Source code

Revision control

Copy as Markdown

Other Tools

// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
import { AppConstants } from "resource://gre/modules/AppConstants.sys.mjs";
const lazy = {};
ChromeUtils.defineESModuleGetters(lazy, {
ContextualIdentityService:
"resource://gre/modules/ContextualIdentityService.sys.mjs",
FormHistory: "resource://gre/modules/FormHistory.sys.mjs",
PlacesUtils: "resource://gre/modules/PlacesUtils.sys.mjs",
PrincipalsCollector: "resource://gre/modules/PrincipalsCollector.sys.mjs",
});
XPCOMUtils.defineLazyPreferenceGetter(
lazy,
"useOldClearHistoryDialog",
"privacy.sanitize.useOldClearHistoryDialog",
false
);
var logConsole;
function log(...msgs) {
if (!logConsole) {
logConsole = console.createInstance({
prefix: "Sanitizer",
maxLogLevelPref: "browser.sanitizer.loglevel",
});
}
logConsole.log(...msgs);
}
// Used as unique id for pending sanitizations.
var gPendingSanitizationSerial = 0;
var gPrincipalsCollector = null;
export var Sanitizer = {
/**
* Whether we should sanitize on shutdown.
*/
PREF_SANITIZE_ON_SHUTDOWN: "privacy.sanitize.sanitizeOnShutdown",
/**
* During a sanitization this is set to a JSON containing an array of the
* pending sanitizations. This allows to retry sanitizations on startup in
* case they dind't run or were interrupted by a crash.
* Use addPendingSanitization and removePendingSanitization to manage it.
*/
PREF_PENDING_SANITIZATIONS: "privacy.sanitize.pending",
/**
* Pref branches to fetch sanitization options from.
*/
PREF_CPD_BRANCH: "privacy.cpd.",
/*
* We need to choose between two branches for shutdown since there are separate prefs for the new
* clear history dialog
*/
get PREF_SHUTDOWN_BRANCH() {
return lazy.useOldClearHistoryDialog
? "privacy.clearOnShutdown."
: "privacy.clearOnShutdown_v2.";
},
/**
* The fallback timestamp used when no argument is given to
* Sanitizer.getClearRange.
*/
PREF_TIMESPAN: "privacy.sanitize.timeSpan",
/**
* Pref to newTab segregation. If true, on shutdown, the private container
* used in about:newtab is cleaned up. Exposed because used in tests.
*/
PREF_NEWTAB_SEGREGATION:
"privacy.usercontext.about_newtab_segregation.enabled",
/**
* Time span constants corresponding to values of the privacy.sanitize.timeSpan
* pref. Used to determine how much history to clear, for various items
*/
TIMESPAN_EVERYTHING: 0,
TIMESPAN_HOUR: 1,
TIMESPAN_2HOURS: 2,
TIMESPAN_4HOURS: 3,
TIMESPAN_TODAY: 4,
TIMESPAN_5MIN: 5,
TIMESPAN_24HOURS: 6,
/**
* Mapping time span constants to get total time in ms from the selected
* time spans
*/
timeSpanMsMap: {
TIMESPAN_5MIN: 300000, // 5*60*1000
TIMESPAN_HOUR: 3600000, // 60*60*1000
TIMESPAN_2HOURS: 7200000, // 2*60*60*1000
TIMESPAN_4HOURS: 14400000, // 4*60*60*1000
TIMESPAN_24HOURS: 86400000, // 24*60*60*1000
get TIMESPAN_TODAY() {
return Date.now() - new Date().setHours(0, 0, 0, 0);
}, // time spent today
},
/**
* Whether we should sanitize on shutdown.
* When this is set, a pending sanitization should also be added and removed
* when shutdown sanitization is complete. This allows to retry incomplete
* sanitizations on startup.
*/
shouldSanitizeOnShutdown: false,
/**
* Whether we should sanitize the private container for about:newtab.
*/
shouldSanitizeNewTabContainer: false,
/**
* Shows a sanitization dialog to the user. Returns after the dialog box has
* closed.
*
* @param parentWindow the browser window to use as parent for the created
* dialog.
* @param {string} mode - flag to let the dialog know if it is opened
* using the clear on shutdown (clearOnShutdown) settings option
* in about:preferences or in a clear site data context (clearSiteData)
*
* @throws if parentWindow is undefined or doesn't have a gDialogBox.
*/
showUI(parentWindow, mode) {
// Treat the hidden window as not being a parent window:
if (
parentWindow?.document.documentURI ==
"chrome://browser/content/hiddenWindowMac.xhtml"
) {
parentWindow = null;
}
let dialogFile = lazy.useOldClearHistoryDialog
? "sanitize.xhtml"
: "sanitize_v2.xhtml";
if (parentWindow?.gDialogBox) {
parentWindow.gDialogBox.open(`chrome://browser/content/${dialogFile}`, {
inBrowserWindow: true,
mode,
});
} else {
Services.ww.openWindow(
parentWindow,
"Sanitize",
"chrome,titlebar,dialog,centerscreen,modal",
{ needNativeUI: true, mode }
);
}
},
/**
* Performs startup tasks:
* - Checks if sanitizations were not completed during the last session.
* - Registers sanitize-on-shutdown.
*/
async onStartup() {
// First, collect pending sanitizations from the last session, before we
// add pending sanitizations for this session.
let pendingSanitizations = getAndClearPendingSanitizations();
log("Pending sanitizations:", pendingSanitizations);
// Check if we should sanitize on shutdown.
this.shouldSanitizeOnShutdown = Services.prefs.getBoolPref(
Sanitizer.PREF_SANITIZE_ON_SHUTDOWN,
false
);
Services.prefs.addObserver(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, this, true);
// Add a pending shutdown sanitization, if necessary.
if (this.shouldSanitizeOnShutdown) {
let itemsToClear = getItemsToClearFromPrefBranch(
Sanitizer.PREF_SHUTDOWN_BRANCH
);
addPendingSanitization("shutdown", itemsToClear, {});
}
// Shutdown sanitization is always pending, but the user may change the
// sanitize on shutdown prefs during the session. Then the pending
// sanitization would become stale and must be updated.
