1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 #include "nsIHttpChannel.h"
9 #include "nsContentUtils.h"
10 #include "nsIRedirectHistoryEntry.h"
11 #include "nsIReferrerInfo.h"
12 #include "mozIThirdPartyUtil.h"
13 #include "nsMixedContentBlocker.h"
14 #include "nsNetUtil.h"
15 #include "mozilla/BasePrincipal.h"
16 #include "mozilla/StaticPrefs_dom.h"
18 // Helper function which maps an internal content policy type
19 // to the corresponding destination for the context of SecFetch.
//
// The string returned here is what AddSecFetchDest (further down in this file)
// sends as the value of the "Sec-Fetch-Dest" request header.
//
// NOTE(review): this listing skips source lines (the gutter numbers jump, e.g.
// 20 -> 22 and 22 -> 24), so the `switch` header and the `return` statement of
// most case groups are not visible. Only the destinations that are shown
// ("sharedworker", "serviceworker", "audioworklet", "paintworklet",
// "manifest", "webidentity", "webtransport") can be confirmed from this page;
// check the remaining groups against the full file.
20 nsCString
MapInternalContentPolicyTypeToDest(nsContentPolicyType aType
) {
22 case nsIContentPolicy::TYPE_OTHER
:
24 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT
:
25 case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD
:
26 case nsIContentPolicy::TYPE_INTERNAL_MODULE
:
27 case nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD
:
28 case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS
:
29 case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT
:
30 case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT
:
31 case nsIContentPolicy::TYPE_SCRIPT
:
33 case nsIContentPolicy::TYPE_INTERNAL_WORKER
:
34 case nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE
:
36 case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER
:
37 return "sharedworker"_ns
;
38 case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER
:
39 return "serviceworker"_ns
;
40 case nsIContentPolicy::TYPE_INTERNAL_AUDIOWORKLET
:
41 return "audioworklet"_ns
;
42 case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET
:
43 return "paintworklet"_ns
;
44 case nsIContentPolicy::TYPE_IMAGESET
:
45 case nsIContentPolicy::TYPE_INTERNAL_IMAGE
:
46 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD
:
47 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON
:
48 case nsIContentPolicy::TYPE_IMAGE
:
50 case nsIContentPolicy::TYPE_STYLESHEET
:
51 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET
:
52 case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD
:
54 case nsIContentPolicy::TYPE_OBJECT
:
55 case nsIContentPolicy::TYPE_INTERNAL_OBJECT
:
57 case nsIContentPolicy::TYPE_INTERNAL_EMBED
:
59 case nsIContentPolicy::TYPE_DOCUMENT
:
61 case nsIContentPolicy::TYPE_SUBDOCUMENT
:
62 case nsIContentPolicy::TYPE_INTERNAL_IFRAME
:
64 case nsIContentPolicy::TYPE_INTERNAL_FRAME
:
66 case nsIContentPolicy::TYPE_PING
:
68 case nsIContentPolicy::TYPE_XMLHTTPREQUEST
:
69 case nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST
:
71 case nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE
:
73 case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST
:
75 case nsIContentPolicy::TYPE_DTD
:
76 case nsIContentPolicy::TYPE_INTERNAL_DTD
:
77 case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD
:
79 case nsIContentPolicy::TYPE_FONT
:
80 case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD
:
81 case nsIContentPolicy::TYPE_UA_FONT
:
83 case nsIContentPolicy::TYPE_MEDIA
:
85 case nsIContentPolicy::TYPE_INTERNAL_AUDIO
:
87 case nsIContentPolicy::TYPE_INTERNAL_VIDEO
:
89 case nsIContentPolicy::TYPE_INTERNAL_TRACK
:
91 case nsIContentPolicy::TYPE_WEBSOCKET
:
93 case nsIContentPolicy::TYPE_CSP_REPORT
:
95 case nsIContentPolicy::TYPE_XSLT
:
97 case nsIContentPolicy::TYPE_BEACON
:
99 case nsIContentPolicy::TYPE_FETCH
:
100 case nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD
:
102 case nsIContentPolicy::TYPE_WEB_MANIFEST
:
103 return "manifest"_ns
;
104 case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD
:
106 case nsIContentPolicy::TYPE_SPECULATIVE
:
108 case nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA
:
110 case nsIContentPolicy::TYPE_WEB_IDENTITY
:
111 return "webidentity"_ns
;
112 case nsIContentPolicy::TYPE_WEB_TRANSPORT
:
113 return "webtransport"_ns
;
// TYPE_END and TYPE_INVALID have no visible return; presumably they leave the
// switch and reach the MOZ_CRASH below -- confirm against the full file.
