Source code

Revision control

Other Tools

1
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3
/* This Source Code Form is subject to the terms of the Mozilla Public
4
* License, v. 2.0. If a copy of the MPL was not distributed with this
5
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7
#include "nsScriptSecurityManager.h"
8
9
#include "mozilla/ArrayUtils.h"
10
#include "mozilla/StaticPrefs_extensions.h"
11
#include "mozilla/StaticPrefs_security.h"
12
#include "mozilla/StoragePrincipalHelper.h"
13
14
#include "xpcpublic.h"
15
#include "XPCWrapper.h"
16
#include "nsIInputStreamChannel.h"
17
#include "nsILoadContext.h"
18
#include "nsIServiceManager.h"
19
#include "nsIScriptObjectPrincipal.h"
20
#include "nsIScriptContext.h"
21
#include "nsIScriptError.h"
22
#include "nsIURL.h"
23
#include "nsIURIMutator.h"
24
#include "nsINestedURI.h"
25
#include "nspr.h"
26
#include "nsJSPrincipals.h"
27
#include "mozilla/BasePrincipal.h"
28
#include "ExpandedPrincipal.h"
29
#include "SystemPrincipal.h"
30
#include "DomainPolicy.h"
31
#include "nsString.h"
32
#include "nsCRT.h"
33
#include "nsCRTGlue.h"
34
#include "nsContentSecurityUtils.h"
35
#include "nsDocShell.h"
36
#include "nsError.h"
37
#include "nsGlobalWindowInner.h"
38
#include "nsDOMCID.h"
39
#include "nsTextFormatter.h"
40
#include "nsIStringBundle.h"
41
#include "nsNetUtil.h"
42
#include "nsIEffectiveTLDService.h"
43
#include "nsIProperties.h"
44
#include "nsDirectoryServiceDefs.h"
45
#include "nsIFile.h"
46
#include "nsIFileURL.h"
47
#include "nsIZipReader.h"
48
#include "nsIScriptGlobalObject.h"
49
#include "nsPIDOMWindow.h"
50
#include "nsIDocShell.h"
51
#include "nsIPrompt.h"
52
#include "nsIWindowWatcher.h"
53
#include "nsIConsoleService.h"
54
#include "nsIOService.h"
55
#include "nsIContent.h"
56
#include "nsDOMJSUtils.h"
57
#include "nsAboutProtocolUtils.h"
58
#include "nsIClassInfo.h"
59
#include "nsIURIFixup.h"
60
#include "nsIChromeRegistry.h"
61
#include "nsIResProtocolHandler.h"
62
#include "nsIContentSecurityPolicy.h"
63
#include "nsIAsyncVerifyRedirectCallback.h"
64
#include "mozilla/Components.h"
65
#include "mozilla/Preferences.h"
66
#include "mozilla/dom/BindingUtils.h"
67
#include "mozilla/NullPrincipal.h"
68
#include <stdint.h>
69
#include "mozilla/dom/nsCSPContext.h"
70
#include "mozilla/dom/ScriptSettings.h"
71
#include "mozilla/ClearOnShutdown.h"
72
#include "mozilla/StaticPtr.h"
73
#include "mozilla/dom/WorkerCommon.h"
74
#include "mozilla/dom/WorkerPrivate.h"
75
#include "nsContentUtils.h"
76
#include "nsJSUtils.h"
77
#include "nsILoadInfo.h"
78
#include "nsIDOMXULCommandDispatcher.h"
79
#include "nsITreeSelection.h"
80
81
// This should be probably defined on some other place... but I couldn't find it
82
#define WEBAPPS_PERM_NAME "webapps-manage"
83
84
using namespace mozilla;
85
using namespace mozilla::dom;
86
87
nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
88
JSContext* nsScriptSecurityManager::sContext = nullptr;
89
bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
90
91
namespace {
92
93
class BundleHelper {
94
public:
95
NS_INLINE_DECL_REFCOUNTING(BundleHelper)
96
97
static nsIStringBundle* GetOrCreate() {
98
MOZ_ASSERT(!sShutdown);
99
100
// Already shutting down. Nothing should require the use of the string
101
// bundle when shutting down.
102
if (sShutdown) {
103
return nullptr;
104
}
105
106
if (!sSelf) {
107
sSelf = new BundleHelper();
108
}
109
110
return sSelf->GetOrCreateInternal();
111
}
112
113
static void Shutdown() {
114
sSelf = nullptr;
115
sShutdown = true;
116
}
117
118
private:
119
~BundleHelper() = default;
120
121
nsIStringBundle* GetOrCreateInternal() {
122
if (!mBundle) {
123
nsCOMPtr<nsIStringBundleService> bundleService =
124
mozilla::services::GetStringBundleService();
125
if (NS_WARN_IF(!bundleService)) {
126
return nullptr;
127
}
128
129
nsresult rv = bundleService->CreateBundle(
131
getter_AddRefs(mBundle));
132
if (NS_WARN_IF(NS_FAILED(rv))) {
133
return nullptr;
134
}
135
}
136
137
return mBundle;
138
}
139
140
nsCOMPtr<nsIStringBundle> mBundle;
141
142
static StaticRefPtr<BundleHelper> sSelf;
143
static bool sShutdown;
144
};
145
146
StaticRefPtr<BundleHelper> BundleHelper::sSelf;
147
bool BundleHelper::sShutdown = false;
148
149
} // namespace
150
151
///////////////////////////
152
// Convenience Functions //
153
///////////////////////////
154
155
class nsAutoInPrincipalDomainOriginSetter {
156
public:
157
nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
158
~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
159
static uint32_t sInPrincipalDomainOrigin;
160
};
161
uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
162
163
static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
164
if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
165
// Allow a single recursive call to GetPrincipalDomainOrigin, since that
166
// might be happening on a different principal from the first call. But
167
// after that, cut off the recursion; it just indicates that something
168
// we're doing in this method causes us to reenter a security check here.
169
return NS_ERROR_NOT_AVAILABLE;
170
}
171
172
nsAutoInPrincipalDomainOriginSetter autoSetter;
173
174
nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
175
NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
176
177
nsAutoCString hostPort;
178
179
nsresult rv = uri->GetHostPort(hostPort);
180
if (NS_SUCCEEDED(rv)) {
181
nsAutoCString scheme;
182
rv = uri->GetScheme(scheme);
183
NS_ENSURE_SUCCESS(rv, rv);
184
aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
185
} else {
186
// Some URIs (e.g., nsSimpleURI) don't support host. Just
187
// get the full spec.