Services.prefs.addObserver(Sanitizer.PREF_SHUTDOWN_BRANCH, this, true);
// Make sure that we are triggered during shutdown.
let shutdownClient = lazy.PlacesUtils.history.shutdownClient.jsclient;
// We need to pass to sanitize() (through sanitizeOnShutdown) a state object
// that tracks the status of the shutdown blocker. This `progress` object
// will be updated during sanitization and reported with the crash in case of
// a shutdown timeout.
// We use the `options` argument to pass the `progress` object to sanitize().
let progress = { isShutdown: true, clearHonoringExceptions: true };
shutdownClient.addBlocker(
"sanitize.js: Sanitize on shutdown",
() => sanitizeOnShutdown(progress),
{ fetchState: () => ({ progress }) }
);
this.shouldSanitizeNewTabContainer = Services.prefs.getBoolPref(
this.PREF_NEWTAB_SEGREGATION,
false
);
if (this.shouldSanitizeNewTabContainer) {
addPendingSanitization("newtab-container", [], {});
}
let i = pendingSanitizations.findIndex(s => s.id == "newtab-container");
if (i != -1) {
pendingSanitizations.splice(i, 1);
sanitizeNewTabSegregation();
}
// Finally, run the sanitizations that were left pending, because we crashed
// before completing them.
for (let { itemsToClear, options } of pendingSanitizations) {
try {
// We need to set this flag to watch out for the users exceptions like we do on shutdown
options.progress = { clearHonoringExceptions: true };
await this.sanitize(itemsToClear, options);
} catch (ex) {
console.error(
"A previously pending sanitization failed: ",
itemsToClear,
ex
);
}
}
},
/**
* Returns a 2 element array representing the start and end times,
* in the uSec-since-epoch format that PRTime likes. If we should
* clear everything, this function returns null.
*
* @param ts [optional] a timespan to convert to start and end time.
* Falls back to the privacy.sanitize.timeSpan preference
* if this argument is omitted.
* If this argument is provided, it has to be one of the
* Sanitizer.TIMESPAN_* constants. This function will
* throw an error otherwise.
*
* @return {Array} a 2-element Array containing the start and end times.
*/
getClearRange(ts) {
if (ts === undefined) {
ts = Services.prefs.getIntPref(Sanitizer.PREF_TIMESPAN);
}
if (ts === Sanitizer.TIMESPAN_EVERYTHING) {
return null;
}
// PRTime is microseconds while JS time is milliseconds
var endDate = Date.now() * 1000;
switch (ts) {
case Sanitizer.TIMESPAN_5MIN:
var startDate = endDate - 300000000; // 5*60*1000000
break;
case Sanitizer.TIMESPAN_HOUR:
startDate = endDate - 3600000000; // 1*60*60*1000000
break;
case Sanitizer.TIMESPAN_2HOURS:
startDate = endDate - 7200000000; // 2*60*60*1000000
break;
case Sanitizer.TIMESPAN_4HOURS:
startDate = endDate - 14400000000; // 4*60*60*1000000
break;
case Sanitizer.TIMESPAN_TODAY:
var d = new Date(); // Start with today
d.setHours(0); // zero us back to midnight...
d.setMinutes(0);
d.setSeconds(0);
d.setMilliseconds(0);
startDate = d.valueOf() * 1000; // convert to epoch usec
break;
case Sanitizer.TIMESPAN_24HOURS:
startDate = endDate - 86400000000; // 24*60*60*1000000
break;
default:
throw new Error("Invalid time span for clear private data: " + ts);
}
return [startDate, endDate];
},
/**
* Deletes privacy sensitive data in a batch, according to user preferences.
* Returns a promise which is resolved if no errors occurred. If an error
* occurs, a message is reported to the console and all other items are still
* cleared before the promise is finally rejected.
*
* @param [optional] itemsToClear
* Array of items to be cleared. if specified only those
* items get cleared, irrespectively of the preference settings.
* @param [optional] options
* Object whose properties are options for this sanitization:
* - ignoreTimespan (default: true): Time span only makes sense in
* certain cases. Consumers who want to only clear some private
* data can opt in by setting this to false, and can optionally
* specify a specific range.
* If timespan is not ignored, and range is not set, sanitize() will
* use the value of the timespan pref to determine a range.
* - range (default: null): array-tuple of [from, to] timestamps
* - privateStateForNewWindow (default: "non-private"): when clearing
* open windows, defines the private state for the newly opened window.
* @returns {object} An object containing debug information about the
* sanitization progress. This state object is also used as
* AsyncShutdown metadata.
*/
async sanitize(itemsToClear = null, options = {}) {
let progress = options.progress;
// initialise the principals collector
gPrincipalsCollector = new lazy.PrincipalsCollector();
if (!progress) {
progress = options.progress = {};
}
if (!itemsToClear) {
itemsToClear = getItemsToClearFromPrefBranch(this.PREF_CPD_BRANCH);
}
let promise = sanitizeInternal(this.items, itemsToClear, options);
// Depending on preferences, the sanitizer may perform asynchronous
// work before it starts cleaning up the Places database (e.g. closing
// windows). We need to make sure that the connection to that database
// hasn't been closed by the time we use it.
