search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1827405 [wpt PR 39473] - Fix VisibilityStateEntry and reenable test, a=testonly
[gecko.git] / caps / nsScriptSecurityManager.cpp
blobbf0899abcb2f9f46643d312031d8d217e8ab6df6
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/StaticPrefs_extensions.h"
11 #include "mozilla/StaticPrefs_security.h"
12 #include "mozilla/StoragePrincipalHelper.h"
13
14 #include "xpcpublic.h"
15 #include "XPCWrapper.h"
16 #include "nsILoadContext.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIScriptError.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "mozilla/BasePrincipal.h"
24 #include "mozilla/ContentPrincipal.h"
25 #include "ExpandedPrincipal.h"
26 #include "SystemPrincipal.h"
27 #include "DomainPolicy.h"
28 #include "nsString.h"
29 #include "nsCRT.h"
30 #include "nsCRTGlue.h"
31 #include "nsContentSecurityUtils.h"
32 #include "nsDocShell.h"
33 #include "nsError.h"
34 #include "nsGlobalWindowInner.h"
35 #include "nsDOMCID.h"
36 #include "nsTextFormatter.h"
37 #include "nsIStringBundle.h"
38 #include "nsNetUtil.h"
39 #include "nsIEffectiveTLDService.h"
40 #include "nsDirectoryServiceDefs.h"
41 #include "nsIScriptGlobalObject.h"
42 #include "nsPIDOMWindow.h"
43 #include "nsIDocShell.h"
44 #include "nsIConsoleService.h"
45 #include "nsIOService.h"
46 #include "nsIContent.h"
47 #include "nsDOMJSUtils.h"
48 #include "nsAboutProtocolUtils.h"
49 #include "nsIClassInfo.h"
50 #include "nsIURIFixup.h"
51 #include "nsIURIMutator.h"
52 #include "nsIChromeRegistry.h"
53 #include "nsIResProtocolHandler.h"
54 #include "nsIContentSecurityPolicy.h"
55 #include "mozilla/Components.h"
56 #include "mozilla/Preferences.h"
57 #include "mozilla/dom/BindingUtils.h"
58 #include "mozilla/NullPrincipal.h"
59 #include <stdint.h>
60 #include "mozilla/dom/ContentChild.h"
61 #include "mozilla/dom/ContentParent.h"
62 #include "mozilla/dom/Exceptions.h"
63 #include "mozilla/dom/nsCSPContext.h"
64 #include "mozilla/dom/ScriptSettings.h"
65 #include "mozilla/ClearOnShutdown.h"
66 #include "mozilla/ExtensionPolicyService.h"
67 #include "mozilla/ResultExtensions.h"
68 #include "mozilla/StaticPtr.h"
69 #include "mozilla/dom/WorkerCommon.h"
70 #include "mozilla/dom/WorkerPrivate.h"
71 #include "nsContentUtils.h"
72 #include "nsJSUtils.h"
73 #include "nsILoadInfo.h"
74
75 // This should be probably defined on some other place... but I couldn't find it
76 #define WEBAPPS_PERM_NAME "webapps-manage"
77
78 using namespace mozilla;
79 using namespace mozilla::dom;
80
81 nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
82 std::atomic<bool> nsScriptSecurityManager::sStrictFileOriginPolicy = true;
83
84 namespace {
85
86 class BundleHelper {
87 public:
88 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
89
90 static nsIStringBundle* GetOrCreate() {
91 MOZ_ASSERT(!sShutdown);
92
93 // Already shutting down. Nothing should require the use of the string
94 // bundle when shutting down.
