/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsAboutProtocolUtils.h" #include "nsArray.h" #include "nsContentSecurityManager.h" #include "nsContentSecurityUtils.h" #include "nsContentPolicyUtils.h" #include "nsEscape.h" #include "nsDataHandler.h" #include "nsIChannel.h" #include "nsIContentPolicy.h" #include "nsIHttpChannelInternal.h" #include "nsINode.h" #include "nsIStreamListener.h" #include "nsILoadInfo.h" #include "nsIMIMEService.h" #include "nsIOService.h" #include "nsContentUtils.h" #include "nsCORSListenerProxy.h" #include "nsIParentChannel.h" #include "nsIRedirectHistoryEntry.h" #include "nsIXULRuntime.h" #include "nsNetUtil.h" #include "nsReadableUtils.h" #include "nsSandboxFlags.h" #include "nsIXPConnect.h" #include "mozilla/BasePrincipal.h" #include "mozilla/ClearOnShutdown.h" #include "mozilla/CmdLineAndEnvUtils.h" #include "mozilla/dom/Element.h" #include "mozilla/dom/nsMixedContentBlocker.h" #include "mozilla/dom/BrowserChild.h" #include "mozilla/dom/ContentChild.h" #include "mozilla/dom/ContentParent.h" #include "mozilla/dom/Document.h" #include "mozilla/extensions/WebExtensionPolicy.h" #include "mozilla/Components.h" #include "mozilla/ExtensionPolicyService.h" #include "mozilla/Logging.h" #include "mozilla/Maybe.h" #include "mozilla/Preferences.h" #include "mozilla/StaticPrefs_dom.h" #include "mozilla/StaticPrefs_security.h" #include "mozilla/Telemetry.h" #include "mozilla/TelemetryComms.h" #include "xpcpublic.h" #include "nsMimeTypes.h" #include "jsapi.h" #include "js/RegExp.h" using namespace mozilla; using namespace mozilla::dom; using namespace mozilla::Telemetry; NS_IMPL_ISUPPORTS(nsContentSecurityManager, nsIContentSecurityManager, nsIChannelEventSink) mozilla::LazyLogModule sCSMLog("CSMLog"); // These first two are used for off-the-main-thread checks of // general.config.filename // (which can't be checked off-main-thread). Atomic sJSHacksChecked(false); Atomic sJSHacksPresent(false); Atomic sCSSHacksChecked(false); Atomic sCSSHacksPresent(false); Atomic sTelemetryEventEnabled(false); /* static */ bool nsContentSecurityManager::AllowTopLevelNavigationToDataURI( nsIChannel* aChannel) { // Let's block all toplevel document navigations to a data: URI. // In all cases where the toplevel document is navigated to a // data: URI the triggeringPrincipal is a contentPrincipal, or // a NullPrincipal. In other cases, e.g. typing a data: URL into // the URL-Bar, the triggeringPrincipal is a SystemPrincipal; // we don't want to block those loads. Only exception, loads coming // from an external applicaton (e.g. Thunderbird) don't load // using a contentPrincipal, but we want to block those loads. if (!StaticPrefs::security_data_uri_block_toplevel_data_uri_navigations()) { return true; } nsCOMPtr loadInfo = aChannel->LoadInfo(); if (loadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT) { return true; } if (loadInfo->GetForceAllowDataURI()) { // if the loadinfo explicitly allows the data URI navigation, let's allow it // now return true; } nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, true); bool isDataURI = uri->SchemeIs("data"); if (!isDataURI) { return true; } nsAutoCString spec; rv = uri->GetSpec(spec); NS_ENSURE_SUCCESS(rv, true); nsAutoCString contentType; bool base64; rv = nsDataHandler::ParseURI(spec, contentType, nullptr, base64, nullptr); NS_ENSURE_SUCCESS(rv, true); // Allow data: images as long as they are not SVGs if (StringBeginsWith(contentType, "image/"_ns) && !contentType.EqualsLiteral("image/svg+xml")) { return true; } // Allow all data: PDFs. or JSON documents if (contentType.EqualsLiteral(APPLICATION_JSON) || contentType.EqualsLiteral(TEXT_JSON) || contentType.EqualsLiteral(APPLICATION_PDF)) { return true; } // Redirecting to a toplevel data: URI is not allowed, hence we make // sure the RedirectChain is empty. if (!loadInfo->GetLoadTriggeredFromExternal() && loadInfo->TriggeringPrincipal()->IsSystemPrincipal() && loadInfo->RedirectChain().IsEmpty()) { return true; } ReportBlockedDataURI(uri, loadInfo); return false; } void nsContentSecurityManager::ReportBlockedDataURI(nsIURI* aURI, nsILoadInfo* aLoadInfo, bool aIsRedirect) { // We're going to block the request, construct the localized error message to // report to the console. nsAutoCString dataSpec; aURI->GetSpec(dataSpec); if (dataSpec.Length() > 50) { dataSpec.Truncate(50); dataSpec.AppendLiteral("..."); } AutoTArray params; CopyUTF8toUTF16(NS_UnescapeURL(dataSpec), *params.AppendElement()); nsAutoString errorText; const char* stringID = aIsRedirect ? "BlockRedirectToDataURI" : "BlockTopLevelDataURINavigation"; nsresult rv = nsContentUtils::FormatLocalizedString( nsContentUtils::eSECURITY_PROPERTIES, stringID, params, errorText); if (NS_FAILED(rv)) { return; } // Report the localized error message to the console for the loading // BrowsingContext's current inner window. RefPtr target = aLoadInfo->GetBrowsingContext(); nsContentUtils::ReportToConsoleByWindowID( errorText, nsIScriptError::warningFlag, "DATA_URI_BLOCKED"_ns, target ? target->GetCurrentInnerWindowId() : 0); } /* static */ bool nsContentSecurityManager::AllowInsecureRedirectToDataURI( nsIChannel* aNewChannel) { nsCOMPtr loadInfo = aNewChannel->LoadInfo(); if (loadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_SCRIPT) { return true; } nsCOMPtr newURI; nsresult rv = NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI)); if (NS_FAILED(rv) || !newURI) { return true; } bool isDataURI = newURI->SchemeIs("data"); if (!isDataURI) { return true; } // Web Extensions are exempt from that restriction and are allowed to redirect // a channel to a data: URI. When a web extension redirects a channel, we set // a flag on the loadInfo which allows us to identify such redirects here. if (loadInfo->GetAllowInsecureRedirectToDataURI()) { return true; } ReportBlockedDataURI(newURI, loadInfo, true); return false; } static nsresult ValidateSecurityFlags(nsILoadInfo* aLoadInfo) { nsSecurityFlags securityMode = aLoadInfo->GetSecurityMode(); // We should never perform a security check on a loadInfo that uses the flag // SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, because that is only used for // temporary loadInfos used for explicit nsIContentPolicy checks, but never be // set as a security flag on an actual channel. if (securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT && securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED && securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT && securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL && securityMode != nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) { MOZ_ASSERT( false, "need one securityflag from nsILoadInfo to perform security checks"); return NS_ERROR_FAILURE; } // all good, found the right security flags return NS_OK; } static already_AddRefed GetExtensionSandboxPrincipal( nsILoadInfo* aLoadInfo) { // An extension is allowed to load resources from itself when its pages are // loaded into a sandboxed frame. Extension resources in a sandbox have // a null principal and no access to extension APIs. See "sandbox" in // MDN extension docs for more information. if (!aLoadInfo->TriggeringPrincipal()->GetIsNullPrincipal()) { return nullptr; } RefPtr doc; aLoadInfo->GetLoadingDocument(getter_AddRefs(doc)); if (!doc || !