search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bumping gaia.json for 2 gaia revision(s) a=gaia-bump
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob374647f0a9537ae0771d089d4270f99ed72dcd62
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10
11 #include "xpcprivate.h"
12 #include "XPCWrapper.h"
13 #include "nsIAppsService.h"
14 #include "nsILoadContext.h"
15 #include "nsIServiceManager.h"
16 #include "nsIScriptObjectPrincipal.h"
17 #include "nsIScriptContext.h"
18 #include "nsIURL.h"
19 #include "nsINestedURI.h"
20 #include "nspr.h"
21 #include "nsJSPrincipals.h"
22 #include "nsSystemPrincipal.h"
23 #include "nsPrincipal.h"
24 #include "nsNullPrincipal.h"
25 #include "DomainPolicy.h"
26 #include "nsXPIDLString.h"
27 #include "nsCRT.h"
28 #include "nsCRTGlue.h"
29 #include "nsError.h"
30 #include "nsDOMCID.h"
31 #include "nsIXPConnect.h"
32 #include "nsTextFormatter.h"
33 #include "nsIStringBundle.h"
34 #include "nsNetUtil.h"
35 #include "nsIEffectiveTLDService.h"
36 #include "nsIProperties.h"
37 #include "nsDirectoryServiceDefs.h"
38 #include "nsIFile.h"
39 #include "nsIFileURL.h"
40 #include "nsIZipReader.h"
41 #include "nsIXPConnect.h"
42 #include "nsIScriptGlobalObject.h"
43 #include "nsPIDOMWindow.h"
44 #include "nsIDocShell.h"
45 #include "nsIPrompt.h"
46 #include "nsIWindowWatcher.h"
47 #include "nsIConsoleService.h"
48 #include "nsIJSRuntimeService.h"
49 #include "nsIObserverService.h"
50 #include "nsIContent.h"
51 #include "nsAutoPtr.h"
52 #include "nsDOMJSUtils.h"
53 #include "nsAboutProtocolUtils.h"
54 #include "nsIClassInfo.h"
55 #include "nsIURIFixup.h"
56 #include "nsCDefaultURIFixup.h"
57 #include "nsIChromeRegistry.h"
58 #include "nsIContentSecurityPolicy.h"
59 #include "nsIAsyncVerifyRedirectCallback.h"
60 #include "mozIApplication.h"
61 #include "mozilla/Preferences.h"
62 #include "mozilla/dom/BindingUtils.h"
63 #include <stdint.h>
64 #include "mozilla/dom/ScriptSettings.h"
65 #include "mozilla/ClearOnShutdown.h"
66 #include "mozilla/StaticPtr.h"
67 #include "nsContentUtils.h"
68 #include "nsJSUtils.h"
69 #include "nsILoadInfo.h"
70
71 // This should be probably defined on some other place... but I couldn't find it
72 #define WEBAPPS_PERM_NAME "webapps-manage"
73
74 using namespace mozilla;
75 using namespace mozilla::dom;
76
77 nsIIOService *nsScriptSecurityManager::sIOService = nullptr;
78 nsIStringBundle *nsScriptSecurityManager::sStrBundle = nullptr;
79 JSRuntime *nsScriptSecurityManager::sRuntime = 0;
80 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
81
82 ///////////////////////////
83 // Convenience Functions //
84 ///////////////////////////
85
86 class nsAutoInPrincipalDomainOriginSetter {
87 public:
88 nsAutoInPrincipalDomainOriginSetter() {
89 ++sInPrincipalDomainOrigin;
90 }
91 ~nsAutoInPrincipalDomainOriginSetter() {
92 --sInPrincipalDomainOrigin;
93 }
94 static uint32_t sInPrincipalDomainOrigin;
95 };
96 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
97
98 static
99 nsresult
100 GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin)
101 {
102 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
103 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
104 // might be happening on a different principal from the first call. But
105 // after that, cut off the recursion; it just indicates that something
106 // we're doing in this method causes us to reenter a security check here.
107 return NS_ERROR_NOT_AVAILABLE;
108 }
109
110 nsAutoInPrincipalDomainOriginSetter autoSetter;
111
112 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
113 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
114
115 nsAutoCString hostPort;
116
117 nsresult rv = uri->GetHostPort(hostPort);
118 if (NS_SUCCEEDED(rv)) {
119 nsAutoCString scheme;
120 rv = uri->GetScheme(scheme);
121 NS_ENSURE_SUCCESS(rv, rv);
122 aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
123 }
124 else {
125 // Some URIs (e.g., nsSimpleURI) don't support host. Just
126 // get the full spec.
127 rv = uri->GetSpec(aOrigin);
128 NS_ENSURE_SUCCESS(rv, rv);
129 }
130
131 return NS_OK;
132 }
133
134 static
135 nsresult
136 GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
137 nsACString& aOrigin)
138 {
139
140 nsCOMPtr<nsIURI> uri;
141 aPrincipal->GetDomain(getter_AddRefs(uri));
142 if (!uri) {
143 aPrincipal->GetURI(getter_AddRefs(uri));
144 }
145 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
146
147 return GetOriginFromURI(uri, aOrigin);
148 }
149
150 inline void SetPendingException(JSContext *cx, const char *aMsg)
151 {
152 JS_ReportError(cx, "%s", aMsg);
153 }
154
155 inline void SetPendingException(JSContext *cx, const char16_t *aMsg)
156 {
157 JS_ReportError(cx, "%hs", aMsg);
158 }
159
160 // Helper class to get stuff from the ClassInfo and not waste extra time with
161 // virtual method calls for things it has already gotten
162 class ClassInfoData
163 {
164 public:
165 ClassInfoData(nsIClassInfo *aClassInfo, const char *aName)
166 : mClassInfo(aClassInfo),
167 mName(const_cast<char *>(aName)),
168 mDidGetFlags(false),
169 mMustFreeName(false)
170 {
171 }
172
173 ~ClassInfoData()
174 {
175 if (mMustFreeName)
176 nsMemory::Free(mName);
177 }
178
179 uint32_t GetFlags()
180 {
181 if (!mDidGetFlags) {
182 if (mClassInfo) {
183 nsresult rv = mClassInfo->GetFlags(&mFlags);
184 if (NS_FAILED(rv)) {
185 mFlags = 0;
186 }
187 } else {
188 mFlags = 0;
189 }
190
191 mDidGetFlags = true;
192 }
193
194 return mFlags;
195 }
196
197 bool IsDOMClass()
198 {
199 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT);
200 }
201
202 const char* GetName()
203 {
204 if (!mName) {
205 if (mClassInfo) {
206 mClassInfo->GetClassDescription(&mName);
207 }
208
209 if (mName) {
210 mMustFreeName = true;
211 } else {
212 mName = const_cast<char *>("UnnamedClass");
213 }
214 }
215
216 return mName;
217 }
218
219 private:
220 nsIClassInfo *mClassInfo; // WEAK
221 uint32_t mFlags;
222 char *mName;
223 bool mDidGetFlags;
224 bool mMustFreeName;
225 };
226
227 JSContext *
228 nsScriptSecurityManager::GetCurrentJSContext()
229 {
230 // Get JSContext from stack.