188
rv = uri->GetSpec(aOrigin);
189
NS_ENSURE_SUCCESS(rv, rv);
190
}
191
192
return NS_OK;
193
}
194
195
static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
196
nsACString& aOrigin) {
197
nsCOMPtr<nsIURI> uri;
198
aPrincipal->GetDomain(getter_AddRefs(uri));
199
if (!uri) {
200
aPrincipal->GetURI(getter_AddRefs(uri));
201
}
202
NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
203
204
return GetOriginFromURI(uri, aOrigin);
205
}
206
207
inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
208
JS_ReportErrorASCII(cx, "%s", aMsg);
209
}
210
211
inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
212
NS_ConvertUTF16toUTF8 msg(aMsg);
213
JS_ReportErrorUTF8(cx, "%s", msg.get());
214
}
215
216
/* static */
217
bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
218
nsIURI* aTargetURI) {
219
return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
220
sStrictFileOriginPolicy);
221
}
222
223
// SecurityHashURI is consistent with SecurityCompareURIs because
224
// NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
225
// nsNetUtil.h.
226
uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
227
return NS_SecurityHashURI(aURI);
228
}
229
230
/*
231
* GetChannelResultPrincipal will return the principal that the resource
232
* returned by this channel will use. For example, if the resource is in
233
* a sandbox, it will return the nullprincipal. If the resource is forced
234
* to inherit principal, it will return the principal of its parent. If
235
* the load doesn't require sandboxing or inheriting, it will return the same
236
* principal as GetChannelURIPrincipal. Namely the principal of the URI
237
* that is being loaded.
238
*/
239
NS_IMETHODIMP
240
nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
241
nsIPrincipal** aPrincipal) {
242
return GetChannelResultPrincipal(aChannel, aPrincipal,
243
/*aIgnoreSandboxing*/ false);
244
}
245
246
nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
247
nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
248
return GetChannelResultPrincipal(aChannel, aPrincipal,
249
/*aIgnoreSandboxing*/ true);
250
}
251
252
NS_IMETHODIMP
253
nsScriptSecurityManager::GetChannelResultStoragePrincipal(
254
nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
255
nsCOMPtr<nsIPrincipal> principal;
256
nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
257
/*aIgnoreSandboxing*/ false);
258
if (NS_WARN_IF(NS_FAILED(rv))) {
259
return rv;
260
}
261
262
return StoragePrincipalHelper::Create(aChannel, principal, aPrincipal);
263
}
264
265
NS_IMETHODIMP
266
nsScriptSecurityManager::GetChannelResultPrincipals(
267
nsIChannel* aChannel, nsIPrincipal** aPrincipal,
268
nsIPrincipal** aStoragePrincipal) {
269
nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
270
/*aIgnoreSandboxing*/ false);
271
if (NS_WARN_IF(NS_FAILED(rv))) {
272
return rv;
273
}
274
275
if (!(*aPrincipal)->GetIsContentPrincipal()) {
276
// If for some reason we don't have a content principal here, just reuse our
277
// principal for the storage principal too, since attempting to create a
278
// storage principal would fail anyway.
279
nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
280
copy.forget(aStoragePrincipal);
281
return NS_OK;
282
}
283
284
return StoragePrincipalHelper::Create(aChannel, *aPrincipal,
285
aStoragePrincipal);
286
}
287
288
nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
289
nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
290
MOZ_ASSERT(aChannel, "Must have channel!");
291
292
// Check whether we have an nsILoadInfo that says what we should do.
293
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
294
if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
295
nsCOMPtr<nsIPrincipal> principalToInherit =
296
loadInfo->FindPrincipalToInherit(aChannel);
297
principalToInherit.forget(aPrincipal);
298
return NS_OK;
299
}
300
301
nsCOMPtr<nsISupports> owner;
302
aChannel->GetOwner(getter_AddRefs(owner));
303
if (owner) {
304
CallQueryInterface(owner, aPrincipal);
305
if (*aPrincipal) {
306
return NS_OK;
307
}
308
}
309
310
if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
311
nsCOMPtr<nsIPrincipal> sandboxedLoadingPrincipal =
312
loadInfo->GetSandboxedLoadingPrincipal();
313
MOZ_ASSERT(sandboxedLoadingPrincipal);
314
sandboxedLoadingPrincipal.forget(aPrincipal);
315
return NS_OK;
316
}
317
318
bool forceInherit = loadInfo->GetForceInheritPrincipal();
319
if (aIgnoreSandboxing && !forceInherit) {
320
// Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
321
// sandboxing:
322
if (loadInfo->GetLoadingSandboxed() &&
323
loadInfo->GetForceInheritPrincipalDropped()) {
324
forceInherit = true;
325
}
326
}
327
if (forceInherit) {
328
nsCOMPtr<nsIPrincipal> principalToInherit =
329
loadInfo->FindPrincipalToInherit(aChannel);
330
principalToInherit.forget(aPrincipal);
331
return NS_OK;
332
}
333
334
auto securityMode = loadInfo->GetSecurityMode();
335
// The data: inheritance flags should only apply to the initial load,
336
// not to loads that it might have redirected to.
337
if (loadInfo->RedirectChain().IsEmpty() &&
338
(securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS ||
339
securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS ||
340
securityMode == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS)) {
341
nsCOMPtr<nsIURI> uri;
342
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
343
NS_ENSURE_SUCCESS(rv, rv);
344
345
nsCOMPtr<nsIPrincipal> principalToInherit =
346
loadInfo->FindPrincipalToInherit(aChannel);
347
bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
348
349
if (nsContentUtils::ChannelShouldInheritPrincipal(
350
principalToInherit, uri, inheritForAboutBlank, false)) {
351
principalToInherit.forget(aPrincipal);
352
return NS_OK;
353
}
354
}
355
return GetChannelURIPrincipal(aChannel, aPrincipal);
356
}
357
358
/* The principal of the URI that this channel is loading. This is never
359
* affected by things like sandboxed loads, or loads where we forcefully
360
* inherit the principal. Think of this as the principal of the server
361
* which this channel is loading from. Most callers should use
362
* GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
363
* call GetChannelURIPrincipal if you are sure that you want the
364
* principal that matches the uri, even in cases when the load is
365
* sandboxed or when the load could be a blob or data uri (i.e even when
366
* you encounter loads that may or may not be sandboxed and loads
367
* that may or may not inherit)."
368
*/
369
NS_IMETHODIMP
370
nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
371
nsIPrincipal** aPrincipal) {
372
MOZ_ASSERT(aChannel, "Must have channel!");
373
374
// Get the principal from the URI. Make sure this does the same thing
375
// as Document::Reset and PrototypeDocumentContentSink::Init.
376
nsCOMPtr<nsIURI> uri;
377
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
378
NS_ENSURE_SUCCESS(rv, rv);
379
380
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
381
382
// Inherit the origin attributes from loadInfo.
383
// If this is a top-level document load, the origin attributes of the
384
// loadInfo will be set from nsDocShell::DoURILoad.
385
// For subresource loading, the origin attributes of the loadInfo is from
386
// its loadingPrincipal.