(doc->GetSandboxFlags() & SANDBOXED_ORIGIN)) { return nullptr; } // node principal is also a null principal here, so we need to // create a principal using documentURI, which is the moz-extension // uri for the page if this is an extension sandboxed page. nsCOMPtr docPrincipal = BasePrincipal::CreateContentPrincipal( doc->GetDocumentURI(), doc->NodePrincipal()->OriginAttributesRef()); if (!BasePrincipal::Cast(docPrincipal)->AddonPolicy()) { return nullptr; } return docPrincipal.forget(); } static bool IsImageLoadInEditorAppType(nsILoadInfo* aLoadInfo) { // Editor apps get special treatment here, editors can load images // from anywhere. This allows editor to insert images from file:// // into documents that are being edited. nsContentPolicyType type = aLoadInfo->InternalContentPolicyType(); if (type != nsIContentPolicy::TYPE_INTERNAL_IMAGE && type != nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD && type != nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON && type != nsIContentPolicy::TYPE_IMAGESET) { return false; } auto appType = nsIDocShell::APP_TYPE_UNKNOWN; nsINode* node = aLoadInfo->LoadingNode(); if (!node) { return false; } Document* doc = node->OwnerDoc(); if (!doc) { return false; } nsCOMPtr docShellTreeItem = doc->GetDocShell(); if (!docShellTreeItem) { return false; } nsCOMPtr root; docShellTreeItem->GetInProcessRootTreeItem(getter_AddRefs(root)); nsCOMPtr docShell(do_QueryInterface(root)); if (docShell) { appType = docShell->GetAppType(); } return appType == nsIDocShell::APP_TYPE_EDITOR; } static nsresult DoCheckLoadURIChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo) { // In practice, these DTDs are just used for localization, so applying the // same principal check as Fluent. if (aLoadInfo->InternalContentPolicyType() == nsIContentPolicy::TYPE_INTERNAL_DTD) { RefPtr doc; aLoadInfo->GetLoadingDocument(getter_AddRefs(doc)); bool allowed = false; aLoadInfo->TriggeringPrincipal()->IsL10nAllowed( doc ? doc->GetDocumentURI() : nullptr, &allowed); return allowed ? NS_OK : NS_ERROR_DOM_BAD_URI; } // This is used in order to allow a privileged DOMParser to parse documents // that need to access localization DTDs. We just allow through // TYPE_INTERNAL_FORCE_ALLOWED_DTD no matter what the triggering principal is. if (aLoadInfo->InternalContentPolicyType() == nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD) { return NS_OK; } if (IsImageLoadInEditorAppType(aLoadInfo)) { return NS_OK; } nsCOMPtr triggeringPrincipal = aLoadInfo->TriggeringPrincipal(); nsCOMPtr addonPrincipal = GetExtensionSandboxPrincipal(aLoadInfo); if (addonPrincipal) { // call CheckLoadURIWithPrincipal() as below to continue other checks, but // with the addon principal. triggeringPrincipal = addonPrincipal; } // Only call CheckLoadURIWithPrincipal() using the TriggeringPrincipal and not // the LoadingPrincipal when SEC_ALLOW_CROSS_ORIGIN_* security flags are set, // to allow, e.g. user stylesheets to load chrome:// URIs. return nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal( triggeringPrincipal, aURI, aLoadInfo->CheckLoadURIFlags(), aLoadInfo->GetInnerWindowID()); } static bool URIHasFlags(nsIURI* aURI, uint32_t aURIFlags) { bool hasFlags; nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags); NS_ENSURE_SUCCESS(rv, false); return hasFlags; } static nsresult DoSOPChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo, nsIChannel* aChannel) { if (aLoadInfo->GetAllowChrome() && (URIHasFlags(aURI, nsIProtocolHandler::URI_IS_UI_RESOURCE) || nsContentUtils::SchemeIs(aURI, "moz-safe-about"))) { // UI resources are allowed. return DoCheckLoadURIChecks(aURI, aLoadInfo); } if (NS_HasBeenCrossOrigin(aChannel, true)) { NS_SetRequestBlockingReason(aLoadInfo, nsILoadInfo::BLOCKING_REASON_NOT_SAME_ORIGIN); return NS_ERROR_DOM_BAD_URI; } return NS_OK; } static nsresult DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo, nsCOMPtr& aInAndOutListener) { MOZ_RELEASE_ASSERT(aInAndOutListener, "can not perform CORS checks without a listener"); // No need to set up CORS if TriggeringPrincipal is the SystemPrincipal. if (aLoadInfo->TriggeringPrincipal()->IsSystemPrincipal()) { return NS_OK; } // We use the triggering principal here, rather than the loading principal // to ensure that anonymous CORS content in the browser resources and in // WebExtensions is allowed to load. nsIPrincipal* principal = aLoadInfo->TriggeringPrincipal(); RefPtr corsListener = new nsCORSListenerProxy( aInAndOutListener, principal, aLoadInfo->GetCookiePolicy() == nsILoadInfo::SEC_COOKIES_INCLUDE); // XXX: @arg: DataURIHandling::Allow // lets use DataURIHandling::Allow for now and then decide on callsite basis. // see also: // http://mxr.mozilla.org/mozilla-central/source/dom/security/nsCORSListenerProxy.h#33 nsresult rv = corsListener->Init(aChannel, DataURIHandling::Allow); NS_ENSURE_SUCCESS(rv, rv); aInAndOutListener = corsListener; return NS_OK; } static nsresult DoContentSecurityChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo) { ExtContentPolicyType contentPolicyType = aLoadInfo->GetExternalContentPolicyType(); nsContentPolicyType internalContentPolicyType = aLoadInfo->InternalContentPolicyType(); nsCString mimeTypeGuess; nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, rv); switch (contentPolicyType) { case ExtContentPolicy::TYPE_OTHER: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_SCRIPT: { mimeTypeGuess = "application/javascript"_ns; break; } case ExtContentPolicy::TYPE_IMAGE: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_STYLESHEET: { mimeTypeGuess = "text/css"_ns; break; } case ExtContentPolicy::TYPE_OBJECT: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_DOCUMENT: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_SUBDOCUMENT: { mimeTypeGuess = "text/html"_ns; break; } case ExtContentPolicy::TYPE_PING: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_XMLHTTPREQUEST: { #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE, "type_xml requires requestingContext of type Document"); } #endif // We're checking for the external TYPE_XMLHTTPREQUEST here in case // an addon creates a request with that type. if (internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST || internalContentPolicyType == nsIContentPolicy::TYPE_XMLHTTPREQUEST) { mimeTypeGuess.Truncate(); } else { MOZ_ASSERT(internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE, "can not set mime type guess for unexpected internal type"); mimeTypeGuess = nsLiteralCString(TEXT_EVENT_STREAM); } break; } case ExtContentPolicy::TYPE_OBJECT_SUBREQUEST: { mimeTypeGuess.Truncate(); #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT( !node || node->NodeType() == nsINode::ELEMENT_NODE, "type_subrequest