114 case nsIContentPolicy::TYPE_END
:
115 case nsIContentPolicy::TYPE_INVALID
:
117 // Do not add default: so that compilers can catch the missing case.
// Without a `default:` label, a newly added policy type that is not mapped
// here is reported at build time instead of silently getting a destination.
// A value that still gets past every case aborts via MOZ_CRASH rather than
// sending a guessed Sec-Fetch-Dest value.
120 MOZ_CRASH("Unhandled nsContentPolicyType value");
123 // Helper function to determine if an ExpandedPrincipal is of the same-origin as
124 // a URI in the sec-fetch context.
//
// Walks the expanded principal's AllowList() and asks the first principal that
// has no AddonPolicy() whether it is same-origin with aURI. The answer is
// written through aRes, which is forwarded to IsSameOrigin below.
// NOTE(review): the declaration of aRes and the early `return` mentioned in
// the inline comment sit on lines this listing does not show (gutter 127-128
// and 136-139); confirm aRes is initialised before the loop so that an allow
// list containing only extension principals yields "not same-origin".
125 void IsExpandedPrincipalSameOrigin(
126 nsCOMPtr
<nsIExpandedPrincipal
> aExpandedPrincipal
, nsIURI
* aURI
,
129 for (const auto& principal
: aExpandedPrincipal
->AllowList()) {
130 // Ignore extension principals to continue treating
131 // "moz-extension:"-requests as not "same-origin".
132 if (!mozilla::BasePrincipal::Cast(principal
)->AddonPolicy()) {
133 // An ExpandedPrincipal usually has at most one ContentPrincipal, so we can
134 // check IsSameOrigin on it here and return early.
135 mozilla::BasePrincipal::Cast(principal
)->IsSameOrigin(aURI
, aRes
);
141 // Helper function to determine whether a request (including involved
142 // redirects) is same-origin in the context of SecFetch.
//
// The comparison is made between the load's triggering principal and the
// channel's final URI (NS_GetFinalChannelURI), and then between every
// principal recorded in the redirect chain and that same URI.
// NOTE(review): several lines of this function (gutter 150, 155-156, 162,
// 164-165, 168-171, 178-185) are missing from this listing, so the exact
// return statements cannot be confirmed from this page.
143 bool IsSameOrigin(nsIHttpChannel
* aHTTPChannel
) {
144 nsCOMPtr
<nsIURI
> channelURI
;
145 NS_GetFinalChannelURI(aHTTPChannel
, getter_AddRefs(channelURI
));
147 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
// Extension-triggered loads are decided first. The rest of this condition is
// not visible here; per the comment below it selects triggering principals
// that belong to an extension.
149 if (mozilla::BasePrincipal::Cast(loadInfo
->TriggeringPrincipal())
151 // If an extension triggered the load that has access to the URI then the
152 // load is considered as same-origin.
153 return mozilla::BasePrincipal::Cast(loadInfo
->TriggeringPrincipal())
154 ->AddonAllowsLoad(channelURI
);
157 bool isSameOrigin
= false;
// Expanded principals are checked through their allow list; every other
// principal is compared with the final URI directly.
158 if (nsContentUtils::IsExpandedPrincipal(loadInfo
->TriggeringPrincipal())) {
159 nsCOMPtr
<nsIExpandedPrincipal
> ep
=
160 do_QueryInterface(loadInfo
->TriggeringPrincipal());
161 IsExpandedPrincipalSameOrigin(ep
, channelURI
, &isSameOrigin
);
163 isSameOrigin
= loadInfo
->TriggeringPrincipal()->IsSameOrigin(channelURI
);
166 // if the initial request is not same-origin, we can return here
167 // because we already know it's not a same-origin request
172 // let's further check all the hops in the redirectChain to
173 // ensure all involved redirects are same-origin
174 nsCOMPtr
<nsIPrincipal
> redirectPrincipal
;
175 for (nsIRedirectHistoryEntry
* entry
: loadInfo
->RedirectChain()) {
// NOTE(review): the result of GetPrincipal is not inspected in the visible
// lines, and an entry whose principal comes back null is skipped rather than
// treated as cross-origin. Confirm this fail-open choice is intended, since
// the outcome feeds the Sec-Fetch-Site value set by AddSecFetchSite.