// Though, if this is a sanitize on shutdown, we already have a blocker.
if (!progress.isShutdown) {
let shutdownClient = lazy.PlacesUtils.history.shutdownClient.jsclient;
shutdownClient.addBlocker("sanitize.js: Sanitize", promise, {
fetchState: () => ({ progress }),
});
}
try {
await promise;
} finally {
Services.obs.notifyObservers(null, "sanitizer-sanitization-complete");
}
return progress;
},
observe(subject, topic, data) {
if (topic == "nsPref:changed") {
if (
data.startsWith(this.PREF_SHUTDOWN_BRANCH) &&
this.shouldSanitizeOnShutdown
) {
// Update the pending shutdown sanitization.
removePendingSanitization("shutdown");
let itemsToClear = getItemsToClearFromPrefBranch(
Sanitizer.PREF_SHUTDOWN_BRANCH
);
addPendingSanitization("shutdown", itemsToClear, {});
} else if (data == this.PREF_SANITIZE_ON_SHUTDOWN) {
this.shouldSanitizeOnShutdown = Services.prefs.getBoolPref(
Sanitizer.PREF_SANITIZE_ON_SHUTDOWN,
false
);
removePendingSanitization("shutdown");
if (this.shouldSanitizeOnShutdown) {
let itemsToClear = getItemsToClearFromPrefBranch(
Sanitizer.PREF_SHUTDOWN_BRANCH
);
addPendingSanitization("shutdown", itemsToClear, {});
}
} else if (data == this.PREF_NEWTAB_SEGREGATION) {
this.shouldSanitizeNewTabContainer = Services.prefs.getBoolPref(
this.PREF_NEWTAB_SEGREGATION,
false
);
removePendingSanitization("newtab-container");
if (this.shouldSanitizeNewTabContainer) {
addPendingSanitization("newtab-container", [], {});
}
}
}
},
QueryInterface: ChromeUtils.generateQI([
"nsIObserver",
"nsISupportsWeakReference",
]),
// This method is meant to be used by tests.
async runSanitizeOnShutdown() {
// The collector needs to be reset for each test, as the collection only happens
// once and does not update after that.
// Pretend that it has never been initialized to mimic the actual browser behavior
// by setting it to null.
// The actually initialization will happen either via sanitize() or directly in
// sanitizeOnShutdown.
gPrincipalsCollector = null;
return sanitizeOnShutdown({
isShutdown: true,
clearHonoringExceptions: true,
});
},
/**
* Migrate old sanitize prefs to the new prefs for the new
* clear history dialog. Does nothing if the migration was completed before
* based on the pref privacy.sanitize.cpd.hasMigratedToNewPrefs2 or
* privacy.sanitize.clearOnShutdown.hasMigratedToNewPrefs2
*
* @param {string} context - one of "clearOnShutdown" or "cpd", which indicates which
* pref branch to migrate prefs from based on the dialog context
*/
maybeMigratePrefs(context) {
// We are going to be migrating once more due to a backout in Bug 1894933
// The new migration prefs have a 2 appended to the context
if (
Services.prefs.getBoolPref(
`privacy.sanitize.${context}.hasMigratedToNewPrefs2`
)
) {
return;
}
// We have to remove the old privacy.sanitize.${context}.hasMigratedToNewPrefs pref
// if the user has it on their system
Services.prefs.clearUserPref(
`privacy.sanitize.${context}.hasMigratedToNewPrefs`
);
let cookies = Services.prefs.getBoolPref(`privacy.${context}.cookies`);
let history = Services.prefs.getBoolPref(`privacy.${context}.history`);
let cache = Services.prefs.getBoolPref(`privacy.${context}.cache`);
let siteSettings = Services.prefs.getBoolPref(
`privacy.${context}.siteSettings`
);
let newContext =
context == "clearOnShutdown" ? "clearOnShutdown_v2" : "clearHistory";
// We set cookiesAndStorage to true if cookies are enabled for clearing on shutdown
// regardless of what sessions and offlineApps are set to
// This is because cookie clearing behaviour takes precedence over sessions and offlineApps clearing.
Services.prefs.setBoolPref(
`privacy.${newContext}.cookiesAndStorage`,
cookies
);
// we set historyFormDataAndDownloads to true if history is enabled for clearing on
// shutdown, regardless of what form data is set to.
// This is because history clearing behavious takes precedence over formdata clearing.
Services.prefs.setBoolPref(
`privacy.${newContext}.historyFormDataAndDownloads`,
history
);
// cache and siteSettings follow the old dialog prefs
Services.prefs.setBoolPref(`privacy.${newContext}.cache`, cache);
Services.prefs.setBoolPref(
`privacy.${newContext}.siteSettings`,
siteSettings
);
Services.prefs.setBoolPref(
`privacy.sanitize.${context}.hasMigratedToNewPrefs2`,
true
);
},
// When making any changes to the sanitize implementations here,
// please check whether the changes are applicable to Android
// (mobile/shared/modules/geckoview/GeckoViewStorageController.sys.mjs) as well.
items: {
cache: {
async clear(range) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_CACHE", refObj);
await clearData(range, Ci.nsIClearDataService.CLEAR_ALL_CACHES);
TelemetryStopwatch.finish("FX_SANITIZE_CACHE", refObj);
},
},
cookies: {
async clear(range, { progress }, clearHonoringExceptions) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_COOKIES_2", refObj);
// This is true if called by sanitizeOnShutdown.