387
OriginAttributes attrs = loadInfo->GetOriginAttributes();
388
389
nsCOMPtr<nsIPrincipal> prin =
390
BasePrincipal::CreateContentPrincipal(uri, attrs);
391
prin.forget(aPrincipal);
392
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
393
}
394
395
/////////////////////////////
396
// nsScriptSecurityManager //
397
/////////////////////////////
398
399
////////////////////////////////////
400
// Methods implementing ISupports //
401
////////////////////////////////////
402
NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
403
404
///////////////////////////////////////////////////
405
// Methods implementing nsIScriptSecurityManager //
406
///////////////////////////////////////////////////
407
408
///////////////// Security Checks /////////////////
409
410
bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
411
JSContext* cx, JS::HandleValue aValue) {
412
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
413
414
// Get the window, if any, corresponding to the current global
415
nsCOMPtr<nsIContentSecurityPolicy> csp;
416
if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
417
csp = win->GetCsp();
418
}
419
420
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
421
if (!csp) {
422
if (!StaticPrefs::extensions_content_script_csp_enabled()) {
423
return true;
424
}
425
// Get the CSP for addon sandboxes. If the principal is expanded and has a
426
// csp, we're probably in luck.
427
auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
428
// ContentScriptAddonPolicy means it is also an expanded principal, thus
429
// this is in a sandbox used as a content script.
430
if (basePrin->ContentScriptAddonPolicy()) {
431
basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
432
}
433
// don't do anything unless there's a CSP
434
if (!csp) {
435
return true;
436
}
437
}
438
439
nsCOMPtr<nsICSPEventListener> cspEventListener;
440
if (!NS_IsMainThread()) {
441
WorkerPrivate* workerPrivate =
442
mozilla::dom::GetWorkerPrivateFromContext(cx);
443
if (workerPrivate) {
444
cspEventListener = workerPrivate->CSPEventListener();
445
}
446
}
447
448
bool evalOK = true;
449
bool reportViolation = false;
450
nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
451
452
// A little convoluted. We want the scriptSample for a) reporting a violation
453
// or b) passing it to AssertEvalNotUsingSystemPrincipal or c) we're in the
454
// parent process. So do the work to get it if either of those cases is true.
455
nsAutoJSString scriptSample;
456
if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
457
XRE_IsE10sParentProcess()) {
458
JS::Rooted<JSString*> jsString(cx, JS::ToString(cx, aValue));
459
if (NS_WARN_IF(!jsString)) {
460
JS_ClearPendingException(cx);
461
return false;
462
}
463
464
if (NS_WARN_IF(!scriptSample.init(cx, jsString))) {
465
JS_ClearPendingException(cx);
466
return false;
467
}
468
}
469
470
#if !defined(ANDROID)
471
if (!nsContentSecurityUtils::IsEvalAllowed(
472
cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
473
return false;
474
}
475
#endif
476
477
if (NS_FAILED(rv)) {
478
NS_WARNING("CSP: failed to get allowsEval");
479
return true; // fail open to not break sites.
480
}
481
482
if (reportViolation) {
483
JS::AutoFilename scriptFilename;
484
nsAutoString fileName;
485
unsigned lineNum = 0;
486
unsigned columnNum = 0;
487
if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
488
if (const char* file = scriptFilename.get()) {
489
CopyUTF8toUTF16(nsDependentCString(file), fileName);
490
}
491
} else {
492
MOZ_ASSERT(!JS_IsExceptionPending(cx));
493
}
494
csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
495
nullptr, // triggering element
496
cspEventListener, fileName, scriptSample, lineNum,
497
columnNum, EmptyString(), EmptyString());
498
}
499
500
return evalOK;
501
}
502
503
// static
504
bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
505
JSPrincipals* second) {
506
return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
507
}
508
509
NS_IMETHODIMP
510
nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
511
nsIURI* aTargetURI,
512
bool reportError,
513
bool aFromPrivateWindow) {
514
// Please note that aFromPrivateWindow is only 100% accurate if
515
// reportError is true.
516
if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
517
if (reportError) {
518
ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
519
aFromPrivateWindow);
520
}
521
return NS_ERROR_DOM_BAD_URI;
522
}
523
return NS_OK;
524
}
525
526
/*static*/
527
uint32_t nsScriptSecurityManager::HashPrincipalByOrigin(
528
nsIPrincipal* aPrincipal) {
529
nsCOMPtr<nsIURI> uri;
530
aPrincipal->GetDomain(getter_AddRefs(uri));
531
if (!uri) aPrincipal->GetURI(getter_AddRefs(uri));
532
return SecurityHashURI(uri);
533
}
534
535
NS_IMETHODIMP
536
nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
537
// Get principal of currently executing script.
538
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
539
nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
540
nsresult rv = CheckLoadURIWithPrincipal(principal, aURI,
541
nsIScriptSecurityManager::STANDARD);
542
if (NS_SUCCEEDED(rv)) {
543
// OK to load
544
return NS_OK;
545
}
546
547
// Report error.
548
nsAutoCString spec;
549
if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
550
nsAutoCString msg("Access to '");
551
msg.Append(spec);
552
msg.AppendLiteral("' from script denied");
553
SetPendingExceptionASCII(cx, msg.get());
554
return NS_ERROR_DOM_BAD_URI;
555
}
556
557
/**
558
* Helper method to handle cases where a flag passed to
559
* CheckLoadURIWithPrincipal means denying loading if the given URI has certain
560
* nsIProtocolHandler flags set.
561
* @return if success, access is allowed. Otherwise, deny access
562
*/
563
static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
564
MOZ_ASSERT(aURI, "Must have URI!");
565
566
bool uriHasFlags;
567
nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
568
NS_ENSURE_SUCCESS(rv, rv);
569
570
if (uriHasFlags) {
571
return NS_ERROR_DOM_BAD_URI;
572
}
573
574
return NS_OK;
575
}
576
577
static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
578
nsresult rv;
579
nsCOMPtr<nsIURI> probe = aProbeArg;
580
581
nsCOMPtr<nsIEffectiveTLDService> tldService =
582
do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
583
NS_ENSURE_TRUE(tldService, false);
584
while (true) {
585
if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
586
return true;
587
}
588
589
nsAutoCString host, newHost;
590
rv = probe->GetHost(host);
591
NS_ENSURE_SUCCESS(rv, false);
592
593
rv = tldService->GetNextSubDomain(host, newHost);
594
if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
595
return false;
596
}
597
NS_ENSURE_SUCCESS(rv, false);
598
rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
599
NS_ENSURE_SUCCESS(rv, false);
600
}
601
}
602
603
NS_IMETHODIMP
604
nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
605
nsIURI* aTargetURI,
606
uint32_t aFlags) {
607
MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
608
609
// If someone passes a flag that we don't understand, we should
610
// fail, because they may need a security check that we don't
611
// provide.
