dom/security/nsCSPContext.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef nsCSPContext_h___
   8 #define nsCSPContext_h___
   9
  10 #include "mozilla/dom/nsCSPUtils.h"
  11 #include "mozilla/dom/SecurityPolicyViolationEvent.h"
  12 #include "mozilla/StaticPrefs_security.h"
  13 #include "nsIChannel.h"
  14 #include "nsIChannelEventSink.h"
  15 #include "nsIContentSecurityPolicy.h"
  16 #include "nsIInterfaceRequestor.h"
  17 #include "nsIStreamListener.h"
  18 #include "nsIWeakReferenceUtils.h"
  19 #include "nsXPCOM.h"
  20
  21 #define NS_CSPCONTEXT_CONTRACTID "@mozilla.org/cspcontext;1"
  22 // 09d9ed1a-e5d4-4004-bfe0-27ceb923d9ac
  23 #define NS_CSPCONTEXT_CID                            \
  24   {                                                  \
  25     0x09d9ed1a, 0xe5d4, 0x4004, {                    \
  26       0xbf, 0xe0, 0x27, 0xce, 0xb9, 0x23, 0xd9, 0xac \
  27     }                                                \
  28   }
  29
  30 class nsINetworkInterceptController;
  31 class nsIEventTarget;
  32 struct ConsoleMsgQueueElem;
  33
  34 namespace mozilla {
  35 namespace dom {
  36 class Element;
  37 }
  38 namespace ipc {
  39 class ContentSecurityPolicy;
  40 }
  41 }  // namespace mozilla
  42
  43 class nsCSPContext : public nsIContentSecurityPolicy {
  44  public:
  45   NS_DECL_ISUPPORTS
  46   NS_DECL_NSICONTENTSECURITYPOLICY
  47   NS_DECL_NSISERIALIZABLE
  48
  49  protected:
  50   virtual ~nsCSPContext();
  51
  52  public:
  53   nsCSPContext();
  54
  55   static bool Equals(nsIContentSecurityPolicy* aCSP,
  56                      nsIContentSecurityPolicy* aOtherCSP);
  57
  58   // Init a CSP from a different CSP
  59   nsresult InitFromOther(nsCSPContext* otherContext);
  60
  61   /**
  62    * SetRequestContextWithDocument() needs to be called before the
  63    * innerWindowID is initialized on the document. Use this function
  64    * to call back to flush queued up console messages and initialize
  65    * the innerWindowID. Node, If SetRequestContextWithPrincipal() was
  66    * called then we do not have a innerWindowID anyway and hence
  67    * we can not flush messages to the correct console.
  68    */
  69   void flushConsoleMessages();
  70
  71   void logToConsole(const char* aName, const nsTArray<nsString>& aParams,
  72                     const nsAString& aSourceName, const nsAString& aSourceLine,
  73                     uint32_t aLineNumber, uint32_t aColumnNumber,
  74                     uint32_t aSeverityFlag);
  75
  76   /**
  77    * Construct SecurityPolicyViolationEventInit structure.
  78    *
  79    * @param aBlockedURI
  80    *        A nsIURI: the source of the violation.
  81    * @param aOriginalUri
  82    *        The original URI if the blocked content is a redirect, else null
  83    * @param aViolatedDirective
  84    *        the directive that was violated (string).
  85    * @param aSourceFile
  86    *        name of the file containing the inline script violation
  87    * @param aScriptSample
  88    *        a sample of the violating inline script
  89    * @param aLineNum
  90    *        source line number of the violation (if available)
  91    * @param aColumnNum
  92    *        source column number of the violation (if available)
  93    * @param aViolationEventInit
  94    *        The output
  95    */
  96   nsresult GatherSecurityPolicyViolationEventData(
  97       nsIURI* aBlockedURI, const nsACString& aBlockedString,
  98       nsIURI* aOriginalURI, nsAString& aViolatedDirective,
  99       uint32_t aViolatedPolicyIndex, nsAString& aSourceFile,
 100       nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum,
 101       mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 102
 103   nsresult SendReports(
 104       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit,
 105       uint32_t aViolatedPolicyIndex);
 106
 107   nsresult FireViolationEvent(
 108       mozilla::dom::Element* aTriggeringElement,
 109       nsICSPEventListener* aCSPEventListener,
 110       const mozilla::dom::SecurityPolicyViolationEventInit&
 111           aViolationEventInit);
 112
 113   enum BlockedContentSource {
 114     eUnknown,
 115     eInline,
 116     eEval,
 117     eSelf,
 118   };
 119
 120   nsresult AsyncReportViolation(
 121       mozilla::dom::Element* aTriggeringElement,
 122       nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI,
 123       BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI,
 124       const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex,
 125       const nsAString& aObserverSubject, const nsAString& aSourceFile,
 126       const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum);
 127
 128   // Hands off! Don't call this method unless you know what you
 129   // are doing. It's only supposed to be called from within
 130   // the principal destructor to avoid a tangling pointer.