// On shutdown we clear by principal to be able to honor the users exceptions
if (clearHonoringExceptions) {
progress.step = "getAllPrincipals";
let principalsForShutdownClearing =
await gPrincipalsCollector.getAllPrincipals(progress);
await maybeSanitizeSessionPrincipals(
progress,
principalsForShutdownClearing,
Ci.nsIClearDataService.CLEAR_COOKIES |
Ci.nsIClearDataService.CLEAR_COOKIE_BANNER_EXECUTED_RECORD |
Ci.nsIClearDataService.CLEAR_FINGERPRINTING_PROTECTION_STATE |
Ci.nsIClearDataService.CLEAR_BOUNCE_TRACKING_PROTECTION_STATE
);
} else {
// Not on shutdown
await clearData(
range,
Ci.nsIClearDataService.CLEAR_COOKIES |
Ci.nsIClearDataService.CLEAR_COOKIE_BANNER_EXECUTED_RECORD |
Ci.nsIClearDataService.CLEAR_FINGERPRINTING_PROTECTION_STATE |
Ci.nsIClearDataService.CLEAR_BOUNCE_TRACKING_PROTECTION_STATE
);
}
await clearData(range, Ci.nsIClearDataService.CLEAR_MEDIA_DEVICES);
TelemetryStopwatch.finish("FX_SANITIZE_COOKIES_2", refObj);
},
},
offlineApps: {
async clear(range, { progress }, clearHonoringExceptions) {
// This is true if called by sanitizeOnShutdown.
// On shutdown we clear by principal to be able to honor the users exceptions
if (clearHonoringExceptions) {
progress.step = "getAllPrincipals";
let principalsForShutdownClearing =
await gPrincipalsCollector.getAllPrincipals(progress);
await maybeSanitizeSessionPrincipals(
progress,
principalsForShutdownClearing,
Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
Ci.nsIClearDataService.CLEAR_COOKIE_BANNER_EXECUTED_RECORD |
Ci.nsIClearDataService.CLEAR_FINGERPRINTING_PROTECTION_STATE
);
} else {
// Not on shutdown
await clearData(
range,
Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
Ci.nsIClearDataService.CLEAR_COOKIE_BANNER_EXECUTED_RECORD |
Ci.nsIClearDataService.CLEAR_FINGERPRINTING_PROTECTION_STATE
);
}
},
},
history: {
async clear(range, { progress }) {
// TODO: This check is needed for the case that this method is invoked directly and not via the sanitizer.sanitize API.
// This can be removed once bug 1803799 has landed.
if (!gPrincipalsCollector) {
gPrincipalsCollector = new lazy.PrincipalsCollector();
}
progress.step = "getAllPrincipals";
let principals = await gPrincipalsCollector.getAllPrincipals(progress);
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_HISTORY", refObj);
progress.step = "clearing browsing history";
await clearData(
range,
Ci.nsIClearDataService.CLEAR_HISTORY |
Ci.nsIClearDataService.CLEAR_CONTENT_BLOCKING_RECORDS
);
// storageAccessAPI permissions record every site that the user
// interacted with and thus mirror history quite closely. It makes
// sense to clear them when we clear history. However, since their absence
// indicates that we can purge cookies and site data for tracking origins without
// user interaction, we need to ensure that we only delete those permissions that
// do not have any existing storage.
progress.step = "clearing user interaction";
await new Promise(resolve => {
Services.clearData.deleteUserInteractionForClearingHistory(
principals,
range ? range[0] : 0,
resolve
);
});
TelemetryStopwatch.finish("FX_SANITIZE_HISTORY", refObj);
},
},
formdata: {
async clear(range) {
let seenException;
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_FORMDATA", refObj);
try {
// Clear undo history of all search bars.
for (let currentWindow of Services.wm.getEnumerator(
"navigator:browser"
)) {
let currentDocument = currentWindow.document;
// searchBar may not exist if it's in the customize mode.
let searchBar = currentDocument.getElementById("searchbar");
if (searchBar) {
let input = searchBar.textbox;
input.value = "";
input.editor?.clearUndoRedo();
}
let tabBrowser = currentWindow.gBrowser;
if (!tabBrowser) {
// No tab browser? This means that it's too early during startup (typically,
// Session Restore hasn't completed yet). Since we don't have find
// bars at that stage and since Session Restore will not restore
// find bars further down during startup, we have nothing to clear.
continue;
}
for (let tab of tabBrowser.tabs) {
if (tabBrowser.isFindBarInitialized(tab)) {
tabBrowser.getCachedFindBar(tab).clear();
}
}
// Clear any saved find value
tabBrowser._lastFindValue = "";
}
} catch (ex) {
seenException = ex;
}
try {
let change = { op: "remove" };
if (range) {
[change.firstUsedStart, change.firstUsedEnd] = range;
}
await lazy.FormHistory.update(change).catch(e => {
seenException = new Error("Error " + e.result + ": " + e.message);
});
} catch (ex) {
seenException = ex;
}
TelemetryStopwatch.finish("FX_SANITIZE_FORMDATA", refObj);
if (seenException) {
throw seenException;
}
},
},
downloads: {
async clear(range) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_DOWNLOADS", refObj);
await clearData(range, Ci.nsIClearDataService.CLEAR_DOWNLOADS);
TelemetryStopwatch.finish("FX_SANITIZE_DOWNLOADS", refObj);
},
},
sessions: {
async clear(range) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_SESSIONS", refObj);
await clearData(
range,
Ci.nsIClearDataService.CLEAR_AUTH_TOKENS |
Ci.nsIClearDataService.CLEAR_AUTH_CACHE
);
TelemetryStopwatch.finish("FX_SANITIZE_SESSIONS", refObj);
},
},
siteSettings: {
async clear(range) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_SITESETTINGS", refObj);
await clearData(
range,
Ci.nsIClearDataService.CLEAR_SITE_PERMISSIONS |
Ci.nsIClearDataService.CLEAR_CONTENT_PREFERENCES |
Ci.nsIClearDataService.CLEAR_DOM_PUSH_NOTIFICATIONS |
Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE |
Ci.nsIClearDataService.CLEAR_CERT_EXCEPTIONS |
Ci.nsIClearDataService.CLEAR_CREDENTIAL_MANAGER_STATE |
Ci.nsIClearDataService.CLEAR_COOKIE_BANNER_EXCEPTION |
Ci.nsIClearDataService.CLEAR_FINGERPRINTING_PROTECTION_STATE
);
TelemetryStopwatch.finish("FX_SANITIZE_SITESETTINGS", refObj);
},
},
openWindows: {
_canCloseWindow(win) {
if (win.CanCloseWindow()) {
// We already showed PermitUnload for the window, so let's
// make sure we don't do it again when we actually close the
// window.
