Source code

Revision control

Other Tools

1
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3
/* This Source Code Form is subject to the terms of the Mozilla Public
4
* License, v. 2.0. If a copy of the MPL was not distributed with this
5
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7
#include "nsScriptSecurityManager.h"
8
9
#include "mozilla/ArrayUtils.h"
10
#include "mozilla/StaticPrefs_extensions.h"
11
#include "mozilla/StaticPrefs_security.h"
12
#include "mozilla/StoragePrincipalHelper.h"
13
14
#include "xpcpublic.h"
15
#include "XPCWrapper.h"
16
#include "nsILoadContext.h"
17
#include "nsIScriptObjectPrincipal.h"
18
#include "nsIScriptContext.h"
19
#include "nsIScriptError.h"
20
#include "nsINestedURI.h"
21
#include "nspr.h"
22
#include "nsJSPrincipals.h"
23
#include "mozilla/BasePrincipal.h"
24
#include "ExpandedPrincipal.h"
25
#include "SystemPrincipal.h"
26
#include "DomainPolicy.h"
27
#include "nsString.h"
28
#include "nsCRT.h"
29
#include "nsCRTGlue.h"
30
#include "nsContentSecurityUtils.h"
31
#include "nsDocShell.h"
32
#include "nsError.h"
33
#include "nsGlobalWindowInner.h"
34
#include "nsDOMCID.h"
35
#include "nsTextFormatter.h"
36
#include "nsIStringBundle.h"
37
#include "nsNetUtil.h"
38
#include "nsIEffectiveTLDService.h"
39
#include "nsDirectoryServiceDefs.h"
40
#include "nsIScriptGlobalObject.h"
41
#include "nsPIDOMWindow.h"
42
#include "nsIDocShell.h"
43
#include "nsIConsoleService.h"
44
#include "nsIOService.h"
45
#include "nsIContent.h"
46
#include "nsDOMJSUtils.h"
47
#include "nsAboutProtocolUtils.h"
48
#include "nsIClassInfo.h"
49
#include "nsIURIFixup.h"
50
#include "nsIChromeRegistry.h"
51
#include "nsIResProtocolHandler.h"
52
#include "nsIContentSecurityPolicy.h"
53
#include "mozilla/Components.h"
54
#include "mozilla/Preferences.h"
55
#include "mozilla/dom/BindingUtils.h"
56
#include "mozilla/NullPrincipal.h"
57
#include <stdint.h>
58
#include "mozilla/dom/ContentChild.h"
59
#include "mozilla/dom/ContentParent.h"
60
#include "mozilla/dom/nsCSPContext.h"
61
#include "mozilla/dom/ScriptSettings.h"
62
#include "mozilla/ClearOnShutdown.h"
63
#include "mozilla/StaticPtr.h"
64
#include "mozilla/dom/WorkerCommon.h"
65
#include "mozilla/dom/WorkerPrivate.h"
66
#include "nsContentUtils.h"
67
#include "nsJSUtils.h"
68
#include "nsILoadInfo.h"
69
70
// This should be probably defined on some other place... but I couldn't find it
71
#define WEBAPPS_PERM_NAME "webapps-manage"
72
73
using namespace mozilla;
74
using namespace mozilla::dom;
75
76
nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
77
bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
78
79
namespace {
80
81
class BundleHelper {
82
public:
83
NS_INLINE_DECL_REFCOUNTING(BundleHelper)
84
85
static nsIStringBundle* GetOrCreate() {
86
MOZ_ASSERT(!sShutdown);
87
88
// Already shutting down. Nothing should require the use of the string
89
// bundle when shutting down.
90
if (sShutdown) {
91
return nullptr;
92
}
93
94
if (!sSelf) {
95
sSelf = new BundleHelper();
96
}
97
98
return sSelf->GetOrCreateInternal();
99
}
100
101
static void Shutdown() {
102
sSelf = nullptr;
103
sShutdown = true;
104
}
105
106
private:
107
~BundleHelper() = default;
108
109
nsIStringBundle* GetOrCreateInternal() {
110
if (!mBundle) {
111
nsCOMPtr<nsIStringBundleService> bundleService =
112
mozilla::services::GetStringBundleService();
113
if (NS_WARN_IF(!bundleService)) {
114
return nullptr;
115
}
116
117
nsresult rv = bundleService->CreateBundle(
119
getter_AddRefs(mBundle));
120
if (NS_WARN_IF(NS_FAILED(rv))) {
121
return nullptr;
122
}
123
}
124
125
return mBundle;
126
}
127
128
nsCOMPtr<nsIStringBundle> mBundle;
129
130
static StaticRefPtr<BundleHelper> sSelf;
131
static bool sShutdown;
132
};
133
134
StaticRefPtr<BundleHelper> BundleHelper::sSelf;
135
bool BundleHelper::sShutdown = false;
136
137
} // namespace
138
139
///////////////////////////
140
// Convenience Functions //
141
///////////////////////////
142
143
class nsAutoInPrincipalDomainOriginSetter {
144
public:
145
nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
146
~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
147
static uint32_t sInPrincipalDomainOrigin;
148
};
149
uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
150
151
static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
152
if (!aURI) {
153
return NS_ERROR_NULL_POINTER;
154
}
155
if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
156
// Allow a single recursive call to GetPrincipalDomainOrigin, since that
157
// might be happening on a different principal from the first call. But
158
// after that, cut off the recursion; it just indicates that something
159
// we're doing in this method causes us to reenter a security check here.
160
return NS_ERROR_NOT_AVAILABLE;
161
}
162
163
nsAutoInPrincipalDomainOriginSetter autoSetter;
164
165
nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
166
NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
167
168
nsAutoCString hostPort;
169
170
nsresult rv = uri->GetHostPort(hostPort);
171
if (NS_SUCCEEDED(rv)) {
172
nsAutoCString scheme;
173
rv = uri->GetScheme(scheme);
174
NS_ENSURE_SUCCESS(rv, rv);
175
aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
176
} else {
177
// Some URIs (e.g., nsSimpleURI) don't support host. Just
178
// get the full spec.
179
rv = uri->GetSpec(aOrigin);
180
NS_ENSURE_SUCCESS(rv, rv);
181
}
182
183
return NS_OK;
184
}
185
186
static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
187
nsACString& aOrigin) {
188
aOrigin.Truncate();
189
nsCOMPtr<nsIURI> uri;
190
aPrincipal->GetDomain(getter_AddRefs(uri));
191
nsresult rv = GetOriginFromURI(uri, aOrigin);
192
if (NS_SUCCEEDED(rv)) {
193
return rv;
194
}
195
// If there is no Domain fallback to the Principals Origin
196
return aPrincipal->GetOriginNoSuffix(aOrigin);
197
}
198
199
inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
200
JS_ReportErrorASCII(cx, "%s", aMsg);
201
}
202
203
inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
204
NS_ConvertUTF16toUTF8 msg(aMsg);
205
JS_ReportErrorUTF8(cx, "%s", msg.get());
206
}
207
208
/* static */
209
bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
210
nsIURI* aTargetURI) {
211
return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
212
sStrictFileOriginPolicy);
213
}
214
215
// SecurityHashURI is consistent with SecurityCompareURIs because
216
// NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
217
// nsNetUtil.h.
