search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1795172 [wpt PR 36447] - Disallow culled inlines in repeated content., a=testonly
[gecko.git] / dom / security / SecFetch.cpp
blob06aa3de699ebd6576ca2689964676a4f92d31529
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "SecFetch.h"
8 #include "nsIHttpChannel.h"
9 #include "nsContentUtils.h"
10 #include "nsIRedirectHistoryEntry.h"
11 #include "nsIReferrerInfo.h"
12 #include "mozIThirdPartyUtil.h"
13 #include "nsMixedContentBlocker.h"
14 #include "nsNetUtil.h"
15 #include "mozilla/BasePrincipal.h"
16 #include "mozilla/StaticPrefs_dom.h"
17
18 // Helper function which maps an internal content policy type
19 // to the corresponding destination for the context of SecFetch.
20 nsCString MapInternalContentPolicyTypeToDest(nsContentPolicyType aType) {
21 switch (aType) {
22 case nsIContentPolicy::TYPE_OTHER:
23 return "empty"_ns;
24 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT:
25 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD:
26 case nsIContentPolicy::TYPE_INTERNAL_MODULE:
27 case nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD:
28 case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
29 case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT:
30 case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT:
31 case nsIContentPolicy::TYPE_SCRIPT:
32 return "script"_ns;
33 case nsIContentPolicy::TYPE_INTERNAL_WORKER:
34 return "worker"_ns;
35 case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER:
36 return "sharedworker"_ns;
37 case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER:
38 return "serviceworker"_ns;
39 case nsIContentPolicy::TYPE_INTERNAL_AUDIOWORKLET:
40 return "audioworklet"_ns;
41 case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET:
42 return "paintworklet"_ns;
43 case nsIContentPolicy::TYPE_IMAGESET:
44 case nsIContentPolicy::TYPE_INTERNAL_IMAGE:
45 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD:
46 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON:
47 case nsIContentPolicy::TYPE_IMAGE:
48 return "image"_ns;
49 case nsIContentPolicy::TYPE_STYLESHEET:
50 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET:
51 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD:
52 return "style"_ns;
53 case nsIContentPolicy::TYPE_OBJECT:
54 case nsIContentPolicy::TYPE_INTERNAL_OBJECT:
55 return "object"_ns;
56 case nsIContentPolicy::TYPE_INTERNAL_EMBED:
57 return "embed"_ns;
58 case nsIContentPolicy::TYPE_DOCUMENT:
59 return "document"_ns;
60 case nsIContentPolicy::TYPE_SUBDOCUMENT:
61 case nsIContentPolicy::TYPE_INTERNAL_IFRAME:
62 return "iframe"_ns;
63 case nsIContentPolicy::TYPE_INTERNAL_FRAME:
64 return "frame"_ns;
65 case nsIContentPolicy::TYPE_PING:
66 return "empty"_ns;
67 case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
68 case nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST:
69 return "empty"_ns;
70 case nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE:
71 return "empty"_ns;
72 case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST:
73 return "empty"_ns;
74 case nsIContentPolicy::TYPE_DTD:
75 case nsIContentPolicy::TYPE_INTERNAL_DTD:
76 case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
77 return "empty"_ns;
78 case nsIContentPolicy::TYPE_FONT:
79 case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD:
80 case nsIContentPolicy::TYPE_UA_FONT:
81 return "font"_ns;
82 case nsIContentPolicy::TYPE_MEDIA:
83 return "empty"_ns;
84 case nsIContentPolicy::TYPE_INTERNAL_AUDIO:
85 return "audio"_ns;
86 case nsIContentPolicy::TYPE_INTERNAL_VIDEO:
87 return "video"_ns;
88 case nsIContentPolicy::TYPE_INTERNAL_TRACK:
89 return "track"_ns;
90 case nsIContentPolicy::TYPE_WEBSOCKET:
91 return "websocket"_ns;
92 case nsIContentPolicy::TYPE_CSP_REPORT:
93 return "report"_ns;
94 case nsIContentPolicy::TYPE_XSLT:
95 return "xslt"_ns;
96 case nsIContentPolicy::TYPE_BEACON:
97 return "empty"_ns;
98 case nsIContentPolicy::TYPE_FETCH:
99 case nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD:
100 return "empty"_ns;
101 case nsIContentPolicy::TYPE_WEB_MANIFEST:
102 return "manifest"_ns;
103 case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD:
104 return "empty"_ns;
105 case nsIContentPolicy::TYPE_SPECULATIVE:
106 return "empty"_ns;
107 case nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA:
108 return "empty"_ns;
109 case nsIContentPolicy::TYPE_WEB_IDENTITY:
110 return "webidentity"_ns;
111 case nsIContentPolicy::TYPE_INVALID:
112 break;
113 // Do not add default: so that compilers can catch the missing case.
114 }
115
116 MOZ_CRASH("Unhandled nsContentPolicyType value");
117 }
118
119 // Helper function to determine if a ExpandedPrincipal is of the same-origin as
120 // a URI in the sec-fetch context.