231 return nsXPConnect::XPConnect()->GetCurrentJSContext();
232 }
233
234 JSContext *
235 nsScriptSecurityManager::GetSafeJSContext()
236 {
237 // Get JSContext from stack.
238 return nsXPConnect::XPConnect()->GetSafeJSContext();
239 }
240
241 /* static */
242 bool
243 nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
244 nsIURI* aTargetURI)
245 {
246 return NS_SecurityCompareURIs(aSourceURI, aTargetURI, sStrictFileOriginPolicy);
247 }
248
249 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
250 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
251 uint32_t
252 nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI)
253 {
254 return NS_SecurityHashURI(aURI);
255 }
256
257 uint16_t
258 nsScriptSecurityManager::AppStatusForPrincipal(nsIPrincipal *aPrin)
259 {
260 uint32_t appId = aPrin->GetAppId();
261 bool inMozBrowser = aPrin->GetIsInBrowserElement();
262 NS_WARN_IF_FALSE(appId != nsIScriptSecurityManager::UNKNOWN_APP_ID,
263 "Asking for app status on a principal with an unknown app id");
264 // Installed apps have a valid app id (not NO_APP_ID or UNKNOWN_APP_ID)
265 // and they are not inside a mozbrowser.
266 if (appId == nsIScriptSecurityManager::NO_APP_ID ||
267 appId == nsIScriptSecurityManager::UNKNOWN_APP_ID || inMozBrowser)
268 {
269 return nsIPrincipal::APP_STATUS_NOT_INSTALLED;
270 }
271
272 nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
273 NS_ENSURE_TRUE(appsService, nsIPrincipal::APP_STATUS_NOT_INSTALLED);
274
275 nsCOMPtr<mozIApplication> app;
276 appsService->GetAppByLocalId(appId, getter_AddRefs(app));
277 NS_ENSURE_TRUE(app, nsIPrincipal::APP_STATUS_NOT_INSTALLED);
278
279 uint16_t status = nsIPrincipal::APP_STATUS_INSTALLED;
280 NS_ENSURE_SUCCESS(app->GetAppStatus(&status),
281 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
282
283 nsAutoCString origin;
284 NS_ENSURE_SUCCESS(aPrin->GetOrigin(getter_Copies(origin)),
285 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
286 nsString appOrigin;
287 NS_ENSURE_SUCCESS(app->GetOrigin(appOrigin),
288 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
289
290 // We go from string -> nsIURI -> origin to be sure we
291 // compare two punny-encoded origins.
292 nsCOMPtr<nsIURI> appURI;
293 NS_ENSURE_SUCCESS(NS_NewURI(getter_AddRefs(appURI), appOrigin),
294 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
295
296 nsAutoCString appOriginPunned;
297 NS_ENSURE_SUCCESS(nsPrincipal::GetOriginForURI(appURI, getter_Copies(appOriginPunned)),
298 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
299
300 if (!appOriginPunned.Equals(origin)) {
301 return nsIPrincipal::APP_STATUS_NOT_INSTALLED;
302 }
303
304 return status;
305
306 }
307
308 NS_IMETHODIMP
309 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
310 nsIPrincipal** aPrincipal)
311 {
312 NS_PRECONDITION(aChannel, "Must have channel!");
313 nsCOMPtr<nsISupports> owner;
314 aChannel->GetOwner(getter_AddRefs(owner));
315 if (owner) {
316 CallQueryInterface(owner, aPrincipal);
317 if (*aPrincipal) {
318 return NS_OK;
319 }
320 }
321
322 // Check whether we have an nsILoadInfo that says what we should do.
323 nsCOMPtr<nsILoadInfo> loadInfo;
324 aChannel->GetLoadInfo(getter_AddRefs(loadInfo));
325 if (loadInfo) {
326 if (loadInfo->GetLoadingSandboxed()) {
327 nsRefPtr<nsNullPrincipal> prin =
328 nsNullPrincipal::CreateWithInheritedAttributes(loadInfo->LoadingPrincipal());
329 NS_ENSURE_TRUE(prin, NS_ERROR_FAILURE);
330 prin.forget(aPrincipal);
331 return NS_OK;
332 }
333
334 if (loadInfo->GetForceInheritPrincipal()) {
335 NS_ADDREF(*aPrincipal = loadInfo->TriggeringPrincipal());
336 return NS_OK;
337 }
338 }
339 return GetChannelURIPrincipal(aChannel, aPrincipal);
340 }
341
342 NS_IMETHODIMP
343 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
344 nsIPrincipal** aPrincipal)
345 {
346 NS_PRECONDITION(aChannel, "Must have channel!");
347
348 // Get the principal from the URI. Make sure this does the same thing
349 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
350 nsCOMPtr<nsIURI> uri;
351 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
352 NS_ENSURE_SUCCESS(rv, rv);
353
354 nsCOMPtr<nsILoadContext> loadContext;
355 NS_QueryNotificationCallbacks(aChannel, loadContext);
356
357 if (loadContext) {
358 return GetLoadContextCodebasePrincipal(uri, loadContext, aPrincipal);
359 }
360
361 return GetCodebasePrincipalInternal(uri, UNKNOWN_APP_ID,
362 /* isInBrowserElement */ false, aPrincipal);
363 }
364
365 NS_IMETHODIMP
366 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal* aPrincipal,
367 bool* aIsSystem)
368 {
369 *aIsSystem = (aPrincipal == mSystemPrincipal);
370 return NS_OK;
371 }
372
373 /////////////////////////////
374 // nsScriptSecurityManager //
375 /////////////////////////////
376
377 ////////////////////////////////////
378 // Methods implementing ISupports //
379 ////////////////////////////////////
380 NS_IMPL_ISUPPORTS(nsScriptSecurityManager,
381 nsIScriptSecurityManager,
382 nsIChannelEventSink,
383 nsIObserver)
384
385 ///////////////////////////////////////////////////
386 // Methods implementing nsIScriptSecurityManager //
387 ///////////////////////////////////////////////////
388
389 ///////////////// Security Checks /////////////////
390
391 bool
392 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
393 {
394 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
395 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
396 nsCOMPtr<nsIContentSecurityPolicy> csp;
397 nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
398 NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get CSP from principal.");
399
400 // don't do anything unless there's a CSP
401 if (!csp)
402 return true;
403
404 bool evalOK = true;
405 bool reportViolation = false;
406 rv = csp->GetAllowsEval(&reportViolation, &evalOK);
407
408 if (NS_FAILED(rv))
409 {
410 NS_WARNING("CSP: failed to get allowsEval");
411 return true; // fail open to not break sites.