218
uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
219
return NS_SecurityHashURI(aURI);
220
}
221
222
/*
223
* GetChannelResultPrincipal will return the principal that the resource
224
* returned by this channel will use. For example, if the resource is in
225
* a sandbox, it will return the nullprincipal. If the resource is forced
226
* to inherit principal, it will return the principal of its parent. If
227
* the load doesn't require sandboxing or inheriting, it will return the same
228
* principal as GetChannelURIPrincipal. Namely the principal of the URI
229
* that is being loaded.
230
*/
231
NS_IMETHODIMP
232
nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
233
nsIPrincipal** aPrincipal) {
234
return GetChannelResultPrincipal(aChannel, aPrincipal,
235
/*aIgnoreSandboxing*/ false);
236
}
237
238
nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
239
nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
240
return GetChannelResultPrincipal(aChannel, aPrincipal,
241
/*aIgnoreSandboxing*/ true);
242
}
243
244
NS_IMETHODIMP
245
nsScriptSecurityManager::GetChannelResultStoragePrincipal(
246
nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
247
nsCOMPtr<nsIPrincipal> principal;
248
nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
249
/*aIgnoreSandboxing*/ false);
250
if (NS_WARN_IF(NS_FAILED(rv))) {
251
return rv;
252
}
253
254
return StoragePrincipalHelper::Create(aChannel, principal, aPrincipal);
255
}
256
257
NS_IMETHODIMP
258
nsScriptSecurityManager::GetChannelResultPrincipals(
259
nsIChannel* aChannel, nsIPrincipal** aPrincipal,
260
nsIPrincipal** aStoragePrincipal) {
261
nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
262
/*aIgnoreSandboxing*/ false);
263
if (NS_WARN_IF(NS_FAILED(rv))) {
264
return rv;
265
}
266
267
if (!(*aPrincipal)->GetIsContentPrincipal()) {
268
// If for some reason we don't have a content principal here, just reuse our
269
// principal for the storage principal too, since attempting to create a
270
// storage principal would fail anyway.
271
nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
272
copy.forget(aStoragePrincipal);
273
return NS_OK;
274
}
275
276
return StoragePrincipalHelper::Create(aChannel, *aPrincipal,
277
aStoragePrincipal);
278
}
279
280
nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
281
nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
282
MOZ_ASSERT(aChannel, "Must have channel!");
283
284
// Check whether we have an nsILoadInfo that says what we should do.
285
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
286
if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
287
nsCOMPtr<nsIPrincipal> principalToInherit =
288
loadInfo->FindPrincipalToInherit(aChannel);
289
principalToInherit.forget(aPrincipal);
290
return NS_OK;
291
}
292
293
nsCOMPtr<nsISupports> owner;
294
aChannel->GetOwner(getter_AddRefs(owner));
295
if (owner) {
296
CallQueryInterface(owner, aPrincipal);
297
if (*aPrincipal) {
298
return NS_OK;
299
}
300
}
301
302
if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
303
nsCOMPtr<nsIPrincipal> sandboxedLoadingPrincipal =
304
loadInfo->GetSandboxedLoadingPrincipal();
305
MOZ_ASSERT(sandboxedLoadingPrincipal);
306
sandboxedLoadingPrincipal.forget(aPrincipal);
307
return NS_OK;
308
}
309
310
bool forceInherit = loadInfo->GetForceInheritPrincipal();
311
if (aIgnoreSandboxing && !forceInherit) {
312
// Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
313
// sandboxing:
314
if (loadInfo->GetLoadingSandboxed() &&
315
loadInfo->GetForceInheritPrincipalDropped()) {
316
forceInherit = true;
317
}
318
}
319
if (forceInherit) {
320
nsCOMPtr<nsIPrincipal> principalToInherit =
321
loadInfo->FindPrincipalToInherit(aChannel);
322
principalToInherit.forget(aPrincipal);
323
return NS_OK;
324
}
325
326
auto securityMode = loadInfo->GetSecurityMode();
327
// The data: inheritance flags should only apply to the initial load,
328
// not to loads that it might have redirected to.
329
if (loadInfo->RedirectChain().IsEmpty() &&
330
(securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS ||
331
securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS ||
332
securityMode == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS)) {
333
nsCOMPtr<nsIURI> uri;
334
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
335
NS_ENSURE_SUCCESS(rv, rv);
336
337
nsCOMPtr<nsIPrincipal> principalToInherit =
338
loadInfo->FindPrincipalToInherit(aChannel);
339
bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
340
341
if (nsContentUtils::ChannelShouldInheritPrincipal(
342
principalToInherit, uri, inheritForAboutBlank, false)) {
343
principalToInherit.forget(aPrincipal);
344
return NS_OK;
345
}
346
}
347
return GetChannelURIPrincipal(aChannel, aPrincipal);
348
}
349
350
/* The principal of the URI that this channel is loading. This is never
351
* affected by things like sandboxed loads, or loads where we forcefully
352
* inherit the principal. Think of this as the principal of the server
353
* which this channel is loading from. Most callers should use
354
* GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
355
* call GetChannelURIPrincipal if you are sure that you want the
356
* principal that matches the uri, even in cases when the load is
357
* sandboxed or when the load could be a blob or data uri (i.e even when
358
* you encounter loads that may or may not be sandboxed and loads
359
* that may or may not inherit)."
360
*/
361
NS_IMETHODIMP
362
nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
363
nsIPrincipal** aPrincipal) {
364
MOZ_ASSERT(aChannel, "Must have channel!");
365
366
// Get the principal from the URI. Make sure this does the same thing
367
// as Document::Reset and PrototypeDocumentContentSink::Init.
368
nsCOMPtr<nsIURI> uri;
369
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
370
NS_ENSURE_SUCCESS(rv, rv);
371
372
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
373
374
// Inherit the origin attributes from loadInfo.
375
// If this is a top-level document load, the origin attributes of the
376
// loadInfo will be set from nsDocShell::DoURILoad.
377
// For subresource loading, the origin attributes of the loadInfo is from
378
// its loadingPrincipal.
