dom/security/ReferrerInfo.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef mozilla_dom_ReferrerInfo_h
   8 #define mozilla_dom_ReferrerInfo_h
   9
  10 #include "nsCOMPtr.h"
  11 #include "nsIReferrerInfo.h"
  12 #include "nsReadableUtils.h"
  13 #include "mozilla/Maybe.h"
  14 #include "mozilla/HashFunctions.h"
  15 #include "mozilla/dom/ReferrerPolicyBinding.h"
  16
  17 #define REFERRERINFOF_CONTRACTID "@mozilla.org/referrer-info;1"
  18 // 041a129f-10ce-4bda-a60d-e027a26d5ed0
  19 #define REFERRERINFO_CID                             \
  20   {                                                  \
  21     0x041a129f, 0x10ce, 0x4bda, {                    \
  22       0xa6, 0x0d, 0xe0, 0x27, 0xa2, 0x6d, 0x5e, 0xd0 \
  23     }                                                \
  24   }
  25
  26 class nsIHttpChannel;
  27 class nsIURI;
  28 class nsIChannel;
  29 class nsILoadInfo;
  30 class nsINode;
  31 class nsIPrincipal;
  32
  33 namespace mozilla {
  34 class StyleSheet;
  35 class URLAndReferrerInfo;
  36
  37 namespace net {
  38 class HttpBaseChannel;
  39 class nsHttpChannel;
  40 }  // namespace net
  41 }  // namespace mozilla
  42
  43 using mozilla::Maybe;
  44
  45 namespace mozilla::dom {
  46
  47 /**
  48  * The ReferrerInfo class holds the raw referrer and potentially a referrer
  49  * policy which allows to query the computed referrer which should be applied to
  50  * a channel as the actual referrer value.
  51  *
  52  * The ReferrerInfo class solely contains readonly fields and represents a 1:1
  53  * sync to the referrer header of the corresponding channel. In turn that means
  54  * the class is immutable - so any modifications require to clone the current
  55  * ReferrerInfo.
  56  *
  57  * For example if a request undergoes a redirect, the new channel
  58  * will need a new ReferrerInfo clone with members being updated accordingly.
  59  */
  60
  61 class ReferrerInfo : public nsIReferrerInfo {
  62  public:
  63   typedef enum ReferrerPolicy ReferrerPolicyEnum;
  64   ReferrerInfo();
  65
  66   explicit ReferrerInfo(
  67       nsIURI* aOriginalReferrer,
  68       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty,
  69       bool aSendReferrer = true,
  70       const Maybe<nsCString>& aComputedReferrer = Maybe<nsCString>());
  71
  72   // Creates already initialized ReferrerInfo from an element or a document.
  73   explicit ReferrerInfo(const Element&);
  74   explicit ReferrerInfo(const Document&);
  75
  76   // create an exact copy of the ReferrerInfo
  77   already_AddRefed<ReferrerInfo> Clone() const;
  78
  79   // create an copy of the ReferrerInfo with new referrer policy
  80   already_AddRefed<ReferrerInfo> CloneWithNewPolicy(
  81       ReferrerPolicyEnum aPolicy) const;
  82
  83   // create an copy of the ReferrerInfo with new send referrer
  84   already_AddRefed<ReferrerInfo> CloneWithNewSendReferrer(
  85       bool aSendReferrer) const;
  86
  87   // create an copy of the ReferrerInfo with new original referrer
  88   already_AddRefed<ReferrerInfo> CloneWithNewOriginalReferrer(
  89       nsIURI* aOriginalReferrer) const;
  90
  91   // Record the telemetry for the referrer policy.
  92   void RecordTelemetry(nsIHttpChannel* aChannel);
  93
  94   /*
  95    * Helper function to create a new ReferrerInfo object from other. We will not
  96    * pass in any computed values and override referrer policy if needed
  97    *
  98    * @param aOther the other referrerInfo object to init from.
  99    * @param aPolicyOverride referrer policy to override if necessary.