412 }
413
414 if (reportViolation) {
415 nsAutoString fileName;
416 unsigned lineNum = 0;
417 NS_NAMED_LITERAL_STRING(scriptSample, "call to eval() or related function blocked by CSP");
418
419 JS::AutoFilename scriptFilename;
420 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum)) {
421 if (const char *file = scriptFilename.get()) {
422 CopyUTF8toUTF16(nsDependentCString(file), fileName);
423 }
424 }
425 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
426 fileName,
427 scriptSample,
428 lineNum,
429 EmptyString(),
430 EmptyString());
431 }
432
433 return evalOK;
434 }
435
436 // static
437 bool
438 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *first,
439 JSPrincipals *second)
440 {
441 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
442 }
443
444 NS_IMETHODIMP
445 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
446 nsIURI* aTargetURI,
447 bool reportError)
448 {
449 if (!SecurityCompareURIs(aSourceURI, aTargetURI))
450 {
451 if (reportError) {
452 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
453 aSourceURI, aTargetURI);
454 }
455 return NS_ERROR_DOM_BAD_URI;
456 }
457 return NS_OK;
458 }
459
460 /*static*/ uint32_t
461 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal* aPrincipal)
462 {
463 nsCOMPtr<nsIURI> uri;
464 aPrincipal->GetDomain(getter_AddRefs(uri));
465 if (!uri)
466 aPrincipal->GetURI(getter_AddRefs(uri));
467 return SecurityHashURI(uri);
468 }
469
470 /* static */ bool
471 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal* aFirst,
472 nsIPrincipal* aSecond)
473 {
474 MOZ_ASSERT(aFirst && aSecond, "Don't pass null pointers!");
475
476 uint32_t firstAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
477 if (!aFirst->GetUnknownAppId()) {
478 firstAppId = aFirst->GetAppId();
479 }
480
481 uint32_t secondAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
482 if (!aSecond->GetUnknownAppId()) {
483 secondAppId = aSecond->GetAppId();
484 }
485
486 return ((firstAppId == secondAppId) &&
487 (aFirst->GetIsInBrowserElement() == aSecond->GetIsInBrowserElement()));
488 }
489
490 NS_IMETHODIMP
491 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
492 {
493 // Get principal of currently executing script.
494 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
495 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
496 nsresult rv = CheckLoadURIWithPrincipal(principal, aURI,
497 nsIScriptSecurityManager::STANDARD);
498 if (NS_SUCCEEDED(rv)) {
499 // OK to load
500 return NS_OK;
501 }
502
503 // See if we're attempting to load a file: URI. If so, let a
504 // UniversalXPConnect capability trump the above check.
505 bool isFile = false;
506 bool isRes = false;
507 if (NS_FAILED(aURI->SchemeIs("file", &isFile)) ||
508 NS_FAILED(aURI->SchemeIs("resource", &isRes)))
509 return NS_ERROR_FAILURE;
510 if (isFile || isRes)
511 {
512 if (nsContentUtils::IsCallerChrome())
513 return NS_OK;
514 }
515
516 // Report error.
517 nsAutoCString spec;
518 if (NS_FAILED(aURI->GetAsciiSpec(spec)))
519 return NS_ERROR_FAILURE;
520 nsAutoCString msg("Access to '");
521 msg.Append(spec);
522 msg.AppendLiteral("' from script denied");
523 SetPendingException(cx, msg.get());
524 return NS_ERROR_DOM_BAD_URI;
525 }
526
527 /**
528 * Helper method to handle cases where a flag passed to
529 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
530 * nsIProtocolHandler flags set.
531 * @return if success, access is allowed. Otherwise, deny access
532 */
533 static nsresult
534 DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags)
535 {
536 NS_PRECONDITION(aURI, "Must have URI!");
537
538 bool uriHasFlags;
539 nsresult rv =
540 NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
541 NS_ENSURE_SUCCESS(rv, rv);
542
543 if (uriHasFlags) {
544 return NS_ERROR_DOM_BAD_URI;
545 }
546
547 return NS_OK;
548 }
549
550 static bool
551 EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase)
552 {
553 // Make a clone of the incoming URI, because we're going to mutate it.
554 nsCOMPtr<nsIURI> probe;
555 nsresult rv = aProbeArg->Clone(getter_AddRefs(probe));
556 NS_ENSURE_SUCCESS(rv, false);
557
558 nsCOMPtr<nsIEffectiveTLDService> tldService = do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
559 NS_ENSURE_TRUE(tldService, false);
560 while (true) {
561 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
562 return true;
563 }
564
565 nsAutoCString host, newHost;
566 nsresult rv = probe->GetHost(host);
567 NS_ENSURE_SUCCESS(rv, false);
568
569 rv = tldService->GetNextSubDomain(host, newHost);
570 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
571 return false;
572 }
573 NS_ENSURE_SUCCESS(rv, false);
574 rv = probe->SetHost(newHost);
575 NS_ENSURE_SUCCESS(rv, false);
576 }
577 }
578
579 NS_IMETHODIMP
580 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
581 nsIURI *aTargetURI,
582 uint32_t aFlags)
583 {
584 NS_PRECONDITION(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
585 // If someone passes a flag that we don't understand, we should
586 // fail, because they may need a security check that we don't
587 // provide.
588 NS_ENSURE_FALSE(aFlags & ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
589 nsIScriptSecurityManager::ALLOW_CHROME |
590 nsIScriptSecurityManager::DISALLOW_SCRIPT |
591 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
592 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
593 NS_ERROR_UNEXPECTED);
594 NS_ENSURE_ARG_POINTER(aPrincipal);
595 NS_ENSURE_ARG_POINTER(aTargetURI);
596
597 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
598 // would do such inheriting. That would be URIs that do not have their own
599 // security context. We do this even for the system principal.
600 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
601 nsresult rv =
602 DenyAccessIfURIHasFlags(aTargetURI,
603 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
604 NS_ENSURE_SUCCESS(rv, rv);
605 }
606
607 if (aPrincipal == mSystemPrincipal) {
608 // Allow access
609 return NS_OK;
610 }
611
612 nsCOMPtr<nsIURI> sourceURI;
613 aPrincipal->GetURI(getter_AddRefs(sourceURI));
614 if (!sourceURI) {
615 nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aPrincipal);
616 if (expanded) {
617 nsTArray< nsCOMPtr<nsIPrincipal> > *whiteList;
618 expanded->GetWhiteList(&whiteList);
619 for (uint32_t i = 0; i < whiteList->Length(); ++i) {
620 nsresult rv = CheckLoadURIWithPrincipal((*whiteList)[i],
621 aTargetURI,
622 aFlags);
623 if (NS_SUCCEEDED(rv)) {
624 // Allow access if it succeeded with one of the white listed principals
625 return NS_OK;
626 }
627 }
628 // None of our whitelisted principals worked.
