1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 #include "nsIHttpChannel.h"
9 #include "nsContentUtils.h"
10 #include "nsIRedirectHistoryEntry.h"
11 #include "nsIReferrerInfo.h"
12 #include "mozIThirdPartyUtil.h"
13 #include "nsMixedContentBlocker.h"
14 #include "nsNetUtil.h"
15 #include "mozilla/BasePrincipal.h"
16 #include "mozilla/StaticPrefs_dom.h"
18 // Helper function which maps an internal content policy type
19 // to the corresponding destination for the context of SecFetch.
20 nsCString
MapInternalContentPolicyTypeToDest(nsContentPolicyType aType
) {
22 case nsIContentPolicy::TYPE_OTHER
:
24 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT
:
25 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD
:
26 case nsIContentPolicy::TYPE_INTERNAL_MODULE
:
27 case nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD
:
28 case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS
:
29 case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT
:
30 case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT
:
31 case nsIContentPolicy::TYPE_SCRIPT
:
33 case nsIContentPolicy::TYPE_INTERNAL_WORKER
:
35 case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER
:
36 return "sharedworker"_ns
;
37 case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER
:
38 return "serviceworker"_ns
;
39 case nsIContentPolicy::TYPE_INTERNAL_AUDIOWORKLET
:
40 return "audioworklet"_ns
;
41 case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET
:
42 return "paintworklet"_ns
;
43 case nsIContentPolicy::TYPE_IMAGESET
:
44 case nsIContentPolicy::TYPE_INTERNAL_IMAGE
:
45 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD
:
46 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON
:
47 case nsIContentPolicy::TYPE_IMAGE
:
49 case nsIContentPolicy::TYPE_STYLESHEET
:
50 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET
:
51 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD
:
53 case nsIContentPolicy::TYPE_OBJECT
:
54 case nsIContentPolicy::TYPE_INTERNAL_OBJECT
:
56 case nsIContentPolicy::TYPE_INTERNAL_EMBED
:
58 case nsIContentPolicy::TYPE_DOCUMENT
:
60 case nsIContentPolicy::TYPE_SUBDOCUMENT
:
61 case nsIContentPolicy::TYPE_INTERNAL_IFRAME
:
63 case nsIContentPolicy::TYPE_INTERNAL_FRAME
:
65 case nsIContentPolicy::TYPE_PING
:
67 case nsIContentPolicy::TYPE_XMLHTTPREQUEST
:
68 case nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST
:
70 case nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE
:
72 case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST
:
74 case nsIContentPolicy::TYPE_DTD
:
75 case nsIContentPolicy::TYPE_INTERNAL_DTD
:
76 case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD
:
78 case nsIContentPolicy::TYPE_FONT
:
79 case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD
:
80 case nsIContentPolicy::TYPE_UA_FONT
:
82 case nsIContentPolicy::TYPE_MEDIA
:
84 case nsIContentPolicy::TYPE_INTERNAL_AUDIO
:
86 case nsIContentPolicy::TYPE_INTERNAL_VIDEO
:
88 case nsIContentPolicy::TYPE_INTERNAL_TRACK
:
90 case nsIContentPolicy::TYPE_WEBSOCKET
:
91 return "websocket"_ns
;
92 case nsIContentPolicy::TYPE_CSP_REPORT
:
94 case nsIContentPolicy::TYPE_XSLT
:
96 case nsIContentPolicy::TYPE_BEACON
:
98 case nsIContentPolicy::TYPE_FETCH
:
99 case nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD
:
101 case nsIContentPolicy::TYPE_WEB_MANIFEST
:
102 return "manifest"_ns
;
103 case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD
:
105 case nsIContentPolicy::TYPE_SPECULATIVE
:
107 case nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA
:
109 case nsIContentPolicy::TYPE_WEB_IDENTITY
:
110 return "webidentity"_ns
;
111 case nsIContentPolicy::TYPE_INVALID
:
113 // Do not add default: so that compilers can catch the missing case.
116 MOZ_CRASH("Unhandled nsContentPolicyType value");
119 // Helper function to determine if a ExpandedPrincipal is of the same-origin as
120 // a URI in the sec-fetch context.
121 void IsExpandedPrincipalSameOrigin(
122 nsCOMPtr
<nsIExpandedPrincipal
> aExpandedPrincipal
, nsIURI
* aURI
,
125 for (const auto& principal
: aExpandedPrincipal
->AllowList()) {
126 // Ignore extension principals to continue treating
127 // "moz-extension:"-requests as not "same-origin".
128 if (!mozilla::BasePrincipal::Cast(principal
)->AddonPolicy()) {
129 // A ExpandedPrincipal usually has at most one ContentPrincipal, so we can
130 // check IsSameOrigin on it here and return early.