95 if (sShutdown) {
96 return nullptr;
97 }
98
99 if (!sSelf) {
100 sSelf = new BundleHelper();
101 }
102
103 return sSelf->GetOrCreateInternal();
104 }
105
106 static void Shutdown() {
107 sSelf = nullptr;
108 sShutdown = true;
109 }
110
111 private:
112 ~BundleHelper() = default;
113
114 nsIStringBundle* GetOrCreateInternal() {
115 if (!mBundle) {
116 nsCOMPtr<nsIStringBundleService> bundleService =
117 mozilla::components::StringBundle::Service();
118 if (NS_WARN_IF(!bundleService)) {
119 return nullptr;
120 }
121
122 nsresult rv = bundleService->CreateBundle(
123 "chrome://global/locale/security/caps.properties",
124 getter_AddRefs(mBundle));
125 if (NS_WARN_IF(NS_FAILED(rv))) {
126 return nullptr;
127 }
128 }
129
130 return mBundle;
131 }
132
133 nsCOMPtr<nsIStringBundle> mBundle;
134
135 static StaticRefPtr<BundleHelper> sSelf;
136 static bool sShutdown;
137 };
138
139 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
140 bool BundleHelper::sShutdown = false;
141
142 } // namespace
143
144 ///////////////////////////
145 // Convenience Functions //
146 ///////////////////////////
147
148 class nsAutoInPrincipalDomainOriginSetter {
149 public:
150 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
151 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
152 static uint32_t sInPrincipalDomainOrigin;
153 };
154 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
155
156 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
157 if (!aURI) {
158 return NS_ERROR_NULL_POINTER;
159 }
160 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
161 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
162 // might be happening on a different principal from the first call. But
163 // after that, cut off the recursion; it just indicates that something
164 // we're doing in this method causes us to reenter a security check here.
165 return NS_ERROR_NOT_AVAILABLE;
166 }
167
168 nsAutoInPrincipalDomainOriginSetter autoSetter;
169
170 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
171 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
172
173 nsAutoCString hostPort;
174
175 nsresult rv = uri->GetHostPort(hostPort);
176 if (NS_SUCCEEDED(rv)) {
177 nsAutoCString scheme;
178 rv = uri->GetScheme(scheme);
179 NS_ENSURE_SUCCESS(rv, rv);
180 aOrigin = scheme + "://"_ns + hostPort;
181 } else {
182 // Some URIs (e.g., nsSimpleURI) don't support host. Just
183 // get the full spec.
184 rv = uri->GetSpec(aOrigin);
185 NS_ENSURE_SUCCESS(rv, rv);
186 }
187
188 return NS_OK;
189 }
190
191 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
192 nsACString& aOrigin) {
193 aOrigin.Truncate();
194 nsCOMPtr<nsIURI> uri;
195 aPrincipal->GetDomain(getter_AddRefs(uri));
196 nsresult rv = GetOriginFromURI(uri, aOrigin);
197 if (NS_SUCCEEDED(rv)) {
198 return rv;
199 }
200 // If there is no Domain fallback to the Principals Origin
201 return aPrincipal->GetOriginNoSuffix(aOrigin);
202 }
203
204 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
205 JS_ReportErrorASCII(cx, "%s", aMsg);
206 }
207
208 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
209 NS_ConvertUTF16toUTF8 msg(aMsg);
210 JS_ReportErrorUTF8(cx, "%s", msg.get());
211 }
212
213 /* static */
214 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
215 nsIURI* aTargetURI) {
216 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
217 sStrictFileOriginPolicy);
218 }
219
220 // SecurityHashURI is consistent with SecurityCompareURIs because
221 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
222 // nsNetUtil.h.
223 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
224 return NS_SecurityHashURI(aURI);
225 }
226
227 /*
228 * GetChannelResultPrincipal will return the principal that the resource
229 * returned by this channel will use. For example, if the resource is in
230 * a sandbox, it will return the nullprincipal. If the resource is forced
231 * to inherit principal, it will return the principal of its parent. If
232 * the load doesn't require sandboxing or inheriting, it will return the same
233 * principal as GetChannelURIPrincipal. Namely the principal of the URI
234 * that is being loaded.
235 */
236 NS_IMETHODIMP
237 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
238 nsIPrincipal** aPrincipal) {
239 return GetChannelResultPrincipal(aChannel, aPrincipal,
240 /*aIgnoreSandboxing*/ false);
241 }
242
243 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
244 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
245 return GetChannelResultPrincipal(aChannel, aPrincipal,
246 /*aIgnoreSandboxing*/ true);
247 }
248
249 NS_IMETHODIMP
250 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
251 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
252 nsCOMPtr<nsIPrincipal> principal;
253 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
254 /*aIgnoreSandboxing*/ false);
255 if (NS_WARN_IF(NS_FAILED(rv) || !principal)) {
256 return rv;
257 }
258
259 if (!(principal->GetIsContentPrincipal())) {
260 // If for some reason we don't have a content principal here, just reuse our
261 // principal for the storage principal too, since attempting to create a
262 // storage principal would fail anyway.