629 return NS_ERROR_DOM_BAD_URI;
630 }
631 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
632 "must have a URI!");
633 return NS_ERROR_UNEXPECTED;
634 }
635
636 // Automatic loads are not allowed from certain protocols.
637 if (aFlags & nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
638 nsresult rv =
639 DenyAccessIfURIHasFlags(sourceURI,
640 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
641 NS_ENSURE_SUCCESS(rv, rv);
642 }
643
644 // If either URI is a nested URI, get the base URI
645 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
646 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
647
648 //-- get the target scheme
649 nsAutoCString targetScheme;
650 nsresult rv = targetBaseURI->GetScheme(targetScheme);
651 if (NS_FAILED(rv)) return rv;
652
653 //-- Some callers do not allow loading javascript:
654 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
655 targetScheme.EqualsLiteral("javascript"))
656 {
657 return NS_ERROR_DOM_BAD_URI;
658 }
659
660 NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError");
661 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
662
663 // Check for uris that are only loadable by principals that subsume them
664 bool hasFlags;
665 rv = NS_URIChainHasFlags(targetBaseURI,
666 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
667 &hasFlags);
668 NS_ENSURE_SUCCESS(rv, rv);
669
670 if (hasFlags) {
671 return aPrincipal->CheckMayLoad(targetBaseURI, true, false);
672 }
673
674 //-- get the source scheme
675 nsAutoCString sourceScheme;
676 rv = sourceBaseURI->GetScheme(sourceScheme);
677 if (NS_FAILED(rv)) return rv;
678
679 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
680 // A null principal can target its own URI.
681 if (sourceURI == aTargetURI) {
682 return NS_OK;
683 }
684 }
685 else if (targetScheme.Equals(sourceScheme,
686 nsCaseInsensitiveCStringComparator()))
687 {
688 // every scheme can access another URI from the same scheme,
689 // as long as they don't represent null principals...
690 // Or they don't require an special permission to do so
691 // See bug#773886
692
693 bool hasFlags;
694 rv = NS_URIChainHasFlags(targetBaseURI,
695 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM,
696 &hasFlags);
697 NS_ENSURE_SUCCESS(rv, rv);
698
699 if (hasFlags) {
700 // Let apps load the whitelisted theme resources even if they don't
701 // have the webapps-manage permission but have the themeable one.
702 // Resources from the theme origin are also allowed to load from
703 // the theme origin (eg. stylesheets using images from the theme).
704 auto themeOrigin = Preferences::GetCString("b2g.theme.origin");
705 if (themeOrigin) {
706 nsAutoCString targetOrigin;
707 nsPrincipal::GetOriginForURI(targetBaseURI, getter_Copies(targetOrigin));
708 if (targetOrigin.Equals(themeOrigin)) {
709 nsAutoCString pOrigin;
710 aPrincipal->GetOrigin(getter_Copies(pOrigin));
711 return nsContentUtils::IsExactSitePermAllow(aPrincipal, "themeable") ||
712 pOrigin.Equals(themeOrigin)
713 ? NS_OK : NS_ERROR_DOM_BAD_URI;
714 }
715 }
716 // In this case, we allow opening only if the source and target URIS
717 // are on the same domain, or the opening URI has the webapps
718 // permision granted
719 if (!SecurityCompareURIs(sourceBaseURI, targetBaseURI) &&
720 !nsContentUtils::IsExactSitePermAllow(aPrincipal, WEBAPPS_PERM_NAME)) {
721 return NS_ERROR_DOM_BAD_URI;
722 }
723 }
724 return NS_OK;
725 }
726
727 // If the schemes don't match, the policy is specified by the protocol
728 // flags on the target URI. Note that the order of policy checks here is
729 // very important! We start from most restrictive and work our way down.
730 // Note that since we're working with the innermost URI, we can just use
731 // the methods that work on chains of nested URIs and they will only look
732 // at the flags for our one URI.
733
734 // Check for system target URI
735 rv = DenyAccessIfURIHasFlags(targetBaseURI,
736 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
737 if (NS_FAILED(rv)) {
738 // Deny access, since the origin principal is not system
739 if (reportErrors) {
740 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
741 }
742 return rv;
743 }
744
745 // Check for chrome target URI
746 rv = NS_URIChainHasFlags(targetBaseURI,
747 nsIProtocolHandler::URI_IS_UI_RESOURCE,
748 &hasFlags);
749 NS_ENSURE_SUCCESS(rv, rv);
750 if (hasFlags) {
751 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
752
753 // For now, don't change behavior for resource:// or moz-icon:// and
754 // just allow them.
755 if (!targetScheme.EqualsLiteral("chrome")) {
756 return NS_OK;
757 }
758
759 // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
760 // target if ALLOW_CHROME is set.
761 //
762 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
763 // loads (since docshell loads run the loaded content with its origin
764 // principal). So we're effectively allowing resource://, chrome://,
765 // and moz-icon:// source URIs to load resource://, chrome://, and
766 // moz-icon:// files, so long as they're not loading it as a document.
767 bool sourceIsUIResource;
768 rv = NS_URIChainHasFlags(sourceBaseURI,
769 nsIProtocolHandler::URI_IS_UI_RESOURCE,
770 &sourceIsUIResource);
771 NS_ENSURE_SUCCESS(rv, rv);
772 if (sourceIsUIResource) {
773 return NS_OK;
774 }
775
776 // Allow the load only if the chrome package is whitelisted.
777 nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
778 NS_CHROMEREGISTRY_CONTRACTID));
779 if (reg) {
780 bool accessAllowed = false;
781 reg->AllowContentToAccess(targetBaseURI, &accessAllowed);
782 if (accessAllowed) {
783 return NS_OK;
784 }
785 }
786 }
787
788 // Special-case the hidden window: it's allowed to load
789 // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
790 nsAutoCString sourceSpec;
791 if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
792 sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
793 return NS_OK;
794 }
795
796 if (reportErrors) {
797 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
798 }
799 return NS_ERROR_DOM_BAD_URI;
800 }
801
802 // Check for target URI pointing to a file
803 rv = NS_URIChainHasFlags(targetBaseURI,
804 nsIProtocolHandler::URI_IS_LOCAL_FILE,
805 &hasFlags);
806 NS_ENSURE_SUCCESS(rv, rv);
807 if (hasFlags) {
808 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
809 // this array is empty.