requires requestingContext of type Element"); } #endif break; } case ExtContentPolicy::TYPE_DTD: { mimeTypeGuess.Truncate(); #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE, "type_dtd requires requestingContext of type Document"); } #endif break; } case ExtContentPolicy::TYPE_FONT: case ExtContentPolicy::TYPE_UA_FONT: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_MEDIA: { if (internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_TRACK) { mimeTypeGuess = "text/vtt"_ns; } else { mimeTypeGuess.Truncate(); } #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT(!node || node->NodeType() == nsINode::ELEMENT_NODE, "type_media requires requestingContext of type Element"); } #endif break; } case ExtContentPolicy::TYPE_WEBSOCKET: { // Websockets have to use the proxied URI: // ws:// instead of http:// for CSP checks nsCOMPtr httpChannelInternal = do_QueryInterface(aChannel); MOZ_ASSERT(httpChannelInternal); if (httpChannelInternal) { rv = httpChannelInternal->GetProxyURI(getter_AddRefs(uri)); MOZ_ASSERT(NS_SUCCEEDED(rv)); } mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_CSP_REPORT: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_XSLT: { mimeTypeGuess = "application/xml"_ns; #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE, "type_xslt requires requestingContext of type Document"); } #endif break; } case ExtContentPolicy::TYPE_BEACON: { mimeTypeGuess.Truncate(); #ifdef DEBUG { nsCOMPtr node = aLoadInfo->LoadingNode(); MOZ_ASSERT(!node || node->NodeType() == nsINode::DOCUMENT_NODE, "type_beacon requires requestingContext of type Document"); } #endif break; } case ExtContentPolicy::TYPE_FETCH: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_IMAGESET: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_WEB_MANIFEST: { mimeTypeGuess = "application/manifest+json"_ns; break; } case ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_SPECULATIVE: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA: { mimeTypeGuess.Truncate(); break; } case ExtContentPolicy::TYPE_INVALID: MOZ_ASSERT(false, "can not perform security check without a valid contentType"); // Do not add default: so that compilers can catch the missing case. } int16_t shouldLoad = nsIContentPolicy::ACCEPT; rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad, nsContentUtils::GetContentPolicy()); if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) { NS_SetRequestBlockingReasonIfNull( aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL); if (NS_SUCCEEDED(rv) && (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT || contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT)) { if (shouldLoad == nsIContentPolicy::REJECT_TYPE) { // for docshell loads we might have to return SHOW_ALT. return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT; } if (shouldLoad == nsIContentPolicy::REJECT_POLICY) { return NS_ERROR_BLOCKED_BY_POLICY; } } return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } static void LogHTTPSOnlyInfo(nsILoadInfo* aLoadInfo) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" httpsOnlyFirstStatus:")); uint32_t httpsOnlyStatus = aLoadInfo->GetHttpsOnlyStatus(); if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UNINITIALIZED) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_UNINITIALIZED")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_EXEMPT")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_DOWNLOAD_IN_PROGRESS) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_DOWNLOAD_IN_PROGRESS")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE")); } if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - HTTPS_ONLY_UPGRADED_HTTPS_FIRST")); } } static void LogPrincipal(nsIPrincipal* aPrincipal, const nsAString& aPrincipalName, const uint8_t& aNestingLevel) { nsPrintfCString aIndentationString("%*s", aNestingLevel * 2, ""); if (aPrincipal && aPrincipal->IsSystemPrincipal()) { MOZ_LOG(sCSMLog, LogLevel::Debug, ("%s%s: SystemPrincipal\n", aIndentationString.get(), NS_ConvertUTF16toUTF8(aPrincipalName).get())); return; } if (aPrincipal) { if (aPrincipal->GetIsNullPrincipal()) { MOZ_LOG(sCSMLog, LogLevel::Debug, ("%s%s: NullPrincipal\n", aIndentationString.get(), NS_ConvertUTF16toUTF8(aPrincipalName).get())); return; } if (aPrincipal->GetIsExpandedPrincipal()) { nsCOMPtr expanded(do_QueryInterface(aPrincipal)); nsAutoCString origin; origin.AssignLiteral("[Expanded Principal ["); StringJoinAppend(origin, ", "_ns, expanded->AllowList(), [](nsACString& dest, nsIPrincipal* principal) { nsAutoCString subOrigin; DebugOnly rv = principal->GetOrigin(subOrigin); MOZ_ASSERT(NS_SUCCEEDED(rv)); dest.Append(subOrigin); }); origin.AppendLiteral("]]"); MOZ_LOG(sCSMLog, LogLevel::Debug, ("%s%s: %s\n", aIndentationString.get(), NS_ConvertUTF16toUTF8(aPrincipalName).get(), origin.get())); return; } nsAutoCString principalSpec; aPrincipal->GetAsciiSpec(principalSpec); if (aPrincipalName.IsEmpty()) { MOZ_LOG(sCSMLog, LogLevel::Debug, ("%s - \"%s\"\n", aIndentationString.get(), principalSpec.get())); } else { MOZ_LOG( sCSMLog, LogLevel::Debug, ("%s%s: \"%s\"\n", aIndentationString.get(), NS_ConvertUTF16toUTF8(aPrincipalName).get(), principalSpec.get())); } return; } MOZ_LOG(sCSMLog, LogLevel::Debug, ("%s%s: nullptr\n", aIndentationString.get(), NS_ConvertUTF16toUTF8(aPrincipalName).get())); } static void LogSecurityFlags(nsSecurityFlags securityFlags) { struct DebugSecFlagType { unsigned long secFlag; char secTypeStr[128]; }; static const DebugSecFlagType secTypes[] = { {nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, "SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK"}, {nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT, "SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT"}, {nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED, "SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED"}, {nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT, "SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT"}, {nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, "SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL"}, {nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT, "SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT"}, {nsILoadInfo::SEC_COOKIES_DEFAULT, "SEC_COOKIES_DEFAULT"}, {nsILoadInfo::SEC_COOKIES_INCLUDE, "SEC_COOKIES_INCLUDE"}, {nsILoadInfo::SEC_COOKIES_SAME_ORIGIN, "SEC_COOKIES_SAME_ORIGIN"}, {nsILoadInfo::SEC_COOKIES_OMIT, "SEC_COOKIES_OMIT"}, {nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL, "SEC_FORCE_INHERIT_PRINCIPAL"}, {nsILoadInfo::SEC_ABOUT_BLANK_INHERITS, "SEC_ABOUT_BLANK_INHERITS"}, {nsILoadInfo::SEC_ALLOW_CHROME, "SEC_ALLOW_CHROME"}, {nsILoadInfo::SEC_DISALLOW_SCRIPT, "SEC_DISALLOW_SCRIPT"}, {nsILoadInfo::SEC_DONT_FOLLOW_REDIRECTS, "SEC_DONT_FOLLOW_REDIRECTS"}, {nsILoadInfo::SEC_LOAD_ERROR_PAGE, "SEC_LOAD_ERROR_PAGE"}, {nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER, "SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER"}}; for (const DebugSecFlagType& flag : secTypes) { if (securityFlags & flag.secFlag) { // the logging level should be in sync with the logging level in // DebugDoContentSecurityCheck() MOZ_LOG(sCSMLog, LogLevel::Verbose, (" - %s\n", flag.secTypeStr)); } } } static void DebugDoContentSecurityCheck(nsIChannel* aChannel, nsILoadInfo* aLoadInfo) { nsCOMPtr httpChannel(do_QueryInterface(aChannel)); MOZ_LOG(sCSMLog, LogLevel::Debug, ("\n#DebugDoContentSecurityCheck Begin\n")); // we only log http channels, unless loglevel is 5. if (httpChannel || MOZ_LOG_TEST(sCSMLog, LogLevel::Verbose)) { MOZ_LOG(sCSMLog, LogLevel::Verbose, ("doContentSecurityCheck:\n")); nsAutoCString remoteType; if (XRE_IsParentProcess()) { nsCOMPtr parentChannel; NS_QueryNotificationCallbacks(aChannel, parentChannel); if (parentChannel) { parentChannel->GetRemoteType(remoteType); } } else { remoteType.Assign( mozilla::dom::ContentChild::GetSingleton()->GetRemoteType()); } MOZ_LOG(sCSMLog, LogLevel::Verbose, (" processType: \"%s\"\n", remoteType.get())); nsCOMPtr channelURI; nsAutoCString channelSpec; nsAutoCString channelMethod; NS_GetFinalChannelURI(aChannel, getter_AddRefs(channelURI)); if (channelURI) { channelURI->GetSpec(channelSpec); } MOZ_LOG(sCSMLog, LogLevel::Verbose, (" channelURI: \"%s\"\n", channelSpec.get())); // Log HTTP-specific things if (httpChannel) { nsresult rv; rv = httpChannel->GetRequestMethod(channelMethod); if (!NS_FAILED(rv)) { MOZ_LOG(sCSMLog, LogLevel::Verbose, (" httpMethod: %s\n", channelMethod.get())); } } // Log Principals nsCOMPtr requestPrincipal = aLoadInfo->TriggeringPrincipal(); LogPrincipal(aLoadInfo->GetLoadingPrincipal(), u"loadingPrincipal"_ns, 1); LogPrincipal(requestPrincipal, u"triggeringPrincipal"_ns, 1); LogPrincipal(aLoadInfo->PrincipalToInherit(), u"principalToInherit"_ns, 1); // Log Redirect Chain MOZ_LOG(sCSMLog, LogLevel::Verbose, (" redirectChain:\n")); for (nsIRedirectHistoryEntry* redirectHistoryEntry : aLoadInfo->RedirectChain()) { nsCOMPtr principal; redirectHistoryEntry->GetPrincipal(getter_AddRefs(principal)); LogPrincipal(principal, u""_ns, 2); } MOZ_LOG(sCSMLog, LogLevel::Verbose, (" internalContentPolicyType: %s\n", NS_CP_ContentTypeName(aLoadInfo->InternalContentPolicyType()))); MOZ_LOG(sCSMLog, LogLevel::Verbose, (" externalContentPolicyType: %s\n", NS_CP_ContentTypeName(aLoadInfo->GetExternalContentPolicyType()))); MOZ_LOG(sCSMLog, LogLevel::Verbose, (" upgradeInsecureRequests: %s\n", aLoadInfo->GetUpgradeInsecureRequests() ? "true" : "false")); MOZ_LOG(sCSMLog, LogLevel::Verbose, (" initialSecurityChecksDone: %s\n", aLoadInfo->GetInitialSecurityCheckDone() ? "true" : "false")); MOZ_LOG(sCSMLog, LogLevel::Verbose, (" allowDeprecatedSystemRequests: %s\n", aLoadInfo->GetAllowDeprecatedSystemRequests() ? "true" : "false")); // Log CSPrequestPrincipal nsCOMPtr csp = aLoadInfo->GetCsp(); MOZ_LOG(sCSMLog, LogLevel::Debug, (" CSP:")); if (csp) { nsAutoString parsedPolicyStr; uint32_t count = 0; csp->GetPolicyCount(&count); for (uint32_t i = 0; i < count; ++i) { csp->GetPolicyString(i, parsedPolicyStr); // we need to add quotation marks, as otherwise yaml parsers may fail // with CSP directives // no need to escape quote marks in the parsed policy string, as URLs in // there are already encoded MOZ_LOG(sCSMLog, LogLevel::Debug, (" - \"%s\"\n", NS_ConvertUTF16toUTF8(parsedPolicyStr).get())); } } // Security Flags MOZ_LOG(sCSMLog, LogLevel::Verbose, (" securityFlags:")); LogSecurityFlags(aLoadInfo->GetSecurityFlags()); LogHTTPSOnlyInfo(aLoadInfo); MOZ_LOG(sCSMLog, LogLevel::Debug, ("\n#DebugDoContentSecurityCheck End\n")); } } /* static */ void nsContentSecurityManager::MeasureUnexpectedPrivilegedLoads( nsILoadInfo* aLoadInfo, nsIURI* aFinalURI, const nsACString& aRemoteType) { if (!StaticPrefs::dom_security_unexpected_system_load_telemetry_enabled()) { return; } nsContentSecurityUtils::DetectJsHacks(); nsContentSecurityUtils::DetectCssHacks(); // The detection only work on the main-thread. // To avoid races and early reports, we need to ensure the checks actually // happened. if (MOZ_UNLIKELY(sJSHacksPresent || !sJSHacksChecked || sCSSHacksPresent || !sCSSHacksChecked)) { return; } ExtContentPolicyType contentPolicyType = aLoadInfo->GetExternalContentPolicyType(); // restricting reported types to script, styles and documents // to be continued in follow-ups of bug 1697163. if (contentPolicyType != ExtContentPolicyType::TYPE_SCRIPT && contentPolicyType != ExtContentPolicyType::TYPE_STYLESHEET && contentPolicyType != ExtContentPolicyType::TYPE_DOCUMENT) { return; } // Gather redirected schemes in string nsAutoCString loggedRedirects; const nsTArray>& redirects = aLoadInfo->RedirectChain(); if (!redirects.IsEmpty()) { nsCOMPtr end = redirects.LastElement(); for (nsIRedirectHistoryEntry* entry : redirects) { nsCOMPtr principal; entry->GetPrincipal(getter_AddRefs(principal)); if (principal) { nsAutoCString scheme; principal->GetScheme(scheme); loggedRedirects.Append(scheme); if (entry != end) { loggedRedirects.AppendLiteral(", "); } } } } nsAutoCString uriString; if (aFinalURI) { aFinalURI->GetAsciiSpec(uriString); } else { uriString.AssignLiteral(""); } FilenameTypeAndDetails fileNameTypeAndDetails = nsContentSecurityUtils::FilenameToFilenameType( NS_ConvertUTF8toUTF16(uriString), true); nsCString loggedFileDetails = "unknown"_ns; if (fileNameTypeAndDetails.second.isSome()) { loggedFileDetails.Assign( NS_ConvertUTF16toUTF8(fileNameTypeAndDetails.second.value())); } // sanitize remoteType because it may contain sensitive // info, like URLs. e.g. `webIsolated=https://example.com` nsAutoCString loggedRemoteType(dom::RemoteTypePrefix(aRemoteType)); nsAutoCString loggedContentType(NS_CP_ContentTypeName(contentPolicyType)); MOZ_LOG(sCSMLog, LogLevel::Debug, ("UnexpectedPrivilegedLoadTelemetry:\n")); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- contentType: %s\n", loggedContentType.get())); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- URL (not to be reported): %s\n", uriString.get())); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- remoteType: %s\n", loggedRemoteType.get())); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- fileInfo: %s\n", fileNameTypeAndDetails.first.get())); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- fileDetails: %s\n", loggedFileDetails.get())); MOZ_LOG(sCSMLog, LogLevel::Debug, ("- redirects: %s\n\n", loggedRedirects.get())); // Send Telemetry auto extra = Some>( {EventExtraEntry{"contenttype"_ns, loggedContentType}, EventExtraEntry{"remotetype"_ns, loggedRemoteType}, EventExtraEntry{"filedetails"_ns, loggedFileDetails}, EventExtraEntry{"redirects"_ns, loggedRedirects}}); if (!sTelemetryEventEnabled.exchange(true)) { Telemetry::SetEventRecordingEnabled("security"_ns, true); } Telemetry::EventID eventType = Telemetry::EventID::Security_Unexpectedload_Systemprincipal; Telemetry::RecordEvent(eventType, mozilla::Some(fileNameTypeAndDetails.first), extra); } /* static */ nsSecurityFlags nsContentSecurityManager::ComputeSecurityFlags( mozilla::CORSMode aCORSMode, CORSSecurityMapping