win.skipNextCanClose = true;
return true;
}
return false;
},
_resetAllWindowClosures(windowList) {
for (let win of windowList) {
win.skipNextCanClose = false;
}
},
async clear(range, { privateStateForNewWindow = "non-private" }) {
// NB: this closes all *browser* windows, not other windows like the library, about window,
// browser console, etc.
// Keep track of the time in case we get stuck in la-la-land because of onbeforeunload
// dialogs
let startDate = Date.now();
// First check if all these windows are OK with being closed:
let windowList = [];
for (let someWin of Services.wm.getEnumerator("navigator:browser")) {
windowList.push(someWin);
// If someone says "no" to a beforeunload prompt, we abort here:
if (!this._canCloseWindow(someWin)) {
this._resetAllWindowClosures(windowList);
throw new Error(
"Sanitize could not close windows: cancelled by user"
);
}
// ...however, beforeunload prompts spin the event loop, and so the code here won't get
// hit until the prompt has been dismissed. If more than 1 minute has elapsed since we
// started prompting, stop, because the user might not even remember initiating the
// 'forget', and the timespans will be all wrong by now anyway:
if (Date.now() > startDate + 60 * 1000) {
this._resetAllWindowClosures(windowList);
throw new Error("Sanitize could not close windows: timeout");
}
}
if (!windowList.length) {
return;
}
// If/once we get here, we should actually be able to close all windows.
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_OPENWINDOWS", refObj);
// First create a new window. We do this first so that on non-mac, we don't
// accidentally close the app by closing all the windows.
let handler = Cc["@mozilla.org/browser/clh;1"].getService(
Ci.nsIBrowserHandler
);
let defaultArgs = handler.defaultArgs;
let features = "chrome,all,dialog=no," + privateStateForNewWindow;
let newWindow = windowList[0].openDialog(
AppConstants.BROWSER_CHROME_URL,
"_blank",
features,
defaultArgs
);
let onFullScreen = null;
if (AppConstants.platform == "macosx") {
onFullScreen = function (e) {
newWindow.removeEventListener("fullscreen", onFullScreen);
let docEl = newWindow.document.documentElement;
let sizemode = docEl.getAttribute("sizemode");
if (!newWindow.fullScreen && sizemode == "fullscreen") {
docEl.setAttribute("sizemode", "normal");
e.preventDefault();
e.stopPropagation();
return false;
}
return undefined;
};
newWindow.addEventListener("fullscreen", onFullScreen);
}
let promiseReady = new Promise(resolve => {
// Window creation and destruction is asynchronous. We need to wait
// until all existing windows are fully closed, and the new window is
// fully open, before continuing. Otherwise the rest of the sanitizer
// could run too early (and miss new cookies being set when a page
// closes) and/or run too late (and not have a fully-formed window yet
// in existence). See bug 1088137.
let newWindowOpened = false;
let onWindowOpened = function (subject) {
if (subject != newWindow) {
return;
}
Services.obs.removeObserver(
onWindowOpened,
"browser-delayed-startup-finished"
);
if (AppConstants.platform == "macosx") {
newWindow.removeEventListener("fullscreen", onFullScreen);
}
newWindowOpened = true;
// If we're the last thing to happen, invoke callback.
if (numWindowsClosing == 0) {
TelemetryStopwatch.finish("FX_SANITIZE_OPENWINDOWS", refObj);
resolve();
}
};
let numWindowsClosing = windowList.length;
let onWindowClosed = function () {
numWindowsClosing--;
if (numWindowsClosing == 0) {
Services.obs.removeObserver(
onWindowClosed,
"xul-window-destroyed"
);
// If we're the last thing to happen, invoke callback.
if (newWindowOpened) {
TelemetryStopwatch.finish("FX_SANITIZE_OPENWINDOWS", refObj);
resolve();
}
}
};
Services.obs.addObserver(
onWindowOpened,
"browser-delayed-startup-finished"
);
Services.obs.addObserver(onWindowClosed, "xul-window-destroyed");
});
// Start the process of closing windows
while (windowList.length) {
windowList.pop().close();
}
newWindow.focus();
await promiseReady;
},
},
pluginData: {
async clear() {},
},
// Combine History and Form Data clearing for the
// new clear history dialog box.
historyFormDataAndDownloads: {
async clear(range, { progress }) {
progress.step = "getAllPrincipals";
let principals = await gPrincipalsCollector.getAllPrincipals(progress);
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_HISTORY", refObj);
progress.step = "clearing browsing history";
await clearData(
range,
Ci.nsIClearDataService.CLEAR_HISTORY |
Ci.nsIClearDataService.CLEAR_CONTENT_BLOCKING_RECORDS
);
// storageAccessAPI permissions record every site that the user
// interacted with and thus mirror history quite closely. It makes
// sense to clear them when we clear history. However, since their absence
// indicates that we can purge cookies and site data for tracking origins without
// user interaction, we need to ensure that we only delete those permissions that
// do not have any existing storage.
progress.step = "clearing user interaction";
await new Promise(resolve => {
Services.clearData.deleteUserInteractionForClearingHistory(
principals,
range ? range[0] : 0,
resolve
);
});
TelemetryStopwatch.finish("FX_SANITIZE_HISTORY", refObj);
// Clear form data
let seenException;
refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_FORMDATA", refObj);
try {
// Clear undo history of all search bars.