612
NS_ENSURE_FALSE(
613
aFlags &
614
~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
615
nsIScriptSecurityManager::ALLOW_CHROME |
616
nsIScriptSecurityManager::DISALLOW_SCRIPT |
617
nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
618
nsIScriptSecurityManager::DONT_REPORT_ERRORS),
619
NS_ERROR_UNEXPECTED);
620
NS_ENSURE_ARG_POINTER(aPrincipal);
621
NS_ENSURE_ARG_POINTER(aTargetURI);
622
623
// If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
624
// would do such inheriting. That would be URIs that do not have their own
625
// security context. We do this even for the system principal.
626
if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
627
nsresult rv = DenyAccessIfURIHasFlags(
628
aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
629
NS_ENSURE_SUCCESS(rv, rv);
630
}
631
632
if (aPrincipal == mSystemPrincipal) {
633
// Allow access
634
return NS_OK;
635
}
636
637
nsCOMPtr<nsIURI> sourceURI;
638
aPrincipal->GetURI(getter_AddRefs(sourceURI));
639
if (!sourceURI) {
640
auto* basePrin = BasePrincipal::Cast(aPrincipal);
641
if (basePrin->Is<ExpandedPrincipal>()) {
642
auto expanded = basePrin->As<ExpandedPrincipal>();
643
for (auto& prin : expanded->AllowList()) {
644
nsresult rv = CheckLoadURIWithPrincipal(prin, aTargetURI, aFlags);
645
if (NS_SUCCEEDED(rv)) {
646
// Allow access if it succeeded with one of the allowlisted principals
647
return NS_OK;
648
}
649
}
650
// None of our allowlisted principals worked.
651
return NS_ERROR_DOM_BAD_URI;
652
}
653
NS_ERROR(
654
"Non-system principals or expanded principal passed to "
655
"CheckLoadURIWithPrincipal "
656
"must have a URI!");
657
return NS_ERROR_UNEXPECTED;
658
}
659
660
// Automatic loads are not allowed from certain protocols.
661
if (aFlags &
662
nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
663
nsresult rv = DenyAccessIfURIHasFlags(
664
sourceURI,
665
nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
666
NS_ENSURE_SUCCESS(rv, rv);
667
}
668
669
// If either URI is a nested URI, get the base URI
670
nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
671
nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
672
673
//-- get the target scheme
674
nsAutoCString targetScheme;
675
nsresult rv = targetBaseURI->GetScheme(targetScheme);
676
if (NS_FAILED(rv)) return rv;
677
678
//-- Some callers do not allow loading javascript:
679
if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
680
targetScheme.EqualsLiteral("javascript")) {
681
return NS_ERROR_DOM_BAD_URI;
682
}
683
684
// Check for uris that are only loadable by principals that subsume them
685
bool hasFlags;
686
rv = NS_URIChainHasFlags(
687
targetBaseURI, nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS, &hasFlags);
688
NS_ENSURE_SUCCESS(rv, rv);
689
690
if (hasFlags) {
691
// check nothing else in the URI chain has flags that prevent
692
// access:
693
rv = CheckLoadURIFlags(
694
sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
695
aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0);
696
NS_ENSURE_SUCCESS(rv, rv);
697
// Check the principal is allowed to load the target.
698
return aPrincipal->CheckMayLoad(targetBaseURI, true, false);
699
}
700
701
//-- get the source scheme
702
nsAutoCString sourceScheme;
703
rv = sourceBaseURI->GetScheme(sourceScheme);
704
if (NS_FAILED(rv)) return rv;
705
706
if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
707
// A null principal can target its own URI.
708
if (sourceURI == aTargetURI) {
709
return NS_OK;
710
}
711
} else if (StaticPrefs::
712
security_view_source_reachable_from_inner_protocol() &&
713
sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
714
aTargetURI->SchemeIs("view-source")) {
715
// exception for foo: linking to view-source:foo for reftests...
716
return NS_OK;
717
} else if (sourceScheme.EqualsIgnoreCase("file") &&
718
targetScheme.EqualsIgnoreCase("moz-icon")) {
719
// exception for file: linking to moz-icon://.ext?size=...
720
// Note that because targetScheme is the base (innermost) URI scheme,
721
// this does NOT allow file -> moz-icon:file:///... links.
722
// This is intentional.
723
return NS_OK;
724
}
725
726
// Check for webextension
727
rv = NS_URIChainHasFlags(
728
aTargetURI, nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS, &hasFlags);
729
NS_ENSURE_SUCCESS(rv, rv);
730
731
if (hasFlags && BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
732
return NS_OK;
733
}
734
735
// If we get here, check all the schemes can link to each other, from the top
736
// down:
737
nsCaseInsensitiveCStringComparator stringComparator;
738
nsCOMPtr<nsIURI> currentURI = sourceURI;
739
nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
740
741
bool denySameSchemeLinks = false;
742
rv = NS_URIChainHasFlags(aTargetURI,
743
nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
744
&denySameSchemeLinks);
745
if (NS_FAILED(rv)) return rv;
746
747
while (currentURI && currentOtherURI) {
748
nsAutoCString scheme, otherScheme;
749
currentURI->GetScheme(scheme);
750
currentOtherURI->GetScheme(otherScheme);
751
752
bool schemesMatch = scheme.Equals(otherScheme, stringComparator);
753
bool isSamePage = false;
754
// about: URIs are special snowflakes.
755
if (scheme.EqualsLiteral("about") && schemesMatch) {
756
nsAutoCString moduleName, otherModuleName;
757
// about: pages can always link to themselves:
758
isSamePage =
759
NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
760
NS_SUCCEEDED(
761
NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
762
moduleName.Equals(otherModuleName);
763
if (!isSamePage) {
764
// We will have allowed the load earlier if the source page has
765
// system principal. So we know the source has a content
766
// principal, and it's trying to link to something else.
767
// Linkable about: pages are always reachable, even if we hit
768
// the CheckLoadURIFlags call below.
769
// We punch only 1 other hole: iff the source is unlinkable,
770
// we let them link to other pages explicitly marked SAFE
771
// for content. This avoids world-linkable about: pages linking
772
// to non-world-linkable about: pages.
773
nsCOMPtr<nsIAboutModule> module, otherModule;
774
bool knowBothModules =
775
NS_SUCCEEDED(
776
NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
777
NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
778
getter_AddRefs(otherModule)));
779
uint32_t aboutModuleFlags = 0;
780
uint32_t otherAboutModuleFlags = 0;
781
knowBothModules =
782
knowBothModules &&
783
NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
784
NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
785
&otherAboutModuleFlags));
786
if (knowBothModules) {
787
isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
788
(otherAboutModuleFlags &
789
nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
790
if (isSamePage &&
791
otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
792
// XXXgijs: this is a hack. The target will be nested
793
// (with innerURI of moz-safe-about:whatever), and
794
// the source isn't, so we won't pass if we finish
795
// the loop. We *should* pass, though, so return here.
796
// This hack can go away when bug 1228118 is fixed.