aCORSSecurityMapping) { if (aCORSSecurityMapping == CORSSecurityMapping::DISABLE_CORS_CHECKS) { return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL; } switch (aCORSMode) { case CORS_NONE: if (aCORSSecurityMapping == CORSSecurityMapping::REQUIRE_CORS_CHECKS) { // CORS_NONE gets treated like CORS_ANONYMOUS in this mode return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT | nsILoadInfo::SEC_COOKIES_SAME_ORIGIN; } else if (aCORSSecurityMapping == CORSSecurityMapping::CORS_NONE_MAPS_TO_INHERITED_CONTEXT) { // CORS_NONE inherits return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT; } else { // CORS_NONE_MAPS_TO_DISABLED_CORS_CHECKS, the only remaining enum // variant. CORSSecurityMapping::DISABLE_CORS_CHECKS returned early. MOZ_ASSERT(aCORSSecurityMapping == CORSSecurityMapping::CORS_NONE_MAPS_TO_DISABLED_CORS_CHECKS); return nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL; } case CORS_ANONYMOUS: return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT | nsILoadInfo::SEC_COOKIES_SAME_ORIGIN; case CORS_USE_CREDENTIALS: return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT | nsILoadInfo::SEC_COOKIES_INCLUDE; break; default: MOZ_ASSERT_UNREACHABLE("Invalid aCORSMode enum value"); return nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT | nsILoadInfo::SEC_COOKIES_SAME_ORIGIN; } } /* static */ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext( nsIChannel* aChannel) { nsCOMPtr loadInfo = aChannel->LoadInfo(); nsCOMPtr inspectedPrincipal = loadInfo->GetLoadingPrincipal(); if (!inspectedPrincipal) { return NS_OK; } // Check if we are actually dealing with a privileged request if (!inspectedPrincipal->IsSystemPrincipal()) { return NS_OK; } // loads with the allow flag are waived through // until refactored (e.g., Shavar, OCSP) if (loadInfo->GetAllowDeprecatedSystemRequests()) { return NS_OK; } ExtContentPolicyType contentPolicyType = loadInfo->GetExternalContentPolicyType(); // For now, let's not inspect top-level document loads if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT) { return NS_OK; } // allowing some fetches due to their lowered risk // i.e., data & downloads fetches do limited parsing, no rendering // remote images are too widely used (favicons, about:addons etc.) if ((contentPolicyType == ExtContentPolicy::TYPE_FETCH) || (contentPolicyType == ExtContentPolicy::TYPE_XMLHTTPREQUEST) || (contentPolicyType == ExtContentPolicy::TYPE_WEBSOCKET) || (contentPolicyType == ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD) || (contentPolicyType == ExtContentPolicy::TYPE_IMAGE)) { return NS_OK; } // Allow the user interface (e.g., schemes like chrome, resource) nsCOMPtr finalURI; NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI)); bool isUiResource = false; if (NS_SUCCEEDED(NS_URIChainHasFlags( finalURI, nsIProtocolHandler::URI_IS_UI_RESOURCE, &isUiResource)) && isUiResource) { return NS_OK; } // For about: and extension-based URIs, which don't get // URI_IS_UI_RESOURCE, first remove layers of view-source:, if present. nsCOMPtr innerURI = NS_GetInnermostURI(finalURI); nsAutoCString remoteType; if (XRE_IsParentProcess()) { nsCOMPtr parentChannel; NS_QueryNotificationCallbacks(aChannel, parentChannel); if (parentChannel) { parentChannel->GetRemoteType(remoteType); } } else { remoteType.Assign( mozilla::dom::ContentChild::GetSingleton()->GetRemoteType()); } // GetInnerURI can return null for malformed nested URIs like moz-icon:trash if (!innerURI) { MeasureUnexpectedPrivilegedLoads(loadInfo, innerURI, remoteType); if (StaticPrefs::security_disallow_privileged_no_finaluri_loads()) { aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } // loads of userContent.css during startup and tests that show up as file: if (innerURI->SchemeIs("file")) { if ((contentPolicyType == ExtContentPolicy::TYPE_STYLESHEET) || (contentPolicyType == ExtContentPolicy::TYPE_OTHER)) { return NS_OK; } } // (1) loads from within omni.ja and system add-ons use jar: // this is safe to allow, because we do not support remote jar. // (2) about: resources are always allowed: they are part of the build. // (3) extensions are signed or the user has made bad decisions. if (innerURI->SchemeIs("jar") || innerURI->SchemeIs("about") || innerURI->SchemeIs("moz-extension")) { return NS_OK; } nsAutoCString requestedURL; innerURI->GetAsciiSpec(requestedURL); MOZ_LOG(sCSMLog, LogLevel::Warning, ("SystemPrincipal should not load remote resources. URL: %s, type %d", requestedURL.get(), int(contentPolicyType))); // The load types that we want to disallow, will extend over time and // prioritized by risk. The most risky/dangerous are load-types are documents, // subdocuments, scripts and styles in that order. The most dangerous URL // schemes to cover are HTTP, HTTPS, data, blob in that order. Meta bug // 1725112 will track upcoming restrictions // Telemetry for unexpected privileged loads. // pref check & data sanitization happens in the called function MeasureUnexpectedPrivilegedLoads(loadInfo, innerURI, remoteType); // Relaxing restrictions for our test suites: // (1) AreNonLocalConnectionsDisabled() disables network, so // http://mochitest is actually local and allowed. (2) The marionette test // framework uses injections and data URLs to execute scripts, checking for // the environment variable breaks the attack but not the tests. if (xpc::AreNonLocalConnectionsDisabled() || mozilla::EnvHasValue("MOZ_MARIONETTE")) { bool disallowSystemPrincipalRemoteDocuments = Preferences::GetBool( "security.disallow_non_local_systemprincipal_in_tests"); if (disallowSystemPrincipalRemoteDocuments) { // our own mochitest needs NS_ASSERTION instead of MOZ_ASSERT NS_ASSERTION(false, "SystemPrincipal must not load remote documents."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } // but other mochitest are exempt from this return NS_OK; } if (contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT) { if (StaticPrefs::security_disallow_privileged_https_subdocuments_loads() && (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) { MOZ_ASSERT( false, "Disallowing SystemPrincipal load of subdocuments on HTTP(S)."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } if ((StaticPrefs::security_disallow_privileged_data_subdocuments_loads()) && (innerURI->SchemeIs("data"))) { MOZ_ASSERT( false, "Disallowing SystemPrincipal load of subdocuments on data URL."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } } if (contentPolicyType == ExtContentPolicy::TYPE_SCRIPT) { if ((StaticPrefs::security_disallow_privileged_https_script_loads()) && (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) { MOZ_ASSERT(false, "Disallowing SystemPrincipal load of scripts on HTTP(S)."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } } if (contentPolicyType == ExtContentPolicy::TYPE_STYLESHEET) { if (StaticPrefs::security_disallow_privileged_https_stylesheet_loads() && (innerURI->SchemeIs("http") || innerURI->SchemeIs("https"))) { MOZ_ASSERT(false, "Disallowing SystemPrincipal load of stylesheets on HTTP(S)."