810 for (size_t i = 0; i < mFileURIWhitelist.Length(); ++i) {
811 if (EqualOrSubdomain(sourceURI, mFileURIWhitelist[i])) {
812 return NS_OK;
813 }
814 }
815
816 // resource: and chrome: are equivalent, securitywise
817 // That's bogus!! Fix this. But watch out for
818 // the view-source stylesheet?
819 bool sourceIsChrome;
820 rv = NS_URIChainHasFlags(sourceURI,
821 nsIProtocolHandler::URI_IS_UI_RESOURCE,
822 &sourceIsChrome);
823 NS_ENSURE_SUCCESS(rv, rv);
824 if (sourceIsChrome) {
825 return NS_OK;
826 }
827
828 if (reportErrors) {
829 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
830 }
831 return NS_ERROR_DOM_BAD_URI;
832 }
833
834 // OK, everyone is allowed to load this, since unflagged handlers are
835 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
836 // need to warn. At some point we'll want to make this warning into an
837 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
838 rv = NS_URIChainHasFlags(targetBaseURI,
839 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
840 &hasFlags);
841 NS_ENSURE_SUCCESS(rv, rv);
842 if (!hasFlags) {
843 nsXPIDLString message;
844 NS_ConvertASCIItoUTF16 ucsTargetScheme(targetScheme);
845 const char16_t* formatStrings[] = { ucsTargetScheme.get() };
846 rv = sStrBundle->
847 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
848 formatStrings,
849 ArrayLength(formatStrings),
850 getter_Copies(message));
851 if (NS_SUCCEEDED(rv)) {
852 nsCOMPtr<nsIConsoleService> console(
853 do_GetService("@mozilla.org/consoleservice;1"));
854 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
855
856 console->LogStringMessage(message.get());
857 }
858 }
859
860 return NS_OK;
861 }
862
863 nsresult
864 nsScriptSecurityManager::ReportError(JSContext* cx, const nsAString& messageTag,
865 nsIURI* aSource, nsIURI* aTarget)
866 {
867 nsresult rv;
868 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
869
870 // Get the source URL spec
871 nsAutoCString sourceSpec;
872 rv = aSource->GetAsciiSpec(sourceSpec);
873 NS_ENSURE_SUCCESS(rv, rv);
874
875 // Get the target URL spec
876 nsAutoCString targetSpec;
877 rv = aTarget->GetAsciiSpec(targetSpec);
878 NS_ENSURE_SUCCESS(rv, rv);
879
880 // Localize the error message
881 nsXPIDLString message;
882 NS_ConvertASCIItoUTF16 ucsSourceSpec(sourceSpec);
883 NS_ConvertASCIItoUTF16 ucsTargetSpec(targetSpec);
884 const char16_t *formatStrings[] = { ucsSourceSpec.get(), ucsTargetSpec.get() };
885 rv = sStrBundle->FormatStringFromName(PromiseFlatString(messageTag).get(),
886 formatStrings,
887 ArrayLength(formatStrings),
888 getter_Copies(message));
889 NS_ENSURE_SUCCESS(rv, rv);
890
891 // If a JS context was passed in, set a JS exception.
892 // Otherwise, print the error message directly to the JS console
893 // and to standard output
894 if (cx)
895 {
896 SetPendingException(cx, message.get());
897 }
898 else // Print directly to the console
899 {
900 nsCOMPtr<nsIConsoleService> console(
901 do_GetService("@mozilla.org/consoleservice;1"));
902 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
903
904 console->LogStringMessage(message.get());
905 }
906 return NS_OK;
907 }
908
909 NS_IMETHODIMP
910 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal* aPrincipal,
911 const nsACString& aTargetURIStr,
912 uint32_t aFlags)
913 {
914 nsresult rv;
915 nsCOMPtr<nsIURI> target;
916 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr,
917 nullptr, nullptr, sIOService);
918 NS_ENSURE_SUCCESS(rv, rv);
919
920 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
921 if (rv == NS_ERROR_DOM_BAD_URI) {
922 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
923 // return values.
924 return rv;
925 }
926 NS_ENSURE_SUCCESS(rv, rv);
927
928 // Now start testing fixup -- since aTargetURIStr is a string, not
929 // an nsIURI, we may well end up fixing it up before loading.
930 // Note: This needs to stay in sync with the nsIURIFixup api.
931 nsCOMPtr<nsIURIFixup> fixup = do_GetService(NS_URIFIXUP_CONTRACTID);
932 if (!fixup) {
933 return rv;
934 }
935
936 uint32_t flags[] = {
937 nsIURIFixup::FIXUP_FLAG_NONE,
938 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
939 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
940 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
941 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
942 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
943 };
944
945 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
946 rv = fixup->CreateFixupURI(aTargetURIStr, flags[i], nullptr,
947 getter_AddRefs(target));
948 NS_ENSURE_SUCCESS(rv, rv);
949
950 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
951 if (rv == NS_ERROR_DOM_BAD_URI) {
952 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
953 // return values.
954 return rv;
955 }
956 NS_ENSURE_SUCCESS(rv, rv);
957 }
958
959 return rv;
960 }
961
962 bool
963 nsScriptSecurityManager::ScriptAllowed(JSObject *aGlobal)
964 {
965 MOZ_ASSERT(aGlobal);
966 MOZ_ASSERT(JS_IsGlobalObject(aGlobal) || js::IsOuterObject(aGlobal));
967
968 // Check the bits on the compartment private.
969 return xpc::Scriptability::Get(aGlobal).Allowed();
970 }
971
972 ///////////////// Principals ///////////////////////
973
974 NS_IMETHODIMP
975 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal **result)
976 {
977 NS_ADDREF(*result = mSystemPrincipal);
978
979 return NS_OK;
980 }
981
982 nsresult
983 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId,
984 bool aInMozBrowser,
985 nsIPrincipal **result)
986 {
987 // I _think_ it's safe to not create null principals here based on aURI.