797
return NS_OK;
798
}
799
}
800
}
801
} else {
802
bool equalExceptRef = false;
803
rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
804
isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
805
}
806
807
// If schemes are not equal, or they're equal but the target URI
808
// is different from the source URI and doesn't always allow linking
809
// from the same scheme, check if the URI flags of the current target
810
// URI allow the current source URI to link to it.
811
// The policy is specified by the protocol flags on both URIs.
812
if (!schemesMatch || (denySameSchemeLinks && !isSamePage)) {
813
return CheckLoadURIFlags(
814
currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
815
aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0);
816
}
817
// Otherwise... check if we can nest another level:
818
nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
819
nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
820
821
// If schemes match and neither URI is nested further, we're OK.
822
if (!nestedURI && !nestedOtherURI) {
823
return NS_OK;
824
}
825
// If one is nested and the other isn't, something is wrong.
826
if (!nestedURI != !nestedOtherURI) {
827
return NS_ERROR_DOM_BAD_URI;
828
}
829
// Otherwise, both should be nested and we'll go through the loop again.
830
nestedURI->GetInnerURI(getter_AddRefs(currentURI));
831
nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
832
}
833
834
// We should never get here. We should always return from inside the loop.
835
return NS_ERROR_DOM_BAD_URI;
836
}
837
838
/**
839
* Helper method to check whether the target URI and its innermost ("base") URI
840
* has protocol flags that should stop it from being loaded by the source URI
841
* (and/or the source URI's innermost ("base") URI), taking into account any
842
* nsIScriptSecurityManager flags originally passed to
843
* CheckLoadURIWithPrincipal and friends.
844
*
845
* @return if success, access is allowed. Otherwise, deny access
846
*/
847
nsresult nsScriptSecurityManager::CheckLoadURIFlags(
848
nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
849
nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow) {
850
// Note that the order of policy checks here is very important!
851
// We start from most restrictive and work our way down.
852
bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
853
const char* errorTag = "CheckLoadURIError";
854
855
nsAutoCString targetScheme;
856
nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
857
if (NS_FAILED(rv)) return rv;
858
859
// Check for system target URI
860
rv = DenyAccessIfURIHasFlags(aTargetURI,
861
nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
862
if (NS_FAILED(rv)) {
863
// Deny access, since the origin principal is not system
864
if (reportErrors) {
865
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow);
866
}
867
return rv;
868
}
869
870
// Used by ExtensionProtocolHandler to prevent loading extension resources
871
// in private contexts if the extension does not have permission.
872
if (aFromPrivateWindow) {
873
rv = DenyAccessIfURIHasFlags(
874
aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
875
if (NS_FAILED(rv)) {
876
if (reportErrors) {
877
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow);
878
}
879
return rv;
880
}
881
}
882
883
// Check for chrome target URI
884
bool hasFlags = false;
885
rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
886
&hasFlags);
887
NS_ENSURE_SUCCESS(rv, rv);
888
if (hasFlags) {
889
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
890
// Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
891
// target if ALLOW_CHROME is set.
892
//
893
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
894
// loads (since docshell loads run the loaded content with its origin
895
// principal). So we're effectively allowing resource://, chrome://,
896
// and moz-icon:// source URIs to load resource://, chrome://, and
897
// moz-icon:// files, so long as they're not loading it as a document.
898
bool sourceIsUIResource;
899
rv = NS_URIChainHasFlags(aSourceBaseURI,
900
nsIProtocolHandler::URI_IS_UI_RESOURCE,
901
&sourceIsUIResource);
902
NS_ENSURE_SUCCESS(rv, rv);
903
if (sourceIsUIResource) {
904
return NS_OK;
905
}
906
907
if (targetScheme.EqualsLiteral("resource")) {
908
if (StaticPrefs::security_all_resource_uri_content_accessible()) {
909
return NS_OK;
910
}
911
912
nsCOMPtr<nsIProtocolHandler> ph;
913
rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
914
NS_ENSURE_SUCCESS(rv, rv);
915
if (!ph) {
916
return NS_ERROR_DOM_BAD_URI;
917
}
918
919
nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
920
if (!rph) {
921
return NS_ERROR_DOM_BAD_URI;
922
}
923
924
bool accessAllowed = false;
925
rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
926
if (accessAllowed) {
927
return NS_OK;
928
}
929
} else if (targetScheme.EqualsLiteral("chrome")) {
930
// Allow the load only if the chrome package is allowlisted.
931
nsCOMPtr<nsIXULChromeRegistry> reg(
932
do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
933
if (reg) {
934
bool accessAllowed = false;
935
reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
936
if (accessAllowed) {
937
return NS_OK;
938
}
939
}
940
}
941
}
942
943
if (reportErrors) {
944
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow);
945
}
946
return NS_ERROR_DOM_BAD_URI;
947
}
948
949
// Check for target URI pointing to a file
950
rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
951
&hasFlags);
952
NS_ENSURE_SUCCESS(rv, rv);
953
if (hasFlags) {
954
// Allow domains that were allowlisted in the prefs. In 99.9% of cases,
955
// this array is empty.
956
bool isAllowlisted;
957
MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
958
if (isAllowlisted) {
959
return NS_OK;
960
}
961
962
// Allow chrome://
963
if (aSourceBaseURI->SchemeIs("chrome")) {
964
return NS_OK;
965
}
966
967
// Nothing else.