for (let currentWindow of Services.wm.getEnumerator(
"navigator:browser"
)) {
let currentDocument = currentWindow.document;
// searchBar may not exist if it's in the customize mode.
let searchBar = currentDocument.getElementById("searchbar");
if (searchBar) {
let input = searchBar.textbox;
input.value = "";
input.editor?.clearUndoRedo();
}
let tabBrowser = currentWindow.gBrowser;
if (!tabBrowser) {
// No tab browser? This means that it's too early during startup (typically,
// Session Restore hasn't completed yet). Since we don't have find
// bars at that stage and since Session Restore will not restore
// find bars further down during startup, we have nothing to clear.
continue;
}
for (let tab of tabBrowser.tabs) {
if (tabBrowser.isFindBarInitialized(tab)) {
tabBrowser.getCachedFindBar(tab).clear();
}
}
// Clear any saved find value
tabBrowser._lastFindValue = "";
}
} catch (ex) {
seenException = ex;
}
try {
let change = { op: "remove" };
if (range) {
[change.firstUsedStart, change.firstUsedEnd] = range;
}
await lazy.FormHistory.update(change).catch(e => {
seenException = new Error("Error " + e.result + ": " + e.message);
});
} catch (ex) {
seenException = ex;
}
TelemetryStopwatch.finish("FX_SANITIZE_FORMDATA", refObj);
if (seenException) {
throw seenException;
}
// clear Downloads
refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_DOWNLOADS", refObj);
await clearData(range, Ci.nsIClearDataService.CLEAR_DOWNLOADS);
TelemetryStopwatch.finish("FX_SANITIZE_DOWNLOADS", refObj);
},
},
cookiesAndStorage: {
async clear(range, { progress }, clearHonoringExceptions) {
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_COOKIES_2", refObj);
// This is true if called by sanitizeOnShutdown.
// On shutdown we clear by principal to be able to honor the users exceptions
if (clearHonoringExceptions) {
progress.step = "getAllPrincipals";
let principalsForShutdownClearing =
await gPrincipalsCollector.getAllPrincipals(progress);
await maybeSanitizeSessionPrincipals(
progress,
principalsForShutdownClearing,
Ci.nsIClearDataService.CLEAR_COOKIES_AND_SITE_DATA
);
} else {
// Not on shutdown
await clearData(
range,
Ci.nsIClearDataService.CLEAR_COOKIES_AND_SITE_DATA
);
}
await clearData(range, Ci.nsIClearDataService.CLEAR_MEDIA_DEVICES);
TelemetryStopwatch.finish("FX_SANITIZE_COOKIES_2", refObj);
},
},
},
};
async function sanitizeInternal(items, aItemsToClear, options) {
let { ignoreTimespan = true, range, progress } = options;
let seenError = false;
// Shallow copy the array, as we are going to modify it in place later.
if (!Array.isArray(aItemsToClear)) {
throw new Error("Must pass an array of items to clear.");
}
let itemsToClear = [...aItemsToClear];
// Store the list of items to clear, in case we are killed before we
// get a chance to complete.
let uid = gPendingSanitizationSerial++;
// Shutdown sanitization is managed outside.
if (!progress.isShutdown) {
addPendingSanitization(uid, itemsToClear, options);
}
// Store the list of items to clear, for debugging/forensics purposes
for (let k of itemsToClear) {
progress[k] = "ready";
// Create a progress object specific to each cleaner. We'll pass down this
// to the cleaners instead of the main progress object, so they don't end
// up overriding properties each other.
// This specific progress is deleted if the cleaner completes successfully,
// so the metadata will only contain progress of unresolved cleaners.
progress[k + "Progress"] = {};
}
// Ensure open windows get cleared first, if they're in our list, so that
// they don't stick around in the recently closed windows list, and so we
// can cancel the whole thing if the user selects to keep a window open
// from a beforeunload prompt.
let openWindowsIndex = itemsToClear.indexOf("openWindows");
if (openWindowsIndex != -1) {
itemsToClear.splice(openWindowsIndex, 1);
await items.openWindows.clear(
null,
Object.assign(options, { progress: progress.openWindowsProgress })
);
progress.openWindows = "cleared";
delete progress.openWindowsProgress;
}
// If we ignore timespan, clear everything,
// otherwise, pick a range.
if (!ignoreTimespan && !range) {
range = Sanitizer.getClearRange();
}
// For performance reasons we start all the clear tasks at once, then wait
// for their promises later.
// Some of the clear() calls may raise exceptions (for example bug 265028),
// we catch and store them, but continue to sanitize as much as possible.
// Callers should check returned errors and give user feedback
// about items that could not be sanitized
let refObj = {};
TelemetryStopwatch.start("FX_SANITIZE_TOTAL", refObj);
let annotateError = (name, ex) => {
progress[name] = "failed";
seenError = true;
console.error("Error sanitizing " + name, ex);
};
// Array of objects in form { name, promise }.
