1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* This module implements the policy to block websites from being visited,
* or to only allow certain websites to be visited.
*
* The blocklist takes as input an array of MatchPattern strings, as documented
* at https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Match_patterns.
*
* The exceptions list takes the same as input. This list opens up
* exceptions for rules on the blocklist that might be too strict.
*
* In addition to that, this allows the user to create an allowlist approach,
* by using the special "<all_urls>" pattern for the blocklist, and then
* adding all allowlisted websites on the exceptions list.
*
* Note that this module only blocks top-level website navigations and embeds.
* It does not block any other accesses to these urls: image tags, scripts, XHR, etc.,
* because that could cause unexpected breakage. This is a policy to block
* users from visiting certain websites, and not from blocking any network
* connections to those websites. If the admin is looking for that, the recommended
* way is to configure that with extensions or through a company firewall.
*/
import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
const LIST_LENGTH_LIMIT = 1000;
const PREF_LOGLEVEL = "browser.policies.loglevel";
const lazy = {};
XPCOMUtils.defineLazyGetter(lazy, "log", () => {
let { ConsoleAPI } = ChromeUtils.importESModule(
"resource://gre/modules/Console.sys.mjs"
);
return new ConsoleAPI({
prefix: "WebsiteFilter Policy",
// tip: set maxLogLevel to "debug" and use log.debug() to create detailed
// messages during development. See LOG_LEVELS in Console.sys.mjs for details.
maxLogLevel: "error",
maxLogLevelPref: PREF_LOGLEVEL,
});
});
export let WebsiteFilter = {
init(blocklist, exceptionlist) {
let blockArray = [],
exceptionArray = [];
for (let i = 0; i < blocklist.length && i < LIST_LENGTH_LIMIT; i++) {
try {
let pattern = new MatchPattern(blocklist[i].toLowerCase());
blockArray.push(pattern);
lazy.log.debug(
`Pattern added to WebsiteFilter. Block: ${blocklist[i]}`
);
} catch (e) {
lazy.log.error(
`Invalid pattern on WebsiteFilter. Block: ${blocklist[i]}`
);
}
}
this._blockPatterns = new MatchPatternSet(blockArray);
for (let i = 0; i < exceptionlist.length && i < LIST_LENGTH_LIMIT; i++) {
try {
let pattern = new MatchPattern(exceptionlist[i].toLowerCase());
exceptionArray.push(pattern);
lazy.log.debug(
`Pattern added to WebsiteFilter. Exception: ${exceptionlist[i]}`
);
} catch (e) {
lazy.log.error(
`Invalid pattern on WebsiteFilter. Exception: ${exceptionlist[i]}`
);
}
}
if (exceptionArray.length) {
this._exceptionsPatterns = new MatchPatternSet(exceptionArray);
}
let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
if (!registrar.isContractIDRegistered(this.contractID)) {
registrar.registerFactory(
this.classID,
this.classDescription,
this.contractID,
this
);
Services.catMan.addCategoryEntry(
"content-policy",
this.contractID,
this.contractID,
false,
true
);
}
// We have to do this to catch 30X redirects.
// See bug 456957.
Services.obs.addObserver(this, "http-on-examine-response", true);
},
shouldLoad(contentLocation, loadInfo, mimeTypeGuess) {
let contentType = loadInfo.externalContentPolicyType;
let url = contentLocation.spec;
if (contentLocation.scheme == "view-source") {
url = contentLocation.pathQueryRef;
} else if (url.toLowerCase().startsWith("about:reader")) {
url = decodeURIComponent(
url.toLowerCase().substr("about:reader?url=".length)
);
}
if (
contentType == Ci.nsIContentPolicy.TYPE_DOCUMENT ||
contentType == Ci.nsIContentPolicy.TYPE_SUBDOCUMENT
) {
if (this._blockPatterns.matches(url.toLowerCase())) {
if (
!this._exceptionsPatterns ||
!this._exceptionsPatterns.matches(url.toLowerCase())
) {
return Ci.nsIContentPolicy.REJECT_POLICY;
}
}
}
return Ci.nsIContentPolicy.ACCEPT;
},
shouldProcess(contentLocation, loadInfo, mimeTypeGuess) {
return Ci.nsIContentPolicy.ACCEPT;
},
observe(subject, topic, data) {
try {
let channel = subject.QueryInterface(Ci.nsIHttpChannel);
if (
!channel.isDocument ||
channel.responseStatus < 300 ||
channel.responseStatus >= 400
) {
return;
}
let location = channel.getResponseHeader("location");
// location might not be a fully qualified URL
let url;
try {
url = new URL(location);
} catch (e) {
url = new URL(location, channel.URI.spec);
}
if (this._blockPatterns.matches(url.href.toLowerCase())) {
if (
!this._exceptionsPatterns ||
!this._exceptionsPatterns.matches(url.href.toLowerCase())
) {
channel.cancel(Cr.NS_ERROR_BLOCKED_BY_POLICY);
}
}
} catch (e) {}
},
classDescription: "Policy Engine File Content Policy",
contractID: "@mozilla-org/policy-engine-file-content-policy-service;1",
classID: Components.ID("{c0bbb557-813e-4e25-809d-b46a531a258f}"),
QueryInterface: ChromeUtils.generateQI([
"nsIContentPolicy",
"nsIObserver",
"nsISupportsWeakReference",
]),
createInstance(iid) {
return this.QueryInterface(iid);
},
isAllowed(url) {
if (this._blockPatterns?.matches(url.toLowerCase())) {
if (
!this._exceptionsPatterns ||
!this._exceptionsPatterns.matches(url.toLowerCase())
) {
return false;
}
}
return true;
},
};
|
