1 files changed, 170 insertions, 0 deletions
diff --git a/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp b/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
new file mode 100644
index 0000000000..08ca2d1ec9
--- /dev/null
+++ b/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AddonManagerWebAPI.h"
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/Navigator.h"
+#include "mozilla/dom/NavigatorBinding.h"
+
+#include "mozilla/Preferences.h"
+#include "mozilla/StaticPrefs_extensions.h"
+#include "nsGlobalWindow.h"
+#include "xpcpublic.h"
+
+#include "nsIDocShell.h"
+#include "nsIScriptObjectPrincipal.h"
+
+namespace mozilla {
+using namespace mozilla::dom;
+
+#ifndef MOZ_THUNDERBIRD
+#  define MOZ_AMO_HOSTNAME "addons.mozilla.org"
+#  define MOZ_AMO_STAGE_HOSTNAME "addons.allizom.org"
+#  define MOZ_AMO_DEV_HOSTNAME "addons-dev.allizom.org"
+#else
+#  define MOZ_AMO_HOSTNAME "addons.thunderbird.net"
+#  define MOZ_AMO_STAGE_HOSTNAME "addons-stage.thunderbird.net"
+#  undef MOZ_AMO_DEV_HOSTNAME
+#endif
+
+static bool IsValidHost(const nsACString& host) {
+  // This hidden pref allows users to disable mozAddonManager entirely if they
+  // want for fingerprinting resistance. Someone like Tor browser will use this
+  // pref.
+  if (StaticPrefs::privacy_resistFingerprinting_block_mozAddonManager()) {
+    return false;
+  }
+
+  if (host.EqualsLiteral(MOZ_AMO_HOSTNAME)) {
+    return true;
+  }
+
+  // When testing allow access to the developer sites.
+  if (StaticPrefs::extensions_webapi_testing()) {
+    if (host.LowerCaseEqualsLiteral(MOZ_AMO_STAGE_HOSTNAME) ||
+#ifdef MOZ_AMO_DEV_HOSTNAME
+        host.LowerCaseEqualsLiteral(MOZ_AMO_DEV_HOSTNAME) ||
+#endif
+        host.LowerCaseEqualsLiteral("example.com")) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+// Checks if the given uri is secure and matches one of the hosts allowed to
+// access the API.
+bool AddonManagerWebAPI::IsValidSite(nsIURI* uri) {
+  if (!uri) {
+    return false;
+  }
+
+  if (!uri->SchemeIs("https")) {
+    if (!(xpc::IsInAutomation() &&
+          StaticPrefs::extensions_webapi_testing_http())) {
+      return false;
+    }
+  }
+
+  nsAutoCString host;
+  nsresult rv = uri->GetHost(host);
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  return IsValidHost(host);
+}
+
+#ifndef ANDROID
+bool AddonManagerWebAPI::IsAPIEnabled(JSContext* aCx, JSObject* aGlobal) {
+  MOZ_DIAGNOSTIC_ASSERT(JS_IsGlobalObject(aGlobal));
+  nsCOMPtr<nsPIDOMWindowInner> win = xpc::WindowOrNull(aGlobal);
+  if (!win) {
+    return false;
+  }
+
+  // Check that the current window and all parent frames are allowed access to
+  // the API.
+  while (win) {
+    nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(win);
+    if (!sop) {
+      return false;
+    }
+
+    nsCOMPtr<nsIPrincipal> principal = sop->GetPrincipal();
+    if (!principal) {
+      return false;
+    }
+
+    // Reaching a window with a system principal means we have reached
+    // privileged UI of some kind so stop at this point and allow access.
+    if (principal->IsSystemPrincipal()) {
+      return true;
+    }
+
+    nsCOMPtr<nsIDocShell> docShell = win->GetDocShell();
+    if (!docShell) {
+      // This window has been torn down so don't allow access to the API.
+      return false;
+    }
+
+    if (!IsValidSite(win->GetDocumentURI())) {
+      return false;
+    }
+
+    // Checks whether there is a parent frame of the same type. This won't cross
+    // mozbrowser or chrome or fission/process boundaries.
+    nsCOMPtr<nsIDocShellTreeItem> parent;
+    nsresult rv = docShell->GetInProcessSameTypeParent(getter_AddRefs(parent));
+    if (NS_FAILED(rv)) {
+      return false;
+    }
+
+    // No parent means we've hit a mozbrowser or chrome or process boundary.
+    if (!parent) {
+      // With Fission, a cross-origin iframe has an out-of-process parent, but
+      // DocShell knows nothing about it. We need to ask BrowsingContext here,
+      // and only allow API access if AMO is actually at the top, not framed
+      // by evilleagueofevil.com.
+      return docShell->GetBrowsingContext()->IsTopContent();
+    }
+
+    Document* doc = win->GetDoc();
+    if (!doc) {
+      return false;
+    }
+
+    doc = doc->GetInProcessParentDocument();
+    if (!doc) {
+      // Getting here means something has been torn down so fail safe.
+      return false;
+    }
+
+    win = doc->GetInnerWindow();
+  }
+
+  // Found a document with no inner window, don't grant access to the API.
+  return false;
+}
+#else   // We don't support mozAddonManager on Android
+bool AddonManagerWebAPI::IsAPIEnabled(JSContext* aCx, JSObject* aGlobal) {
+  return false;
+}
+#endif  // ifndef ANDROID
+
+namespace dom {
+
+bool AddonManagerPermissions::IsHostPermitted(const GlobalObject& /*unused*/,
+                                              const nsAString& host) {
+  return IsValidHost(NS_ConvertUTF16toUTF8(host));
+}
+
+}  // namespace dom
+
+}  // namespace mozilla