379
OriginAttributes attrs = loadInfo->GetOriginAttributes();
380
381
nsCOMPtr<nsIPrincipal> prin =
382
BasePrincipal::CreateContentPrincipal(uri, attrs);
383
prin.forget(aPrincipal);
384
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
385
}
386
387
/////////////////////////////
388
// nsScriptSecurityManager //
389
/////////////////////////////
390
391
////////////////////////////////////
392
// Methods implementing ISupports //
393
////////////////////////////////////
394
NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
395
396
///////////////////////////////////////////////////
397
// Methods implementing nsIScriptSecurityManager //
398
///////////////////////////////////////////////////
399
400
///////////////// Security Checks /////////////////
401
402
bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
403
JSContext* cx, JS::HandleString aCode) {
404
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
405
406
// Get the window, if any, corresponding to the current global
407
nsCOMPtr<nsIContentSecurityPolicy> csp;
408
if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
409
csp = win->GetCsp();
410
}
411
412
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
413
if (!csp) {
414
if (!StaticPrefs::extensions_content_script_csp_enabled()) {
415
return true;
416
}
417
// Get the CSP for addon sandboxes. If the principal is expanded and has a
418
// csp, we're probably in luck.
419
auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
420
// ContentScriptAddonPolicy means it is also an expanded principal, thus
421
// this is in a sandbox used as a content script.
422
if (basePrin->ContentScriptAddonPolicy()) {
423
basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
424
}
425
// don't do anything unless there's a CSP
426
if (!csp) {
427
return true;
428
}
429
}
430
431
nsCOMPtr<nsICSPEventListener> cspEventListener;
432
if (!NS_IsMainThread()) {
433
WorkerPrivate* workerPrivate =
434
mozilla::dom::GetWorkerPrivateFromContext(cx);
435
if (workerPrivate) {
436
cspEventListener = workerPrivate->CSPEventListener();
437
}
438
}
439
440
bool evalOK = true;
441
bool reportViolation = false;
442
nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
443
444
// A little convoluted. We want the scriptSample for a) reporting a violation
445
// or b) passing it to AssertEvalNotUsingSystemPrincipal or c) we're in the
446
// parent process. So do the work to get it if either of those cases is true.
447
nsAutoJSString scriptSample;
448
if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
449
XRE_IsE10sParentProcess()) {
450
if (NS_WARN_IF(!scriptSample.init(cx, aCode))) {
451
JS_ClearPendingException(cx);
452
return false;
453
}
454
}
455
456
#if !defined(ANDROID)
457
if (!nsContentSecurityUtils::IsEvalAllowed(
458
cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
459
return false;
460
}
461
#endif
462
463
if (NS_FAILED(rv)) {
464
NS_WARNING("CSP: failed to get allowsEval");
465
return true; // fail open to not break sites.
466
}
467
468
if (reportViolation) {
469
JS::AutoFilename scriptFilename;
470
nsAutoString fileName;
471
unsigned lineNum = 0;
472
unsigned columnNum = 0;
473
if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
474
if (const char* file = scriptFilename.get()) {
475
CopyUTF8toUTF16(nsDependentCString(file), fileName);
476
}
477
} else {
478
MOZ_ASSERT(!JS_IsExceptionPending(cx));
479
}
480
csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
481
nullptr, // triggering element
482
cspEventListener, fileName, scriptSample, lineNum,
483
columnNum, EmptyString(), EmptyString());
484
}
485
486
return evalOK;
487
}
488
489
// static
490
bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
491
JSPrincipals* second) {
492
return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
493
}
494
495
NS_IMETHODIMP
496
nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
497
nsIURI* aTargetURI,
498
bool reportError,
499
bool aFromPrivateWindow) {
500
// Please note that aFromPrivateWindow is only 100% accurate if
501
// reportError is true.
502
if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
503
if (reportError) {
504
ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
505
aFromPrivateWindow);
506
}
507
return NS_ERROR_DOM_BAD_URI;
508
}
509
return NS_OK;
510
}
511
512
NS_IMETHODIMP
513
nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
514
// Get principal of currently executing script.
515
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
516
nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
517
nsresult rv = CheckLoadURIWithPrincipal(
518
// Passing 0 for the window ID here is OK, because we will report a
519
// script-visible exception anyway.
520
principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
521
if (NS_SUCCEEDED(rv)) {
522
// OK to load
523
return NS_OK;
524
}
525
526
// Report error.
527
nsAutoCString spec;
528
if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
529
nsAutoCString msg("Access to '");
530
msg.Append(spec);
531
msg.AppendLiteral("' from script denied");
532
SetPendingExceptionASCII(cx, msg.get());
533
return NS_ERROR_DOM_BAD_URI;
534
}
535
536
/**
537
* Helper method to handle cases where a flag passed to
538
* CheckLoadURIWithPrincipal means denying loading if the given URI has certain
539
* nsIProtocolHandler flags set.
540
* @return if success, access is allowed. Otherwise, deny access
541
*/
542
static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
543
MOZ_ASSERT(aURI, "Must have URI!");
544
545
bool uriHasFlags;
546
nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
547
NS_ENSURE_SUCCESS(rv, rv);
548
549
if (uriHasFlags) {
550
return NS_ERROR_DOM_BAD_URI;
551
}
552
553
return NS_OK;
554
}
555
556
static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
557
nsresult rv;
558
nsCOMPtr<nsIURI> probe = aProbeArg;
559
560
nsCOMPtr<nsIEffectiveTLDService> tldService =
561
do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
562
NS_ENSURE_TRUE(tldService, false);
563
while (true) {
564
if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
565
return true;
566
}
567
568
nsAutoCString host, newHost;
569
rv = probe->GetHost(host);
570
NS_ENSURE_SUCCESS(rv, false);
571
572
rv = tldService->GetNextSubDomain(host, newHost);
573
if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
574
return false;
575
}
576
NS_ENSURE_SUCCESS(rv, false);
577
rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
578
NS_ENSURE_SUCCESS(rv, false);
579
}
580
}
581
582
NS_IMETHODIMP
583
nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
584
nsIURI* aTargetURI,
585
uint32_t aFlags,
586
uint64_t aInnerWindowID) {
587
MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
588
589
// If someone passes a flag that we don't understand, we should
590
// fail, because they may need a security check that we don't
591
// provide.
592
NS_ENSURE_FALSE(
593
aFlags &
594
~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
595
nsIScriptSecurityManager::ALLOW_CHROME |
596
nsIScriptSecurityManager::DISALLOW_SCRIPT |
597
nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
598
nsIScriptSecurityManager::DONT_REPORT_ERRORS),
599
NS_ERROR_UNEXPECTED);
600
NS_ENSURE_ARG_POINTER(aPrincipal);
601
NS_ENSURE_ARG_POINTER(aTargetURI);
602
603
// If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
604
// would do such inheriting. That would be URIs that do not have their own
605
// security context. We do this even for the system principal.
