diff options
Diffstat (limited to 'toolkit/mozapps/extensions/AddonContentPolicy.cpp')
| -rw-r--r-- | toolkit/mozapps/extensions/AddonContentPolicy.cpp | 484 |
1 files changed, 484 insertions, 0 deletions
diff --git a/toolkit/mozapps/extensions/AddonContentPolicy.cpp b/toolkit/mozapps/extensions/AddonContentPolicy.cpp new file mode 100644 index 0000000000..bffe78a7ba --- /dev/null +++ b/toolkit/mozapps/extensions/AddonContentPolicy.cpp @@ -0,0 +1,484 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "AddonContentPolicy.h" + +#include "mozilla/dom/nsCSPContext.h" +#include "nsCOMPtr.h" +#include "nsComponentManagerUtils.h" +#include "nsContentPolicyUtils.h" +#include "nsContentTypeParser.h" +#include "nsContentUtils.h" +#include "nsIConsoleService.h" +#include "nsIContentSecurityPolicy.h" +#include "nsIContent.h" +#include "mozilla/Components.h" +#include "mozilla/dom/Document.h" +#include "mozilla/intl/Localization.h" +#include "nsIEffectiveTLDService.h" +#include "nsIScriptError.h" +#include "nsIStringBundle.h" +#include "nsIUUIDGenerator.h" +#include "nsIURI.h" +#include "nsNetCID.h" +#include "nsNetUtil.h" + +using namespace mozilla; +using namespace mozilla::intl; + +/* Enforces content policies for WebExtension scopes. Currently: + * + * - Prevents loading scripts with a non-default JavaScript version. + * - Checks custom content security policies for sufficiently stringent + * script-src and other script-related directives. + * - We also used to validate object-src similarly to script-src, but that was + * dropped because NPAPI plugins are no longer supported (see bug 1766881). + */ + +#define VERSIONED_JS_BLOCKED_MESSAGE \ + u"Versioned JavaScript is a non-standard, deprecated extension, and is " \ + u"not supported in WebExtension code. For alternatives, please see: " \ + u"https://developer.mozilla.org/Add-ons/WebExtensions/Tips" + +AddonContentPolicy::AddonContentPolicy() = default; + +AddonContentPolicy::~AddonContentPolicy() = default; + +NS_IMPL_ISUPPORTS(AddonContentPolicy, nsIContentPolicy, nsIAddonContentPolicy) + +static nsresult GetWindowIDFromContext(nsISupports* aContext, + uint64_t* aResult) { + NS_ENSURE_TRUE(aContext, NS_ERROR_FAILURE); + + nsCOMPtr<nsIContent> content = do_QueryInterface(aContext); + NS_ENSURE_TRUE(content, NS_ERROR_FAILURE); + + nsCOMPtr<nsPIDOMWindowInner> window = content->OwnerDoc()->GetInnerWindow(); + NS_ENSURE_TRUE(window, NS_ERROR_FAILURE); + + *aResult = window->WindowID(); + return NS_OK; +} + +static nsresult LogMessage(const nsAString& aMessage, + const nsAString& aSourceName, + const nsAString& aSourceSample, + nsISupports* aContext) { + nsCOMPtr<nsIScriptError> error = do_CreateInstance(NS_SCRIPTERROR_CONTRACTID); + NS_ENSURE_TRUE(error, NS_ERROR_OUT_OF_MEMORY); + + uint64_t windowID = 0; + GetWindowIDFromContext(aContext, &windowID); + + nsresult rv = error->InitWithSanitizedSource( + aMessage, aSourceName, aSourceSample, 0, 0, nsIScriptError::errorFlag, + "JavaScript", windowID); + NS_ENSURE_SUCCESS(rv, rv); + + nsCOMPtr<nsIConsoleService> console = + do_GetService(NS_CONSOLESERVICE_CONTRACTID); + NS_ENSURE_TRUE(console, NS_ERROR_OUT_OF_MEMORY); + + console->LogMessage(error); + return NS_OK; +} + +// Content policy enforcement: + +NS_IMETHODIMP +AddonContentPolicy::ShouldLoad(nsIURI* aContentLocation, nsILoadInfo* aLoadInfo, + const nsACString& aMimeTypeGuess, + int16_t* aShouldLoad) { + if (!aContentLocation || !aLoadInfo) { + NS_SetRequestBlockingReason( + aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_WEBEXT); + *aShouldLoad = REJECT_REQUEST; + return NS_ERROR_FAILURE; + } + + ExtContentPolicyType contentType = aLoadInfo->GetExternalContentPolicyType(); + + *aShouldLoad = nsIContentPolicy::ACCEPT; + nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->GetLoadingPrincipal(); + if (!loadingPrincipal) { + return NS_OK; + } + + // Only apply this policy to requests from documents loaded from + // moz-extension URLs, or to resources being loaded from moz-extension URLs. + if (!