131 mozilla::BasePrincipal::Cast(principal
)->IsSameOrigin(aURI
, aRes
);
137 // Helper function to determine whether a request (including involved
138 // redirects) is same-origin in the context of SecFetch.
139 bool IsSameOrigin(nsIHttpChannel
* aHTTPChannel
) {
140 nsCOMPtr
<nsIURI
> channelURI
;
141 NS_GetFinalChannelURI(aHTTPChannel
, getter_AddRefs(channelURI
));
143 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
145 if (mozilla::BasePrincipal::Cast(loadInfo
->TriggeringPrincipal())
147 // If an extension triggered the load that has access to the URI then the
148 // load is considered as same-origin.
149 return mozilla::BasePrincipal::Cast(loadInfo
->TriggeringPrincipal())
150 ->AddonAllowsLoad(channelURI
);
153 bool isSameOrigin
= false;
154 if (nsContentUtils::IsExpandedPrincipal(loadInfo
->TriggeringPrincipal())) {
155 nsCOMPtr
<nsIExpandedPrincipal
> ep
=
156 do_QueryInterface(loadInfo
->TriggeringPrincipal());
157 IsExpandedPrincipalSameOrigin(ep
, channelURI
, &isSameOrigin
);
159 isSameOrigin
= loadInfo
->TriggeringPrincipal()->IsSameOrigin(channelURI
);
162 // if the initial request is not same-origin, we can return here
163 // because we already know it's not a same-origin request
168 // let's further check all the hoops in the redirectChain to
169 // ensure all involved redirects are same-origin
170 nsCOMPtr
<nsIPrincipal
> redirectPrincipal
;
171 for (nsIRedirectHistoryEntry
* entry
: loadInfo
->RedirectChain()) {
172 entry
->GetPrincipal(getter_AddRefs(redirectPrincipal
));
173 if (redirectPrincipal
&& !redirectPrincipal
->IsSameOrigin(channelURI
)) {
178 // must be a same-origin request
182 // Helper function to determine whether a request (including involved
183 // redirects) is same-site in the context of SecFetch.
184 bool IsSameSite(nsIChannel
* aHTTPChannel
) {
185 nsCOMPtr
<mozIThirdPartyUtil
> thirdPartyUtil
=
186 do_GetService(THIRDPARTYUTIL_CONTRACTID
);
187 if (!thirdPartyUtil
) {
191 nsAutoCString hostDomain
;
192 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
193 nsresult rv
= loadInfo
->TriggeringPrincipal()->GetBaseDomain(hostDomain
);
194 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
196 nsAutoCString channelDomain
;
197 nsCOMPtr
<nsIURI
> channelURI
;
198 NS_GetFinalChannelURI(aHTTPChannel
, getter_AddRefs(channelURI
));
199 rv
= thirdPartyUtil
->GetBaseDomain(channelURI
, channelDomain
);
200 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
202 // if the initial request is not same-site, or not https, we can
203 // return here because we already know it's not a same-site request
204 if (!hostDomain
.Equals(channelDomain
) ||
205 (!loadInfo
->TriggeringPrincipal()->SchemeIs("https") &&
206 !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
211 // let's further check all the hoops in the redirectChain to
212 // ensure all involved redirects are same-site and https
213 nsCOMPtr
<nsIPrincipal
> redirectPrincipal
;
214 for (nsIRedirectHistoryEntry
* entry
: loadInfo
->RedirectChain()) {
215 entry
->GetPrincipal(getter_AddRefs(redirectPrincipal
));
216 if (redirectPrincipal
) {
217 redirectPrincipal
->GetBaseDomain(hostDomain
);
218 if (!hostDomain
.Equals(channelDomain
) ||
219 !redirectPrincipal
->SchemeIs("https")) {
225 // must be a same-site request
229 // Helper function to determine whether a request was triggered
230 // by the end user in the context of SecFetch.
231 bool IsUserTriggeredForSecFetchSite(nsIHttpChannel
* aHTTPChannel
) {
233 * The goal is to distinguish between "webby" navigations that are controlled
234 * by a given website (e.g. links, the window.location setter,form
235 * submissions, etc.), and those that are not (e.g. user interaction with a
236 * user agent’s address bar, bookmarks, etc).
238 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
239 ExtContentPolicyType contentType
= loadInfo
->GetExternalContentPolicyType();
241 // A request issued by the browser is always user initiated.
242 if (loadInfo
->TriggeringPrincipal()->IsSystemPrincipal() &&
243 contentType
== ExtContentPolicy::TYPE_OTHER
) {
247 // only requests wich result in type "document" are subject to
248 // user initiated actions in the context of SecFetch.