606
if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
607
nsresult rv = DenyAccessIfURIHasFlags(
608
aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
609
NS_ENSURE_SUCCESS(rv, rv);
610
}
611
612
if (aPrincipal == mSystemPrincipal) {
613
// Allow access
614
return NS_OK;
615
}
616
617
nsCOMPtr<nsIURI> sourceURI;
618
aPrincipal->GetURI(getter_AddRefs(sourceURI));
619
if (!sourceURI) {
620
auto* basePrin = BasePrincipal::Cast(aPrincipal);
621
if (basePrin->Is<ExpandedPrincipal>()) {
622
auto expanded = basePrin->As<ExpandedPrincipal>();
623
for (auto& prin : expanded->AllowList()) {
624
nsresult rv =
625
CheckLoadURIWithPrincipal(prin, aTargetURI, aFlags, aInnerWindowID);
626
if (NS_SUCCEEDED(rv)) {
627
// Allow access if it succeeded with one of the allowlisted principals
628
return NS_OK;
629
}
630
}
631
// None of our allowlisted principals worked.
632
return NS_ERROR_DOM_BAD_URI;
633
}
634
NS_ERROR(
635
"Non-system principals or expanded principal passed to "
636
"CheckLoadURIWithPrincipal "
637
"must have a URI!");
638
return NS_ERROR_UNEXPECTED;
639
}
640
641
// Automatic loads are not allowed from certain protocols.
642
if (aFlags &
643
nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
644
nsresult rv = DenyAccessIfURIHasFlags(
645
sourceURI,
646
nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
647
NS_ENSURE_SUCCESS(rv, rv);
648
}
649
650
// If either URI is a nested URI, get the base URI
651
nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
652
nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
653
654
//-- get the target scheme
655
nsAutoCString targetScheme;
656
nsresult rv = targetBaseURI->GetScheme(targetScheme);
657
if (NS_FAILED(rv)) return rv;
658
659
//-- Some callers do not allow loading javascript:
660
if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
661
targetScheme.EqualsLiteral("javascript")) {
662
return NS_ERROR_DOM_BAD_URI;
663
}
664
665
// Check for uris that are only loadable by principals that subsume them
666
bool hasFlags;
667
rv = NS_URIChainHasFlags(
668
targetBaseURI, nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS, &hasFlags);
669
NS_ENSURE_SUCCESS(rv, rv);
670
671
if (hasFlags) {
672
// check nothing else in the URI chain has flags that prevent
673
// access:
674
rv = CheckLoadURIFlags(
675
sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
676
aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
677
aInnerWindowID);
678
NS_ENSURE_SUCCESS(rv, rv);
679
// Check the principal is allowed to load the target.
680
if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
681
return aPrincipal->CheckMayLoad(targetBaseURI, false);
682
}
683
return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
684
aInnerWindowID);
685
}
686
687
//-- get the source scheme
688
nsAutoCString sourceScheme;
689
rv = sourceBaseURI->GetScheme(sourceScheme);
690
if (NS_FAILED(rv)) return rv;
691
692
if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
693
// A null principal can target its own URI.
694
if (sourceURI == aTargetURI) {
695
return NS_OK;
696
}
697
} else if (StaticPrefs::
698
security_view_source_reachable_from_inner_protocol() &&
699
sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
700
aTargetURI->SchemeIs("view-source")) {
701
// exception for foo: linking to view-source:foo for reftests...
702
return NS_OK;
703
} else if (sourceScheme.EqualsIgnoreCase("file") &&
704
targetScheme.EqualsIgnoreCase("moz-icon")) {
705
// exception for file: linking to moz-icon://.ext?size=...
706
// Note that because targetScheme is the base (innermost) URI scheme,
707
// this does NOT allow file -> moz-icon:file:///... links.
708
// This is intentional.
709
return NS_OK;
710
}
711
712
// Check for webextension
713
rv = NS_URIChainHasFlags(
714
aTargetURI, nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS, &hasFlags);
715
NS_ENSURE_SUCCESS(rv, rv);
716
717
if (hasFlags && BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
718
return NS_OK;
719
}
720
721
// If we get here, check all the schemes can link to each other, from the top
722
// down:
723
nsCaseInsensitiveCStringComparator stringComparator;
724
nsCOMPtr<nsIURI> currentURI = sourceURI;
725
nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
726
727
bool denySameSchemeLinks = false;
728
rv = NS_URIChainHasFlags(aTargetURI,
729
nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
730
&denySameSchemeLinks);
731
if (NS_FAILED(rv)) return rv;
732
733
while (currentURI && currentOtherURI) {
734
nsAutoCString scheme, otherScheme;
735
currentURI->GetScheme(scheme);
736
currentOtherURI->GetScheme(otherScheme);
737
738
bool schemesMatch = scheme.Equals(otherScheme, stringComparator);
739
bool isSamePage = false;
740
// about: URIs are special snowflakes.
741
if (scheme.EqualsLiteral("about") && schemesMatch) {
742
nsAutoCString moduleName, otherModuleName;
743
// about: pages can always link to themselves:
744
isSamePage =
745
NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
746
NS_SUCCEEDED(
747
NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
748
moduleName.Equals(otherModuleName);
749
if (!isSamePage) {
750
// We will have allowed the load earlier if the source page has
751
// system principal. So we know the source has a content
752
// principal, and it's trying to link to something else.
753
// Linkable about: pages are always reachable, even if we hit
754
// the CheckLoadURIFlags call below.
755
// We punch only 1 other hole: iff the source is unlinkable,
756
// we let them link to other pages explicitly marked SAFE
757
// for content. This avoids world-linkable about: pages linking
758
// to non-world-linkable about: pages.
759
nsCOMPtr<nsIAboutModule> module, otherModule;
760
bool knowBothModules =
761
NS_SUCCEEDED(
762
NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
763
NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
764
getter_AddRefs(otherModule)));
765
uint32_t aboutModuleFlags = 0;
766
uint32_t otherAboutModuleFlags = 0;
767
knowBothModules =
768
knowBothModules &&
769
NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
770
NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
771
&otherAboutModuleFlags));
772
if (knowBothModules) {
773
isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
774
(otherAboutModuleFlags &
775
nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
776
if (isSamePage &&
777
otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
778
// XXXgijs: this is a hack. The target will be nested
779
// (with innerURI of moz-safe-about:whatever), and
780
// the source isn't, so we won't pass if we finish
781
// the loop. We *should* pass, though, so return here.
782
// This hack can go away when bug 1228118 is fixed.
783
return NS_OK;
784
}
785
}
786
}
787
} else {
788
bool equalExceptRef = false;
789
rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
790
isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
791
}
792
793
// If schemes are not equal, or they're equal but the target URI
794
// is different from the source URI and doesn't always allow linking
795
// from the same scheme, check if the URI flags of the current target
796
// URI allow the current source URI to link to it.