 100    */
 101   static already_AddRefed<nsIReferrerInfo> CreateFromOtherAndPolicyOverride(
 102       nsIReferrerInfo* aOther, ReferrerPolicyEnum aPolicyOverride);
 103
 104   /*
 105    * Helper function to create a new ReferrerInfo object from a given document
 106    * and override referrer policy if needed (for example, when parsing link
 107    * header or speculative loading).
 108    *
 109    * @param aDocument the document to init referrerInfo object.
 110    * @param aPolicyOverride referrer policy to override if necessary.
 111    */
 112   static already_AddRefed<nsIReferrerInfo> CreateFromDocumentAndPolicyOverride(
 113       Document* aDoc, ReferrerPolicyEnum aPolicyOverride);
 114
 115   /*
 116    * Implements step 3.1 and 3.3 of the Determine request's Referrer algorithm
 117    * from the Referrer Policy specification.
 118    *
 119    * https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
 120    */
 121   static already_AddRefed<nsIReferrerInfo> CreateForFetch(
 122       nsIPrincipal* aPrincipal, Document* aDoc);
 123
 124   /**
 125    * Helper function to create new ReferrerInfo object from a given external
 126    * stylesheet. The returned nsIReferrerInfo object will be used for any
 127    * requests or resources referenced by the sheet.
 128    *
 129    * @param aSheet the stylesheet to init referrerInfo.
 130    * @param aPolicy referrer policy from header if there's any.
 131    */
 132   static already_AddRefed<nsIReferrerInfo> CreateForExternalCSSResources(
 133       StyleSheet* aExternalSheet,
 134       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty);
 135
 136   /**
 137    * Helper function to create new ReferrerInfo object from a given document.
 138    * The returned nsIReferrerInfo object will be used for any requests or
 139    * resources referenced by internal stylesheet (for example style="" or
 140    * wrapped by <style> tag).
 141    *
 142    * @param aDocument the document to init referrerInfo object.
 143    */
 144   static already_AddRefed<nsIReferrerInfo> CreateForInternalCSSResources(
 145       Document* aDocument);
 146
 147   /**
 148    * Helper function to create new ReferrerInfo object from a given document.
 149    * The returned nsIReferrerInfo object will be used for any requests or
 150    * resources referenced by SVG.
 151    *
 152    * @param aDocument the document to init referrerInfo object.
 153    */
 154   static already_AddRefed<nsIReferrerInfo> CreateForSVGResources(
 155       Document* aDocument);
 156
 157   /**
 158    * Check whether the given referrer's scheme is allowed to be computed and
 159    * sent. The allowlist schemes are: http, https.
 160    */
 161   static bool IsReferrerSchemeAllowed(nsIURI* aReferrer);
 162
 163   /*
 164    * The Referrer Policy should be inherited for nested browsing contexts that
 165    * are not created from responses. Such as: srcdoc, data, blob.
 166    */
 167   static bool ShouldResponseInheritReferrerInfo(nsIChannel* aChannel);
 168
 169   /*
 170    * Check whether referrer is allowed to send in secure to insecure scenario.
 171    */
 172   static nsresult HandleSecureToInsecureReferral(nsIURI* aOriginalURI,
 173                                                  nsIURI* aURI,
 174                                                  ReferrerPolicyEnum aPolicy,
 175                                                  bool& aAllowed);
 176
 177   /**
 178    * Returns true if the given channel is cross-origin request
 179    *
 180    * Computing whether the request is cross-origin may be expensive, so please
 181    * do that in cases where we're going to use this information later on.
 182    */
 183   static bool IsCrossOriginRequest(nsIHttpChannel* aChannel);
 184
 185   /**
 186    * Returns true if the given channel is cross-site request.
 187    */
 188   static bool IsCrossSiteRequest(nsIHttpChannel* aChannel);
 189
 190   /**
 191    * Returns true if the given channel is suppressed by Referrer-Policy header
 192    * and should set "null" to Origin header.
