1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "SecFetch.h"
8 #include "nsIHttpChannel.h"
9 #include "nsContentUtils.h"
10 #include "nsIRedirectHistoryEntry.h"
11 #include "nsIReferrerInfo.h"
12 #include "mozIThirdPartyUtil.h"
13 #include "nsMixedContentBlocker.h"
14 #include "nsNetUtil.h"
15 #include "mozilla/BasePrincipal.h"
16 #include "mozilla/StaticPrefs_dom.h"
// Maps an internal content policy type onto the token carried by the
// Sec-Fetch-Dest request header.
//
// Types for which the Fetch spec defines no dedicated destination (fetch,
// XHR, beacon, ping, DTDs, downloads, speculative connects, ...) are
// reported as "empty". TYPE_INVALID is not a legal input and trips
// MOZ_CRASH below.
//
// The switch intentionally has no `default:` label so that the compiler
// flags any nsContentPolicyType added later that is not mapped here.
nsCString MapInternalContentPolicyTypeToDest(nsContentPolicyType aType) {
  switch (aType) {
    // Requests without a dedicated destination.
    case nsIContentPolicy::TYPE_OTHER:
    case nsIContentPolicy::TYPE_PING:
    case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
    case nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST:
    case nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE:
    case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST:
    case nsIContentPolicy::TYPE_DTD:
    case nsIContentPolicy::TYPE_INTERNAL_DTD:
    case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
    case nsIContentPolicy::TYPE_MEDIA:
    case nsIContentPolicy::TYPE_BEACON:
    case nsIContentPolicy::TYPE_FETCH:
    case nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD:
    case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD:
    case nsIContentPolicy::TYPE_SPECULATIVE:
    case nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA:
      return "empty"_ns;

    // Scripts of every flavour, classic and module, preloaded or not.
    case nsIContentPolicy::TYPE_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_MODULE:
    case nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS:
    case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT:
    case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT:
      return "script"_ns;

    // Workers and worklets each have their own destination token.
    case nsIContentPolicy::TYPE_INTERNAL_WORKER:
      return "worker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER:
      return "sharedworker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER:
      return "serviceworker"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_AUDIOWORKLET:
      return "audioworklet"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET:
      return "paintworklet"_ns;

    // Images, including favicons and <picture>/srcset image sets.
    case nsIContentPolicy::TYPE_IMAGE:
    case nsIContentPolicy::TYPE_IMAGESET:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD:
    case nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON:
      return "image"_ns;

    // Stylesheets.
    case nsIContentPolicy::TYPE_STYLESHEET:
    case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET:
    case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD:
      return "style"_ns;

    // Fonts, including those loaded by the UA itself.
    case nsIContentPolicy::TYPE_FONT:
    case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD:
    case nsIContentPolicy::TYPE_UA_FONT:
      return "font"_ns;

    // Plugin-style embedding.
    case nsIContentPolicy::TYPE_OBJECT:
    case nsIContentPolicy::TYPE_INTERNAL_OBJECT:
      return "object"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_EMBED:
      return "embed"_ns;

    // Navigations: top-level documents and nested browsing contexts.
    case nsIContentPolicy::TYPE_DOCUMENT:
      return "document"_ns;
    case nsIContentPolicy::TYPE_SUBDOCUMENT:
    case nsIContentPolicy::TYPE_INTERNAL_IFRAME:
      return "iframe"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_FRAME:
      return "frame"_ns;

    // Media elements. Note that the generic TYPE_MEDIA maps to "empty"
    // above; only the element-specific internal types carry a token.
    case nsIContentPolicy::TYPE_INTERNAL_AUDIO:
      return "audio"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_VIDEO:
      return "video"_ns;
    case nsIContentPolicy::TYPE_INTERNAL_TRACK:
      return "track"_ns;

    // Remaining single-purpose destinations.
    case nsIContentPolicy::TYPE_WEBSOCKET:
      return "websocket"_ns;
    case nsIContentPolicy::TYPE_CSP_REPORT:
      return "report"_ns;
    case nsIContentPolicy::TYPE_XSLT:
      return "xslt"_ns;
    case nsIContentPolicy::TYPE_WEB_MANIFEST:
      return "manifest"_ns;

    case nsIContentPolicy::TYPE_INVALID:
      break;
      // Do not add default: so that compilers can catch the missing case.
  }
  MOZ_CRASH("Unhandled nsContentPolicyType value");
}
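// Helper function to determine whether an ExpandedPrincipal is same-origin
// with aURI in the sec-fetch context.
//
// Extension principals in the allow list are skipped so that
// "moz-extension:"-triggered requests keep being reported as not
// same-origin; the first non-extension principal decides the answer
// (an ExpandedPrincipal usually carries at most one ContentPrincipal).
//
// aExpandedPrincipal: the expanded triggering principal.
// aURI:               the (final) channel URI to compare against.
// aIsPrivateWin:      whether the load happens in a private window.
// aRes:               out-param; set to false unless a same-origin
//                     non-extension principal is found.
//
// Any failure (null inputs, IsSameOrigin() returning an error) leaves *aRes
// false, i.e. the comparison fails closed towards "not same-origin".
void IsExpandedPrincipalSameOrigin(
    nsCOMPtr<nsIExpandedPrincipal> aExpandedPrincipal, nsIURI* aURI,
    bool aIsPrivateWin, bool* aRes) {
  *aRes = false;
  if (!aExpandedPrincipal || !aURI) {
    // Nothing to compare against: fail closed.
    return;
  }
  for (const auto& principal : aExpandedPrincipal->AllowList()) {
    auto* basePrincipal = mozilla::BasePrincipal::Cast(principal);
    // Ignore extension principals to continue treating
    // "moz-extension:"-requests as not "same-origin".
    if (basePrincipal->AddonPolicy()) {
      continue;
    }
    nsresult rv = basePrincipal->IsSameOrigin(aURI, aIsPrivateWin, aRes);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      // Do not trust whatever a failed call left in the out-param.
      *aRes = false;
    }
    return;
  }
}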
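// Helper function to determine whether a request (including every hop in
// its redirect chain) is same-origin in the context of SecFetch.
//
// The final channel URI is compared against the triggering principal and
// then against the principal of each redirect entry; all of them must be
// same-origin for the request to count as same-origin.
//
// Extension-triggered loads are special-cased: they are same-origin iff the
// extension is allowed to load the URI.
//
// Every error path fails closed (returns false): Sec-Fetch-Site is consumed
// by servers as a trust signal, so an unresolved comparison must never be
// reported as "same-origin".
bool IsSameOrigin(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsIURI> channelURI;
  nsresult rv =
      NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
  if (NS_WARN_IF(NS_FAILED(rv)) || !channelURI) {
    // Without a URI to compare against we cannot establish same-origin-ness.
    return false;
  }

  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();

  if (mozilla::BasePrincipal::Cast(triggeringPrincipal)->AddonPolicy()) {
    // If an extension triggered the load and has access to the URI then the
    // load is considered same-origin.
    return mozilla::BasePrincipal::Cast(triggeringPrincipal)
        ->AddonAllowsLoad(channelURI);
  }

  bool isPrivateWin = loadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
  bool isSameOrigin = false;
  if (nsContentUtils::IsExpandedPrincipal(triggeringPrincipal)) {
    nsCOMPtr<nsIExpandedPrincipal> ep = do_QueryInterface(triggeringPrincipal);
    IsExpandedPrincipalSameOrigin(ep, channelURI, isPrivateWin, &isSameOrigin);
  } else {
    rv = triggeringPrincipal->IsSameOrigin(channelURI, isPrivateWin,
                                           &isSameOrigin);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      return false;
    }
  }

  // If the initial request is not same-origin we are done.
  if (!isSameOrigin) {
    return false;
  }

  // Every hop in the redirect chain must be same-origin as well; a single
  // cross-origin redirect makes the whole request cross-origin.
  nsCOMPtr<nsIPrincipal> redirectPrincipal;
  for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
    entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
    if (!redirectPrincipal) {
      continue;
    }
    // Reset so a failed IsSameOrigin() cannot leave the previous hop's
    // "true" in place.
    isSameOrigin = false;
    rv = redirectPrincipal->IsSameOrigin(channelURI, isPrivateWin,
                                         &isSameOrigin);
    if (NS_WARN_IF(NS_FAILED(rv)) || !isSameOrigin) {
      return false;
    }
  }

  // Initial request and all redirects are same-origin.
  return true;
}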
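// Helper function to determine whether a request (including every hop in
// its redirect chain) is same-site in the context of SecFetch.
//
// "Same-site" here means: the triggering principal, the final channel URI
// and every redirect principal share the same registrable (base) domain,
// and the triggering principal as well as every redirect hop is https.
//
// Every error path fails closed (returns false). In particular a failed
// GetBaseDomain() must not leave an empty or stale domain string that then
// compares equal to the channel's domain and yields a spurious "same-site".
bool IsSameSite(nsIChannel* aHTTPChannel) {
  nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
      do_GetService(THIRDPARTYUTIL_CONTRACTID);
  if (!thirdPartyUtil) {
    return false;
  }

  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();

  // A non-https initiator can never be same-site; check this before doing
  // any domain lookups.
  if (!triggeringPrincipal->SchemeIs("https")) {
    return false;
  }

  nsAutoCString hostDomain;
  nsresult rv = triggeringPrincipal->GetBaseDomain(hostDomain);
  if (NS_WARN_IF(NS_FAILED(rv)) || hostDomain.IsEmpty()) {
    return false;
  }

  nsCOMPtr<nsIURI> channelURI;
  rv = NS_GetFinalChannelURI(aHTTPChannel, getter_AddRefs(channelURI));
  if (NS_WARN_IF(NS_FAILED(rv)) || !channelURI) {
    return false;
  }

  nsAutoCString channelDomain;
  rv = thirdPartyUtil->GetBaseDomain(channelURI, channelDomain);
  if (NS_WARN_IF(NS_FAILED(rv)) || channelDomain.IsEmpty()) {
    return false;
  }

  // If the initial request is not same-site we are done.
  if (!hostDomain.Equals(channelDomain)) {
    return false;
  }

  // Every hop in the redirect chain must be same-site and https as well.
  // A dedicated string is used per hop so that a failed lookup cannot reuse
  // the (already matching) domain of the triggering principal.
  nsAutoCString redirectDomain;
  nsCOMPtr<nsIPrincipal> redirectPrincipal;
  for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
    entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
    if (!redirectPrincipal) {
      continue;
    }
    if (!redirectPrincipal->SchemeIs("https")) {
      return false;
    }
    rv = redirectPrincipal->GetBaseDomain(redirectDomain);
    if (NS_WARN_IF(NS_FAILED(rv)) || !redirectDomain.Equals(channelDomain)) {
      return false;
    }
  }

  // Initial request and all redirects are same-site and https.
  return true;
}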
// Helper function to determine whether a request was triggered by the end
// user (as opposed to by a web page) in the context of SecFetch.
//
// The goal is to distinguish "webby" navigations that a website controls
// (links, the window.location setter, form submissions, ...) from those it
// does not (address bar, bookmarks, external applications, ...). Only the
// latter are reported as Sec-Fetch-Site: none.
//
// Decision order matters: each check below either settles the answer or
// hands over to the next, more specific one.
bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const ExtContentPolicyType policyType =
      loadInfo->GetExternalContentPolicyType();

  // Loads issued by the browser itself (system principal, TYPE_OTHER) are
  // always user initiated.
  const bool browserInternal =
      loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
      policyType == ExtContentPolicy::TYPE_OTHER;
  if (browserInternal) {
    return true;
  }

  // Only navigations (document / subdocument) can be user triggered in the
  // SecFetch sense; every other request type is page controlled.
  const bool isNavigation = policyType == ExtContentPolicy::TYPE_DOCUMENT ||
                            policyType == ExtContentPolicy::TYPE_SUBDOCUMENT;
  if (!isNavigation) {
    return false;
  }

  // A navigation handed to us by an external application counts as user
  // triggered.
  if (loadInfo->GetLoadTriggeredFromExternal()) {
    return true;
  }

  // Without a valid user gesture the navigation cannot be user triggered.
  if (!loadInfo->GetHasValidUserGestureActivation()) {
    return false;
  }

  // A meta refresh is always page controlled ("webby"), even if a gesture
  // activation is still valid. See also Bug 1647128.
  if (loadInfo->GetIsMetaRefresh()) {
    return false;
  }

  // Web-initiated requests carry an "original" referrer in their
  // ReferrerInfo; its presence tells a page-triggered navigation apart from
  // a user-triggered one.
  nsCOMPtr<nsIURI> originalReferrer;
  nsCOMPtr<nsIReferrerInfo> referrerInfo = aHTTPChannel->GetReferrerInfo();
  if (referrerInfo) {
    referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
  }
  return !originalReferrer;
}
// Sets the Sec-Fetch-Dest request header on aHTTPChannel, derived from the
// channel's internal content policy type. A failure to set the header is
// only warned about; the request proceeds without it.
void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const nsCString destination =
      MapInternalContentPolicyTypeToDest(loadInfo->InternalContentPolicyType());

  // Replace (not merge) any previous value of the header.
  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Dest"_ns, destination, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets the Sec-Fetch-Mode request header on aHTTPChannel.
//
// The mode is first derived from the LoadInfo security mode ("same-origin",
// "cors", otherwise "no-cors") and then overridden by the external content
// type for navigations ("navigate") and WebSocket handshakes ("websocket").
// A failure to set the header is only warned about.
void mozilla::dom::SecFetch::AddSecFetchMode(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const uint32_t securityMode = loadInfo->GetSecurityMode();
  const ExtContentPolicyType externalType =
      loadInfo->GetExternalContentPolicyType();

  nsAutoCString mode;
  switch (securityMode) {
    case nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT:
    case nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED:
      mode.AssignLiteral("same-origin");
      break;
    case nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT:
      mode.AssignLiteral("cors");
      break;
    default:
      // Anything else must be one of the two cross-origin modes defined in
      // nsILoadInfo; those are reported as "no-cors".
      MOZ_ASSERT(
          securityMode ==
                  nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
              securityMode ==
                  nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
          "unhandled security mode");
      mode.AssignLiteral("no-cors");
      break;
  }

  // The request type takes precedence over the security mode.
  const bool isNavigation = externalType == ExtContentPolicy::TYPE_DOCUMENT ||
                            externalType == ExtContentPolicy::TYPE_SUBDOCUMENT ||
                            externalType == ExtContentPolicy::TYPE_OBJECT;
  if (isNavigation) {
    mode.AssignLiteral("navigate");
  } else if (externalType == ExtContentPolicy::TYPE_WEBSOCKET) {
    mode.AssignLiteral("websocket");
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Mode"_ns, mode, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets the Sec-Fetch-Site request header on aHTTPChannel.
//
// Precedence: a user-triggered request is reported as "none" regardless of
// origin relationship; otherwise the value is "same-origin", "same-site" or
// "cross-site" depending on the (redirect-aware) comparison helpers above.
// A failure to set the header is only warned about.
void mozilla::dom::SecFetch::AddSecFetchSite(nsIHttpChannel* aHTTPChannel) {
  nsAutoCString site;
  if (IsUserTriggeredForSecFetchSite(aHTTPChannel)) {
    site.AssignLiteral("none");
  } else if (IsSameOrigin(aHTTPChannel)) {
    site.AssignLiteral("same-origin");
  } else if (IsSameSite(aHTTPChannel)) {
    site.AssignLiteral("same-site");
  } else {
    site.AssignLiteral("cross-site");
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-Site"_ns, site, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Sets "Sec-Fetch-User: ?1" on aHTTPChannel when the request is a navigation
// (document or subdocument) that was triggered by the user, either through a
// valid user gesture activation or by an external application. For any other
// request the header is left unset. A failure to set the header is only
// warned about.
void mozilla::dom::SecFetch::AddSecFetchUser(nsIHttpChannel* aHTTPChannel) {
  nsCOMPtr<nsILoadInfo> loadInfo = aHTTPChannel->LoadInfo();
  const ExtContentPolicyType externalType =
      loadInfo->GetExternalContentPolicyType();

  const bool isNavigation = externalType == ExtContentPolicy::TYPE_DOCUMENT ||
                            externalType == ExtContentPolicy::TYPE_SUBDOCUMENT;
  if (!isNavigation) {
    return;
  }

  const bool userTriggered = loadInfo->GetLoadTriggeredFromExternal() ||
                             loadInfo->GetHasValidUserGestureActivation();
  if (!userTriggered) {
    return;
  }

  const nsresult rv =
      aHTTPChannel->SetRequestHeader("Sec-Fetch-User"_ns, "?1"_ns, false);
  mozilla::Unused << NS_WARN_IF(NS_FAILED(rv));
}
// Entry point: adds the Sec-Fetch-Dest/Mode/Site/User request headers to
// aHTTPChannel.
//
// Nothing is added when the feature is pref'd off
// (dom.security.secFetch.enabled), when the channel URI cannot be obtained,
// or when the URI is not a potentially trustworthy origin (the headers are
// only defined for such requests).
void mozilla::dom::SecFetch::AddSecFetchHeader(nsIHttpChannel* aHTTPChannel) {
  if (!StaticPrefs::dom_security_secFetch_enabled()) {
    return;
  }

  nsCOMPtr<nsIURI> channelURI;
  const nsresult rv = aHTTPChannel->GetURI(getter_AddRefs(channelURI));
  if (NS_WARN_IF(NS_FAILED(rv))) {
    return;
  }

  // Sec-Fetch-* is only ever sent to potentially trustworthy URLs.
  if (!nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(channelURI)) {
    return;
  }

  AddSecFetchDest(aHTTPChannel);
  AddSecFetchMode(aHTTPChannel);
  AddSecFetchSite(aHTTPChannel);
  AddSecFetchUser(aHTTPChannel);
}