263 principal.forget(aPrincipal);
264 return NS_OK;
265 }
266
267 return StoragePrincipalHelper::Create(
268 aChannel, principal, /* aForceIsolation */ false, aPrincipal);
269 }
270
271 NS_IMETHODIMP
272 nsScriptSecurityManager::GetChannelResultPrincipals(
273 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
274 nsIPrincipal** aPartitionedPrincipal) {
275 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
276 /*aIgnoreSandboxing*/ false);
277 if (NS_WARN_IF(NS_FAILED(rv))) {
278 return rv;
279 }
280
281 if (!(*aPrincipal)->GetIsContentPrincipal()) {
282 // If for some reason we don't have a content principal here, just reuse our
283 // principal for the storage principal too, since attempting to create a
284 // storage principal would fail anyway.
285 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
286 copy.forget(aPartitionedPrincipal);
287 return NS_OK;
288 }
289
290 return StoragePrincipalHelper::Create(
291 aChannel, *aPrincipal, /* aForceIsolation */ true, aPartitionedPrincipal);
292 }
293
294 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
295 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
296 MOZ_ASSERT(aChannel, "Must have channel!");
297
298 // Check whether we have an nsILoadInfo that says what we should do.
299 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
300 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
301 nsCOMPtr<nsIPrincipal> principalToInherit =
302 loadInfo->FindPrincipalToInherit(aChannel);
303 principalToInherit.forget(aPrincipal);
304 return NS_OK;
305 }
306
307 nsCOMPtr<nsISupports> owner;
308 aChannel->GetOwner(getter_AddRefs(owner));
309 if (owner) {
310 CallQueryInterface(owner, aPrincipal);
311 if (*aPrincipal) {
312 return NS_OK;
313 }
314 }
315
316 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
317 // Determine the unsandboxed result principal to use as this null
318 // principal's precursor. Ignore errors here, as the precursor isn't
319 // required.
320 nsCOMPtr<nsIPrincipal> precursor;
321 GetChannelResultPrincipal(aChannel, getter_AddRefs(precursor),
322 /*aIgnoreSandboxing*/ true);
323
324 // Construct a deterministic null principal URI from the precursor and the
325 // loadinfo's nullPrincipalID.
326 nsCOMPtr<nsIURI> nullPrincipalURI = NullPrincipal::CreateURI(
327 precursor, &loadInfo->GetSandboxedNullPrincipalID());
328
329 // Use the URI to construct the sandboxed result principal.
330 OriginAttributes attrs;
331 loadInfo->GetOriginAttributes(&attrs);
332 nsCOMPtr<nsIPrincipal> sandboxedPrincipal =
333 NullPrincipal::Create(attrs, nullPrincipalURI);
334 sandboxedPrincipal.forget(aPrincipal);
335 return NS_OK;
336 }
337
338 bool forceInherit = loadInfo->GetForceInheritPrincipal();
339 if (aIgnoreSandboxing && !forceInherit) {
340 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
341 // sandboxing:
342 if (loadInfo->GetLoadingSandboxed() &&
343 loadInfo->GetForceInheritPrincipalDropped()) {
344 forceInherit = true;
345 }
346 }
347 if (forceInherit) {
348 nsCOMPtr<nsIPrincipal> principalToInherit =
349 loadInfo->FindPrincipalToInherit(aChannel);
350 principalToInherit.forget(aPrincipal);
351 return NS_OK;
352 }
353
354 auto securityMode = loadInfo->GetSecurityMode();
355 // The data: inheritance flags should only apply to the initial load,
356 // not to loads that it might have redirected to.