// `name` is the item's name and `promise` may be a promise, if the
// sanitization is asynchronous, or the function return value, otherwise.
log("Running sanitization for:", itemsToClear);
let handles = [];
for (let name of itemsToClear) {
progress[name] = "blocking";
let item = items[name];
try {
// Catch errors here, so later we can just loop through these.
handles.push({
name,
promise: item
.clear(
range,
Object.assign(options, { progress: progress[name + "Progress"] }),
progress.clearHonoringExceptions
)
.then(
() => {
progress[name] = "cleared";
delete progress[name + "Progress"];
},
ex => annotateError(name, ex)
),
});
} catch (ex) {
annotateError(name, ex);
}
}
await Promise.all(handles.map(h => h.promise));
log("All sanitizations are complete");
TelemetryStopwatch.finish("FX_SANITIZE_TOTAL", refObj);
if (!progress.isShutdown) {
removePendingSanitization(uid);
}
progress = {};
if (seenError) {
throw new Error("Error sanitizing");
}
}
async function sanitizeOnShutdown(progress) {
log("Sanitizing on shutdown");
if (lazy.useOldClearHistoryDialog) {
progress.sanitizationPrefs = {
privacy_sanitize_sanitizeOnShutdown: Services.prefs.getBoolPref(
"privacy.sanitize.sanitizeOnShutdown"
),
privacy_clearOnShutdown_cookies: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.cookies"
),
privacy_clearOnShutdown_history: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.history"
),
privacy_clearOnShutdown_formdata: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.formdata"
),
privacy_clearOnShutdown_downloads: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.downloads"
),
privacy_clearOnShutdown_cache: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.cache"
),
privacy_clearOnShutdown_sessions: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.sessions"
),
privacy_clearOnShutdown_offlineApps: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.offlineApps"
),
privacy_clearOnShutdown_siteSettings: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.siteSettings"
),
privacy_clearOnShutdown_openWindows: Services.prefs.getBoolPref(
"privacy.clearOnShutdown.openWindows"
),
};
} else {
// Perform a migration if this is the first time sanitizeOnShutdown is
// running for the user with the new dialog
Sanitizer.maybeMigratePrefs("clearOnShutdown");
progress.sanitizationPrefs = {
privacy_sanitize_sanitizeOnShutdown: Services.prefs.getBoolPref(
"privacy.sanitize.sanitizeOnShutdown"
),
privacy_clearOnShutdown_v2_cookiesAndStorage: Services.prefs.getBoolPref(
"privacy.clearOnShutdown_v2.cookiesAndStorage"
),
privacy_clearOnShutdown_v2_historyFormDataAndDownloads:
Services.prefs.getBoolPref(
"privacy.clearOnShutdown_v2.historyFormDataAndDownloads"
),
privacy_clearOnShutdown_v2_cache: Services.prefs.getBoolPref(
"privacy.clearOnShutdown_v2.cache"
),
privacy_clearOnShutdown_v2_siteSettings: Services.prefs.getBoolPref(
"privacy.clearOnShutdown_v2.siteSettings"
),
};
}
let needsSyncSavePrefs = false;
if (Sanitizer.shouldSanitizeOnShutdown) {
// Need to sanitize upon shutdown
progress.advancement = "shutdown-cleaner";
let itemsToClear = getItemsToClearFromPrefBranch(
Sanitizer.PREF_SHUTDOWN_BRANCH
);
await Sanitizer.sanitize(itemsToClear, { progress });
// We didn't crash during shutdown sanitization, so annotate it to avoid
// sanitizing again on startup.
removePendingSanitization("shutdown");
needsSyncSavePrefs = true;
}
if (Sanitizer.shouldSanitizeNewTabContainer) {
progress.advancement = "newtab-segregation";
sanitizeNewTabSegregation();
removePendingSanitization("newtab-container");
needsSyncSavePrefs = true;
}
if (needsSyncSavePrefs) {
Services.prefs.savePrefFile(null);
}
if (!Sanitizer.shouldSanitizeOnShutdown) {
// In case the user has not activated sanitizeOnShutdown but has explicitely set exceptions
// to always clear particular origins, we clear those here
progress.advancement = "session-permission";
let exceptions = 0;
let selectedPrincipals = [];
// Let's see if we have to forget some particular site.
for (let permission of Services.perms.all) {
if (
permission.type != "cookie" ||
permission.capability != Ci.nsICookiePermission.ACCESS_SESSION
) {
continue;
}
// We consider just permissions set for http, https and file URLs.
if (!isSupportedPrincipal(permission.principal)) {
continue;
}
log(
"Custom session cookie permission detected for: " +
permission.principal.asciiSpec
);
exceptions++;
// We use just the URI here, because permissions ignore OriginAttributes.
// The principalsCollector is lazy, this is computed only once
if (!gPrincipalsCollector) {
gPrincipalsCollector = new lazy.PrincipalsCollector();
}
let principals = await gPrincipalsCollector.getAllPrincipals(progress);
selectedPrincipals.push(
...extractMatchingPrincipals(principals, permission.principal.host)
);
}
await maybeSanitizeSessionPrincipals(
progress,
selectedPrincipals,
Ci.nsIClearDataService.CLEAR_ALL_CACHES |
Ci.nsIClearDataService.CLEAR_COOKIES |
Ci.nsIClearDataService.CLEAR_DOM_STORAGES |
Ci.nsIClearDataService.CLEAR_EME |
Ci.nsIClearDataService.CLEAR_BOUNCE_TRACKING_PROTECTION_STATE
);
progress.sanitizationPrefs.session_permission_exceptions = exceptions;
}
progress.advancement = "done";
}
// Extracts the principals matching matchUri as root domain.
function extractMatchingPrincipals(principals, matchHost) {
return principals.filter(principal => {
return Services.eTLD.hasRootDomain(matchHost, principal.host);
});
}
/** This method receives a list of principals and it checks if some of them or
* some of their sub-domain need to be sanitize.
* @param {Object} progress - Object to keep track of the sanitization progress, prefs and mode
* @param {nsIPrincipal[]} principals - The principals generated by the PrincipalsCollector
* @param {int} flags - The cleaning categories that need to be cleaned for the principals.