968
if (reportErrors) {
969
ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow);
970
}
971
return NS_ERROR_DOM_BAD_URI;
972
}
973
974
// OK, everyone is allowed to load this, since unflagged handlers are
975
// deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
976
// need to warn. At some point we'll want to make this warning into an
977
// error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
978
rv = NS_URIChainHasFlags(
979
aTargetBaseURI, nsIProtocolHandler::URI_LOADABLE_BY_ANYONE, &hasFlags);
980
NS_ENSURE_SUCCESS(rv, rv);
981
// NB: we also get here if the base URI is URI_LOADABLE_BY_SUBSUMERS,
982
// and none of the rest of the nested chain of URIs for aTargetURI
983
// prohibits the load, so avoid warning in that case:
984
bool hasSubsumersFlag = false;
985
rv = NS_URIChainHasFlags(aTargetBaseURI,
986
nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
987
&hasSubsumersFlag);
988
NS_ENSURE_SUCCESS(rv, rv);
989
if (!hasFlags && !hasSubsumersFlag) {
990
nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
991
if (bundle) {
992
nsAutoString message;
993
AutoTArray<nsString, 1> formatStrings;
994
CopyASCIItoUTF16(targetScheme, *formatStrings.AppendElement());
995
rv = bundle->FormatStringFromName("ProtocolFlagError", formatStrings,
996
message);
997
if (NS_SUCCEEDED(rv)) {
998
nsCOMPtr<nsIConsoleService> console(
999
do_GetService("@mozilla.org/consoleservice;1"));
1000
NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1001
1002
console->LogStringMessage(message.get());
1003
}
1004
}
1005
}
1006
1007
return NS_OK;
1008
}
1009
1010
nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1011
nsIURI* aSource, nsIURI* aTarget,
1012
bool aFromPrivateWindow) {
1013
nsresult rv;
1014
NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1015
1016
// Get the source URL spec
1017
nsAutoCString sourceSpec;
1018
rv = aSource->GetAsciiSpec(sourceSpec);
1019
NS_ENSURE_SUCCESS(rv, rv);
1020
1021
// Get the target URL spec
1022
nsAutoCString targetSpec;
1023
rv = aTarget->GetAsciiSpec(targetSpec);
1024
NS_ENSURE_SUCCESS(rv, rv);
1025
1026
nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1027
if (NS_WARN_IF(!bundle)) {
1028
return NS_OK;
1029
}
1030
1031
// Localize the error message
1032
nsAutoString message;
1033
AutoTArray<nsString, 2> formatStrings;
1034
CopyASCIItoUTF16(sourceSpec, *formatStrings.AppendElement());
1035
CopyASCIItoUTF16(targetSpec, *formatStrings.AppendElement());
1036
rv = bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1037
NS_ENSURE_SUCCESS(rv, rv);
1038
1039
nsCOMPtr<nsIConsoleService> console(
1040
do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1041
NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1042
nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1043
NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1044
1045
// using category of "SOP" so we can link to MDN
1046
rv = error->Init(message, EmptyString(), EmptyString(), 0, 0,
1047
nsIScriptError::errorFlag, "SOP", aFromPrivateWindow,
1048
true /* From chrome context */);
1049
NS_ENSURE_SUCCESS(rv, rv);
1050
console->LogMessage(error);
1051
return NS_OK;
1052
}
1053
1054
NS_IMETHODIMP
1055
nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1056
nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1057
uint32_t aFlags) {
1058
nsresult rv;
1059
nsCOMPtr<nsIURI> target;
1060
rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1061
NS_ENSURE_SUCCESS(rv, rv);
1062
1063
rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
1064
if (rv == NS_ERROR_DOM_BAD_URI) {
1065
// Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1066
// return values.
1067
return rv;
1068
}
1069
NS_ENSURE_SUCCESS(rv, rv);
1070
1071
// Now start testing fixup -- since aTargetURIStr is a string, not
1072
// an nsIURI, we may well end up fixing it up before loading.
1073
// Note: This needs to stay in sync with the nsIURIFixup api.
1074
nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1075
if (!fixup) {
1076
return rv;
1077
}
1078
1079
uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1080
nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
1081
nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
1082
nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
1083
nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
1084
nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI};
1085
1086
for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1087
uint32_t fixupFlags = flags[i];
1088
if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1089
fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1090
}
1091
rv = fixup->CreateFixupURI(aTargetURIStr, fixupFlags, nullptr,
1092
getter_AddRefs(target));
1093
NS_ENSURE_SUCCESS(rv, rv);
1094
1095
rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
1096
if (rv == NS_ERROR_DOM_BAD_URI) {
1097
// Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1098
// return values.
1099
return rv;
1100
}
1101
NS_ENSURE_SUCCESS(rv, rv);
1102
}
1103
1104
return rv;
1105
}
1106
1107
NS_IMETHODIMP
1108
nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1109
MOZ_ASSERT(aUri);
1110
MOZ_ASSERT(aResult);
1111
1112
*aResult = false;
1113
for (nsIURI* uri : EnsureFileURIAllowlist()) {
1114
if (EqualOrSubdomain(aUri, uri)) {
1115
*aResult = true;
1116
return NS_OK;
1117
}
1118
}
1119
1120
return NS_OK;
1121
}
1122
1123
///////////////// Principals ///////////////////////
1124
1125
NS_IMETHODIMP
1126
nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1127
NS_ADDREF(*result = mSystemPrincipal);
1128
1129
return NS_OK;
1130
}
1131
1132
NS_IMETHODIMP
1133
nsScriptSecurityManager::CreateContentPrincipal(
1134
nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1135
nsIPrincipal** aPrincipal) {
1136
OriginAttributes attrs;
1137
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1138
return NS_ERROR_INVALID_ARG;
1139
}
1140
nsCOMPtr<nsIPrincipal> prin =
1141
BasePrincipal::CreateContentPrincipal(aURI, attrs);
1142
prin.forget(aPrincipal);
1143
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1144
}
1145
1146
NS_IMETHODIMP
1147
nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1148
const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1149
if (StringBeginsWith(aOrigin, NS_LITERAL_CSTRING("["))) {
1150
return NS_ERROR_INVALID_ARG;
1151
}
1152
1153
if (StringBeginsWith(aOrigin,
1154
NS_LITERAL_CSTRING(NS_NULLPRINCIPAL_SCHEME ":"))) {
1155
return NS_ERROR_INVALID_ARG;
1156
}
1157
1158
nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1159
prin.forget(aPrincipal);
1160
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1161
}
1162
1163
NS_IMETHODIMP
1164
nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1165
nsACString& aJSON) {
1166
aJSON.Truncate();
1167
if (!aPrincipal) {
1168
return NS_ERROR_FAILURE;
1169
}
1170
1171
BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1172
1173
if (aJSON.IsEmpty()) {
1174
return NS_ERROR_FAILURE;
1175
}
1176
1177
return NS_OK;
1178
}
1179
1180
NS_IMETHODIMP
1181
nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1182
nsIPrincipal** aPrincipal) {
1183
if (aJSON.IsEmpty()) {
1184
return NS_ERROR_FAILURE;
1185
}
1186
1187
nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1188
1189
if (!principal) {
1190
return NS_ERROR_FAILURE;
1191
}
1192
1193
principal.forget(aPrincipal);
1194
return NS_OK;
1195
}
1196
1197
NS_IMETHODIMP
1198
nsScriptSecurityManager::CreateNullPrincipal(
1199
JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1200
nsIPrincipal** aPrincipal) {
1201
OriginAttributes attrs;
1202
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1203
return NS_ERROR_INVALID_ARG;
1204
}
1205
nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1206
prin.forget(aPrincipal);
1207
return NS_OK;
1208
}
1209
1210
NS_IMETHODIMP
1211
nsScriptSecurityManager::GetLoadContextContentPrincipal(
1212
nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1213
NS_ENSURE_STATE(aLoadContext);
1214
OriginAttributes docShellAttrs;
1215
aLoadContext->GetOriginAttributes(docShellAttrs);
1216
1217
nsCOMPtr<nsIPrincipal> prin =
1218
BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1219
prin.forget(aPrincipal);
1220
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1221
}
1222
1223
NS_IMETHODIMP
1224
nsScriptSecurityManager::GetDocShellContentPrincipal(
1225
nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1226
nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1227
aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1228
prin.forget(aPrincipal);
1229
return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1230
}
1231
1232
NS_IMETHODIMP
1233
nsScriptSecurityManager::PrincipalWithOA(
1234
nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1235
JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1236
if (!aPrincipal) {
1237
return NS_OK;
1238
}
1239
if (aPrincipal->GetIsContentPrincipal()) {
1240
OriginAttributes attrs;
1241
if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1242
return NS_ERROR_INVALID_ARG;
1243
}
1244
RefPtr<ContentPrincipal> copy = new ContentPrincipal();
1245
ContentPrincipal* contentPrincipal =
1246
static_cast<ContentPrincipal*>(aPrincipal);
1247
nsresult rv = copy->Init(contentPrincipal, attrs);
1248
NS_ENSURE_SUCCESS(rv, rv);
1249
copy.forget(aReturnPrincipal);
1250
} else {
1251
// We do this for null principals, system principals (both fine)
1252
// ... and expanded principals, where we should probably do something
1253
// cleverer, but I also don't think we care too much.