176 entry
->GetPrincipal(getter_AddRefs(redirectPrincipal
));
177 if (redirectPrincipal
&& !redirectPrincipal
->IsSameOrigin(channelURI
)) {
182 // must be a same-origin request
186 // Helper function to determine whether a request (including involved
187 // redirects) is same-site in the context of SecFetch.
//
// "Same-site" here means: the triggering principal's base domain equals the
// base domain of the channel's final URI, the triggering principal is https
// (a loopback-host exemption is checked via nsMixedContentBlocker), and every
// redirect-chain principal has the same base domain and an https scheme.
// NOTE(review): the parameter is declared as nsIChannel* although it is named
// aHTTPChannel. Lines with gutter numbers 192-194, 211-214 and 224-232 are
// missing from this listing, so the return statements are not visible.
188 bool IsSameSite(nsIChannel
* aHTTPChannel
) {
189 nsCOMPtr
<mozIThirdPartyUtil
> thirdPartyUtil
=
190 do_GetService(THIRDPARTYUTIL_CONTRACTID
);
// The branch body for an unavailable service is not shown; confirm it reports
// "not same-site" so that a missing service cannot upgrade the header value.
191 if (!thirdPartyUtil
) {
195 nsAutoCString hostDomain
;
196 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
197 nsresult rv
= loadInfo
->TriggeringPrincipal()->GetBaseDomain(hostDomain
);
// NOTE(review): a failed lookup only produces a warning. If both this call and
// the GetBaseDomain call on the channel URI below fail, both strings may stay
// empty and compare equal -- confirm the lines not shown here guard that case.
198 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
200 nsAutoCString channelDomain
;
201 nsCOMPtr
<nsIURI
> channelURI
;
202 NS_GetFinalChannelURI(aHTTPChannel
, getter_AddRefs(channelURI
));
203 rv
= thirdPartyUtil
->GetBaseDomain(channelURI
, channelDomain
);
204 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
206 // if the initial request is not same-site, or not https, we can
207 // return here because we already know it's not a same-site request
208 if (!hostDomain
.Equals(channelDomain
) ||
209 (!loadInfo
->TriggeringPrincipal()->SchemeIs("https") &&
210 !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
215 // let's further check all the hops in the redirectChain to
216 // ensure all involved redirects are same-site and https
217 nsCOMPtr
<nsIPrincipal
> redirectPrincipal
;
218 for (nsIRedirectHistoryEntry
* entry
: loadInfo
->RedirectChain()) {
219 entry
->GetPrincipal(getter_AddRefs(redirectPrincipal
));
// A null principal for an entry is skipped, not treated as cross-site.
220 if (redirectPrincipal
) {
// NOTE(review): hostDomain is reused from the previous step and the return
// value of GetBaseDomain is ignored; if the call fails without touching the
// string, the earlier (matching) value would be compared again -- confirm.
221 redirectPrincipal
->GetBaseDomain(hostDomain
);
// Unlike the initial check above, no loopback exemption is visible for
// redirect entries: the visible condition requires https outright.
222 if (!hostDomain
.Equals(channelDomain
) ||
223 !redirectPrincipal
->SchemeIs("https")) {
229 // must be a same-site request
233 // Helper function to determine whether a request was triggered
234 // by the end user in the context of SecFetch.
//
// AddSecFetchSite consults this predicate before it writes the Sec-Fetch-Site
// header. The checks run in this order: system-principal load of TYPE_OTHER,
// content type is document/subdocument, load triggered from an external
// application, valid user-gesture activation, meta refresh, and finally
// whether the ReferrerInfo carries an original referrer.
// NOTE(review): the body of every `if` below (gutter 248-250, 255-257,
// 261-263, 266-268, 272-274, 283-288) and the opening and closing lines of the
// block comment (gutter 236 and 241) are missing from this listing, so the
// value each branch returns is not visible here; the inline comments are the
// only evidence of the intended result.
235 bool IsUserTriggeredForSecFetchSite(nsIHttpChannel
* aHTTPChannel
) {
237 * The goal is to distinguish between "webby" navigations that are controlled
238 * by a given website (e.g. links, the window.location setter,form
239 * submissions, etc.), and those that are not (e.g. user interaction with a
240 * user agent’s address bar, bookmarks, etc).
242 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
243 ExtContentPolicyType contentType
= loadInfo
->GetExternalContentPolicyType();
245 // A request issued by the browser is always user initiated.
246 if (loadInfo
->TriggeringPrincipal()->IsSystemPrincipal() &&
247 contentType
== ExtContentPolicy::TYPE_OTHER
) {
251 // only requests which result in type "document" are subject to
252 // user initiated actions in the context of SecFetch.