357 if (loadInfo->RedirectChain().IsEmpty() &&
358 (securityMode ==
359 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
360 securityMode ==
361 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
362 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT)) {
363 nsCOMPtr<nsIURI> uri;
364 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
365 NS_ENSURE_SUCCESS(rv, rv);
366
367 nsCOMPtr<nsIPrincipal> principalToInherit =
368 loadInfo->FindPrincipalToInherit(aChannel);
369 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
370
371 if (nsContentUtils::ChannelShouldInheritPrincipal(
372 principalToInherit, uri, inheritForAboutBlank, false)) {
373 principalToInherit.forget(aPrincipal);
374 return NS_OK;
375 }
376 }
377 return GetChannelURIPrincipal(aChannel, aPrincipal);
378 }
379
380 /* The principal of the URI that this channel is loading. This is never
381 * affected by things like sandboxed loads, or loads where we forcefully
382 * inherit the principal. Think of this as the principal of the server
383 * which this channel is loading from. Most callers should use
384 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
385 * call GetChannelURIPrincipal if you are sure that you want the
386 * principal that matches the uri, even in cases when the load is
387 * sandboxed or when the load could be a blob or data uri (i.e even when
388 * you encounter loads that may or may not be sandboxed and loads
389 * that may or may not inherit)."
390 */
391 NS_IMETHODIMP
392 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
393 nsIPrincipal** aPrincipal) {
394 MOZ_ASSERT(aChannel, "Must have channel!");
395
396 // Get the principal from the URI. Make sure this does the same thing
397 // as Document::Reset and PrototypeDocumentContentSink::Init.
398 nsCOMPtr<nsIURI> uri;
399 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
400 NS_ENSURE_SUCCESS(rv, rv);
401
402 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
403
404 // Inherit the origin attributes from loadInfo.
405 // If this is a top-level document load, the origin attributes of the
406 // loadInfo will be set from nsDocShell::DoURILoad.
407 // For subresource loading, the origin attributes of the loadInfo is from
408 // its loadingPrincipal.
409 OriginAttributes attrs = loadInfo->GetOriginAttributes();
410
411 // If the URI is supposed to inherit the security context of whoever loads it,
412 // we shouldn't make a content principal for it, so instead return a null
413 // principal.
414 bool inheritsPrincipal = false;
415 rv = NS_URIChainHasFlags(uri,
416 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
417 &inheritsPrincipal);
418 if (NS_FAILED(rv) || inheritsPrincipal) {
419 // Find a precursor principal to credit for the load. This won't impact
420 // security checks, but makes tracking the source of related loads easier.
421 nsCOMPtr<nsIPrincipal> precursorPrincipal =
422 loadInfo->FindPrincipalToInherit(aChannel);
423 nsCOMPtr<nsIURI> nullPrincipalURI =
424 NullPrincipal::CreateURI(precursorPrincipal);
425 *aPrincipal = NullPrincipal::Create(attrs, nullPrincipalURI).take();
426 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
427 }
428
429 nsCOMPtr<nsIPrincipal> prin =
430 BasePrincipal::CreateContentPrincipal(uri, attrs);
431 prin.forget(aPrincipal);
432 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
433 }
434
435 /////////////////////////////
436 // nsScriptSecurityManager //
437 /////////////////////////////
438
439 ////////////////////////////////////
440 // Methods implementing ISupports //
441 ////////////////////////////////////
442 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
443
444 ///////////////////////////////////////////////////
445 // Methods implementing nsIScriptSecurityManager //
446 ///////////////////////////////////////////////////
447
448 ///////////////// Security Checks /////////////////
449
450 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
451 JSContext* cx, JS::RuntimeCode aKind, JS::Handle<JSString*> aCode) {
452 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
453
454 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
455
456 // Check if Eval is allowed per firefox hardening policy
457 bool contextForbidsEval =
458 (subjectPrincipal->IsSystemPrincipal() || XRE_IsE10sParentProcess());
459 #if defined(ANDROID)
460 contextForbidsEval = false;
461 #endif
462
463 if (contextForbidsEval) {
464 nsAutoJSString scriptSample;
465 if (aKind == JS::RuntimeCode::JS &&
466 NS_WARN_IF(!scriptSample.init(cx, aCode))) {
467 return false;
468 }
469
470 if (!nsContentSecurityUtils::IsEvalAllowed(
471 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
472 return false;
473 }
474 }
475
476 // Get the window, if any, corresponding to the current global
477 nsCOMPtr<nsIContentSecurityPolicy> csp;
478 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
479 csp = win->GetCsp();
480 }
481
482 if (!csp) {
483 // Get the CSP for addon sandboxes. If the principal is expanded and has a
484 // csp, we're probably in luck.
485 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
486 // ContentScriptAddonPolicy means it is also an expanded principal, thus
487 // this is in a sandbox used as a content script.