249 if (contentType
!= ExtContentPolicy::TYPE_DOCUMENT
&&
250 contentType
!= ExtContentPolicy::TYPE_SUBDOCUMENT
) {
254 // The load is considered user triggered if it was triggered by an external
256 if (loadInfo
->GetLoadTriggeredFromExternal()) {
260 // sec-fetch-site can only be user triggered if the load was user triggered.
261 if (!loadInfo
->GetHasValidUserGestureActivation()) {
265 // We can assert that the navigation must be "webby" if the load was triggered
266 // by a meta refresh. See also Bug 1647128.
267 if (loadInfo
->GetIsMetaRefresh()) {
271 // All web requests have a valid "original" referrer set in the
272 // ReferrerInfo which we can use to determine whether a request
273 // was triggered by a user or not.
274 nsCOMPtr
<nsIReferrerInfo
> referrerInfo
= aHTTPChannel
->GetReferrerInfo();
276 nsCOMPtr
<nsIURI
> originalReferrer
;
277 referrerInfo
->GetOriginalReferrer(getter_AddRefs(originalReferrer
));
278 if (originalReferrer
) {
286 void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel
* aHTTPChannel
) {
287 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
288 nsContentPolicyType contentType
= loadInfo
->InternalContentPolicyType();
289 nsCString dest
= MapInternalContentPolicyTypeToDest(contentType
);
292 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Dest"_ns
, dest
, false);
293 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
296 void mozilla::dom::SecFetch::AddSecFetchMode(nsIHttpChannel
* aHTTPChannel
) {
297 nsAutoCString
mode("no-cors");
299 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
300 uint32_t securityMode
= loadInfo
->GetSecurityMode();
301 ExtContentPolicyType externalType
= loadInfo
->GetExternalContentPolicyType();
304 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT
||
305 securityMode
== nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED
) {
306 mode
= "same-origin"_ns
;
307 } else if (securityMode
==
308 nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT
) {
311 // If it's not one of the security modes above, then we ensure it's
312 // at least one of the others defined in nsILoadInfo
315 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT
||
317 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL
,
318 "unhandled security mode");
321 if (externalType
== ExtContentPolicy::TYPE_DOCUMENT
||
322 externalType
== ExtContentPolicy::TYPE_SUBDOCUMENT
||
323 externalType
== ExtContentPolicy::TYPE_OBJECT
) {
324 mode
= "navigate"_ns
;
325 } else if (externalType
== ExtContentPolicy::TYPE_WEBSOCKET
) {
326 mode
= "websocket"_ns
;
330 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Mode"_ns
, mode
, false);
331 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
334 void mozilla::dom::SecFetch::AddSecFetchSite(nsIHttpChannel
* aHTTPChannel
) {
335 nsAutoCString
site("same-origin");
337 bool isSameOrigin
= IsSameOrigin(aHTTPChannel
);
339 bool isSameSite
= IsSameSite(aHTTPChannel
);
341 site
= "same-site"_ns
;
343 site
= "cross-site"_ns
;
347 if (IsUserTriggeredForSecFetchSite(aHTTPChannel
)) {
352 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Site"_ns
, site
, false);
353 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
356 void mozilla::dom::SecFetch::AddSecFetchUser(nsIHttpChannel
* aHTTPChannel
) {
357 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
358 ExtContentPolicyType externalType
= loadInfo
->GetExternalContentPolicyType();
360 // sec-fetch-user only applies to loads of type document or subdocument
361 if (externalType
!= ExtContentPolicy::TYPE_DOCUMENT
&&
362 externalType
!= ExtContentPolicy::TYPE_SUBDOCUMENT
) {
366 // sec-fetch-user only applies if the request is user triggered.
367 // requests triggered by an external application are considerd user triggered.
368 if (!loadInfo
->GetLoadTriggeredFromExternal() &&
369 !loadInfo
->GetHasValidUserGestureActivation()) {
373 nsAutoCString
user("?1");
375 aHTTPChannel
->SetRequestHeader("Sec-Fetch-User"_ns
, user
, false);
376 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
379 void mozilla::dom::SecFetch::AddSecFetchHeader(nsIHttpChannel
* aHTTPChannel
) {
380 // if sec-fetch-* is prefed off, then there is nothing to do
381 if (!StaticPrefs::dom_security_secFetch_enabled()) {
385 nsCOMPtr
<nsIURI
> uri
;
386 nsresult rv
= aHTTPChannel
->GetURI(getter_AddRefs(uri
));
387 if (NS_WARN_IF(NS_FAILED(rv
))) {
391 // if we are not dealing with a potentially trustworthy URL, then
392 // there is nothing to do here
393 if (!nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(uri
)) {
397 AddSecFetchDest(aHTTPChannel
);
398 AddSecFetchMode(aHTTPChannel
);
399 AddSecFetchSite(aHTTPChannel
);
400 AddSecFetchUser(aHTTPChannel
);