988 // At least all the callers would do the right thing in those cases, as far
989 // as I can tell. --bz
990
991 nsCOMPtr<nsIURIWithPrincipal> uriPrinc = do_QueryInterface(aURI);
992 if (uriPrinc) {
993 nsCOMPtr<nsIPrincipal> principal;
994 uriPrinc->GetPrincipal(getter_AddRefs(principal));
995 if (!principal) {
996 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
997 }
998
999 principal.forget(result);
1000
1001 return NS_OK;
1002 }
1003
1004 nsRefPtr<nsPrincipal> codebase = new nsPrincipal();
1005 if (!codebase)
1006 return NS_ERROR_OUT_OF_MEMORY;
1007
1008 nsresult rv = codebase->Init(aURI, aAppId, aInMozBrowser);
1009 if (NS_FAILED(rv))
1010 return rv;
1011
1012 NS_ADDREF(*result = codebase);
1013
1014 return NS_OK;
1015 }
1016
1017 NS_IMETHODIMP
1018 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI* aURI,
1019 nsIPrincipal** aPrincipal)
1020 {
1021 return GetCodebasePrincipalInternal(aURI,
1022 nsIScriptSecurityManager::UNKNOWN_APP_ID,
1023 false, aPrincipal);
1024 }
1025
1026 NS_IMETHODIMP
1027 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI* aURI,
1028 nsIPrincipal** aPrincipal)
1029 {
1030 return GetCodebasePrincipalInternal(aURI, nsIScriptSecurityManager::NO_APP_ID,
1031 false, aPrincipal);
1032 }
1033
1034 NS_IMETHODIMP
1035 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI* aURI,
1036 nsIPrincipal** aPrincipal)
1037 {
1038 return GetNoAppCodebasePrincipal(aURI, aPrincipal);
1039 }
1040
1041 NS_IMETHODIMP
1042 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI* aURI,
1043 uint32_t aAppId,
1044 bool aInMozBrowser,
1045 nsIPrincipal** aPrincipal)
1046 {
1047 NS_ENSURE_TRUE(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID,
1048 NS_ERROR_INVALID_ARG);
1049
1050 return GetCodebasePrincipalInternal(aURI, aAppId, aInMozBrowser, aPrincipal);
1051 }
1052
1053 NS_IMETHODIMP
1054 nsScriptSecurityManager::
1055 GetLoadContextCodebasePrincipal(nsIURI* aURI,
1056 nsILoadContext* aLoadContext,
1057 nsIPrincipal** aPrincipal)
1058 {
1059 uint32_t appId;
1060 aLoadContext->GetAppId(&appId);
1061 bool isInBrowserElement;
1062 aLoadContext->GetIsInBrowserElement(&isInBrowserElement);
1063 return GetCodebasePrincipalInternal(aURI,
1064 appId,
1065 isInBrowserElement,
1066 aPrincipal);
1067 }
1068
1069 NS_IMETHODIMP
1070 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI* aURI,
1071 nsIDocShell* aDocShell,
1072 nsIPrincipal** aPrincipal)
1073 {
1074 return GetCodebasePrincipalInternal(aURI,
1075 aDocShell->GetAppId(),
1076 aDocShell->GetIsInBrowserElement(),
1077 aPrincipal);
1078 }
1079
1080 nsresult
1081 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI *aURI,
1082 uint32_t aAppId,
1083 bool aInMozBrowser,
1084 nsIPrincipal **result)
1085 {
1086 NS_ENSURE_ARG(aURI);
1087
1088 bool inheritsPrincipal;
1089 nsresult rv =
1090 NS_URIChainHasFlags(aURI,
1091 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
1092 &inheritsPrincipal);
1093 if (NS_FAILED(rv) || inheritsPrincipal) {
1094 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
1095 }
1096
1097 nsCOMPtr<nsIPrincipal> principal;
1098 rv = CreateCodebasePrincipal(aURI, aAppId, aInMozBrowser,
1099 getter_AddRefs(principal));
1100 NS_ENSURE_SUCCESS(rv, rv);
1101 NS_IF_ADDREF(*result = principal);
1102
1103 return NS_OK;
1104 }
1105
1106 // static
1107 nsIPrincipal*
1108 nsScriptSecurityManager::doGetObjectPrincipal(JSObject *aObj)
1109 {
1110 JSCompartment *compartment = js::GetObjectCompartment(aObj);
1111 JSPrincipals *principals = JS_GetCompartmentPrincipals(compartment);
1112 return nsJSPrincipals::get(principals);
1113 }
1114
1115 NS_IMETHODIMP
1116 nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
1117 const nsIID &aIID,
1118 nsISupports *aObj,
1119 nsIClassInfo *aClassInfo)
1120 {
1121 // XXX Special case for nsIXPCException ?
1122 ClassInfoData objClassInfo = ClassInfoData(aClassInfo, nullptr);
1123 if (objClassInfo.IsDOMClass())
1124 {
1125 return NS_OK;
1126 }
1127
1128 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1129 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx)))
1130 {
1131 return NS_OK;
1132 }
1133
1134 if (nsContentUtils::IsCallerChrome())
1135 {
1136 return NS_OK;
1137 }
1138
1139 //-- Access denied, report an error
1140 NS_ConvertUTF8toUTF16 strName("CreateWrapperDenied");
1141 nsAutoCString origin;
1142 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1143 GetPrincipalDomainOrigin(subjectPrincipal, origin);
1144 NS_ConvertUTF8toUTF16 originUnicode(origin);
1145 NS_ConvertUTF8toUTF16 classInfoName(objClassInfo.GetName());
1146 const char16_t* formatStrings[] = {
1147 classInfoName.get(),
1148 originUnicode.get()
1149 };
1150 uint32_t length = ArrayLength(formatStrings);
1151 if (originUnicode.IsEmpty()) {
1152 --length;
1153 } else {
1154 strName.AppendLiteral("ForOrigin");
1155 }
1156 nsXPIDLString errorMsg;
1157 nsresult rv = sStrBundle->FormatStringFromName(strName.get(),
1158 formatStrings,
1159 length,
1160 getter_Copies(errorMsg));
1161 NS_ENSURE_SUCCESS(rv, rv);
1162
1163 SetPendingException(cx, errorMsg.get());
1164 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1165 }
1166
1167 NS_IMETHODIMP
1168 nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
1169 const nsCID &aCID)
1170 {
1171 if (nsContentUtils::IsCallerChrome()) {
1172 return NS_OK;
1173 }
1174
1175 //-- Access denied, report an error
1176 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1177 char cidStr[NSID_LENGTH];
1178 aCID.ToProvidedString(cidStr);
1179 errorMsg.Append(cidStr);
1180 SetPendingException(cx, errorMsg.get());
1181 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1182 }
1183
1184 NS_IMETHODIMP
1185 nsScriptSecurityManager::CanGetService(JSContext *cx,
1186 const nsCID &aCID)
1187 {
1188 if (nsContentUtils::IsCallerChrome()) {
1189 return NS_OK;
1190 }
1191
1192 //-- Access denied, report an error
1193 nsAutoCString errorMsg("Permission denied to get service. CID=");
1194 char cidStr[NSID_LENGTH];
1195 aCID.ToProvidedString(cidStr);
1196 errorMsg.Append(cidStr);
1197 SetPendingException(cx, errorMsg.get());
1198 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1199 }
1200
1201 /////////////////////////////////////////////
1202 // Method implementing nsIChannelEventSink //