1254
nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1255
prin.forget(aReturnPrincipal);
1256
}
1257
1258
return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1259
}
1260
1261
NS_IMETHODIMP
1262
nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1263
nsISupports* aObj,
1264
nsIClassInfo* aClassInfo) {
1265
// XXX Special case for Exception ?
1266
1267
// We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1268
JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1269
MOZ_RELEASE_ASSERT(contextRealm);
1270
if (!xpc::AllowContentXBLScope(contextRealm)) {
1271
return NS_OK;
1272
}
1273
1274
if (nsContentUtils::IsCallerChrome()) {
1275
return NS_OK;
1276
}
1277
1278
//-- Access denied, report an error
1279
nsAutoCString originUTF8;
1280
nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1281
GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1282
NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1283
nsAutoCString classInfoNameUTF8;
1284
if (aClassInfo) {
1285
aClassInfo->GetClassDescription(classInfoNameUTF8);
1286
}
1287
if (classInfoNameUTF8.IsEmpty()) {
1288
classInfoNameUTF8.AssignLiteral("UnnamedClass");
1289
}
1290
1291
nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1292
if (NS_WARN_IF(!bundle)) {
1293
return NS_OK;
1294
}
1295
1296
NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1297
nsresult rv;
1298
nsAutoString errorMsg;
1299
if (originUTF16.IsEmpty()) {
1300
AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1301
rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1302
errorMsg);
1303
} else {
1304
AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1305
rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1306
formatStrings, errorMsg);
1307
}
1308
NS_ENSURE_SUCCESS(rv, rv);
1309
1310
SetPendingException(cx, errorMsg.get());
1311
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1312
}
1313
1314
NS_IMETHODIMP
1315
nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1316
if (nsContentUtils::IsCallerChrome()) {
1317
return NS_OK;
1318
}
1319
1320
//-- Access denied, report an error
1321
nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1322
char cidStr[NSID_LENGTH];
1323
aCID.ToProvidedString(cidStr);
1324
errorMsg.Append(cidStr);
1325
SetPendingExceptionASCII(cx, errorMsg.get());
1326
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1327
}
1328
1329
NS_IMETHODIMP
1330
nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1331
if (nsContentUtils::IsCallerChrome()) {
1332
return NS_OK;
1333
}
1334
1335
//-- Access denied, report an error
1336
nsAutoCString errorMsg("Permission denied to get service. CID=");
1337
char cidStr[NSID_LENGTH];
1338
aCID.ToProvidedString(cidStr);
1339
errorMsg.Append(cidStr);
1340
SetPendingExceptionASCII(cx, errorMsg.get());
1341
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1342
}
1343
1344
const char sJSEnabledPrefName[] = "javascript.enabled";
1345
const char sFileOriginPolicyPrefName[] =
1346
"security.fileuri.strict_origin_policy";
1347
1348
static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1349
sFileOriginPolicyPrefName,
1350
"capability.policy.", nullptr};
1351
1352
/////////////////////////////////////////////
1353
// Constructor, Destructor, Initialization //
1354
/////////////////////////////////////////////
1355
nsScriptSecurityManager::nsScriptSecurityManager(void)
1356
: mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1357
static_assert(
1358
sizeof(intptr_t) == sizeof(void*),
1359
"intptr_t and void* have different lengths on this platform. "
1360
"This may cause a security failure with the SecurityLevel union.");
1361
}
1362
1363
nsresult nsScriptSecurityManager::Init() {
1364
nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1365
NS_ENSURE_SUCCESS(rv, rv);
1366
1367
InitPrefs();
1368
1369
// Create our system principal singleton
1370
RefPtr<SystemPrincipal> system = SystemPrincipal::Create();
1371
1372
mSystemPrincipal = system;
1373
1374
//-- Register security check callback in the JS engine
1375
// Currently this is used to control access to function.caller
1376
sContext = danger::GetJSContext();
1377
1378
static const JSSecurityCallbacks securityCallbacks = {
1379
ContentSecurityPolicyPermitsJSAction,
1380
JSPrincipalsSubsume,
1381
};
1382
1383
MOZ_ASSERT(!JS_GetSecurityCallbacks(sContext));
1384
JS_SetSecurityCallbacks(sContext, &securityCallbacks);
1385
JS_InitDestroyPrincipalsCallback(sContext, nsJSPrincipals::Destroy);
1386
1387
JS_SetTrustedPrincipals(sContext, system);
1388
1389
return NS_OK;
1390
}
1391
1392
static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1393
1394
nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1395
Preferences::UnregisterPrefixCallbacks(
1396
nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1397
if (mDomainPolicy) {
1398
mDomainPolicy->Deactivate();
1399
}
1400
// ContentChild might hold a reference to the domain policy,
1401
// and it might release it only after the security manager is
1402
// gone. But we can still assert this for the main process.
1403
MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1404
}
1405
1406
void nsScriptSecurityManager::Shutdown() {
1407
if (sContext) {
1408
JS_SetSecurityCallbacks(sContext, nullptr);
1409
JS_SetTrustedPrincipals(sContext, nullptr);
1410
sContext = nullptr;
1411
}
1412
1413
NS_IF_RELEASE(sIOService);
1414
BundleHelper::Shutdown();
1415
}
1416
1417
nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1418
return gScriptSecMan;
1419
}
1420
1421
/* static */
1422
void nsScriptSecurityManager::InitStatics() {
1423
RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1424
nsresult rv = ssManager->Init();
1425
if (NS_FAILED(rv)) {
1426
MOZ_CRASH("ssManager->Init() failed");
1427
}
1428
1429
ClearOnShutdown(&gScriptSecMan);
1430
gScriptSecMan = ssManager;
1431
}
1432
1433
// Currently this nsGenericFactory constructor is used only from FastLoad
1434
// (XPCOM object deserialization) code, when "creating" the system principal
1435
// singleton.