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } } return NS_OK; } /* * Disallow about pages in the privilegedaboutcontext (e.g., password manager, * newtab etc.) to load remote scripts. Regardless of whether this is coming * from the contentprincipal or the systemprincipal. */ /* static */ nsresult nsContentSecurityManager::CheckAllowLoadInPrivilegedAboutContext( nsIChannel* aChannel) { // bail out if check is disabled if (StaticPrefs::security_disallow_privilegedabout_remote_script_loads()) { return NS_OK; } nsAutoCString remoteType; if (XRE_IsParentProcess()) { nsCOMPtr parentChannel; NS_QueryNotificationCallbacks(aChannel, parentChannel); if (parentChannel) { parentChannel->GetRemoteType(remoteType); } } else { remoteType.Assign( mozilla::dom::ContentChild::GetSingleton()->GetRemoteType()); } // only perform check for privileged about process if (!remoteType.Equals(PRIVILEGEDABOUT_REMOTE_TYPE)) { return NS_OK; } nsCOMPtr loadInfo = aChannel->LoadInfo(); ExtContentPolicyType contentPolicyType = loadInfo->GetExternalContentPolicyType(); // only check for script loads if (contentPolicyType != ExtContentPolicy::TYPE_SCRIPT) { return NS_OK; } nsCOMPtr finalURI; NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI)); nsCOMPtr innerURI = NS_GetInnermostURI(finalURI); bool isLocal; NS_URIChainHasFlags(innerURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &isLocal); // We allow URLs that are URI_IS_LOCAL (but that includes `data` // and `blob` which are also undesirable. if ((isLocal) && (!innerURI->SchemeIs("data")) && (!innerURI->SchemeIs("blob"))) { return NS_OK; } MOZ_ASSERT( false, "Disallowing privileged about process to load scripts on HTTP(S)."); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } /* * Every protocol handler must set one of the six security flags * defined in nsIProtocolHandler - if not - deny the load. */ nsresult nsContentSecurityManager::CheckChannelHasProtocolSecurityFlag( nsIChannel* aChannel) { nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr ios = do_GetIOService(&rv); NS_ENSURE_SUCCESS(rv, rv); uint32_t flags; rv = ios->GetDynamicProtocolFlags(uri, &flags); NS_ENSURE_SUCCESS(rv, rv); uint32_t securityFlagsSet = 0; if (flags & nsIProtocolHandler::WEBEXT_URI_WEB_ACCESSIBLE) { securityFlagsSet += 1; } if (flags & nsIProtocolHandler::URI_LOADABLE_BY_ANYONE) { securityFlagsSet += 1; } if (flags & nsIProtocolHandler::URI_DANGEROUS_TO_LOAD) { securityFlagsSet += 1; } if (flags & nsIProtocolHandler::URI_IS_UI_RESOURCE) { securityFlagsSet += 1; } if (flags & nsIProtocolHandler::URI_IS_LOCAL_FILE) { securityFlagsSet += 1; } if (flags & nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS) { securityFlagsSet += 1; } // Ensure that only "1" valid security flags is set. if (securityFlagsSet == 1) { return NS_OK; } MOZ_ASSERT(false, "protocol must use one valid security flag"); return NS_ERROR_CONTENT_BLOCKED; } // We should not allow loading non-JavaScript files as scripts using // a file:// URL. static nsresult CheckAllowFileProtocolScriptLoad(nsIChannel* aChannel) { nsCOMPtr loadInfo = aChannel->LoadInfo(); ExtContentPolicyType type = loadInfo->GetExternalContentPolicyType(); // Only check script loads. if (type != ExtContentPolicy::TYPE_SCRIPT) { return NS_OK; } if (!StaticPrefs::security_block_fileuri_script_with_wrong_mime()) { return NS_OK; } nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, rv); if (!uri || !uri->SchemeIs("file")) { return NS_OK; } nsCOMPtr mime = do_GetService("@mozilla.org/mime;1", &rv); NS_ENSURE_SUCCESS(rv, rv); // GetTypeFromURI fails for missing or unknown file-extensions. nsAutoCString contentType; rv = mime->GetTypeFromURI(uri, contentType); if (NS_FAILED(rv) || !nsContentUtils::IsJavascriptMIMEType( NS_ConvertUTF8toUTF16(contentType))) { nsCOMPtr doc; if (nsINode* node = loadInfo->LoadingNode()) { doc = node->OwnerDoc(); } nsAutoCString spec; uri->GetSpec(spec); AutoTArray params; CopyUTF8toUTF16(NS_UnescapeURL(spec), *params.AppendElement()); CopyUTF8toUTF16(NS_UnescapeURL(contentType), *params.AppendElement()); nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, "FILE_SCRIPT_BLOCKED"_ns, doc, nsContentUtils::eSECURITY_PROPERTIES, "BlockFileScriptWithWrongMimeType", params); return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } // We should not allow loading non-JavaScript files as scripts using // a moz-extension:// URL. static nsresult CheckAllowExtensionProtocolScriptLoad(nsIChannel* aChannel) { nsCOMPtr loadInfo = aChannel->LoadInfo(); ExtContentPolicyType type = loadInfo->GetExternalContentPolicyType(); // Only check script loads. if (type != ExtContentPolicy::TYPE_SCRIPT) { return NS_OK; } nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, rv); if (!uri || !uri->SchemeIs("moz-extension")) { return NS_OK; } // We expect this code to never be hit off-the-main-thread (even worker // scripts are currently hitting only on the main thread, see // WorkerScriptLoader::DispatchLoadScript calling NS_DispatchToMainThread // internally), this diagnostic assertion is meant to let us notice if that // isn't the case anymore. MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread(), "Unexpected off-the-main-thread call to " "CheckAllowFileProtocolScriptLoad"); nsAutoCString host; rv = uri->GetHost(host); NS_ENSURE_SUCCESS(rv, rv); RefPtr targetPolicy = ExtensionPolicyService::GetCoreByHost(host); if (NS_WARN_IF(!targetPolicy) || targetPolicy->ManifestVersion() < 3) { return NS_OK; } nsCOMPtr mime = do_GetService("@mozilla.org/mime;1", &rv); NS_ENSURE_SUCCESS(rv, rv); // GetDefaultTypeFromExtension fails for missing or unknown file-extensions. nsAutoCString contentType; rv = mime->GetDefaultTypeFromURI(uri, contentType); if (NS_FAILED(rv) || !nsContentUtils::IsJavascriptMIMEType( NS_ConvertUTF8toUTF16(contentType))) { nsCOMPtr doc; if (nsINode* node = loadInfo->LoadingNode()) { doc = node->OwnerDoc(); } nsAutoCString spec; uri->GetSpec(spec); AutoTArray params; CopyUTF8toUTF16(NS_UnescapeURL(spec), *params.AppendElement()); nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, "EXTENSION_SCRIPT_BLOCKED"_ns, doc, nsContentUtils::eSECURITY_PROPERTIES, "BlockExtensionScriptWithWrongExt", params); return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } // Validate that a load should be allowed based on its remote type. This // intentionally prevents some loads from occuring even using the system // principal, if they were started in a content process. static nsresult CheckAllowLoadByTriggeringRemoteType(nsIChannel* aChannel) { MOZ_ASSERT(aChannel); nsCOMPtr loadInfo = aChannel->LoadInfo(); // For now, only restrict loads for documents. We currently have no // interesting subresource checks for protocols which are are not fully // handled within the content process. ExtContentPolicy contentPolicyType = loadInfo->GetExternalContentPolicyType(); if (contentPolicyType != ExtContentPolicy::TYPE_DOCUMENT && contentPolicyType != ExtContentPolicy::TYPE_SUBDOCUMENT && contentPolicyType != ExtContentPolicy::TYPE_OBJECT) { return NS_OK; } MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread(), "Unexpected off-the-main-thread call to " "CheckAllowLoadByTriggeringRemoteType"); // Due to the way that session history is handled without SHIP, we cannot run // these checks when SHIP is disabled. if (!mozilla::SessionHistoryInParent()) { return NS_OK; } nsAutoCString triggeringRemoteType; nsresult rv = loadInfo->GetTriggeringRemoteType(triggeringRemoteType); NS_ENSURE_SUCCESS(rv, rv); // For now, only restrict loads coming from web remote types. In the future we // may want to expand this a bit. if (!StringBeginsWith(triggeringRemoteType, WEB_REMOTE_TYPE)) { return NS_OK; } nsCOMPtr finalURI; rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI)); NS_ENSURE_SUCCESS(rv, rv); // Don't allow web content processes to load non-remote about pages. // NOTE: URIs with a `moz-safe-about:` inner scheme are safe to link to, so // it's OK we miss them here. nsCOMPtr innermostURI = NS_GetInnermostURI(finalURI); if (innermostURI->SchemeIs("about")) { nsCOMPtr aboutModule; rv = NS_GetAboutModule(innermostURI, getter_AddRefs(aboutModule)); NS_ENSURE_SUCCESS(rv, rv); uint32_t aboutModuleFlags = 0; rv = aboutModule->GetURIFlags(innermostURI, &aboutModuleFlags); NS_ENSURE_SUCCESS(rv, rv); if (!(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) && !(aboutModuleFlags & nsIAboutModule::URI_CAN_LOAD_IN_CHILD) && !(aboutModuleFlags & nsIAboutModule::URI_MUST_LOAD_IN_CHILD)) { NS_WARNING(nsPrintfCString("Blocking load of about URI (%s) which cannot " "be linked to in web content process", finalURI->GetSpecOrDefault().get()) .get()); #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED if (NS_SUCCEEDED( loadInfo->TriggeringPrincipal()->CheckMayLoad(finalURI, true))) { nsAutoCString aboutModuleName; MOZ_ALWAYS_SUCCEEDS( NS_GetAboutModuleName(innermostURI, aboutModuleName)); MOZ_CRASH_UNSAFE_PRINTF( "Blocking load of about uri by content process which may have " "otherwise succeeded [aboutModule=%s, isSystemPrincipal=%d]", aboutModuleName.get(), loadInfo->TriggeringPrincipal()->IsSystemPrincipal()); } #endif return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } // Don't allow web content processes to load file documents. Loads of file // URIs as subresources will be handled by the sandbox, and may be allowed in // some cases. bool localFile = false; rv = NS_URIChainHasFlags(finalURI, nsIProtocolHandler::URI_IS_LOCAL_FILE, &localFile); NS_ENSURE_SUCCESS(rv, rv); if (localFile) { NS_WARNING( nsPrintfCString( "Blocking document load of file URI (%s) from web content process", innermostURI->GetSpecOrDefault().get()) .get()); #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED if (NS_SUCCEEDED( loadInfo->TriggeringPrincipal()->CheckMayLoad(finalURI, true))) { MOZ_CRASH_UNSAFE_PRINTF( "Blocking document load of file URI by content process which may " "have otherwise succeeded [isSystemPrincipal=%d]", loadInfo->TriggeringPrincipal()->IsSystemPrincipal()); } #endif return NS_ERROR_CONTENT_BLOCKED; } return NS_OK; } /* * Based on the security flags provided in the loadInfo of the channel, * doContentSecurityCheck() performs the following content security checks * before opening the channel: * * (1) Same Origin Policy Check (if applicable) * (2) Allow Cross Origin but perform sanity checks whether a principal * is allowed to access the following URL. * (3) Perform CORS check (if applicable) * (4) ContentPolicy checks (Content-Security-Policy, Mixed Content, ...) * * @param aChannel * The channel to perform the security checks on. * @param aInAndOutListener * The streamListener that is passed to channel->AsyncOpen() that is now * potentially wrappend within nsCORSListenerProxy() and becomes the * corsListener that now needs to be set as new streamListener on the channel. */ nsresult nsContentSecurityManager::doContentSecurityCheck( nsIChannel* aChannel, nsCOMPtr& aInAndOutListener) { NS_ENSURE_ARG(aChannel); nsCOMPtr loadInfo = aChannel->LoadInfo(); if (MOZ_UNLIKELY(MOZ_LOG_TEST(sCSMLog, LogLevel::Verbose))) { DebugDoContentSecurityCheck(aChannel, loadInfo); } nsresult rv = CheckAllowLoadInSystemPrivilegedContext(aChannel); NS_ENSURE_SUCCESS(rv, rv); rv = CheckAllowLoadInPrivilegedAboutContext(aChannel); NS_ENSURE_SUCCESS(rv, rv); // We want to also check redirected requests to ensure // the target maintains the proper javascript file extensions. rv = CheckAllowExtensionProtocolScriptLoad(aChannel); NS_ENSURE_SUCCESS(rv, rv); rv = CheckChannelHasProtocolSecurityFlag(aChannel); NS_ENSURE_SUCCESS(rv, rv); rv = CheckAllowLoadByTriggeringRemoteType(aChannel); NS_ENSURE_SUCCESS(rv, rv); // if dealing with a redirected channel then we have already installed // streamlistener and redirect proxies and so we are done. if (loadInfo->GetInitialSecurityCheckDone()) { return NS_OK; } // make sure that only one of the five security flags is set in the loadinfo // e.g. do not require same origin and allow cross origin at the same time rv = ValidateSecurityFlags(loadInfo); NS_ENSURE_SUCCESS(rv, rv); if (loadInfo->GetSecurityMode() == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) { rv = DoCORSChecks(aChannel, loadInfo, aInAndOutListener); NS_ENSURE_SUCCESS(rv, rv); } rv = CheckChannel(aChannel); NS_ENSURE_SUCCESS(rv, rv); // Perform all ContentPolicy checks (MixedContent, CSP, ...) rv = DoContentSecurityChecks(aChannel, loadInfo); NS_ENSURE_SUCCESS(rv, rv); rv = CheckAllowFileProtocolScriptLoad(aChannel); NS_ENSURE_SUCCESS(rv, rv); // now lets set the initialSecurityFlag for subsequent calls loadInfo->SetInitialSecurityCheckDone(true); // all security checks passed - lets allow the load return NS_OK; } NS_IMETHODIMP nsContentSecurityManager::AsyncOnChannelRedirect( nsIChannel* aOldChannel, nsIChannel* aNewChannel, uint32_t aRedirFlags, nsIAsyncVerifyRedirectCallback* aCb) { // Since we compare the principal from the loadInfo to the URI's // princicpal, it's possible that the checks fail when doing an internal // redirect. We can just return early instead, since we should never // need to block an internal redirect. if (aRedirFlags & nsIChannelEventSink::REDIRECT_INTERNAL) { aCb->OnRedirectVerifyCallback(NS_OK); return NS_OK; } nsCOMPtr loadInfo = aOldChannel->LoadInfo(); nsresult rv = CheckChannel(aNewChannel); if (NS_FAILED(rv)) { aOldChannel->Cancel(rv); return rv; } // Also verify that the redirecting server is allowed to redirect to the // given URI nsCOMPtr oldPrincipal; nsContentUtils::GetSecurityManager()->GetChannelResultPrincipal( aOldChannel, getter_AddRefs(oldPrincipal)); nsCOMPtr newURI; Unused << NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI)); NS_ENSURE_STATE(oldPrincipal && newURI); // Do not allow insecure redirects to data: URIs if (!AllowInsecureRedirectToDataURI(aNewChannel)) { // cancel the old channel and return an error aOldChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); return NS_ERROR_CONTENT_BLOCKED; } const uint32_t flags = nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT | nsIScriptSecurityManager::DISALLOW_SCRIPT; rv = nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal( oldPrincipal, newURI, flags, loadInfo->GetInnerWindowID()); NS_ENSURE_SUCCESS(rv, rv); aCb->OnRedirectVerifyCallback(NS_OK); return NS_OK; } static void AddLoadFlags(nsIRequest* aRequest, nsLoadFlags aNewFlags) { nsLoadFlags flags; aRequest->GetLoadFlags(&flags); flags |= aNewFlags; aRequest->SetLoadFlags(flags); } /* * Check that this channel passes all security checks. Returns an error code * if this requesst should not be permitted. */ nsresult nsContentSecurityManager::CheckChannel(nsIChannel* aChannel) { nsCOMPtr loadInfo = aChannel->LoadInfo(); nsCOMPtr uri; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri)); NS_ENSURE_SUCCESS(rv, rv); // Handle cookie policies uint32_t cookiePolicy = loadInfo->GetCookiePolicy(); if (cookiePolicy == nsILoadInfo::SEC_COOKIES_SAME_ORIGIN) { // We shouldn't have the SEC_COOKIES_SAME_ORIGIN flag for top level loads MOZ_ASSERT(loadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT); nsIPrincipal* loadingPrincipal = loadInfo->GetLoadingPrincipal(); // It doesn't matter what we pass for the second, data-inherits, argument. // Any protocol which inherits won't pay attention to cookies anyway. rv = loadingPrincipal->CheckMayLoad(uri, false); if (NS_FAILED(rv)) { AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS); } } else if (cookiePolicy == nsILoadInfo::SEC_COOKIES_OMIT) { AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS); } if (!CrossOriginEmbedderPolicyAllowsCredentials(aChannel)) { AddLoadFlags(aChannel, nsIRequest::LOAD_ANONYMOUS); } nsSecurityFlags securityMode = loadInfo->GetSecurityMode(); // CORS mode is handled by nsCORSListenerProxy if (securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) { if (NS_HasBeenCrossOrigin(aChannel)) { loadInfo->MaybeIncreaseTainting(LoadTainting::CORS); } return NS_OK; } // Allow subresource loads if TriggeringPrincipal is the SystemPrincipal. if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() && loadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT && loadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_SUBDOCUMENT) { return NS_OK; } // if none of the REQUIRE_SAME_ORIGIN flags are set, then SOP does not apply if ((securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT) || (securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED)) { rv = DoSOPChecks(uri, loadInfo, aChannel); NS_ENSURE_SUCCESS(rv, rv); } if ((securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT) || (securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL)) { if (NS_HasBeenCrossOrigin(aChannel)) { NS_ENSURE_FALSE(loadInfo->GetDontFollowRedirects(), NS_ERROR_DOM_BAD_URI); loadInfo->MaybeIncreaseTainting(LoadTainting::Opaque); } // Please note that DoCheckLoadURIChecks should only be enforced for // cross origin requests. If the flag SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT // is set within the loadInfo, then CheckLoadURIWithPrincipal is performed // within nsCorsListenerProxy rv = DoCheckLoadURIChecks(uri, loadInfo); NS_ENSURE_SUCCESS(rv, rv); // TODO: Bug 1371237 // consider calling SetBlockedRequest in // nsContentSecurityManager::CheckChannel } return NS_OK; } // https://fetch.spec.whatwg.org/#ref-for-cross-origin-embedder-policy-allows-credentials bool nsContentSecurityManager::CrossOriginEmbedderPolicyAllowsCredentials( nsIChannel* aChannel) { nsCOMPtr loadInfo = aChannel->LoadInfo(); // 1. If request’s mode is not "no-cors", then return true. // // `no-cors` check applies to document navigation such that if it is // an document navigation, this check should return true to allow // credentials. if (loadInfo->GetExternalContentPolicyType() == ExtContentPolicy::TYPE_DOCUMENT || loadInfo->GetExternalContentPolicyType() == ExtContentPolicy::TYPE_SUBDOCUMENT || loadInfo->GetExternalContentPolicyType() == ExtContentPolicy::TYPE_WEBSOCKET) { return true; } if (loadInfo->GetSecurityMode() != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL && loadInfo->GetSecurityMode() != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT) { return true; } // If request’s client’s policy container’s embedder policy’s value is not // "credentialless", then return true. if (loadInfo->GetLoadingEmbedderPolicy() != nsILoadInfo::EMBEDDER_POLICY_CREDENTIALLESS) { return true; } // If request’s origin is same origin with request’s current URL’s origin and // request does not have a redirect-tainted origin, then return true. nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); nsCOMPtr resourcePrincipal; ssm->GetChannelURIPrincipal(aChannel, getter_AddRefs(resourcePrincipal)); bool sameOrigin = resourcePrincipal->Equals(loadInfo->TriggeringPrincipal()); nsAutoCString serializedOrigin; GetSerializedOrigin(loadInfo->TriggeringPrincipal(), resourcePrincipal, serializedOrigin, loadInfo); if (sameOrigin && !serializedOrigin.IsEmpty()) { return true; } return false; } // https://fetch.spec.whatwg.org/#serializing-a-request-origin void nsContentSecurityManager::GetSerializedOrigin( nsIPrincipal* aOrigin, nsIPrincipal* aResourceOrigin, nsACString& aSerializedOrigin, nsILoadInfo* aLoadInfo) { // The following for loop performs the // https://fetch.spec.whatwg.org/#ref-for-concept-request-tainted-origin nsCOMPtr lastOrigin; for (nsIRedirectHistoryEntry* entry : aLoadInfo->RedirectChain()) { if (!lastOrigin) { entry->GetPrincipal(getter_AddRefs(lastOrigin)); continue; } nsCOMPtr currentOrigin; entry->GetPrincipal(getter_AddRefs(currentOrigin)); if (!currentOrigin->Equals(lastOrigin) && !lastOrigin->Equals(aOrigin)) { return; } lastOrigin = currentOrigin; } // When the redirectChain is empty, it means this is the first redirect. // So according to the #serializing-a-request-origin spec, we don't // have a redirect-tainted origin, so we return the origin of the request // here. if (!lastOrigin) { aOrigin->GetAsciiOrigin(aSerializedOrigin); return; } // Same as above, redirectChain doesn't contain the current redirect, // so we have to do the check one last time here. if (lastOrigin->Equals(aResourceOrigin) && !lastOrigin->Equals(aOrigin)) { return; } aOrigin->GetAsciiOrigin(aSerializedOrigin); } // https://html.spec.whatwg.org/multipage/browsers.html#compatible-with-cross-origin-isolation bool nsContentSecurityManager::IsCompatibleWithCrossOriginIsolation( nsILoadInfo::CrossOriginEmbedderPolicy aPolicy) { return aPolicy == nsILoadInfo::EMBEDDER_POLICY_CREDENTIALLESS || aPolicy == nsILoadInfo::EMBEDDER_POLICY_REQUIRE_CORP; } // ==== nsIContentSecurityManager implementation ===== NS_IMETHODIMP nsContentSecurityManager::PerformSecurityCheck( nsIChannel* aChannel, nsIStreamListener* aStreamListener, nsIStreamListener** outStreamListener) { nsCOMPtr inAndOutListener = aStreamListener; nsresult rv = doContentSecurityCheck(aChannel, inAndOutListener); NS_ENSURE_SUCCESS(rv, rv); inAndOutListener.forget(outStreamListener); return NS_OK; }