797
// The policy is specified by the protocol flags on both URIs.
798
if (!schemesMatch || (denySameSchemeLinks && !isSamePage)) {
799
return CheckLoadURIFlags(
800
currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
801
aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
802
aInnerWindowID);
803
}
804
// Otherwise... check if we can nest another level:
805
nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
806
nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
807
808
// If schemes match and neither URI is nested further, we're OK.
809
if (!nestedURI && !nestedOtherURI) {
810
return NS_OK;
811
}
812
// If one is nested and the other isn't, something is wrong.
813
if (!nestedURI != !nestedOtherURI) {
814
return NS_ERROR_DOM_BAD_URI;
815
}
816
// Otherwise, both should be nested and we'll go through the loop again.
817
nestedURI->GetInnerURI(getter_AddRefs(currentURI));
818
nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
819
}
820
821
// We should never get here. We should always return from inside the loop.
822
return NS_ERROR_DOM_BAD_URI;
823
}
824
825
/**
826
* Helper method to check whether the target URI and its innermost ("base") URI
827
* has protocol flags that should stop it from being loaded by the source URI
828
* (and/or the source URI's innermost ("base") URI), taking into account any
829
* nsIScriptSecurityManager flags originally passed to
830
* CheckLoadURIWithPrincipal and friends.
831
*
832
* @return if success, access is allowed. Otherwise, deny access
833
*/
834
nsresult nsScriptSecurityManager::CheckLoadURIFlags(
835
nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
836
nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
837
uint64_t aInnerWindowID) {
838
// Note that the order of policy checks here is very important!
839
// We start from most restrictive and work our way down.
840
bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
841
const char* errorTag = "CheckLoadURIError";
842
843
nsAutoCString targetScheme;
844
nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
845
if (NS_FAILED(rv)) return rv;
846
847
// Check for system target URI
848
rv = DenyAccessIfURIHasFlags(aTargetURI,
849
nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
850
if (NS_FAILED(rv)) {
851
// Deny access, since the origin principal is not system
852
if (reportErrors) {
853
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
854
aInnerWindowID);
855
}
856
return rv;
857
}
858
859
// Used by ExtensionProtocolHandler to prevent loading extension resources
860
// in private contexts if the extension does not have permission.
861
if (aFromPrivateWindow) {
862
rv = DenyAccessIfURIHasFlags(
863
aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
864
if (NS_FAILED(rv)) {
865
if (reportErrors) {
866
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
867
aInnerWindowID);
868
}
869
return rv;
870
}
871
}
872
873
// Check for chrome target URI
874
bool hasFlags = false;
875
rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
876
&hasFlags);
877
NS_ENSURE_SUCCESS(rv, rv);
878
if (hasFlags) {
879
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
880
// Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
881
// target if ALLOW_CHROME is set.
882
//
883
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
884
// loads (since docshell loads run the loaded content with its origin
885
// principal). So we're effectively allowing resource://, chrome://,
886
// and moz-icon:// source URIs to load resource://, chrome://, and
887
// moz-icon:// files, so long as they're not loading it as a document.
888
bool sourceIsUIResource;
889
rv = NS_URIChainHasFlags(aSourceBaseURI,
890
nsIProtocolHandler::URI_IS_UI_RESOURCE,
891
&sourceIsUIResource);
892
NS_ENSURE_SUCCESS(rv, rv);
893
if (sourceIsUIResource) {
894
return NS_OK;
895
}
896
897
if (targetScheme.EqualsLiteral("resource")) {
898
if (StaticPrefs::security_all_resource_uri_content_accessible()) {
899
return NS_OK;
900
}
901
902
nsCOMPtr<nsIProtocolHandler> ph;
903
rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
904
NS_ENSURE_SUCCESS(rv, rv);
905
if (!ph) {
906
return NS_ERROR_DOM_BAD_URI;
907
}
908
909
nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
910
if (!rph) {
911
return NS_ERROR_DOM_BAD_URI;
912
}
913
914
bool accessAllowed = false;
915
rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
916
if (accessAllowed) {
917
return NS_OK;
918
}
919
} else if (targetScheme.EqualsLiteral("chrome")) {
920
// Allow the load only if the chrome package is allowlisted.
921
nsCOMPtr<nsIXULChromeRegistry> reg(
922
do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
923
if (reg) {
924
bool accessAllowed = false;
925
reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
926
if (accessAllowed) {
927
return NS_OK;
928
}
929
}
930
} else if (targetScheme.EqualsLiteral("moz-page-thumb")) {
931
if (XRE_IsParentProcess()) {
932
return NS_OK;
933
}
934
935
auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
936
if (remoteType.EqualsLiteral(PRIVILEGEDABOUT_REMOTE_TYPE)) {
937
return NS_OK;
938
}
939
}
940
}
941
942
if (reportErrors) {
943
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
944
aInnerWindowID);
945
}
946
return NS_ERROR_DOM_BAD_URI;
947
}
948
949
// Check for target URI pointing to a file
950
rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
951
&hasFlags);
952
NS_ENSURE_SUCCESS(rv, rv);
953
if (hasFlags) {
954
// Allow domains that were allowlisted in the prefs. In 99.9% of cases,
955
// this array is empty.
956
bool isAllowlisted;
957
MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
958
if (isAllowlisted) {
959
return NS_OK;
960
}
961
962
// Allow chrome://
963
if (aSourceBaseURI->SchemeIs("chrome")) {
964
return NS_OK;
965
}
966
967
// Nothing else.
968
if (reportErrors) {
969
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
970
aInnerWindowID);
971
}
972
return NS_ERROR_DOM_BAD_URI;
973
}
974
975
#ifdef DEBUG
976
{
977
// Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
978
// is handled by the caller which is just delegating to us as a helper.