 131   void clearLoadingPrincipal() { mLoadingPrincipal = nullptr; }
 132
 133   nsWeakPtr GetLoadingContext() { return mLoadingContext; }
 134
 135   static uint32_t ScriptSampleMaxLength() {
 136     return std::max(
 137         mozilla::StaticPrefs::security_csp_reporting_script_sample_max_length(),
 138         0);
 139   }
 140
 141   void AddIPCPolicy(const mozilla::ipc::ContentSecurityPolicy& aPolicy);
 142   void SerializePolicies(
 143       nsTArray<mozilla::ipc::ContentSecurityPolicy>& aPolicies);
 144
 145  private:
 146   void EnsureIPCPoliciesRead();
 147
 148   bool permitsInternal(CSPDirective aDir,
 149                        mozilla::dom::Element* aTriggeringElement,
 150                        nsICSPEventListener* aCSPEventListener,
 151                        nsIURI* aContentLocation, nsIURI* aOriginalURIIfRedirect,
 152                        const nsAString& aNonce, bool aSpecific,
 153                        bool aSendViolationReports,
 154                        bool aSendContentLocationInViolationReports,
 155                        bool aParserCreated);
 156
 157   // helper to report inline script/style violations
 158   void reportInlineViolation(CSPDirective aDirective,
 159                              mozilla::dom::Element* aTriggeringElement,
 160                              nsICSPEventListener* aCSPEventListener,
 161                              const nsAString& aNonce, const nsAString& aContent,
 162                              const nsAString& aViolatedDirective,
 163                              uint32_t aViolatedPolicyIndex,
 164                              uint32_t aLineNumber, uint32_t aColumnNumber);
 165
 166   nsString mReferrer;
 167   uint64_t mInnerWindowID;          // used for web console logging
 168   bool mSkipAllowInlineStyleCheck;  // used to allow Devtools to edit styles
 169   // When deserializing an nsCSPContext instance, we initially just keep the
 170   // policies unparsed. We will only reconstruct actual CSP policy instances
 171   // when there's an attempt to use the CSP. Given a better way to serialize/
 172   // deserialize individual nsCSPPolicy objects, this performance
 173   // optimization could go away.
 174   nsTArray<mozilla::ipc::ContentSecurityPolicy> mIPCPolicies;
 175   nsTArray<nsCSPPolicy*> mPolicies;
 176   nsCOMPtr<nsIURI> mSelfURI;
 177   nsCOMPtr<nsILoadGroup> mCallingChannelLoadGroup;
 178   nsWeakPtr mLoadingContext;
 179   nsCOMPtr<nsIPrincipal> mLoadingPrincipal;
 180
 181   // helper members used to queue up web console messages till
 182   // the windowID becomes available. see flushConsoleMessages()
 183   nsTArray<ConsoleMsgQueueElem> mConsoleMsgQueue;
 184   bool mQueueUpMessages;
 185   nsCOMPtr<nsIEventTarget> mEventTarget;
 186 };
 187
 188 // Class that listens to violation report transmission and logs errors.
 189 class CSPViolationReportListener : public nsIStreamListener {
 190  public:
 191   NS_DECL_NSISTREAMLISTENER
 192   NS_DECL_NSIREQUESTOBSERVER
 193   NS_DECL_ISUPPORTS
 194
 195  public:
 196   CSPViolationReportListener();
 197
 198  protected:
 199   virtual ~CSPViolationReportListener();
 200 };
 201
 202 // The POST of the violation report (if it happens) should not follow
 203 // redirects, per the spec. hence, we implement an nsIChannelEventSink
 204 // with an object so we can tell XHR to abort if a redirect happens.
 205 class CSPReportRedirectSink final : public nsIChannelEventSink,
 206                                     public nsIInterfaceRequestor {
 207  public:
 208   NS_DECL_NSICHANNELEVENTSINK
 209   NS_DECL_NSIINTERFACEREQUESTOR
 210   NS_DECL_ISUPPORTS
 211
 212  public:
 213   CSPReportRedirectSink();
 214
 215   void SetInterceptController(
 216       nsINetworkInterceptController* aInterceptController);
 217
 218  protected:
 219   virtual ~CSPReportRedirectSink();
 220
 221  private:
 222   nsCOMPtr<nsINetworkInterceptController> mInterceptController;
 223 };
 224
 225 #endif /* nsCSPContext_h___ */