Verbose))) {
+ DebugDoContentSecurityCheck(aChannel, loadInfo);
+ }
+
+ nsresult rv = CheckAllowLoadInSystemPrivilegedContext(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = CheckAllowLoadInPrivilegedAboutContext(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // We want to also check redirected requests to ensure
+ // the target maintains the proper javascript file extensions.
+ rv = CheckAllowExtensionProtocolScriptLoad(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = CheckChannelHasProtocolSecurityFlag(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = CheckAllowLoadByTriggeringRemoteType(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // if dealing with a redirected channel then we have already installed
+ // streamlistener and redirect proxies and so we are done.
+ if (loadInfo->GetInitialSecurityCheckDone()) {
+ return NS_OK;
+ }
+
+ // make sure that only one of the five security flags is set in the loadinfo
+ // e.g. do not require same origin and allow cross origin at the same time
+ rv = ValidateSecurityFlags(loadInfo);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (loadInfo->GetSecurityMode() ==
+ nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) {
+ rv = DoCORSChecks(aChannel, loadInfo, aInAndOutListener);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ rv = CheckChannel(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Perform all ContentPolicy checks (MixedContent, CSP, ...)
+ rv = DoContentSecurityChecks(aChannel, loadInfo);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Apply this after CSP to match Chrome.
+ rv = CheckFTPSubresourceLoad(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = CheckAllowFileProtocolScriptLoad(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // now lets set the initialSecurityFlag for subsequent calls
+ loadInfo->SetInitialSecurityCheckDone(true);
+
+ // all security checks passed - lets allow the load
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsContentSecurityManager::AsyncOnChannelRedirect(
+ nsIChannel* aOldChannel, nsIChannel* aNewChannel, uint32_t aRedirFlags,
+ nsIAsyncVerifyRedirectCallback* aCb) {
+ // Since we compare the principal from the loadInfo to the URI's
+ // princicpal, it's possible that the checks fail when doing an internal
+ // redirect. We can just return early instead, since we should never
+ // need to block an internal redirect.
+ if (aRedirFlags & nsIChannelEventSink::REDIRECT_INTERNAL) {
+ aCb->OnRedirectVerifyCallback(NS_OK);
+ return NS_OK;
+ }
+
+ nsCOMPtr<nsILoadInfo> loadInfo = aOldChannel->LoadInfo();
+ nsresult rv = CheckChannel(aNewChannel);
+ if (NS_SUCCEEDED(rv)) {
+ rv = CheckFTPSubresourceLoad(aNewChannel);
+ }
+ if (NS_FAILED(rv)) {
+ aOldChannel->Cancel(rv);
+ return rv;
+ }
+
+ // Also verify that the redirecting server is allowed to redirect to the
+ // given URI
+ nsCOMPtr<nsIPrincipal> oldPrincipal;
+ nsContentUtils::GetSecurityManager()->GetChannelResultPrincipal(
+ aOldChannel, getter_AddRefs(oldPrincipal));
+
+ nsCOMPtr<nsIURI> newURI;
+ Unused << NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI));
+ NS_ENSURE_STATE(oldPrincipal && newURI);
+
+ // Do not allow insecure redirects to data: URIs
+ if (!AllowInsecureRedirectToDataURI(aNewChannel)) {
+ // cancel the old channel and return an error
+ aOldChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+ return NS_ERROR_CONTENT_BLOCKED;
+ }
+
+ const uint32_t flags =
+ nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
+ nsIScriptSecurityManager::DISALLOW_SCRIPT;
+ rv = nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal(
+ oldPrincipal, newURI, flags, loadInfo->GetInnerWindowID());
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ aCb->OnRedirectVerifyCallback(NS_OK);
+ return NS_OK;
+}
+
+static void AddLoadFlags(nsIRequest* aRequest, nsLoadFlags aNewFlags) {
+ nsLoadFlags flags;
+ aRequest->GetLoadFlags(&flags);
+ flags |= aNewFlags;
+ aRequest->SetLoadFlags(flags);
+}
+
+/*
+ * Check that this channel passes all security checks. Returns an error code
+ * if this requesst should not be permitted.
+ */
+nsresult nsContentSecurityManager::CheckChannel(nsIChannel* aChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Handle cookie policies
+ uint32_t cookiePolicy = loadInfo->GetCookiePolicy();
+ if (cookiePolicy == nsILoadInfo::SEC_COOKIES_SAME_ORIGIN) {
+ // We shouldn't have the SEC_COOKIES_SAME_ORIGIN flag for top level loads
+ MOZ_ASSERT(loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_DOCUMENT);
+ nsIPrincipal* loadingPrincipal = loadInfo->GetLoadingPrincipal();
+
+ // It doesn't matter what we pass for the second, data-inherits, argument.
+ // Any protocol which inherits won't pay attention to cookies anyway.
+ rv = loadingPrincipal->CheckMayLoad(uri, false);
+ if (NS_FAILED(rv)) {
+ AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS);
+ }
+ } else if (cookiePolicy == nsILoadInfo::SEC_COOKIES_OMIT) {
+ AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS);
+ }
+
+ if (!CrossOriginEmbedderPolicyAllowsCredentials(aChannel)) {
+ AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS);
+ }
+
+ nsSecurityFlags securityMode = loadInfo->GetSecurityMode();
+
+ // CORS mode is handled by nsCORSListenerProxy
+ if (securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) {
+ if (NS_HasBeenCrossOrigin(aChannel)) {
+ loadInfo->MaybeIncreaseTainting(LoadTainting::CORS);
+ }
+ return NS_OK;
+ }
+
+ // Allow subresource loads if TriggeringPrincipal is the SystemPrincipal.