979
bool hasSubsumersFlag = false;
980
NS_URIChainHasFlags(aTargetBaseURI,
981
nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
982
&hasSubsumersFlag);
983
bool hasLoadableByAnyone = false;
984
NS_URIChainHasFlags(aTargetBaseURI,
985
nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
986
&hasLoadableByAnyone);
987
MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
988
"why do we get here and do not have any of the two flags set?");
989
}
990
#endif
991
992
return NS_OK;
993
}
994
995
nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
996
const nsACString& aSourceSpec,
997
const nsACString& aTargetSpec,
998
bool aFromPrivateWindow,
999
uint64_t aInnerWindowID) {
1000
if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1001
return NS_OK;
1002
}
1003
1004
nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1005
if (NS_WARN_IF(!bundle)) {
1006
return NS_OK;
1007
}
1008
1009
// Localize the error message
1010
nsAutoString message;
1011
AutoTArray<nsString, 2> formatStrings;
1012
CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1013
CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1014
nsresult rv =
1015
bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1016
NS_ENSURE_SUCCESS(rv, rv);
1017
1018
nsCOMPtr<nsIConsoleService> console(
1019
do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1020
NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1021
nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1022
NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1023
1024
// using category of "SOP" so we can link to MDN
1025
if (aInnerWindowID != 0) {
1026
rv = error->InitWithWindowID(message, EmptyString(), EmptyString(), 0, 0,
1027
nsIScriptError::errorFlag,
1028
NS_LITERAL_CSTRING("SOP"), aInnerWindowID,
1029
true /* From chrome context */);
1030
} else {
1031
rv = error->Init(message, EmptyString(), EmptyString(), 0, 0,
1032
nsIScriptError::errorFlag, "SOP", aFromPrivateWindow,
1033
true /* From chrome context */);
1034
}
1035
NS_ENSURE_SUCCESS(rv, rv);
1036
console->LogMessage(error);
1037
return NS_OK;
1038
}
1039
1040
nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1041
nsIURI* aSource, nsIURI* aTarget,
1042
bool aFromPrivateWindow,
1043
uint64_t aInnerWindowID) {
1044
NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1045
1046
// Get the source URL spec
1047
nsAutoCString sourceSpec;
1048
nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1049
NS_ENSURE_SUCCESS(rv, rv);
1050
1051
// Get the target URL spec
1052
nsAutoCString targetSpec;
1053
rv = aTarget->GetAsciiSpec(targetSpec);
1054
NS_ENSURE_SUCCESS(rv, rv);
1055
1056
return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1057
aInnerWindowID);
1058
}
1059
1060
NS_IMETHODIMP
1061
nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1062
nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1063
uint32_t aFlags) {
1064
nsresult rv;
1065
nsCOMPtr<nsIURI> target;
1066
rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1067
NS_ENSURE_SUCCESS(rv, rv);
1068
1069
rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1070
if (rv == NS_ERROR_DOM_BAD_URI) {
1071
// Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1072
// return values.
1073
return rv;
1074
}
1075
NS_ENSURE_SUCCESS(rv, rv);
1076
1077
// Now start testing fixup -- since aTargetURIStr is a string, not
1078
// an nsIURI, we may well end up fixing it up before loading.
1079
// Note: This needs to stay in sync with the nsIURIFixup api.
1080
nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1081
if (!fixup) {
1082
return rv;
1083
}
1084
1085
uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1086
nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
1087
nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
1088
nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
1089
nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
1090
nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI};
1091
1092
for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1093
uint32_t fixupFlags = flags[i];
1094
if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1095
fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1096
}
1097
rv = fixup->CreateFixupURI(aTargetURIStr, fixupFlags, nullptr,
1098
getter_AddRefs(target));
1099
NS_ENSURE_SUCCESS(rv, rv);
1100
1101
rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1102
if (rv == NS_ERROR_DOM_BAD_URI) {
1103
// Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1104
// return values.
1105
return rv;
1106
}
1107
NS_ENSURE_SUCCESS(rv, rv);
1108
}
1109
1110
return rv;
1111
}
1112
1113
NS_IMETHODIMP
1114
nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1115
MOZ_ASSERT(aUri);
1116
MOZ_ASSERT(aResult);
1117
1118
*aResult = false;
1119
for (nsIURI* uri : EnsureFileURIAllowlist()) {
1120
if (EqualOrSubdomain(aUri, uri)) {
1121
*aResult = true;
1122
return NS_OK;
1123
}
1124
}
1125
1126
return NS_OK;
1127
}
1128
1129
///////////////// Principals ///////////////////////
1130
1131
NS_IMETHODIMP
1132
nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1133
NS_ADDREF(*result = mSystemPrincipal);
1134
1135
return NS_OK;
1136
}
1137
1138
NS_IMETHODIMP
1139
nsScriptSecurityManager::CreateContentPrincipal(
1140
nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1141
nsIPrincipal** aPrincipal) {
1142
OriginAttributes attrs;
1143
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1144
return NS_ERROR_INVALID_ARG;
1145
}
1146
nsCOMPtr<nsIPrincipal> prin =
1147
BasePrincipal::CreateContentPrincipal(aURI, attrs);
1148
prin.forget(aPrincipal);
1149
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1150
}
1151
1152
NS_IMETHODIMP
1153
nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1154
const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1155
if (StringBeginsWith(aOrigin, NS_LITERAL_CSTRING("["))) {
1156
return NS_ERROR_INVALID_ARG;
1157
}
1158
1159
if (StringBeginsWith(aOrigin,
1160
NS_LITERAL_CSTRING(NS_NULLPRINCIPAL_SCHEME ":"))) {
1161
return NS_ERROR_INVALID_ARG;
1162
}
1163
1164
nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1165
prin.forget(aPrincipal);
1166
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1167
}
1168
1169
NS_IMETHODIMP
1170
nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1171
nsACString& aJSON) {
1172
aJSON.Truncate();
1173
if (!aPrincipal) {
1174
return NS_ERROR_FAILURE;
1175
}
1176
1177
BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1178
1179
if (aJSON.IsEmpty()) {
1180
return NS_ERROR_FAILURE;
1181
}
1182
1183
return NS_OK;
1184
}
1185
1186
NS_IMETHODIMP
1187
nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1188
nsIPrincipal** aPrincipal) {
1189
if (aJSON.IsEmpty()) {
1190
return NS_ERROR_FAILURE;
1191
}
1192
1193
nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1194
1195
if (!principal) {
1196
return NS_ERROR_FAILURE;
1197
}
1198
1199
principal.forget(aPrincipal);
1200
return NS_OK;
1201
}
1202
1203
NS_IMETHODIMP
1204
nsScriptSecurityManager::CreateNullPrincipal(
1205
JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1206
nsIPrincipal** aPrincipal) {
1207
OriginAttributes attrs;
1208
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1209
return NS_ERROR_INVALID_ARG;
1210
}
1211
nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1212
prin.forget(aPrincipal);
1213
return NS_OK;
1214
}
1215
1216
NS_IMETHODIMP
1217
nsScriptSecurityManager::GetLoadContextContentPrincipal(
1218
nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1219
NS_ENSURE_STATE(aLoadContext);
1220
OriginAttributes docShellAttrs;
1221
aLoadContext->GetOriginAttributes(docShellAttrs);
1222
1223
nsCOMPtr<nsIPrincipal> prin =
1224
BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1225
prin.forget(aPrincipal);
1226
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1227
}
1228
1229
NS_IMETHODIMP
1230
nsScriptSecurityManager::GetDocShellContentPrincipal(
1231
nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1232
nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1233
aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1234
prin.forget(aPrincipal);
1235
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1236
}
1237
1238
NS_IMETHODIMP
1239
nsScriptSecurityManager::PrincipalWithOA(
1240
nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1241
JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1242
if (!aPrincipal) {
1243
return NS_OK;
1244
}
1245
if (aPrincipal->GetIsContentPrincipal()) {
1246
OriginAttributes attrs;
1247
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1248
return NS_ERROR_INVALID_ARG;
1249
}
1250
RefPtr<ContentPrincipal> copy = new ContentPrincipal();
1251
auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1252
nsresult rv = copy->Init(contentPrincipal, attrs);
1253
NS_ENSURE_SUCCESS(rv, rv);
1254
copy.forget(aReturnPrincipal);
1255
} else {
1256
// We do this for null principals, system principals (both fine)
1257
// ... and expanded principals, where we should probably do something
1258
// cleverer, but I also don't think we care too much.