* @returns {Promise} - Resolves once the clearing of the principals to be cleared is done
*/
async function maybeSanitizeSessionPrincipals(progress, principals, flags) {
log("Sanitizing " + principals.length + " principals");
let promises = [];
let permissions = new Map();
Services.perms.getAllWithTypePrefix("cookie").forEach(perm => {
permissions.set(perm.principal.origin, perm);
});
principals.forEach(principal => {
progress.step = "checking-principal";
let cookieAllowed = cookiesAllowedForDomainOrSubDomain(
principal,
permissions
);
progress.step = "principal-checked:" + cookieAllowed;
if (!cookieAllowed) {
promises.push(sanitizeSessionPrincipal(progress, principal, flags));
}
});
progress.step = "promises:" + promises.length;
if (promises.length) {
await Promise.all(promises);
await new Promise(resolve =>
Services.clearData.cleanupAfterDeletionAtShutdown(flags, resolve)
);
}
progress.step = "promises resolved";
}
function cookiesAllowedForDomainOrSubDomain(principal, permissions) {
log("Checking principal: " + principal.asciiSpec);
// If we have the 'cookie' permission for this principal, let's return
// immediately.
let cookiePermission = checkIfCookiePermissionIsSet(principal);
if (cookiePermission != null) {
return cookiePermission;
}
for (let perm of permissions.values()) {
if (perm.type != "cookie") {
permissions.delete(perm.principal.origin);
continue;
}
// We consider just permissions set for http, https and file URLs.
if (!isSupportedPrincipal(perm.principal)) {
permissions.delete(perm.principal.origin);
continue;
}
// We don't care about scheme, port, and anything else.
if (Services.eTLD.hasRootDomain(perm.principal.host, principal.host)) {
log("Cookie check on principal: " + perm.principal.asciiSpec);
let rootDomainCookiePermission = checkIfCookiePermissionIsSet(
perm.principal
);
if (rootDomainCookiePermission != null) {
return rootDomainCookiePermission;
}
}
}
log("Cookie not allowed.");
return false;
}
/**
* Checks if a cookie permission is set for a given principal
* @returns {boolean} - true: cookie permission "ACCESS_ALLOW", false: cookie permission "ACCESS_DENY"/"ACCESS_SESSION"
* @returns {null} - No cookie permission is set for this principal
*/
function checkIfCookiePermissionIsSet(principal) {
let p = Services.perms.testPermissionFromPrincipal(principal, "cookie");
if (p == Ci.nsICookiePermission.ACCESS_ALLOW) {
log("Cookie allowed!");
return true;
}
if (
p == Ci.nsICookiePermission.ACCESS_DENY ||
p == Ci.nsICookiePermission.ACCESS_SESSION
) {
log("Cookie denied or session!");
return false;
}
// This is an old profile with unsupported permission values
if (p != Ci.nsICookiePermission.ACCESS_DEFAULT) {
log("Not supported cookie permission: " + p);
return false;
}
return null;
}
async function sanitizeSessionPrincipal(progress, principal, flags) {
log("Sanitizing principal: " + principal.asciiSpec);
await new Promise(resolve => {
progress.sanitizePrincipal = "started";
Services.clearData.deleteDataFromPrincipal(
principal,
true /* user request */,
flags,
resolve
);
});
progress.sanitizePrincipal = "completed";
}
function sanitizeNewTabSegregation() {
let identity = lazy.ContextualIdentityService.getPrivateIdentity(
"userContextIdInternal.thumbnail"
);
if (identity) {
Services.clearData.deleteDataFromOriginAttributesPattern({
userContextId: identity.userContextId,
});
}
}
/**
* Gets an array of items to clear from the given pref branch.
* @param branch The pref branch to fetch.
* @return Array of items to clear
*/
function getItemsToClearFromPrefBranch(branch) {
branch = Services.prefs.getBranch(branch);
return Object.keys(Sanitizer.items).filter(itemName => {
try {
return branch.getBoolPref(itemName);
} catch (ex) {
return false;
}
});
}
/**
* These functions are used to track pending sanitization on the next startup
* in case of a crash before a sanitization could happen.
* @param id A unique id identifying the sanitization
* @param itemsToClear The items to clear
* @param options The Sanitize options
*/
function addPendingSanitization(id, itemsToClear, options) {
let pendingSanitizations = safeGetPendingSanitizations();
pendingSanitizations.push({ id, itemsToClear, options });
Services.prefs.setStringPref(
Sanitizer.PREF_PENDING_SANITIZATIONS,
JSON.stringify(pendingSanitizations)
);
}
function removePendingSanitization(id) {
let pendingSanitizations = safeGetPendingSanitizations();
let i = pendingSanitizations.findIndex(s => s.id == id);
let [s] = pendingSanitizations.splice(i, 1);
Services.prefs.setStringPref(
Sanitizer.PREF_PENDING_SANITIZATIONS,
JSON.stringify(pendingSanitizations)
);
return s;
}
function getAndClearPendingSanitizations() {
let pendingSanitizations = safeGetPendingSanitizations();
if (pendingSanitizations.length) {
Services.prefs.clearUserPref(Sanitizer.PREF_PENDING_SANITIZATIONS);
}
return pendingSanitizations;
}
function safeGetPendingSanitizations() {
try {
return JSON.parse(
Services.prefs.getStringPref(Sanitizer.PREF_PENDING_SANITIZATIONS, "[]")
);
} catch (ex) {
console.error("Invalid JSON value for pending sanitizations: ", ex);
return [];
}
}
async function clearData(range, flags) {
if (range) {
await new Promise(resolve => {
Services.clearData.deleteDataInTimeRange(
range[0],
range[1],
true /* user request */,
flags,
resolve
);
});
} else {
await new Promise(resolve => {
Services.clearData.deleteData(flags, resolve);
});
}
}
function isSupportedPrincipal(principal) {
return ["http", "https", "file"].some(scheme => principal.schemeIs(scheme));
}