+ if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
+ loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_DOCUMENT &&
+ loadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_SUBDOCUMENT) {
+ return NS_OK;
+ }
+
+ // if none of the REQUIRE_SAME_ORIGIN flags are set, then SOP does not apply
+ if ((securityMode ==
+ nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT) ||
+ (securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED)) {
+ rv = DoSOPChecks(uri, loadInfo, aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ if ((securityMode ==
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT) ||
+ (securityMode ==
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL)) {
+ if (NS_HasBeenCrossOrigin(aChannel)) {
+ NS_ENSURE_FALSE(loadInfo->GetDontFollowRedirects(), NS_ERROR_DOM_BAD_URI);
+ loadInfo->MaybeIncreaseTainting(LoadTainting::Opaque);
+ }
+ // Please note that DoCheckLoadURIChecks should only be enforced for
+ // cross origin requests. If the flag SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT
+ // is set within the loadInfo, then CheckLoadURIWithPrincipal is performed
+ // within nsCorsListenerProxy
+ rv = DoCheckLoadURIChecks(uri, loadInfo);
+ NS_ENSURE_SUCCESS(rv, rv);
+ // TODO: Bug 1371237
+ // consider calling SetBlockedRequest in
+ // nsContentSecurityManager::CheckChannel
+ }
+
+ return NS_OK;
+}
+
+// https://fetch.spec.whatwg.org/#ref-for-cross-origin-embedder-policy-allows-credentials
+bool nsContentSecurityManager::CrossOriginEmbedderPolicyAllowsCredentials(
+ nsIChannel* aChannel) {
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+
+ // 1. If request’s mode is not "no-cors", then return true.
+ //
+ // `no-cors` check applies to document navigation such that if it is
+ // an document navigation, this check should return true to allow
+ // credentials.
+ if (loadInfo->GetExternalContentPolicyType() ==
+ ExtContentPolicy::TYPE_DOCUMENT ||
+ loadInfo->GetExternalContentPolicyType() ==
+ ExtContentPolicy::TYPE_SUBDOCUMENT) {
+ return true;
+ }
+
+ if (loadInfo->GetSecurityMode() !=
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL &&
+ loadInfo->GetSecurityMode() !=
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT) {
+ return true;
+ }
+
+ // If request’s client’s policy container’s embedder policy’s value is not
+ // "credentialless", then return true.
+ if (loadInfo->GetLoadingEmbedderPolicy() !=
+ nsILoadInfo::EMBEDDER_POLICY_CREDENTIALLESS) {
+ return true;
+ }
+
+ // If request’s origin is same origin with request’s current URL’s origin and
+ // request does not have a redirect-tainted origin, then return true.
+ nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+ nsCOMPtr<nsIPrincipal> resourcePrincipal;
+ ssm->GetChannelURIPrincipal(aChannel, getter_AddRefs(resourcePrincipal));
+
+ bool sameOrigin = resourcePrincipal->Equals(loadInfo->TriggeringPrincipal());
+ nsAutoCString serializedOrigin;
+ GetSerializedOrigin(loadInfo->TriggeringPrincipal(), resourcePrincipal,
+ serializedOrigin, loadInfo);
+ if (sameOrigin && !serializedOrigin.IsEmpty()) {
+ return true;
+ }
+
+ return false;
+}
+
+// https://fetch.spec.whatwg.org/#serializing-a-request-origin
+void nsContentSecurityManager::GetSerializedOrigin(
+ nsIPrincipal* aOrigin, nsIPrincipal* aResourceOrigin,
+ nsACString& aSerializedOrigin, nsILoadInfo* aLoadInfo) {
+ // The following for loop performs the
+ // https://fetch.spec.whatwg.org/#ref-for-concept-request-tainted-origin
+ nsCOMPtr<nsIPrincipal> lastOrigin;
+ for (nsIRedirectHistoryEntry* entry : aLoadInfo->RedirectChain()) {
+ if (!lastOrigin) {
+ entry->GetPrincipal(getter_AddRefs(lastOrigin));
+ continue;
+ }
+
+ nsCOMPtr<nsIPrincipal> currentOrigin;
+ entry->GetPrincipal(getter_AddRefs(currentOrigin));
+
+ if (!currentOrigin->Equals(lastOrigin) && !lastOrigin->Equals(aOrigin)) {
+ return;
+ }
+ lastOrigin = currentOrigin;
+ }
+
+ // When the redirectChain is empty, it means this is the first redirect.
+ // So according to the #serializing-a-request-origin spec, we don't
+ // have a redirect-tainted origin, so we return the origin of the request
+ // here.
+ if (!lastOrigin) {
+ aOrigin->GetAsciiOrigin(aSerializedOrigin);
+ return;
+ }
+
+ // Same as above, redirectChain doesn't contain the current redirect,
+ // so we have to do the check one last time here.
+ if (lastOrigin->Equals(aResourceOrigin) && !lastOrigin->Equals(aOrigin)) {
+ return;
+ }
+
+ aOrigin->GetAsciiOrigin(aSerializedOrigin);
+}
+
+// ==== nsIContentSecurityManager implementation =====
+
+NS_IMETHODIMP
+nsContentSecurityManager::PerformSecurityCheck(
+ nsIChannel* aChannel, nsIStreamListener* aStreamListener,
+ nsIStreamListener** outStreamListener) {
+ nsCOMPtr<nsIStreamListener> inAndOutListener = aStreamListener;
+ nsresult rv = doContentSecurityCheck(aChannel, inAndOutListener);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ inAndOutListener.forget(outStreamListener);
+ return NS_OK;
+}