1259
nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1260
prin.forget(aReturnPrincipal);
1261
}
1262
1263
return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1264
}
1265
1266
NS_IMETHODIMP
1267
nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1268
nsISupports* aObj,
1269
nsIClassInfo* aClassInfo) {
1270
// XXX Special case for Exception ?
1271
1272
// We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1273
JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1274
MOZ_RELEASE_ASSERT(contextRealm);
1275
if (!xpc::AllowContentXBLScope(contextRealm)) {
1276
return NS_OK;
1277
}
1278
1279
if (nsContentUtils::IsCallerChrome()) {
1280
return NS_OK;
1281
}
1282
1283
//-- Access denied, report an error
1284
nsAutoCString originUTF8;
1285
nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1286
GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1287
NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1288
nsAutoCString classInfoNameUTF8;
1289
if (aClassInfo) {
1290
aClassInfo->GetClassDescription(classInfoNameUTF8);
1291
}
1292
if (classInfoNameUTF8.IsEmpty()) {
1293
classInfoNameUTF8.AssignLiteral("UnnamedClass");
1294
}
1295
1296
nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1297
if (NS_WARN_IF(!bundle)) {
1298
return NS_OK;
1299
}
1300
1301
NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1302
nsresult rv;
1303
nsAutoString errorMsg;
1304
if (originUTF16.IsEmpty()) {
1305
AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1306
rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1307
errorMsg);
1308
} else {
1309
AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1310
rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1311
formatStrings, errorMsg);
1312
}
1313
NS_ENSURE_SUCCESS(rv, rv);
1314
1315
SetPendingException(cx, errorMsg.get());
1316
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1317
}
1318
1319
NS_IMETHODIMP
1320
nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1321
if (nsContentUtils::IsCallerChrome()) {
1322
return NS_OK;
1323
}
1324
1325
//-- Access denied, report an error
1326
nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1327
char cidStr[NSID_LENGTH];
1328
aCID.ToProvidedString(cidStr);
1329
errorMsg.Append(cidStr);
1330
SetPendingExceptionASCII(cx, errorMsg.get());
1331
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1332
}
1333
1334
NS_IMETHODIMP
1335
nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1336
if (nsContentUtils::IsCallerChrome()) {
1337
return NS_OK;
1338
}
1339
1340
//-- Access denied, report an error
1341
nsAutoCString errorMsg("Permission denied to get service. CID=");
1342
char cidStr[NSID_LENGTH];
1343
aCID.ToProvidedString(cidStr);
1344
errorMsg.Append(cidStr);
1345
SetPendingExceptionASCII(cx, errorMsg.get());
1346
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1347
}
1348
1349
const char sJSEnabledPrefName[] = "javascript.enabled";
1350
const char sFileOriginPolicyPrefName[] =
1351
"security.fileuri.strict_origin_policy";
1352
1353
static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1354
sFileOriginPolicyPrefName,
1355
"capability.policy.", nullptr};
1356
1357
/////////////////////////////////////////////
1358
// Constructor, Destructor, Initialization //
1359
/////////////////////////////////////////////
1360
nsScriptSecurityManager::nsScriptSecurityManager(void)
1361
: mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1362
static_assert(
1363
sizeof(intptr_t) == sizeof(void*),
1364
"intptr_t and void* have different lengths on this platform. "
1365
"This may cause a security failure with the SecurityLevel union.");
1366
}
1367
1368
nsresult nsScriptSecurityManager::Init() {
1369
nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1370
NS_ENSURE_SUCCESS(rv, rv);
1371
1372
InitPrefs();
1373
1374
// Create our system principal singleton
1375
RefPtr<SystemPrincipal> system = SystemPrincipal::Create();
1376
1377
mSystemPrincipal = system;
1378
1379
return NS_OK;
1380
}
1381
1382
void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1383
//-- Register security check callback in the JS engine
1384
// Currently this is used to control access to function.caller
1385
1386
static const JSSecurityCallbacks securityCallbacks = {
1387
ContentSecurityPolicyPermitsJSAction,
1388
JSPrincipalsSubsume,
1389
};
1390
1391
MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1392
JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1393
JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1394
1395
JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1396
}
1397
1398
/* static */
1399
void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1400
JS_SetSecurityCallbacks(aCx, nullptr);
1401
JS_SetTrustedPrincipals(aCx, nullptr);
1402
}
1403
1404
static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1405
1406
nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1407
Preferences::UnregisterPrefixCallbacks(
1408
nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1409
if (mDomainPolicy) {
1410
mDomainPolicy->Deactivate();
1411
}
1412
// ContentChild might hold a reference to the domain policy,
1413
// and it might release it only after the security manager is
1414
// gone. But we can still assert this for the main process.
1415
MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1416
}
1417
1418
void nsScriptSecurityManager::Shutdown() {
1419
NS_IF_RELEASE(sIOService);
1420
BundleHelper::Shutdown();
1421
}
1422
1423
nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1424
return gScriptSecMan;
1425
}
1426
1427
/* static */
1428
void nsScriptSecurityManager::InitStatics() {
1429
RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1430
nsresult rv = ssManager->Init();
1431
if (NS_FAILED(rv)) {
1432
MOZ_CRASH("ssManager->Init() failed");
1433
}
1434
1435
ClearOnShutdown(&gScriptSecMan);
1436
gScriptSecMan = ssManager;
1437
}
1438
1439
// Currently this nsGenericFactory constructor is used only from FastLoad
1440
// (XPCOM object deserialization) code, when "creating" the system principal
1441
// singleton.