(aContentLocation->SchemeIs("moz-extension") || + loadingPrincipal->SchemeIs("moz-extension"))) { + return NS_OK; + } + + if (contentType == ExtContentPolicy::TYPE_SCRIPT) { + NS_ConvertUTF8toUTF16 typeString(aMimeTypeGuess); + nsContentTypeParser mimeParser(typeString); + + // Reject attempts to load JavaScript scripts with a non-default version. + nsAutoString mimeType, version; + if (NS_SUCCEEDED(mimeParser.GetType(mimeType)) && + nsContentUtils::IsJavascriptMIMEType(mimeType) && + NS_SUCCEEDED(mimeParser.GetParameter("version", version))) { + NS_SetRequestBlockingReason( + aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_WEBEXT); + *aShouldLoad = nsIContentPolicy::REJECT_REQUEST; + + nsCString sourceName; + loadingPrincipal->GetExposableSpec(sourceName); + NS_ConvertUTF8toUTF16 nameString(sourceName); + + nsCOMPtr<nsISupports> context = aLoadInfo->GetLoadingContext(); + LogMessage(nsLiteralString(VERSIONED_JS_BLOCKED_MESSAGE), nameString, + typeString, context); + return NS_OK; + } + } + + return NS_OK; +} + +NS_IMETHODIMP +AddonContentPolicy::ShouldProcess(nsIURI* aContentLocation, + nsILoadInfo* aLoadInfo, + const nsACString& aMimeTypeGuess, + int16_t* aShouldProcess) { + *aShouldProcess = nsIContentPolicy::ACCEPT; + return NS_OK; +} + +// CSP Validation: + +static const char* allowedSchemes[] = {"blob", "filesystem", nullptr}; + +static const char* allowedHostSchemes[] = {"http", "https", "moz-extension", + nullptr}; + +/** + * Validates a CSP directive to ensure that it is sufficiently stringent. + * In particular, ensures that: + * + * - No remote sources are allowed other than from https: schemes + * + * - No remote sources specify host wildcards for generic domains + * (*.blogspot.com, *.com, *) + * + * - All remote sources and local extension sources specify a host + * + * - No scheme sources are allowed other than blob:, filesystem:, + * moz-extension:, and https: + * + * - No keyword sources are allowed other than 'none', 'self', 'unsafe-eval', + * and hash sources. + * + * Manifest V3 limits CSP for extension_pages, the script-src and + * worker-src directives may only be the following: + * - self + * - none + */ +class CSPValidator final : public nsCSPSrcVisitor { + public: + CSPValidator(nsAString& aURL, CSPDirective aDirective, + bool aDirectiveRequired = true, uint32_t aPermittedPolicy = 0) + : mURL(aURL), + mDirective(CSP_CSPDirectiveToString(aDirective)), + mPermittedPolicy(aPermittedPolicy), + mDirectiveRequired(aDirectiveRequired), + mFoundSelf(false) { + // Start with the default error message for a missing directive, since no + // visitors will be called if the directive isn't present. + mError.SetIsVoid(true); + } + + // Visitors + + bool visitSchemeSrc(const nsCSPSchemeSrc& src) override { + nsAutoString scheme; + src.getScheme(scheme); + + if (SchemeInList(scheme, allowedHostSchemes)) { + FormatError("csp-error-missing-host"_ns, "scheme"_ns, scheme); + return false; + } + if (!SchemeInList(scheme, allowedSchemes)) { + FormatError("csp-error-illegal-protocol"_ns, "scheme"_ns, scheme); + return false; + } + return true; + }; + + bool visitHostSrc(const nsCSPHostSrc& src) override { + nsAutoString scheme, host; + + src.getScheme(scheme); + src.getHost(host); + + if (scheme.LowerCaseEqualsLiteral("http")) { + // Allow localhost on http + if (mPermittedPolicy & nsIAddonContentPolicy::CSP_ALLOW_LOCALHOST && + HostIsLocal(host)) { + return true; + } + FormatError("csp-error-illegal-protocol"_ns, "scheme"_ns, scheme); + return false; + } + if (scheme.LowerCaseEqualsLiteral("https")) { + if (mPermittedPolicy & nsIAddonContentPolicy::CSP_ALLOW_LOCALHOST && + HostIsLocal(host)) { + return true; + } + if (!