1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "SecFetch.h"
8 #include "nsIHttpChannel.h"
9 #include "nsContentUtils.h"
10 #include "nsIRedirectHistoryEntry.h"
11 #include "nsIReferrerInfo.h"
12 #include "mozIThirdPartyUtil.h"
13 #include "nsMixedContentBlocker.h"
14 #include "nsNetUtil.h"
15 #include "mozilla/BasePrincipal.h"
16 #include "mozilla/StaticPrefs_dom.h"
// Helper function which maps an internal content policy type
// to the corresponding destination for the context of SecFetch.
//
// The returned token is the value later sent in the Sec-Fetch-Dest request
// header. Requests without a specific destination are reported as the
// literal token "empty"; those cases are grouped together below.
nsCString MapInternalContentPolicyTypeToDest(nsContentPolicyType aType) {
  switch (aType) {
    // Everything that has no dedicated destination token.
    case nsIContentPolicy::TYPE_OTHER:
    case nsIContentPolicy::TYPE_PING:
    case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
    case nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST:
    case nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE:
    case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST:
    case nsIContentPolicy::TYPE_DTD:
    case nsIContentPolicy::TYPE_INTERNAL_DTD:
    case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
    case nsIContentPolicy::TYPE_MEDIA:
    case nsIContentPolicy::TYPE_WEBSOCKET:
    case nsIContentPolicy::TYPE_BEACON:
    case nsIContentPolicy::TYPE_FETCH:
    case nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD:
    case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD:
    case nsIContentPolicy::TYPE_SPECULATIVE:
    case nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA:
      return "empty"_ns;

    // Scripts of every flavour, including preloads and module loads.
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_MODULE:
    case nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
    case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT:
    case nsIContentPolicy::TYPE_SCRIPT:
      return "script"_ns;

    // Workers and worklets each get their own token.
    case nsIContentPolicy::TYPE_INTERNAL_WORKER:
    case nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE:
      return "worker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER:
      return "sharedworker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER:
      return "serviceworker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_AUDIOWORKLET:
      return "audioworklet"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET:
      return "paintworklet"_ns;

    // Images, including favicons and preloads.
    case nsIContentPolicy::TYPE_IMAGESET:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON:
    case nsIContentPolicy::TYPE_IMAGE:
      return "image"_ns;

    case nsIContentPolicy::TYPE_STYLESHEET:
    case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET:
    case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD:
      return "style"_ns;

    // Plugin-style embeddings.
    case nsIContentPolicy::TYPE_OBJECT:
    case nsIContentPolicy::TYPE_INTERNAL_OBJECT:
      return "object"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_EMBED:
      return "embed"_ns;

    // Navigations: top-level documents and the different frame kinds.
    case nsIContentPolicy::TYPE_DOCUMENT:
      return "document"_ns;
    case nsIContentPolicy::TYPE_SUBDOCUMENT:
    case nsIContentPolicy::TYPE_INTERNAL_IFRAME:
      return "iframe"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_FRAME:
      return "frame"_ns;

    case nsIContentPolicy::TYPE_FONT:
    case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD:
    case nsIContentPolicy::TYPE_UA_FONT:
      return "font"_ns;

    // Media elements are reported per element kind, not as "media".
    case nsIContentPolicy::TYPE_INTERNAL_AUDIO:
      return "audio"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_VIDEO:
      return "video"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_TRACK:
      return "track"_ns;

    case nsIContentPolicy::TYPE_CSP_REPORT:
      return "report"_ns;
    case nsIContentPolicy::TYPE_XSLT:
      return "xslt"_ns;
    case nsIContentPolicy::TYPE_WEB_MANIFEST:
      return "manifest"_ns;
    case nsIContentPolicy::TYPE_WEB_IDENTITY:
      return "webidentity"_ns;
    case nsIContentPolicy::TYPE_WEB_TRANSPORT:
      return "webtransport"_ns;

    // Sentinel values that must never reach this function.
    case nsIContentPolicy::TYPE_END:
    case nsIContentPolicy::TYPE_INVALID:
      break;
      // Do not add default: so that compilers can catch the missing case.
  }
  MOZ_CRASH("Unhandled nsContentPolicyType value");
}
// Helper function to determine if a ExpandedPrincipal is of the same-origin as
// a URI in the sec-fetch context.
//
// The answer is written to *aRes. Only the first non-extension principal of
// the allow list is consulted; when every entry is an extension principal (or
// the list is empty) *aRes stays false.
void IsExpandedPrincipalSameOrigin(
    nsCOMPtr<nsIExpandedPrincipal> aExpandedPrincipal, nsIURI* aURI,
    bool* aRes) {
  *aRes = false;
  for (const auto& allowed : aExpandedPrincipal->AllowList()) {
    auto* basePrincipal = mozilla::BasePrincipal::Cast(allowed);
    // Extension principals are skipped on purpose so that
    // "moz-extension:"-requests keep being treated as not "same-origin".
    if (basePrincipal->AddonPolicy()) {
      continue;
    }
    // An ExpandedPrincipal usually carries at most one ContentPrincipal, so
    // the first one decides the result and we stop here.
    basePrincipal->IsSameOrigin(aURI, aRes);
    return;
  }
}
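// Helper function to determine whether a request (including involved
// redirects) is same-origin in the context of SecFetch.
//
// Returns true only if the triggering principal (or, for a load triggered by
// an extension, the extension's host permissions) and every principal in the
// redirect chain are same-origin with the channel's final URI. When that URI
// cannot be obtained the function answers "not same-origin", so the resulting
// Sec-Fetch-Site value errs toward the more restrictive classification.
bool IsSameOrigin(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsIURI> channelURI;
  nsresult rv =
      NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
  if (NS_WARN_IF(NS_FAILED(rv)) || !channelURI) {
    // Without a final URI there is nothing to compare against; fail closed
    // rather than hand a null URI to the principal checks below.
    return false;
  }

  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();

  if (mozilla::BasePrincipal::Cast(triggeringPrincipal)->AddonPolicy()) {
    // If an extension triggered the load that has access to the URI then the
    // load is considered as same-origin.
    return mozilla::BasePrincipal::Cast(triggeringPrincipal)
        ->AddonAllowsLoad(channelURI);
  }

  bool isSameOrigin = false;
  if (nsContentUtils::IsExpandedPrincipal(triggeringPrincipal)) {
    nsCOMPtr<nsIExpandedPrincipal> ep = do_QueryInterface(triggeringPrincipal);
    IsExpandedPrincipalSameOrigin(ep, channelURI, &isSameOrigin);
  } else {
    isSameOrigin = triggeringPrincipal->IsSameOrigin(channelURI);
  }

  // If the initial request is not same-origin we are done: no redirect can
  // make it same-origin again.
  if (!isSameOrigin) {
    return false;
  }

  // Every hop in the redirect chain must be same-origin as well, otherwise
  // a cross-origin redirect could launder the request into "same-origin".
  for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
    nsCOMPtr<nsIPrincipal> redirectPrincipal;
    entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
    if (redirectPrincipal && !redirectPrincipal->IsSameOrigin(channelURI)) {
      return false;
    }
  }

  // Initial request and all redirects are same-origin.
  return true;
}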
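// Helper function to determine whether a request (including involved
// redirects) is same-site in the context of SecFetch.
//
// "Same-site" here means: the triggering principal and every redirect hop
// share the channel's registrable domain (base domain) AND are https (the
// initial hop may alternatively be a potentially trustworthy loopback host).
// A redirect hop whose base domain cannot be determined is treated as NOT
// same-site: previously the lookup's return value was ignored and the
// comparison silently reused the previous (already matching) domain string,
// which let an undeterminable hop pass the check.
bool IsSameSite(nsIChannel* aHTTPChannel) {
  nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
      do_GetService(THIRDPARTYUTIL_CONTRACTID);
  if (!thirdPartyUtil) {
    return false;
  }

  nsAutoCString hostDomain;
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  nsresult rv = loadInfo->TriggeringPrincipal()->GetBaseDomain(hostDomain);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));

  nsAutoCString channelDomain;
  nsCOMPtr<nsIURI> channelURI;
  rv = NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
  if (NS_WARN_IF(NS_FAILED(rv)) || !channelURI) {
    // No final URI means no base domain to compare against; fail closed.
    return false;
  }
  rv = thirdPartyUtil->GetBaseDomain(channelURI, channelDomain);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));

  // If the initial request is not same-site, or not https (and not a
  // trustworthy loopback host), we already know the answer.
  if (!hostDomain.Equals(channelDomain) ||
      (!loadInfo->TriggeringPrincipal()->SchemeIs("https") &&
       !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
           hostDomain))) {
    return false;
  }

  // Every hop in the redirect chain must be same-site and https too.
  for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
    nsCOMPtr<nsIPrincipal> redirectPrincipal;
    entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
    if (!redirectPrincipal) {
      continue;
    }
    // Use a fresh string per hop so a failed lookup cannot inherit the
    // (matching) domain of the previous hop.
    nsAutoCString redirectDomain;
    rv = redirectPrincipal->GetBaseDomain(redirectDomain);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      return false;
    }
    if (!redirectDomain.Equals(channelDomain) ||
        !redirectPrincipal->SchemeIs("https")) {
      return false;
    }
  }

  // Initial request and all redirects are same-site.
  return true;
}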
// Helper function to determine whether a request was triggered
// by the end user in the context of SecFetch.
//
// Returns true when the navigation should be reported as Sec-Fetch-Site:
// "none", i.e. it did not originate from a web page.
bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
  /*
   * The goal is to distinguish between "webby" navigations that are controlled
   * by a given website (e.g. links, the window.location setter, form
   * submissions, etc.), and those that are not (e.g. user interaction with a
   * user agent's address bar, bookmarks, etc).
   */
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const ExtContentPolicyType contentType =
      loadInfo->GetExternalContentPolicyType();

  // A request issued by the browser itself is always user initiated.
  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
      contentType == ExtContentPolicy::TYPE_OTHER) {
    return true;
  }

  // Only requests which result in type "document" (top-level or sub-document)
  // are subject to user initiated actions in the context of SecFetch.
  const bool isDocumentLoad =
      contentType == ExtContentPolicy::TYPE_DOCUMENT ||
      contentType == ExtContentPolicy::TYPE_SUBDOCUMENT;
  if (!isDocumentLoad) {
    return false;
  }

  // A load handed to us by an external application counts as user triggered.
  if (loadInfo->GetLoadTriggeredFromExternal()) {
    return true;
  }

  // Without a user gesture the load cannot be user triggered, and a meta
  // refresh is by definition "webby" even with one. See also Bug 1647128.
  if (!loadInfo->GetHasValidUserGestureActivation() ||
      loadInfo->GetIsMetaRefresh()) {
    return false;
  }

  // All web requests carry a valid "original" referrer in their ReferrerInfo;
  // its presence therefore tells a page-initiated load from a user one.
  nsCOMPtr<nsIReferrerInfo> referrerInfo = aHTTPChannel->GetReferrerInfo();
  if (!referrerInfo) {
    return true;
  }
  nsCOMPtr<nsIURI> originalReferrer;
  referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
  return !originalReferrer;
}
// Sets the Sec-Fetch-Dest request header from the channel's internal content
// policy type. A failure to set the header is only warned about.
void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const nsCString dest =
      MapInternalContentPolicyTypeToDest(loadInfo->InternalContentPolicyType());

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Dest"_ns, dest, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets the Sec-Fetch-Mode request header. The mode is derived first from the
// load's security mode ("no-cors" by default, "same-origin" or "cors" for the
// matching nsILoadInfo modes) and then overridden for navigations ("navigate")
// and WebSocket handshakes ("websocket"). A failure to set the header is only
// warned about.
void mozilla::dom::SecFetch::AddSecFetchMode(nsIHttpChannel* aHTTPChannel) {
  nsAutoCString mode("no-cors");

  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const uint32_t securityMode = loadInfo->GetSecurityMode();
  const ExtContentPolicyType externalType =
      loadInfo->GetExternalContentPolicyType();

  switch (securityMode) {
    case nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT:
    case nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED:
      mode = "same-origin"_ns;
      break;
    case nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT:
      mode = "cors"_ns;
      break;
    default:
      // Anything else must be one of the remaining modes defined in
      // nsILoadInfo; they all keep the "no-cors" default.
      MOZ_ASSERT(
          securityMode ==
                  nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
              securityMode ==
                  nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
          "unhandled security mode");
      break;
  }

  // Navigations and WebSocket handshakes take precedence over the security
  // mode derived above.
  switch (externalType) {
    case ExtContentPolicy::TYPE_DOCUMENT:
    case ExtContentPolicy::TYPE_SUBDOCUMENT:
    case ExtContentPolicy::TYPE_OBJECT:
      mode = "navigate"_ns;
      break;
    case ExtContentPolicy::TYPE_WEBSOCKET:
      mode = "websocket"_ns;
      break;
    default:
      break;
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Mode"_ns, mode, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets the Sec-Fetch-Site request header: "same-origin", else "same-site",
// else "cross-site"; a user-triggered navigation is always reported as "none".
// A failure to set the header is only warned about.
void mozilla::dom::SecFetch::AddSecFetchSite(nsIHttpChannel* aHTTPChannel) {
  nsAutoCString site("same-origin");

  if (!IsSameOrigin(aHTTPChannel)) {
    site = IsSameSite(aHTTPChannel) ? "same-site"_ns : "cross-site"_ns;
  }

  // User-triggered loads did not come from a web page at all.
  if (IsUserTriggeredForSecFetchSite(aHTTPChannel)) {
    site = "none"_ns;
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Site"_ns, site, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets the Sec-Fetch-User request header ("?1") on document and sub-document
// loads that were triggered by the user, either through a valid user gesture
// or by an external application. Other loads get no header at all. A failure
// to set the header is only warned about.
void mozilla::dom::SecFetch::AddSecFetchUser(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const ExtContentPolicyType externalType =
      loadInfo->GetExternalContentPolicyType();

  const bool isDocumentLoad =
      externalType == ExtContentPolicy::TYPE_DOCUMENT ||
      externalType == ExtContentPolicy::TYPE_SUBDOCUMENT;
  if (!isDocumentLoad) {
    return;
  }

  // Requests triggered by an external application are considered user
  // triggered as well.
  const bool isUserTriggered = loadInfo->GetLoadTriggeredFromExternal() ||
                               loadInfo->GetHasValidUserGestureActivation();
  if (!isUserTriggered) {
    return;
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-User"_ns, "?1"_ns, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Entry point: attaches all Sec-Fetch-* request headers to the channel.
// Nothing is added when the channel URI cannot be read, when the URI is not
// potentially trustworthy, or for system-principal fetch()/XMLHttpRequest
// loads.
void mozilla::dom::SecFetch::AddSecFetchHeader(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsIURI> uri;
  if (NS_WARN_IF(NS_FAILED(aHTTPChannel->GetURI(getter_AddRefs(uri))))) {
    return;
  }

  // Sec-Fetch-* headers are only attached on potentially trustworthy URLs.
  if (!nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(uri)) {
    return;
  }

  // A system XMLHttpRequest or fetch does not get Sec- headers.
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
    const ExtContentPolicy extType = loadInfo->GetExternalContentPolicyType();
    const bool isSystemFetchOrXhr =
        extType == ExtContentPolicy::TYPE_FETCH ||
        extType == ExtContentPolicy::TYPE_XMLHTTPREQUEST;
    if (isSystemFetchOrXhr) {
      return;
    }
  }

  AddSecFetchDest(aHTTPChannel);
  AddSecFetchMode(aHTTPChannel);
  AddSecFetchSite(aHTTPChannel);
  AddSecFetchUser(aHTTPChannel);
}