1436
already_AddRefed<SystemPrincipal>
1437
nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1438
if (gScriptSecMan)
1439
return do_AddRef(gScriptSecMan->mSystemPrincipal)
1440
.downcast<SystemPrincipal>();
1441
return nullptr;
1442
}
1443
1444
struct IsWhitespace {
1445
static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1446
};
1447
struct IsWhitespaceOrComma {
1448
static bool Test(char aChar) {
1449
return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1450
};
1451
};
1452
1453
template <typename Predicate>
1454
uint32_t SkipPast(const nsCString& str, uint32_t base) {
1455
while (base < str.Length() && Predicate::Test(str[base])) {
1456
++base;
1457
}
1458
return base;
1459
}
1460
1461
template <typename Predicate>
1462
uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1463
while (base < str.Length() && !Predicate::Test(str[base])) {
1464
++base;
1465
}
1466
return base;
1467
}
1468
1469
// static
1470
void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1471
void* aSelf) {
1472
static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1473
aPref);
1474
}
1475
1476
inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1477
const char* aPref) {
1478
MOZ_ASSERT(mPrefInitialized);
1479
mIsJavaScriptEnabled =
1480
Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1481
sStrictFileOriginPolicy =
1482
Preferences::GetBool(sFileOriginPolicyPrefName, false);
1483
mFileURIAllowlist.reset();
1484
}
1485
1486
void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1487
const nsCString& aSiteList) {
1488
for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1489
base < aSiteList.Length();
1490
base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1491
// Grab the current site.
1492
bound = SkipUntil<IsWhitespace>(aSiteList, base);
1493
nsAutoCString site(Substring(aSiteList, base, bound - base));
1494
1495
// Check if the URI is schemeless. If so, add both http and https.
1496
nsAutoCString unused;
1497
if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1498
AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("http://") + site);
1499
AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("https://") + site);
1500
continue;
1501
}
1502
1503
// Convert it to a URI and add it to our list.
1504
nsCOMPtr<nsIURI> uri;
1505
nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1506
if (NS_SUCCEEDED(rv)) {
1507
mFileURIAllowlist.ref().AppendElement(uri);
1508
} else {
1509
nsCOMPtr<nsIConsoleService> console(
1510
do_GetService("@mozilla.org/consoleservice;1"));
1511
if (console) {
1512
nsAutoString msg =
1513
NS_LITERAL_STRING(
1514
"Unable to to add site to file:// URI allowlist: ") +
1515
NS_ConvertASCIItoUTF16(site);
1516
console->LogStringMessage(msg.get());
1517
}
1518
}
1519
}
1520
}
1521
1522
nsresult nsScriptSecurityManager::InitPrefs() {
1523
nsIPrefBranch* branch = Preferences::GetRootBranch();
1524
NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1525
1526
mPrefInitialized = true;
1527
1528
// Set the initial value of the "javascript.enabled" prefs
1529
ScriptSecurityPrefChanged();
1530
1531
// set observer callbacks in case the value of the prefs change
1532
Preferences::RegisterPrefixCallbacks(
1533
nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1534
1535
return NS_OK;
1536
}
1537
1538
NS_IMETHODIMP
1539
nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1540
*aRv = !!mDomainPolicy;
1541
return NS_OK;
1542
}
1543
1544
NS_IMETHODIMP
1545
nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1546
if (!XRE_IsParentProcess()) {
1547
return NS_ERROR_SERVICE_NOT_AVAILABLE;
1548
}
1549
1550
return ActivateDomainPolicyInternal(aRv);
1551
}
1552
1553
NS_IMETHODIMP
1554
nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1555
// We only allow one domain policy at a time. The holder of the previous
1556
// policy must explicitly deactivate it first.
1557
if (mDomainPolicy) {
1558
return NS_ERROR_SERVICE_NOT_AVAILABLE;
1559
}
1560
1561
mDomainPolicy = new DomainPolicy();
1562
nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1563
ptr.forget(aRv);
1564
return NS_OK;
1565
}
1566
1567
// Intentionally non-scriptable. Script must have a reference to the
1568
// nsIDomainPolicy to deactivate it.
1569
void nsScriptSecurityManager::DeactivateDomainPolicy() {
1570
mDomainPolicy = nullptr;
1571
}
1572
1573
void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1574
MOZ_ASSERT(aClone);
1575
if (mDomainPolicy) {
1576
mDomainPolicy->CloneDomainPolicy(aClone);
1577
} else {
1578
aClone->active() = false;
1579
}
1580
}
1581
1582
NS_IMETHODIMP
1583
nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1584
nsresult rv;
1585
1586
// Compute our rule. If we don't have any domain policy set up that might
1587
// provide exceptions to this rule, we're done.
1588
*aRv = mIsJavaScriptEnabled;
1589
if (!mDomainPolicy) {
1590
return NS_OK;
1591
}
1592
1593
// We have a domain policy. Grab the appropriate set of exceptions to the
1594
// rule (either the blocklist or the allowlist, depending on whether script
1595
// is enabled or disabled by default).
1596
nsCOMPtr<nsIDomainSet> exceptions;
1597
nsCOMPtr<nsIDomainSet> superExceptions;
1598
if (*aRv) {
1599
mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1600
mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1601
} else {
1602
mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1603
mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1604
}
1605
1606
bool contains;
1607
rv = exceptions->Contains(aURI, &contains);
1608
NS_ENSURE_SUCCESS(rv, rv);
1609
if (contains) {
1610
*aRv = !*aRv;
1611
return NS_OK;
1612
}
1613
rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1614
NS_ENSURE_SUCCESS(rv, rv);
1615
if (contains) {
1616
*aRv = !*aRv;
1617
}
1618
1619
return NS_OK;
1620
}
1621
1622
const nsTArray<nsCOMPtr<nsIURI>>&
1623
nsScriptSecurityManager::EnsureFileURIAllowlist() {
1624
if (mFileURIAllowlist.isSome()) {
1625
return mFileURIAllowlist.ref();
1626
}
1627
1628
//
1629
// Rebuild the set of principals for which we allow file:// URI loads. This
1630
// implements a small subset of an old pref-based CAPS people that people
1631
// have come to depend on. See bug 995943.
1632
//
1633
1634
mFileURIAllowlist.emplace();
1635
nsAutoCString policies;
1636
mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1637
for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1638
base < policies.Length();
1639
base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1640
// Grab the current policy name.
1641
bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1642
auto policyName = Substring(policies, base, bound - base);
1643
1644
// Figure out if this policy allows loading file:// URIs. If not, we can
1645
// skip it.
1646
nsCString checkLoadURIPrefName =
1647
NS_LITERAL_CSTRING("capability.policy.") + policyName +
1648
NS_LITERAL_CSTRING(".checkloaduri.enabled");
1649
nsAutoString value;
1650
nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1651
if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1652
continue;
1653
}
1654
1655
// Grab the list of domains associated with this policy.
1656
nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1657
policyName + NS_LITERAL_CSTRING(".sites");
1658
nsAutoCString siteList;
1659
Preferences::GetCString(domainPrefName.get(), siteList);
1660
AddSitesToFileURIAllowlist(siteList);
1661
}
1662
1663
return mFileURIAllowlist.ref();
1664
}