488 if (basePrin->ContentScriptAddonPolicy()) {
489 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
490 }
491 // don't do anything unless there's a CSP
492 if (!csp) {
493 return true;
494 }
495 }
496
497 nsCOMPtr<nsICSPEventListener> cspEventListener;
498 if (!NS_IsMainThread()) {
499 WorkerPrivate* workerPrivate =
500 mozilla::dom::GetWorkerPrivateFromContext(cx);
501 if (workerPrivate) {
502 cspEventListener = workerPrivate->CSPEventListener();
503 }
504 }
505
506 bool evalOK = true;
507 bool reportViolation = false;
508 if (aKind == JS::RuntimeCode::JS) {
509 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
510 if (NS_FAILED(rv)) {
511 NS_WARNING("CSP: failed to get allowsEval");
512 return true; // fail open to not break sites.
513 }
514 } else {
515 if (NS_FAILED(csp->GetAllowsWasmEval(&reportViolation, &evalOK))) {
516 return false;
517 }
518 if (!evalOK) {
519 // Historically, CSP did not block WebAssembly in Firefox, and some
520 // add-ons use wasm and a stricter CSP. To avoid breaking them, ignore
521 // 'wasm-unsafe-eval' violations for MV2 extensions.
522 // TODO bug 1770909: remove this exception.
523 auto* addonPolicy = BasePrincipal::Cast(subjectPrincipal)->AddonPolicy();
524 if (addonPolicy && addonPolicy->ManifestVersion() == 2) {
525 reportViolation = true;
526 evalOK = true;
527 }
528 }
529 }
530
531 if (reportViolation) {
532 JS::AutoFilename scriptFilename;
533 nsAutoString fileName;
534 unsigned lineNum = 0;
535 unsigned columnNum = 0;
536 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
537 if (const char* file = scriptFilename.get()) {
538 CopyUTF8toUTF16(nsDependentCString(file), fileName);
539 }
540 } else {
541 MOZ_ASSERT(!JS_IsExceptionPending(cx));
542 }
543
544 nsAutoJSString scriptSample;
545 if (aKind == JS::RuntimeCode::JS &&
546 NS_WARN_IF(!scriptSample.init(cx, aCode))) {
547 JS_ClearPendingException(cx);
548 return false;
549 }
550 uint16_t violationType =
551 aKind == JS::RuntimeCode::JS
552 ? nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
553 : nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL;
554 csp->LogViolationDetails(violationType,
555 nullptr, // triggering element
556 cspEventListener, fileName, scriptSample, lineNum,
557 columnNum, u""_ns, u""_ns);
558 }
559
560 return evalOK;
561 }
562
563 // static
564 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
565 JSPrincipals* second) {
566 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
567 }
568
569 NS_IMETHODIMP
570 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
571 nsIURI* aTargetURI,
572 bool reportError,
573 bool aFromPrivateWindow) {
574 // Please note that aFromPrivateWindow is only 100% accurate if
575 // reportError is true.
576 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
577 if (reportError) {
578 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
579 aFromPrivateWindow);
580 }
581 return NS_ERROR_DOM_BAD_URI;
582 }
583 return NS_OK;
584 }
585
586 NS_IMETHODIMP
587 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
588 // Get principal of currently executing script.
589 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
590 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
591 nsresult rv = CheckLoadURIWithPrincipal(
592 // Passing 0 for the window ID here is OK, because we will report a
593 // script-visible exception anyway.
594 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
595 if (NS_SUCCEEDED(rv)) {
596 // OK to load
597 return NS_OK;
598 }
599
600 // Report error.
601 nsAutoCString spec;
602 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
603 nsAutoCString msg("Access to '");
604 msg.Append(spec);
605 msg.AppendLiteral("' from script denied");
606 SetPendingExceptionASCII(cx, msg.get());
607 return NS_ERROR_DOM_BAD_URI;
608 }
609
610 /**
611 * Helper method to handle cases where a flag passed to
612 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
613 * nsIProtocolHandler flags set.