1203 /////////////////////////////////////////////
1204 NS_IMETHODIMP
1205 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel* oldChannel,
1206 nsIChannel* newChannel,
1207 uint32_t redirFlags,
1208 nsIAsyncVerifyRedirectCallback *cb)
1209 {
1210 nsCOMPtr<nsIPrincipal> oldPrincipal;
1211 GetChannelResultPrincipal(oldChannel, getter_AddRefs(oldPrincipal));
1212
1213 nsCOMPtr<nsIURI> newURI;
1214 newChannel->GetURI(getter_AddRefs(newURI));
1215 nsCOMPtr<nsIURI> newOriginalURI;
1216 newChannel->GetOriginalURI(getter_AddRefs(newOriginalURI));
1217
1218 NS_ENSURE_STATE(oldPrincipal && newURI && newOriginalURI);
1219
1220 const uint32_t flags =
1221 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
1222 nsIScriptSecurityManager::DISALLOW_SCRIPT;
1223 nsresult rv = CheckLoadURIWithPrincipal(oldPrincipal, newURI, flags);
1224 if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
1225 rv = CheckLoadURIWithPrincipal(oldPrincipal, newOriginalURI, flags);
1226 }
1227
1228 if (NS_FAILED(rv))
1229 return rv;
1230
1231 cb->OnRedirectVerifyCallback(NS_OK);
1232 return NS_OK;
1233 }
1234
1235
1236 /////////////////////////////////////
1237 // Method implementing nsIObserver //
1238 /////////////////////////////////////
1239 const char sJSEnabledPrefName[] = "javascript.enabled";
1240 const char sFileOriginPolicyPrefName[] =
1241 "security.fileuri.strict_origin_policy";
1242
1243 static const char* kObservedPrefs[] = {
1244 sJSEnabledPrefName,
1245 sFileOriginPolicyPrefName,
1246 "capability.policy.",
1247 nullptr
1248 };
1249
1250
1251 NS_IMETHODIMP
1252 nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic,
1253 const char16_t* aMessage)
1254 {
1255 ScriptSecurityPrefChanged();
1256 return NS_OK;
1257 }
1258
1259 /////////////////////////////////////////////
1260 // Constructor, Destructor, Initialization //
1261 /////////////////////////////////////////////
1262 nsScriptSecurityManager::nsScriptSecurityManager(void)
1263 : mPrefInitialized(false)
1264 , mIsJavaScriptEnabled(false)
1265 {
1266 static_assert(sizeof(intptr_t) == sizeof(void*),
1267 "intptr_t and void* have different lengths on this platform. "
1268 "This may cause a security failure with the SecurityLevel union.");
1269 }
1270
1271 nsresult nsScriptSecurityManager::Init()
1272 {
1273 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1274 NS_ENSURE_SUCCESS(rv, rv);
1275
1276 InitPrefs();
1277
1278 nsCOMPtr<nsIStringBundleService> bundleService =
1279 mozilla::services::GetStringBundleService();
1280 if (!bundleService)
1281 return NS_ERROR_FAILURE;
1282
1283 rv = bundleService->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle);
1284 NS_ENSURE_SUCCESS(rv, rv);
1285
1286 // Create our system principal singleton
1287 nsRefPtr<nsSystemPrincipal> system = new nsSystemPrincipal();
1288 NS_ENSURE_TRUE(system, NS_ERROR_OUT_OF_MEMORY);
1289
1290 mSystemPrincipal = system;
1291
1292 //-- Register security check callback in the JS engine
1293 // Currently this is used to control access to function.caller
1294 rv = nsXPConnect::XPConnect()->GetRuntime(&sRuntime);
1295 NS_ENSURE_SUCCESS(rv, rv);
1296
1297 static const JSSecurityCallbacks securityCallbacks = {
1298 ContentSecurityPolicyPermitsJSAction,
1299 JSPrincipalsSubsume,
1300 };
1301
1302 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime));
1303 JS_SetSecurityCallbacks(sRuntime, &securityCallbacks);
1304 JS_InitDestroyPrincipalsCallback(sRuntime, nsJSPrincipals::Destroy);
1305
1306 JS_SetTrustedPrincipals(sRuntime, system);
1307
1308 return NS_OK;
1309 }
1310
1311 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1312
1313 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1314 {
1315 Preferences::RemoveObservers(this, kObservedPrefs);
1316 if (mDomainPolicy)
1317 mDomainPolicy->Deactivate();
1318 MOZ_ASSERT(!mDomainPolicy);
1319 }
1320
1321 void
1322 nsScriptSecurityManager::Shutdown()
1323 {
1324 if (sRuntime) {
1325 JS_SetSecurityCallbacks(sRuntime, nullptr);
1326 JS_SetTrustedPrincipals(sRuntime, nullptr);
1327 sRuntime = nullptr;
1328 }
1329
1330 NS_IF_RELEASE(sIOService);
1331 NS_IF_RELEASE(sStrBundle);
1332 }
1333
1334 nsScriptSecurityManager *
1335 nsScriptSecurityManager::GetScriptSecurityManager()
1336 {
1337 return gScriptSecMan;
1338 }
1339
1340 /* static */ void
1341 nsScriptSecurityManager::InitStatics()
1342 {
1343 nsRefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1344 nsresult rv = ssManager->Init();
1345 if (NS_FAILED(rv)) {
1346 MOZ_CRASH();
1347 }
1348
1349 ClearOnShutdown(&gScriptSecMan);
1350 gScriptSecMan = ssManager;
1351 }
1352
1353 // Currently this nsGenericFactory constructor is used only from FastLoad
1354 // (XPCOM object deserialization) code, when "creating" the system principal
1355 // singleton.
1356 nsSystemPrincipal *
1357 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1358 {
1359 nsIPrincipal *sysprin = nullptr;
1360 if (gScriptSecMan)
1361 NS_ADDREF(sysprin = gScriptSecMan->mSystemPrincipal);
1362 return static_cast<nsSystemPrincipal*>(sysprin);
1363 }
1364
1365 struct IsWhitespace {
1366 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1367 };
1368 struct IsWhitespaceOrComma {
1369 static bool Test(char aChar) { return aChar == ',' || NS_IsAsciiWhitespace(aChar); };
1370 };
1371
1372 template <typename Predicate>
1373 uint32_t SkipPast(const nsCString& str, uint32_t base)
1374 {
1375 while (base < str.Length() && Predicate::Test(str[base])) {
1376 ++base;
1377 }
1378 return base;
1379 }
1380
1381 template <typename Predicate>
1382 uint32_t SkipUntil(const nsCString& str, uint32_t base)
1383 {
1384 while (base < str.Length() && !Predicate::Test(str[base])) {
1385 ++base;
1386 }
1387 return base;
1388 }
1389
1390 inline void
1391 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1392 {
1393 MOZ_ASSERT(mPrefInitialized);
1394 mIsJavaScriptEnabled =
1395 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1396 sStrictFileOriginPolicy =
1397 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1398
1399 //
1400 // Rebuild the set of principals for which we allow file:// URI loads. This
1401 // implements a small subset of an old pref-based CAPS people that people
1402 // have come to depend on. See bug 995943.