253 if (contentType
!= ExtContentPolicy::TYPE_DOCUMENT
&&
254 contentType
!= ExtContentPolicy::TYPE_SUBDOCUMENT
) {
258 // The load is considered user triggered if it was triggered by an external
260 if (loadInfo
->GetLoadTriggeredFromExternal()) {
264 // sec-fetch-site can only be user triggered if the load was user triggered.
265 if (!loadInfo
->GetHasValidUserGestureActivation()) {
269 // We can assert that the navigation must be "webby" if the load was triggered
270 // by a meta refresh. See also Bug 1647128.
271 if (loadInfo
->GetIsMetaRefresh()) {
275 // All web requests have a valid "original" referrer set in the
276 // ReferrerInfo which we can use to determine whether a request
277 // was triggered by a user or not.
// NOTE(review): referrerInfo is dereferenced on the next visible statement; a
// null check, if any, would be on gutter line 279, which is not shown.
278 nsCOMPtr
<nsIReferrerInfo
> referrerInfo
= aHTTPChannel
->GetReferrerInfo();
280 nsCOMPtr
<nsIURI
> originalReferrer
;
281 referrerInfo
->GetOriginalReferrer(getter_AddRefs(originalReferrer
));
// Presumably a present original referrer marks the navigation as site-driven
// ("webby") and therefore not user triggered -- confirm against the full file.
282 if (originalReferrer
) {
// Sets the "Sec-Fetch-Dest" request header on aHTTPChannel. The value is
// derived from the load's internal content policy type through
// MapInternalContentPolicyTypeToDest.
290 void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel
* aHTTPChannel
) {
291 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
292 nsContentPolicyType contentType
= loadInfo
->InternalContentPolicyType();
293 nsCString dest
= MapInternalContentPolicyTypeToDest(contentType
);
// The third argument is the merge flag of nsIHttpChannel::SetRequestHeader;
// `false` replaces any value already present instead of appending to it.
// `rv` is declared on a line this listing does not show (gutter 294-295).
296 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Dest"_ns
, dest
, false);
// A failure to set the header is only warned about; the request proceeds.
297 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
// Sets the "Sec-Fetch-Mode" request header on aHTTPChannel. The value starts
// as "no-cors", is adjusted from the load's security mode, and is finally
// overridden to "navigate" or "websocket" for the matching external content
// policy types.
// NOTE(review): several lines (gutter 306-307, 313-314, 317-318, 320, 323-324,
// 331-333) are missing from this listing, including the start of the first
// condition, the value assigned in the CORS branch and the name of the macro
// that carries the "unhandled security mode" message.
300 void mozilla::dom::SecFetch::AddSecFetchMode(nsIHttpChannel
* aHTTPChannel
) {
301 nsAutoCString
mode("no-cors");
303 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
304 uint32_t securityMode
= loadInfo
->GetSecurityMode();
305 ExtContentPolicyType externalType
= loadInfo
->GetExternalContentPolicyType();
// Both same-origin security modes map to the "same-origin" header value.
308 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT
||
309 securityMode
== nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED
) {
310 mode
= "same-origin"_ns
;
311 } else if (securityMode
==
312 nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT
) {
315 // If it's not one of the security modes above, then we ensure it's
316 // at least one of the others defined in nsILoadInfo
// For the two cross-origin modes named below no assignment is visible, so the
// initial "no-cors" value appears to be kept -- confirm against the full file.
319 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT
||
321 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL
,
322 "unhandled security mode");
// The content type wins over the security mode: document, subdocument and
// object loads are reported as "navigate", websocket loads as "websocket".
325 if (externalType
== ExtContentPolicy::TYPE_DOCUMENT
||
326 externalType
== ExtContentPolicy::TYPE_SUBDOCUMENT
||
327 externalType
== ExtContentPolicy::TYPE_OBJECT
) {
328 mode
= "navigate"_ns
;
329 } else if (externalType
== ExtContentPolicy::TYPE_WEBSOCKET
) {
330 mode
= "websocket"_ns
;
// The third argument is the merge flag of nsIHttpChannel::SetRequestHeader;
// `false` replaces any value already present instead of appending to it.
334 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Mode"_ns
, mode
, false);
// A failure to set the header is only warned about; the request proceeds.
335 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
// Sets the "Sec-Fetch-Site" request header on aHTTPChannel. The value starts
// as "same-origin" and is changed to "same-site" or "cross-site" depending on
// IsSameOrigin and IsSameSite; IsUserTriggeredForSecFetchSite is consulted
// last, before the header is written.