 193    */
 194   static bool ShouldSetNullOriginHeader(net::HttpBaseChannel* aChannel,
 195                                         nsIURI* aOriginURI);
 196
 197   /**
 198    * Getter for network.http.sendRefererHeader.
 199    */
 200   static uint32_t GetUserReferrerSendingPolicy();
 201
 202   /**
 203    * Getter for network.http.referer.XOriginPolicy.
 204    */
 205   static uint32_t GetUserXOriginSendingPolicy();
 206
 207   /**
 208    * Getter for network.http.referer.trimmingPolicy.
 209    */
 210   static uint32_t GetUserTrimmingPolicy();
 211
 212   /**
 213    * Getter for network.http.referer.XOriginTrimmingPolicy.
 214    */
 215   static uint32_t GetUserXOriginTrimmingPolicy();
 216
 217   /**
 218    * Return default referrer policy which is controlled by user
 219    * prefs:
 220    * network.http.referer.defaultPolicy for regular mode
 221    * network.http.referer.defaultPolicy.trackers for third-party trackers
 222    * in regular mode
 223    * network.http.referer.defaultPolicy.pbmode for private mode
 224    * network.http.referer.defaultPolicy.trackers.pbmode for third-party trackers
 225    * in private mode
 226    */
 227   static ReferrerPolicyEnum GetDefaultReferrerPolicy(
 228       nsIHttpChannel* aChannel = nullptr, nsIURI* aURI = nullptr,
 229       bool aPrivateBrowsing = false);
 230
 231   /**
 232    * Return default referrer policy for third party which is controlled by user
 233    * prefs:
 234    * network.http.referer.defaultPolicy.trackers for regular mode
 235    * network.http.referer.defaultPolicy.trackers.pbmode for private mode
 236    */
 237   static ReferrerPolicyEnum GetDefaultThirdPartyReferrerPolicy(
 238       bool aPrivateBrowsing = false);
 239
 240   /*
 241    * Helper function to parse ReferrerPolicy from meta tag referrer content.
 242    * For example: <meta name="referrer" content="origin">
 243    *
 244    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 245    *                 e.g. "origin".
 246    */
 247   static ReferrerPolicyEnum ReferrerPolicyFromMetaString(
 248       const nsAString& aContent);
 249
 250   /*
 251    * Helper function to parse ReferrerPolicy from string content of
 252    * referrerpolicy attribute.
 253    * For example: <a href="http://example.com" referrerpolicy="no-referrer">
 254    *
 255    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 256    *                 e.g. "no-referrer".
 257    */
 258   static ReferrerPolicyEnum ReferrerPolicyAttributeFromString(
 259       const nsAString& aContent);
 260
 261   /*
 262    * Helper function to parse ReferrerPolicy from string content of
 263    * Referrer-Policy header.
 264    * For example: Referrer-Policy: origin no-referrer
 265    * https://www.w3.org/tr/referrer-policy/#parse-referrer-policy-from-header
 266    *
 267    * @param aContent content string to be transformed into ReferrerPolicyEnum.
 268    *                e.g. "origin no-referrer"
 269    */
 270   static ReferrerPolicyEnum ReferrerPolicyFromHeaderString(
 271       const nsAString& aContent);
 272
 273   /*
 274    * Helper function to convert ReferrerPolicy enum to string
 275    *
 276    * @param aPolicy referrer policy to convert.
 277    */
 278   static const char* ReferrerPolicyToString(ReferrerPolicyEnum aPolicy);
 279
 280   /**
 281    * Hash function for this object
 282    */
 283   HashNumber Hash() const;
 284
 285   NS_DECL_THREADSAFE_ISUPPORTS
 286   NS_DECL_NSIREFERRERINFO
 287   NS_DECL_NSISERIALIZABLE
 288
 289  private:
 290   virtual ~ReferrerInfo() = default;
 291
 292   ReferrerInfo(const ReferrerInfo& rhs);
 293
 294   /*
 295    * Trimming policy when compute referrer, indicate how much information in the
 296    * referrer will be sent. Order matters here.