1403 //
1404
1405 mFileURIWhitelist.Clear();
1406 auto policies = mozilla::Preferences::GetCString("capability.policy.policynames");
1407 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1408 base < policies.Length();
1409 base = SkipPast<IsWhitespaceOrComma>(policies, bound))
1410 {
1411 // Grab the current policy name.
1412 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1413 auto policyName = Substring(policies, base, bound - base);
1414
1415 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1416 nsCString checkLoadURIPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1417 policyName +
1418 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1419 if (!Preferences::GetString(checkLoadURIPrefName.get()).LowerCaseEqualsLiteral("allaccess")) {
1420 continue;
1421 }
1422
1423 // Grab the list of domains associated with this policy.
1424 nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1425 policyName +
1426 NS_LITERAL_CSTRING(".sites");
1427 auto siteList = Preferences::GetCString(domainPrefName.get());
1428 AddSitesToFileURIWhitelist(siteList);
1429 }
1430 }
1431
1432 void
1433 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString& aSiteList)
1434 {
1435 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1436 base < aSiteList.Length();
1437 base = SkipPast<IsWhitespace>(aSiteList, bound))
1438 {
1439 // Grab the current site.
1440 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1441 nsAutoCString site(Substring(aSiteList, base, bound - base));
1442
1443 // Check if the URI is schemeless. If so, add both http and https.
1444 nsAutoCString unused;
1445 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1446 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("http://") + site);
1447 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("https://") + site);
1448 continue;
1449 }
1450
1451 // Convert it to a URI and add it to our list.
1452 nsCOMPtr<nsIURI> uri;
1453 nsresult rv = NS_NewURI(getter_AddRefs(uri), site, nullptr, nullptr, sIOService);
1454 if (NS_SUCCEEDED(rv)) {
1455 mFileURIWhitelist.AppendElement(uri);
1456 } else {
1457 nsCOMPtr<nsIConsoleService> console(do_GetService("@mozilla.org/consoleservice;1"));
1458 if (console) {
1459 nsAutoString msg = NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1460 NS_ConvertASCIItoUTF16(site);
1461 console->LogStringMessage(msg.get());
1462 }
1463 }
1464 }
1465 }
1466
1467 nsresult
1468 nsScriptSecurityManager::InitPrefs()
1469 {
1470 nsIPrefBranch* branch = Preferences::GetRootBranch();
1471 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1472
1473 mPrefInitialized = true;
1474
1475 // Set the initial value of the "javascript.enabled" prefs
1476 ScriptSecurityPrefChanged();
1477
1478 // set observer callbacks in case the value of the prefs change
1479 Preferences::AddStrongObservers(this, kObservedPrefs);
1480
1481 return NS_OK;
1482 }
1483
1484 namespace mozilla {
1485
1486 void
1487 GetJarPrefix(uint32_t aAppId, bool aInMozBrowser, nsACString& aJarPrefix)
1488 {
1489 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1490
1491 if (aAppId == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
1492 aAppId = nsIScriptSecurityManager::NO_APP_ID;
1493 }
1494
1495 aJarPrefix.Truncate();
1496
1497 // Fallback.
1498 if (aAppId == nsIScriptSecurityManager::NO_APP_ID && !aInMozBrowser) {
1499 return;
1500 }
1501
1502 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1503 aJarPrefix.AppendInt(aAppId);
1504 aJarPrefix.Append('+');
1505 aJarPrefix.Append(aInMozBrowser ? 't' : 'f');
1506 aJarPrefix.Append('+');
1507
1508 return;
1509 }
1510
1511 } // namespace mozilla
1512
1513 NS_IMETHODIMP
1514 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId,
1515 bool aInMozBrowser,
1516 nsACString& aJarPrefix)
1517 {
1518 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1519
1520 mozilla::GetJarPrefix(aAppId, aInMozBrowser, aJarPrefix);
1521 return NS_OK;
1522 }
1523
1524 NS_IMETHODIMP
1525 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv)
1526 {
1527 *aRv = !!mDomainPolicy;
1528 return NS_OK;
1529 }
1530
1531 NS_IMETHODIMP
1532 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv)
1533 {
1534 // We only allow one domain policy at a time. The holder of the previous
1535 // policy must explicitly deactivate it first.
1536 if (mDomainPolicy) {
1537 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1538 }
1539
1540 mDomainPolicy = new DomainPolicy();
1541 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1542 ptr.forget(aRv);
1543 return NS_OK;
1544 }
1545
1546 // Intentionally non-scriptable. Script must have a reference to the
1547 // nsIDomainPolicy to deactivate it.
1548 void
1549 nsScriptSecurityManager::DeactivateDomainPolicy()
1550 {
1551 mDomainPolicy = nullptr;
1552 }
1553
1554 NS_IMETHODIMP
1555 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool *aRv)
1556 {
1557 nsresult rv;
1558
1559 // Compute our rule. If we don't have any domain policy set up that might
1560 // provide exceptions to this rule, we're done.
1561 *aRv = mIsJavaScriptEnabled;
1562 if (!mDomainPolicy) {
1563 return NS_OK;
1564 }
1565
1566 // We have a domain policy. Grab the appropriate set of exceptions to the
1567 // rule (either the blacklist or the whitelist, depending on whether script
1568 // is enabled or disabled by default).
1569 nsCOMPtr<nsIDomainSet> exceptions;
1570 nsCOMPtr<nsIDomainSet> superExceptions;
1571 if (*aRv) {
1572 mDomainPolicy->GetBlacklist(getter_AddRefs(exceptions));
1573 mDomainPolicy->GetSuperBlacklist(getter_AddRefs(superExceptions));
1574 } else {
1575 mDomainPolicy->GetWhitelist(getter_AddRefs(exceptions));
1576 mDomainPolicy->GetSuperWhitelist(getter_AddRefs(superExceptions));
1577 }
1578
1579 bool contains;
1580 rv = exceptions->Contains(aURI, &contains);
1581 NS_ENSURE_SUCCESS(rv, rv);
1582 if (contains) {
1583 *aRv = !*aRv;
1584 return NS_OK;
1585 }
1586 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1587 NS_ENSURE_SUCCESS(rv, rv);
1588 if (contains) {
1589 *aRv = !*aRv;
1590 }
1591
1592 return NS_OK;
1593 }