// NOTE(review): the conditions around the two assignments (gutter 342, 344,
// 346, 348-350) and the body of the user-triggered branch (gutter 352-355)
// are missing from this listing. The Fetch Metadata specification uses the
// value "none" for user-initiated navigations; presumably that is what the
// hidden branch assigns -- confirm against the full file.
338 void mozilla::dom::SecFetch::AddSecFetchSite(nsIHttpChannel
* aHTTPChannel
) {
339 nsAutoCString
site("same-origin");
341 bool isSameOrigin
= IsSameOrigin(aHTTPChannel
);
343 bool isSameSite
= IsSameSite(aHTTPChannel
);
345 site
= "same-site"_ns
;
347 site
= "cross-site"_ns
;
351 if (IsUserTriggeredForSecFetchSite(aHTTPChannel
)) {
// The third argument is the merge flag of nsIHttpChannel::SetRequestHeader;
// `false` replaces any value already present instead of appending to it.
356 aHTTPChannel
->SetRequestHeader("Sec-Fetch-Site"_ns
, site
, false);
// A failure to set the header is only warned about; the request proceeds.
357 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
// Sets the "Sec-Fetch-User" request header to "?1" on aHTTPChannel. Per the
// inline comments this applies only to document and subdocument loads that
// were triggered by the user or by an external application.
// NOTE(review): the bodies of both guards (gutter 367-369 and 374-376) are not
// shown in this listing; presumably each returns without setting the header.
360 void mozilla::dom::SecFetch::AddSecFetchUser(nsIHttpChannel
* aHTTPChannel
) {
361 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
362 ExtContentPolicyType externalType
= loadInfo
->GetExternalContentPolicyType();
364 // sec-fetch-user only applies to loads of type document or subdocument
365 if (externalType
!= ExtContentPolicy::TYPE_DOCUMENT
&&
366 externalType
!= ExtContentPolicy::TYPE_SUBDOCUMENT
) {
370 // sec-fetch-user only applies if the request is user triggered.
371 // requests triggered by an external application are considered user triggered.
372 if (!loadInfo
->GetLoadTriggeredFromExternal() &&
373 !loadInfo
->GetHasValidUserGestureActivation()) {
// "?1" is the only value written by this function.
377 nsAutoCString
user("?1");
// The third argument is the merge flag of nsIHttpChannel::SetRequestHeader;
// `false` replaces any value already present instead of appending to it.
379 aHTTPChannel
->SetRequestHeader("Sec-Fetch-User"_ns
, user
, false);
// A failure to set the header is only warned about; the request proceeds.
380 mozilla::Unused
<< NS_WARN_IF(NS_FAILED(rv
));
// Entry point: adds the four Sec-Fetch-* request headers (Dest, Mode, Site,
// User) to aHTTPChannel, in that order.
//
// Two gates are visible before the headers are added: the channel URI must be
// a potentially trustworthy origin, and loads by the system principal of type
// fetch or XMLHttpRequest are singled out. Server-side policies that consume
// these headers therefore need a defined behaviour for requests that arrive
// without them.
// NOTE(review): the bodies of the guards (gutter 387-389, 393-395, 403-406)
// are missing from this listing; presumably each returns early without adding
// any header -- confirm against the full file.
383 void mozilla::dom::SecFetch::AddSecFetchHeader(nsIHttpChannel
* aHTTPChannel
) {
384 nsCOMPtr
<nsIURI
> uri
;
385 nsresult rv
= aHTTPChannel
->GetURI(getter_AddRefs(uri
));
386 if (NS_WARN_IF(NS_FAILED(rv
))) {
390 // if we are not dealing with a potentially trustworthy URL, then
391 // there is nothing to do here
392 if (!nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(uri
)) {
396 // If we're dealing with a system XMLHttpRequest or fetch, don't add
398 nsCOMPtr
<nsILoadInfo
> loadInfo
= aHTTPChannel
->LoadInfo();
399 if (loadInfo
->TriggeringPrincipal()->IsSystemPrincipal()) {
400 ExtContentPolicy extType
= loadInfo
->GetExternalContentPolicyType();
401 if (extType
== ExtContentPolicy::TYPE_FETCH
||
402 extType
== ExtContentPolicy::TYPE_XMLHTTPREQUEST
) {
// Each helper sets one header and only warns if setting it fails.
407 AddSecFetchDest(aHTTPChannel
);
408 AddSecFetchMode(aHTTPChannel
);
409 AddSecFetchSite(aHTTPChannel
);
410 AddSecFetchUser(aHTTPChannel
);