 297    */
 298   enum TrimmingPolicy : uint32_t {
 299     ePolicyFullURI = 0,
 300     ePolicySchemeHostPortPath = 1,
 301     ePolicySchemeHostPort = 2,
 302   };
 303
 304   /*
 305    * Referrer sending policy, indicates type of action could trigger to send
 306    * referrer header, not send at all, send only with user's action (click on a
 307    * link) or send even with inline content request (image request).
 308    * Order matters here.
 309    */
 310   enum ReferrerSendingPolicy : uint32_t {
 311     ePolicyNotSend = 0,
 312     ePolicySendWhenUserTrigger = 1,
 313     ePolicySendInlineContent = 2,
 314   };
 315
 316   /*
 317    * Sending referrer when cross origin policy, indicates when referrer should
 318    * be send when compare 2 origins. Order matters here.
 319    */
 320   enum XOriginSendingPolicy : uint32_t {
 321     ePolicyAlwaysSend = 0,
 322     ePolicySendWhenSameDomain = 1,
 323     ePolicySendWhenSameHost = 2,
 324   };
 325
 326   /*
 327    * Handle user controlled pref network.http.referer.XOriginPolicy
 328    */
 329   nsresult HandleUserXOriginSendingPolicy(nsIURI* aURI, nsIURI* aReferrer,
 330                                           bool& aAllowed) const;
 331
 332   /*
 333    * Handle user controlled pref network.http.sendRefererHeader
 334    */
 335   nsresult HandleUserReferrerSendingPolicy(nsIHttpChannel* aChannel,
 336                                            bool& aAllowed) const;
 337
 338   /*
 339    * Compute trimming policy from user controlled prefs.
 340    * This function is called when we already made sure a nonempty referrer is
 341    * allowed to send.
 342    */
 343   TrimmingPolicy ComputeTrimmingPolicy(nsIHttpChannel* aChannel) const;
 344
 345   // HttpBaseChannel could access IsInitialized() and ComputeReferrer();
 346   friend class mozilla::net::HttpBaseChannel;
 347
 348   /*
 349    * Compute referrer for a given channel. The computation result then will be
 350    * stored in this class and then used to set the actual referrer header of
 351    * the channel. The computation could be controlled by several user prefs
 352    * which are defined in StaticPrefList.yaml (see StaticPrefList.yaml for more
 353    * details):
 354    *  network.http.sendRefererHeader
 355    *  network.http.referer.spoofSource
 356    *  network.http.referer.hideOnionSource
 357    *  network.http.referer.XOriginPolicy
 358    *  network.http.referer.trimmingPolicy
 359    *  network.http.referer.XOriginTrimmingPolicy
 360    */
 361   nsresult ComputeReferrer(nsIHttpChannel* aChannel);
 362
 363   /*
 364    * Check whether the ReferrerInfo has been initialized or not.
 365    */
 366   bool IsInitialized() { return mInitialized; }
 367
 368   // nsHttpChannel, Document could access IsPolicyOverrided();
 369   friend class mozilla::net::nsHttpChannel;
 370   friend class mozilla::dom::Document;
 371   /*
 372    * Check whether if unset referrer policy is overrided by default or not
 373    */
 374   bool IsPolicyOverrided() { return mOverridePolicyByDefault; }
 375
 376   /*
 377    *  Get origin string from a given valid referrer URI (http, https)
 378    *
 379    *  @aReferrer - the full referrer URI
 380    *  @aResult - the resulting aReferrer in string format.
 381    */
 382   nsresult GetOriginFromReferrerURI(nsIURI* aReferrer,
 383                                     nsACString& aResult) const;
 384
 385   /*
 386    * Trim a given referrer with a given a trimming policy,
 387    */
 388   nsresult TrimReferrerWithPolicy(nsIURI* aReferrer,
 389                                   TrimmingPolicy aTrimmingPolicy,
 390                                   nsACString& aResult) const;
 391
 392   /**
 393    * Returns true if we should ignore less restricted referrer policies,
 394    * including 'unsafe_url', 'no_referrer_when_downgrade' and
 395    * 'origin_when_cross_origin', for the given channel. We only apply this
 396    * restriction for cross-site requests. For the same-site request, we will
 397    * still allow overriding the default referrer policy with less restricted
 398    * one.