1442
already_AddRefed<SystemPrincipal>
1443
nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1444
if (gScriptSecMan)
1445
return do_AddRef(gScriptSecMan->mSystemPrincipal)
1446
.downcast<SystemPrincipal>();
1447
return nullptr;
1448
}
1449
1450
struct IsWhitespace {
1451
static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1452
};
1453
struct IsWhitespaceOrComma {
1454
static bool Test(char aChar) {
1455
return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1456
};
1457
};
1458
1459
template <typename Predicate>
1460
uint32_t SkipPast(const nsCString& str, uint32_t base) {
1461
while (base < str.Length() && Predicate::Test(str[base])) {
1462
++base;
1463
}
1464
return base;
1465
}
1466
1467
template <typename Predicate>
1468
uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1469
while (base < str.Length() && !Predicate::Test(str[base])) {
1470
++base;
1471
}
1472
return base;
1473
}
1474
1475
// static
1476
void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1477
void* aSelf) {
1478
static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1479
aPref);
1480
}
1481
1482
inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1483
const char* aPref) {
1484
MOZ_ASSERT(mPrefInitialized);
1485
mIsJavaScriptEnabled =
1486
Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1487
sStrictFileOriginPolicy =
1488
Preferences::GetBool(sFileOriginPolicyPrefName, false);
1489
mFileURIAllowlist.reset();
1490
}
1491
1492
void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1493
const nsCString& aSiteList) {
1494
for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1495
base < aSiteList.Length();
1496
base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1497
// Grab the current site.
1498
bound = SkipUntil<IsWhitespace>(aSiteList, base);
1499
nsAutoCString site(Substring(aSiteList, base, bound - base));
1500
1501
// Check if the URI is schemeless. If so, add both http and https.
1502
nsAutoCString unused;
1503
if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1504
AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("http://") + site);
1505
AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("https://") + site);
1506
continue;
1507
}
1508
1509
// Convert it to a URI and add it to our list.
1510
nsCOMPtr<nsIURI> uri;
1511
nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1512
if (NS_SUCCEEDED(rv)) {
1513
mFileURIAllowlist.ref().AppendElement(uri);
1514
} else {
1515
nsCOMPtr<nsIConsoleService> console(
1516
do_GetService("@mozilla.org/consoleservice;1"));
1517
if (console) {
1518
nsAutoString msg =
1519
NS_LITERAL_STRING(
1520
"Unable to to add site to file:// URI allowlist: ") +
1521
NS_ConvertASCIItoUTF16(site);
1522
console->LogStringMessage(msg.get());
1523
}
1524
}
1525
}
1526
}
1527
1528
nsresult nsScriptSecurityManager::InitPrefs() {
1529
nsIPrefBranch* branch = Preferences::GetRootBranch();
1530
NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1531
1532
mPrefInitialized = true;
1533
1534
// Set the initial value of the "javascript.enabled" prefs
1535
ScriptSecurityPrefChanged();
1536
1537
// set observer callbacks in case the value of the prefs change
1538
Preferences::RegisterPrefixCallbacks(
1539
nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1540
1541
return NS_OK;
1542
}
1543
1544
NS_IMETHODIMP
1545
nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1546
*aRv = !!mDomainPolicy;
1547
return NS_OK;
1548
}
1549
1550
NS_IMETHODIMP
1551
nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1552
if (!XRE_IsParentProcess()) {
1553
return NS_ERROR_SERVICE_NOT_AVAILABLE;
1554
}
1555
1556
return ActivateDomainPolicyInternal(aRv);
1557
}
1558
1559
NS_IMETHODIMP
1560
nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1561
// We only allow one domain policy at a time. The holder of the previous
1562
// policy must explicitly deactivate it first.
1563
if (mDomainPolicy) {
1564
return NS_ERROR_SERVICE_NOT_AVAILABLE;
1565
}
1566
1567
mDomainPolicy = new DomainPolicy();
1568
nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1569
ptr.forget(aRv);
1570
return NS_OK;
1571
}
1572
1573
// Intentionally non-scriptable. Script must have a reference to the
1574
// nsIDomainPolicy to deactivate it.
1575
void nsScriptSecurityManager::DeactivateDomainPolicy() {
1576
mDomainPolicy = nullptr;
1577
}
1578
1579
void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1580
MOZ_ASSERT(aClone);
1581
if (mDomainPolicy) {
1582
mDomainPolicy->CloneDomainPolicy(aClone);
1583
} else {
1584
aClone->active() = false;
1585
}
1586
}
1587
1588
NS_IMETHODIMP
1589
nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1590
nsresult rv;
1591
1592
// Compute our rule. If we don't have any domain policy set up that might
1593
// provide exceptions to this rule, we're done.
1594
*aRv = mIsJavaScriptEnabled;
1595
if (!mDomainPolicy) {
1596
return NS_OK;
1597
}
1598
1599
// We have a domain policy. Grab the appropriate set of exceptions to the
1600
// rule (either the blocklist or the allowlist, depending on whether script
1601
// is enabled or disabled by default).
1602
nsCOMPtr<nsIDomainSet> exceptions;
1603
nsCOMPtr<nsIDomainSet> superExceptions;
1604
if (*aRv) {
1605
mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1606
mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1607
} else {
1608
mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1609
mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1610
}
1611
1612
bool contains;
1613
rv = exceptions->Contains(aURI, &contains);
1614
NS_ENSURE_SUCCESS(rv, rv);
1615
if (contains) {
1616
*aRv = !*aRv;
1617
return NS_OK;
1618
}
1619
rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1620
NS_ENSURE_SUCCESS(rv, rv);
1621
if (contains) {
1622
*aRv = !*aRv;
1623
}
1624
1625
return NS_OK;
1626
}
1627
1628
const nsTArray<nsCOMPtr<nsIURI>>&
1629
nsScriptSecurityManager::EnsureFileURIAllowlist() {
1630
if (mFileURIAllowlist.isSome()) {
1631
return mFileURIAllowlist.ref();
1632
}
1633
1634
//
1635
// Rebuild the set of principals for which we allow file:// URI loads. This
1636
// implements a small subset of an old pref-based CAPS people that people
1637
// have come to depend on. See bug 995943.
1638
//
1639
1640
mFileURIAllowlist.emplace();
1641
nsAutoCString policies;
1642
mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1643
for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1644
base < policies.Length();
1645
base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1646
// Grab the current policy name.
1647
bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1648
auto policyName = Substring(policies, base, bound - base);
1649
1650
// Figure out if this policy allows loading file:// URIs. If not, we can
1651
// skip it.
1652
nsCString checkLoadURIPrefName =
1653
NS_LITERAL_CSTRING("capability.policy.") + policyName +
1654
NS_LITERAL_CSTRING(".checkloaduri.enabled");
1655
nsAutoString value;
1656
nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1657
if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1658
continue;
1659
}
1660
1661
// Grab the list of domains associated with this policy.
1662
nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1663
policyName + NS_LITERAL_CSTRING(".sites");
1664
nsAutoCString siteList;
1665
Preferences::GetCString(domainPrefName.get(), siteList);
1666
AddSitesToFileURIAllowlist(siteList);
1667
}
1668
1669
return mFileURIAllowlist.ref();
1670
}