(mPermittedPolicy & nsIAddonContentPolicy::CSP_ALLOW_REMOTE)) { + FormatError("csp-error-illegal-protocol"_ns, "scheme"_ns, scheme); + return false; + } + if (!HostIsAllowed(host)) { + FormatError("csp-error-illegal-host-wildcard"_ns, "scheme"_ns, scheme); + return false; + } + } else if (scheme.LowerCaseEqualsLiteral("moz-extension")) { + // The CSP parser silently converts 'self' keywords to the origin + // URL, so we need to reconstruct the URL to see if it was present. + if (!mFoundSelf) { + nsAutoString url(u"moz-extension://"); + url.Append(host); + + mFoundSelf = url.Equals(mURL); + } + + if (host.IsEmpty() || host.EqualsLiteral("*")) { + FormatError("csp-error-missing-host"_ns, "scheme"_ns, scheme); + return false; + } + } else if (!SchemeInList(scheme, allowedSchemes)) { + FormatError("csp-error-illegal-protocol"_ns, "scheme"_ns, scheme); + return false; + } + + return true; + }; + + bool visitKeywordSrc(const nsCSPKeywordSrc& src) override { + switch (src.getKeyword()) { + case CSP_NONE: + case CSP_SELF: + return true; + case CSP_WASM_UNSAFE_EVAL: + if (mPermittedPolicy & nsIAddonContentPolicy::CSP_ALLOW_WASM) { + return true; + } + // fall through to also check CSP_ALLOW_EVAL + [[fallthrough]]; + case CSP_UNSAFE_EVAL: + if (mPermittedPolicy & nsIAddonContentPolicy::CSP_ALLOW_EVAL) { + return true; + } + // fall through and produce an illegal-keyword error. + [[fallthrough]]; + default: + FormatError( + "csp-error-illegal-keyword"_ns, "keyword"_ns, + nsDependentString(CSP_EnumToUTF16Keyword(src.getKeyword()))); + return false; + } + }; + + bool visitNonceSrc(const nsCSPNonceSrc& src) override { + FormatError("csp-error-illegal-keyword"_ns, "keyword"_ns, u"'nonce-*'"_ns); + return false; + }; + + bool visitHashSrc(const nsCSPHashSrc& src) override { return true; }; + + // Accessors + + inline nsAString& GetError() { + if (mError.IsVoid() && mDirectiveRequired) { + FormatError("csp-error-missing-directive"_ns); + } + + return mError; + }; + + inline bool FoundSelf() { return mFoundSelf; }; + + // Formatters + + inline void FormatError(const nsACString& l10nId, + const nsACString& aKey = ""_ns, + const nsAString& aValue = u""_ns) { + nsTArray<nsCString> resIds = {"toolkit/global/cspErrors.ftl"_ns}; + RefPtr<intl::Localization> l10n = intl::Localization::Create(resIds, true); + + auto l10nArgs = dom::Optional<intl::L10nArgs>(); + l10nArgs.Construct(); + + auto dirArg = l10nArgs.Value().Entries().AppendElement(); + dirArg->mKey = "directive"; + dirArg->mValue.SetValue().SetAsUTF8String().Assign( + NS_ConvertUTF16toUTF8(mDirective)); + + if (!aKey.IsEmpty()) { + auto optArg = l10nArgs.Value().Entries().AppendElement(); + optArg->mKey = aKey; + optArg->mValue.SetValue().SetAsUTF8String().Assign( + NS_ConvertUTF16toUTF8(aValue)); + } + + nsAutoCString translation; + IgnoredErrorResult rv; + l10n->FormatValueSync(l10nId, l10nArgs, translation, rv); + if (rv.Failed()) { + mError.AssignLiteral("An unexpected error occurred"); + } else { + mError = NS_ConvertUTF8toUTF16(translation); + } + }; + + private: + // Validators + bool HostIsLocal(nsAString& host) { + return host.EqualsLiteral("localhost") || host.EqualsLiteral("127.0.0.1"); + } + + bool HostIsAllowed(nsAString& host) { + if (host.First() == '*') { + if (host.EqualsLiteral("*") || host[1] != '.') { + return false; + } + + host.Cut(0, 2); + + nsCOMPtr<nsIEffectiveTLDService> tldService = + do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID); + + if (!tldService) { + return false; + } + + NS_ConvertUTF16toUTF8 cHost(host); + nsAutoCString publicSuffix; + + nsresult rv = tldService->GetPublicSuffixFromHost(cHost, publicSuffix); + + return NS_SUCCEEDED(rv) && !cHost.Equals(publicSuffix); + } + + return true; + }; + + bool SchemeInList(nsAString& scheme, const char** schemes) { + for (; *schemes; schemes++) { + if (scheme.LowerCaseEqualsASCII(*schemes)) { + return true; + } + } + return false; + }; + + // Data members + + nsAutoString mURL; + NS_ConvertASCIItoUTF16 mDirective; + nsString mError; + + uint32_t mPermittedPolicy; + bool mDirectiveRequired; + bool mFoundSelf; +}; + +/** + * Validates a custom content security policy string for use by an add-on. + * In particular, ensures that: + * + * - That script-src (or default-src) directive is present, and meets + * the policies required by the CSPValidator class + * + * - The script-src directive includes the source 'self' + */ +NS_IMETHODIMP +AddonContentPolicy::ValidateAddonCSP(const nsAString& aPolicyString, + uint32_t aPermittedPolicy, + nsAString& aResult) { + nsresult rv; + + // Validate against a randomly-generated extension origin. + // There is no add-on-specific behavior in the CSP code, beyond the ability + // for add-ons to specify a custom policy, but the parser requires a valid + // origin in order to operate correctly. + nsAutoString url(u"moz-extension://"); + { + nsCOMPtr<nsIUUIDGenerator> uuidgen = components::UUIDGenerator::Service(); + NS_ENSURE_TRUE(uuidgen, NS_ERROR_FAILURE); + + nsID id; + rv = uuidgen->GenerateUUIDInPlace(&id); + NS_ENSURE_SUCCESS(rv, rv); + + char idString[NSID_LENGTH]; + id.ToProvidedString(idString); + + MOZ_RELEASE_ASSERT(idString[0] == '{' && idString[NSID_LENGTH - 2] == '}', + "UUID generator did not return a valid UUID"); + + url.AppendASCII(idString + 1, NSID_LENGTH - 3); + } + + RefPtr<BasePrincipal> principal = + BasePrincipal::CreateContentPrincipal(NS_ConvertUTF16toUTF8(url)); + + nsCOMPtr<nsIURI> selfURI; + principal->GetURI(getter_AddRefs(selfURI)); + RefPtr<nsCSPContext> csp = new nsCSPContext(); + rv = csp->SetRequestContextWithPrincipal(principal, selfURI, u""_ns, 0); + NS_ENSURE_SUCCESS(rv, rv); + csp->AppendPolicy(aPolicyString, false, false); + + const nsCSPPolicy* policy = csp->GetPolicy(0); + if (!policy) { + CSPValidator validator(url, nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE, + true, aPermittedPolicy); + aResult.Assign(validator.GetError()); + return NS_OK; + } + + bool haveValidDefaultSrc = false; + bool hasValidScriptSrc = false; + { + CSPDirective directive = nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE; + CSPValidator validator(url, directive); + + haveValidDefaultSrc = policy->visitDirectiveSrcs(directive, &validator); + } + + aResult.SetIsVoid(true); + { + CSPDirective directive = nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE; + CSPValidator validator(url, directive, !haveValidDefaultSrc, + aPermittedPolicy); + + if (!policy->visitDirectiveSrcs(directive, &validator)) { + aResult.Assign(validator.GetError()); + } else if (!validator.FoundSelf()) { + validator.FormatError("csp-error-missing-source"_ns, "source"_ns, + u"'self'"_ns); + aResult.Assign(validator.GetError()); + } + hasValidScriptSrc = true; + } + + if (aResult.IsVoid()) { + CSPDirective directive = nsIContentSecurityPolicy::WORKER_SRC_DIRECTIVE; + CSPValidator validator(url, directive, + !haveValidDefaultSrc && !hasValidScriptSrc, + aPermittedPolicy); + + if (!policy->visitDirectiveSrcs(directive, &validator)) { + aResult.Assign(validator.GetError()); + } + } + + return NS_OK; +} |