121 void IsExpandedPrincipalSameOrigin(
122 nsCOMPtr<nsIExpandedPrincipal> aExpandedPrincipal, nsIURI* aURI,
123 bool* aRes) {
124 *aRes = false;
125 for (const auto& principal : aExpandedPrincipal->AllowList()) {
126 // Ignore extension principals to continue treating
127 // "moz-extension:"-requests as not "same-origin".
128 if (!mozilla::BasePrincipal::Cast(principal)->AddonPolicy()) {
129 // A ExpandedPrincipal usually has at most one ContentPrincipal, so we can
130 // check IsSameOrigin on it here and return early.
131 mozilla::BasePrincipal::Cast(principal)->IsSameOrigin(aURI, aRes);
132 return;
133 }
134 }
135 }
136
137 // Helper function to determine whether a request (including involved
138 // redirects) is same-origin in the context of SecFetch.
139 bool IsSameOrigin(nsIHttpChannel* aHTTPChannel) {
140 nsCOMPtr<nsIURI> channelURI;
141 NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
142
143 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
144
145 if (mozilla::BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
146 ->AddonPolicy()) {
147 // If an extension triggered the load that has access to the URI then the
148 // load is considered as same-origin.
149 return mozilla::BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
150 ->AddonAllowsLoad(channelURI);
151 }
152
153 bool isSameOrigin = false;
154 if (nsContentUtils::IsExpandedPrincipal(loadInfo->TriggeringPrincipal())) {
155 nsCOMPtr<nsIExpandedPrincipal> ep =
156 do_QueryInterface(loadInfo->TriggeringPrincipal());
157 IsExpandedPrincipalSameOrigin(ep, channelURI, &isSameOrigin);
158 } else {
159 isSameOrigin = loadInfo->TriggeringPrincipal()->IsSameOrigin(channelURI);
160 }
161
162 // if the initial request is not same-origin, we can return here
163 // because we already know it's not a same-origin request
164 if (!isSameOrigin) {
165 return false;
166 }
167
168 // let's further check all the hoops in the redirectChain to
169 // ensure all involved redirects are same-origin
170 nsCOMPtr<nsIPrincipal> redirectPrincipal;
171 for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
172 entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
173 if (redirectPrincipal && !redirectPrincipal->IsSameOrigin(channelURI)) {
174 return false;
175 }
176 }
177
178 // must be a same-origin request
179 return true;
180 }
181
182 // Helper function to determine whether a request (including involved
183 // redirects) is same-site in the context of SecFetch.
184 bool IsSameSite(nsIChannel* aHTTPChannel) {
185 nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
186 do_GetService(THIRDPARTYUTIL_CONTRACTID);
187 if (!thirdPartyUtil) {
188 return false;
189 }
190
191 nsAutoCString hostDomain;
192 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
193 nsresult rv = loadInfo->TriggeringPrincipal()->GetBaseDomain(hostDomain);
194 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
195
196 nsAutoCString channelDomain;
197 nsCOMPtr<nsIURI> channelURI;
198 NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
199 rv = thirdPartyUtil->GetBaseDomain(channelURI, channelDomain);
200 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
201
202 // if the initial request is not same-site, or not https, we can
203 // return here because we already know it's not a same-site request
204 if (!hostDomain.Equals(channelDomain) ||
205 (!loadInfo->TriggeringPrincipal()->SchemeIs("https") &&
206 !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
207 hostDomain))) {
208 return false;
209 }
210
211 // let's further check all the hoops in the redirectChain to
212 // ensure all involved redirects are same-site and https
213 nsCOMPtr<nsIPrincipal> redirectPrincipal;
214 for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
215 entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
216 if (redirectPrincipal) {
217 redirectPrincipal->GetBaseDomain(hostDomain);
218 if (!hostDomain.Equals(channelDomain) ||
219 !redirectPrincipal->SchemeIs("https")) {
220 return false;
221 }
222 }
223 }
224
225 // must be a same-site request
226 return true;
227 }
228
229 // Helper function to determine whether a request was triggered
230 // by the end user in the context of SecFetch.
231 bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
232 /*
233 * The goal is to distinguish between "webby" navigations that are controlled
234 * by a given website (e.g. links, the window.location setter,form
235 * submissions, etc.), and those that are not (e.g. user interaction with a
236 * user agent’s address bar, bookmarks, etc).
237 */
238 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
239 ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
240
241 // A request issued by the browser is always user initiated.
242 if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
243 contentType == ExtContentPolicy::TYPE_OTHER) {
244 return true;
245 }
246
247 // only requests wich result in type "document" are subject to
248 // user initiated actions in the context of SecFetch.
249 if (contentType != ExtContentPolicy::TYPE_DOCUMENT &&
250 contentType != ExtContentPolicy::TYPE_SUBDOCUMENT) {
251 return false;
252 }
253
254 // The load is considered user triggered if it was triggered by an external
255 // application.
256 if (loadInfo->GetLoadTriggeredFromExternal()) {
257 return true;
258 }
259
260 // sec-fetch-site can only be user triggered if the load was user triggered.