614 * @return if success, access is allowed. Otherwise, deny access
615 */
616 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
617 MOZ_ASSERT(aURI, "Must have URI!");
618
619 bool uriHasFlags;
620 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
621 NS_ENSURE_SUCCESS(rv, rv);
622
623 if (uriHasFlags) {
624 return NS_ERROR_DOM_BAD_URI;
625 }
626
627 return NS_OK;
628 }
629
630 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
631 nsresult rv;
632 nsCOMPtr<nsIURI> probe = aProbeArg;
633
634 nsCOMPtr<nsIEffectiveTLDService> tldService =
635 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
636 NS_ENSURE_TRUE(tldService, false);
637 while (true) {
638 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
639 return true;
640 }
641
642 nsAutoCString host, newHost;
643 rv = probe->GetHost(host);
644 NS_ENSURE_SUCCESS(rv, false);
645
646 rv = tldService->GetNextSubDomain(host, newHost);
647 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
648 return false;
649 }
650 NS_ENSURE_SUCCESS(rv, false);
651 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
652 NS_ENSURE_SUCCESS(rv, false);
653 }
654 }
655
656 NS_IMETHODIMP
657 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
658 nsIURI* aTargetURI,
659 uint32_t aFlags,
660 uint64_t aInnerWindowID) {
661 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
662
663 // If someone passes a flag that we don't understand, we should
664 // fail, because they may need a security check that we don't
665 // provide.
666 NS_ENSURE_FALSE(
667 aFlags &
668 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
669 nsIScriptSecurityManager::ALLOW_CHROME |
670 nsIScriptSecurityManager::DISALLOW_SCRIPT |
671 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
672 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
673 NS_ERROR_UNEXPECTED);
674 NS_ENSURE_ARG_POINTER(aPrincipal);
675 NS_ENSURE_ARG_POINTER(aTargetURI);
676
677 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
678 // would do such inheriting. That would be URIs that do not have their own
679 // security context. We do this even for the system principal.
680 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
681 nsresult rv = DenyAccessIfURIHasFlags(
682 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
683 NS_ENSURE_SUCCESS(rv, rv);
684 }
685
686 if (aPrincipal == mSystemPrincipal) {
687 // Allow access
688 return NS_OK;
689 }
690
691 nsCOMPtr<nsIURI> sourceURI;
692 auto* basePrin = BasePrincipal::Cast(aPrincipal);
693 basePrin->GetURI(getter_AddRefs(sourceURI));
694 if (!sourceURI) {
695 if (basePrin->Is<ExpandedPrincipal>()) {
696 // If the target addon is MV3 or the pref is on we require extension
697 // resources loaded from content to be listed in web_accessible_resources.
698 auto* targetPolicy =
699 ExtensionPolicyService::GetSingleton().GetByURL(aTargetURI);
700 bool contentAccessRequired =
701 targetPolicy &&
702 (targetPolicy->ManifestVersion() > 2 ||
703 StaticPrefs::extensions_content_web_accessible_enabled());
704 auto expanded = basePrin->As<ExpandedPrincipal>();
705 const auto& allowList = expanded->AllowList();
706 // Only report errors when all principals fail.
707 // With expanded principals, which are used by extension content scripts,
708 // we check only against non-extension principals for access to extension
709 // resource to enforce making those resources explicitly web accessible.
710 uint32_t flags = aFlags | nsIScriptSecurityManager::DONT_REPORT_ERRORS;
711 for (size_t i = 0; i < allowList.Length() - 1; i++) {
712 if (contentAccessRequired &&
713 BasePrincipal::Cast(allowList[i])->AddonPolicy()) {
714 continue;
715 }
716 nsresult rv = CheckLoadURIWithPrincipal(allowList[i], aTargetURI, flags,
717 aInnerWindowID);
718 if (NS_SUCCEEDED(rv)) {
719 // Allow access if it succeeded with one of the allowlisted principals
720 return NS_OK;
721 }
722 }
723
724 if (contentAccessRequired &&
725 BasePrincipal::Cast(allowList.LastElement())->AddonPolicy()) {
726 bool reportErrors =
727 !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
728 if (reportErrors) {
729 ReportError("CheckLoadURI", sourceURI, aTargetURI,
730 allowList.LastElement()
731 ->OriginAttributesRef()
732 .mPrivateBrowsingId > 0,
733 aInnerWindowID);
734 }
735 return NS_ERROR_DOM_BAD_URI;
736 }
737 // Report errors (if requested) for the last principal.