 399    *
 400    * Note that the channel triggered by the system and the extension will be
 401    * exempt from this restriction.
 402    */
 403   bool ShouldIgnoreLessRestrictedPolicies(
 404       nsIHttpChannel* aChannel, const ReferrerPolicyEnum aPolicy) const;
 405
 406   /*
 407    *  Limit referrer length using the following ruleset:
 408    *   - If the length of referrer URL is over max length, strip down to origin.
 409    *   - If the origin is still over max length, remove the referrer entirely.
 410    *
 411    *  This function comlements TrimReferrerPolicy and needs to be called right
 412    *  after TrimReferrerPolicy.
 413    *
 414    *  @aChannel - used to query information needed for logging to the console.
 415    *  @aReferrer - the full referrer URI; needs to be identical to aReferrer
 416    *               passed to TrimReferrerPolicy.
 417    *  @aTrimmingPolicy - represents the trimming policy which was applied to the
 418    *                     referrer; needs to be identical to aTrimmingPolicy
 419    *                     passed to TrimReferrerPolicy.
 420    *  @aInAndOutTrimmedReferrer -  an in and outgoing argument representing the
 421    *                               referrer value. Please pass the result of
 422    *                               TrimReferrerWithPolicy as
 423    *                               aInAndOutTrimmedReferrer which will then be
 424    *                               reduced to the origin or completely truncated
 425    *                               in case the referrer value exceeds the length
 426    *                               limitation.
 427    */
 428   nsresult LimitReferrerLength(nsIHttpChannel* aChannel, nsIURI* aReferrer,
 429                                TrimmingPolicy aTrimmingPolicy,
 430                                nsACString& aInAndOutTrimmedReferrer) const;
 431
 432   /**
 433    * The helper function to read the old data format before gecko 100 for
 434    * deserialization.
 435    */
 436   nsresult ReadTailDataBeforeGecko100(const uint32_t& aData,
 437                                       nsIObjectInputStream* aInputStream);
 438
 439   /*
 440    * Write message to the error console
 441    */
 442   void LogMessageToConsole(nsIHttpChannel* aChannel, const char* aMsg,
 443                            const nsTArray<nsString>& aParams) const;
 444
 445   friend class mozilla::URLAndReferrerInfo;
 446
 447   nsCOMPtr<nsIURI> mOriginalReferrer;
 448
 449   ReferrerPolicyEnum mPolicy;
 450
 451   // The referrer policy that has been set originally for the channel. Note that
 452   // the policy may have been overridden by the default referrer policy, so we
 453   // need to keep track of this if we need to recover the original referrer
 454   // policy.
 455   ReferrerPolicyEnum mOriginalPolicy;
 456
 457   // Indicates if the referrer should be sent or not even when it's available
 458   // (default is true).
 459   bool mSendReferrer;
 460
 461   // Since the ReferrerInfo is immutable, we use this member as a helper to
 462   // ensure no one can call e.g. init() twice to modify state of the
 463   // ReferrerInfo.
 464   bool mInitialized;
 465
 466   // Indicates if unset referrer policy is overrided by default
 467   bool mOverridePolicyByDefault;
 468
 469   // Store a computed referrer for a given channel
 470   Maybe<nsCString> mComputedReferrer;
 471
 472 #ifdef DEBUG
 473   // Indicates if the telemetry has been recorded. This is used to make sure the
 474   // telemetry will be only recored once.
 475   bool mTelemetryRecorded = false;
 476 #endif  // DEBUG
 477 };
 478
 479 }  // namespace mozilla::dom
 480
 481 #endif  // mozilla_dom_ReferrerInfo_h