261 if (!loadInfo->GetHasValidUserGestureActivation()) {
262 return false;
263 }
264
265 // We can assert that the navigation must be "webby" if the load was triggered
266 // by a meta refresh. See also Bug 1647128.
267 if (loadInfo->GetIsMetaRefresh()) {
268 return false;
269 }
270
271 // All web requests have a valid "original" referrer set in the
272 // ReferrerInfo which we can use to determine whether a request
273 // was triggered by a user or not.
274 nsCOMPtr<nsIReferrerInfo> referrerInfo = aHTTPChannel->GetReferrerInfo();
275 if (referrerInfo) {
276 nsCOMPtr<nsIURI> originalReferrer;
277 referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
278 if (originalReferrer) {
279 return false;
280 }
281 }
282
283 return true;
284 }
285
286 void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {
287 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
288 nsContentPolicyType contentType = loadInfo->InternalContentPolicyType();
289 nsCString dest = MapInternalContentPolicyTypeToDest(contentType);
290
291 nsresult rv =
292 aHTTPChannel->SetRequestHeader("Sec-Fetch-Dest"_ns, dest, false);
293 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
294 }
295
296 void mozilla::dom::SecFetch::AddSecFetchMode(nsIHttpChannel* aHTTPChannel) {
297 nsAutoCString mode("no-cors");
298
299 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
300 uint32_t securityMode = loadInfo->GetSecurityMode();
301 ExtContentPolicyType externalType = loadInfo->GetExternalContentPolicyType();
302
303 if (securityMode ==
304 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
305 securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED) {
306 mode = "same-origin"_ns;
307 } else if (securityMode ==
308 nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT) {
309 mode = "cors"_ns;
310 } else {
311 // If it's not one of the security modes above, then we ensure it's
312 // at least one of the others defined in nsILoadInfo
313 MOZ_ASSERT(
314 securityMode ==
315 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
316 securityMode ==
317 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
318 "unhandled security mode");
319 }
320
321 if (externalType == ExtContentPolicy::TYPE_DOCUMENT ||
322 externalType == ExtContentPolicy::TYPE_SUBDOCUMENT ||
323 externalType == ExtContentPolicy::TYPE_OBJECT) {
324 mode = "navigate"_ns;
325 } else if (externalType == ExtContentPolicy::TYPE_WEBSOCKET) {
326 mode = "websocket"_ns;
327 }
328
329 nsresult rv =
330 aHTTPChannel->SetRequestHeader("Sec-Fetch-Mode"_ns, mode, false);
331 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
332 }
333
334 void mozilla::dom::SecFetch::AddSecFetchSite(nsIHttpChannel* aHTTPChannel) {
335 nsAutoCString site("same-origin");
336
337 bool isSameOrigin = IsSameOrigin(aHTTPChannel);
338 if (!isSameOrigin) {
339 bool isSameSite = IsSameSite(aHTTPChannel);
340 if (isSameSite) {
341 site = "same-site"_ns;
342 } else {
343 site = "cross-site"_ns;
344 }
345 }
346
347 if (IsUserTriggeredForSecFetchSite(aHTTPChannel)) {
348 site = "none"_ns;
349 }
350
351 nsresult rv =
352 aHTTPChannel->SetRequestHeader("Sec-Fetch-Site"_ns, site, false);
353 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
354 }
355
356 void mozilla::dom::SecFetch::AddSecFetchUser(nsIHttpChannel* aHTTPChannel) {
357 nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
358 ExtContentPolicyType externalType = loadInfo->GetExternalContentPolicyType();
359
360 // sec-fetch-user only applies to loads of type document or subdocument
361 if (externalType != ExtContentPolicy::TYPE_DOCUMENT &&
362 externalType != ExtContentPolicy::TYPE_SUBDOCUMENT) {
363 return;
364 }
365
366 // sec-fetch-user only applies if the request is user triggered.
367 // requests triggered by an external application are considerd user triggered.
368 if (!loadInfo->GetLoadTriggeredFromExternal() &&
369 !loadInfo->GetHasValidUserGestureActivation()) {
370 return;
371 }
372
373 nsAutoCString user("?1");
374 nsresult rv =
375 aHTTPChannel->SetRequestHeader("Sec-Fetch-User"_ns, user, false);
376 mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
377 }
378
379 void mozilla::dom::SecFetch::AddSecFetchHeader(nsIHttpChannel* aHTTPChannel) {
380 // if sec-fetch-* is prefed off, then there is nothing to do
381 if (!StaticPrefs::dom_security_secFetch_enabled()) {
382 return;
383 }
384
385 nsCOMPtr<nsIURI> uri;
386 nsresult rv = aHTTPChannel->GetURI(getter_AddRefs(uri));
387 if (NS_WARN_IF(NS_FAILED(rv))) {
388 return;
389 }
390
391 // if we are not dealing with a potentially trustworthy URL, then
392 // there is nothing to do here
393 if (!nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(uri)) {
394 return;
395 }
396
397 AddSecFetchDest(aHTTPChannel);
398 AddSecFetchMode(aHTTPChannel);
399 AddSecFetchSite(aHTTPChannel);
400 AddSecFetchUser(aHTTPChannel);
401 }