738 return CheckLoadURIWithPrincipal(allowList.LastElement(), aTargetURI,
739 aFlags, aInnerWindowID);
740 }
741 NS_ERROR(
742 "Non-system principals or expanded principal passed to "
743 "CheckLoadURIWithPrincipal "
744 "must have a URI!");
745 return NS_ERROR_UNEXPECTED;
746 }
747
748 // Automatic loads are not allowed from certain protocols.
749 if (aFlags &
750 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
751 nsresult rv = DenyAccessIfURIHasFlags(
752 sourceURI,
753 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
754 NS_ENSURE_SUCCESS(rv, rv);
755 }
756
757 // If either URI is a nested URI, get the base URI
758 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
759 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
760
761 //-- get the target scheme
762 nsAutoCString targetScheme;
763 nsresult rv = targetBaseURI->GetScheme(targetScheme);
764 if (NS_FAILED(rv)) return rv;
765
766 //-- Some callers do not allow loading javascript:
767 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
768 targetScheme.EqualsLiteral("javascript")) {
769 return NS_ERROR_DOM_BAD_URI;
770 }
771
772 // Check for uris that are only loadable by principals that subsume them
773 bool targetURIIsLoadableBySubsumers = false;
774 rv = NS_URIChainHasFlags(targetBaseURI,
775 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
776 &targetURIIsLoadableBySubsumers);
777 NS_ENSURE_SUCCESS(rv, rv);
778
779 if (targetURIIsLoadableBySubsumers) {
780 // check nothing else in the URI chain has flags that prevent
781 // access:
782 rv = CheckLoadURIFlags(
783 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
784 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
785 aInnerWindowID);
786 NS_ENSURE_SUCCESS(rv, rv);
787 // Check the principal is allowed to load the target.
788 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
789 return aPrincipal->CheckMayLoad(targetBaseURI, false);
790 }
791 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
792 aInnerWindowID);
793 }
794
795 //-- get the source scheme
796 nsAutoCString sourceScheme;
797 rv = sourceBaseURI->GetScheme(sourceScheme);
798 if (NS_FAILED(rv)) return rv;
799
800 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
801 // A null principal can target its own URI.
802 if (sourceURI == aTargetURI) {
803 return NS_OK;
804 }
805 } else if (sourceScheme.EqualsIgnoreCase("file") &&
806 targetScheme.EqualsIgnoreCase("moz-icon")) {
807 // exception for file: linking to moz-icon://.ext?size=...
808 // Note that because targetScheme is the base (innermost) URI scheme,
809 // this does NOT allow file -> moz-icon:file:///... links.
810 // This is intentional.
811 return NS_OK;
812 }
813
814 // Check for webextension
815 bool targetURIIsLoadableByExtensions = false;
816 rv = NS_URIChainHasFlags(aTargetURI,
817 nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS,
818 &targetURIIsLoadableByExtensions);
819 NS_ENSURE_SUCCESS(rv, rv);
820
821 if (targetURIIsLoadableByExtensions &&
822 BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
823 return NS_OK;
824 }
825
826 // If we get here, check all the schemes can link to each other, from the top
827 // down:
828 nsCOMPtr<nsIURI> currentURI = sourceURI;
829 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
830
831 bool denySameSchemeLinks = false;
832 rv = NS_URIChainHasFlags(aTargetURI,
833 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
834 &denySameSchemeLinks);
835 if (NS_FAILED(rv)) return rv;
836
837 while (currentURI && currentOtherURI) {
838 nsAutoCString scheme, otherScheme;
839 currentURI->GetScheme(scheme);
840 currentOtherURI->GetScheme(otherScheme);
841
842 bool schemesMatch =
843 scheme.Equals(otherScheme, nsCaseInsensitiveCStringComparator);
844 bool isSamePage = false;
845 bool isExtensionMismatch = false;
846 // about: URIs are special snowflakes.
847 if (scheme.EqualsLiteral("about") && schemesMatch) {
848 nsAutoCString moduleName, otherModuleName;
849 // about: pages can always link to themselves:
850 isSamePage =
851 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
852 NS_SUCCEEDED(
853 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
854 moduleName.Equals(otherModuleName);
855 if (!isSamePage) {
856 // We will have allowed the load earlier if the source page has
857 // system principal. So we know the source has a content
858 // principal, and it's trying to link to something else.
859 // Linkable about: pages are always reachable, even if we hit
860 // the CheckLoadURIFlags call below.
861 // We punch only 1 other hole: iff the source is unlinkable,
862 // we let them link to other pages explicitly marked SAFE
863 // for content. This avoids world-linkable about: pages linking
864 // to non-world-linkable about: pages.
865 nsCOMPtr<nsIAboutModule> module, otherModule;
866 bool knowBothModules =
867 NS_SUCCEEDED(
868 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
869 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
870 getter_AddRefs(otherModule)));
871 uint32_t aboutModuleFlags = 0;
872 uint32_t otherAboutModuleFlags = 0;
873 knowBothModules =
874 knowBothModules &&
875 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
876 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
877 &otherAboutModuleFlags));
878 if (knowBothModules) {
879 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
880 (otherAboutModuleFlags &
881 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
882 if (isSamePage &&
883 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
884 // XXXgijs: this is a hack. The target will be nested
885 // (with innerURI of moz-safe-about:whatever), and
886 // the source isn't, so we won't pass if we finish
887 // the loop. We *should* pass, though, so return here.
888 // This hack can go away when bug 1228118 is fixed.
889 return NS_OK;
890 }
891 }
892 }
893 } else if (schemesMatch && scheme.EqualsLiteral("moz-extension")) {
894 // If it is not the same exension, we want to ensure we end up
895 // calling CheckLoadURIFlags
896 nsAutoCString host, otherHost;
897 currentURI->GetHost(host);
898 currentOtherURI->GetHost(otherHost);
899 isExtensionMismatch = !host.Equals(otherHost);
900 } else {
901 bool equalExceptRef = false;
902 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
903 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
904 }
905
906 // If schemes are not equal, or they're equal but the target URI
907 // is different from the source URI and doesn't always allow linking
908 // from the same scheme, or this is two different extensions, check
909 // if the URI flags of the current target URI allow the current
910 // source URI to link to it.
911 // The policy is specified by the protocol flags on both URIs.
912 if (!schemesMatch || (denySameSchemeLinks && !isSamePage) ||
913 isExtensionMismatch) {
914 return CheckLoadURIFlags(
915 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
916 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
917 aInnerWindowID);
918 }
919 // Otherwise... check if we can nest another level:
920 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
921 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
922
923 // If schemes match and neither URI is nested further, we're OK.
924 if (!nestedURI && !nestedOtherURI) {
925 return NS_OK;
926 }
927 // If one is nested and the other isn't, something is wrong.
928 if (!nestedURI != !nestedOtherURI) {
929 return NS_ERROR_DOM_BAD_URI;
930 }
931 // Otherwise, both should be nested and we'll go through the loop again.
932 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
933 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
934 }
935
936 // We should never get here. We should always return from inside the loop.
937 return NS_ERROR_DOM_BAD_URI;
938 }
939
940 /**
941 * Helper method to check whether the target URI and its innermost ("base") URI
942 * has protocol flags that should stop it from being loaded by the source URI
943 * (and/or the source URI's innermost ("base") URI), taking into account any
944 * nsIScriptSecurityManager flags originally passed to
945 * CheckLoadURIWithPrincipal and friends.
946 *
947 * @return if success, access is allowed. Otherwise, deny access
948 */
949 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
950 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
951 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
952 uint64_t aInnerWindowID) {
953 // Note that the order of policy checks here is very important!
954 // We start from most restrictive and work our way down.
955 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
956 const char* errorTag = "CheckLoadURIError";
957
958 nsAutoCString targetScheme;
959 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
960 if (NS_FAILED(rv)) return rv;
961
962 // Check for system target URI. Regular (non web accessible) extension
963 // URIs will also have URI_DANGEROUS_TO_LOAD.
964 rv = DenyAccessIfURIHasFlags(aTargetURI,
965 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
966 if (NS_FAILED(rv)) {
967 // Deny access, since the origin principal is not system
968 if (reportErrors) {
969 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
970 aInnerWindowID);
971 }
972 return rv;
973 }
974
975 // Used by ExtensionProtocolHandler to prevent loading extension resources
976 // in private contexts if the extension does not have permission.
977 if (aFromPrivateWindow) {
978 rv = DenyAccessIfURIHasFlags(
979 aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
980 if (NS_FAILED(rv)) {
981 if (reportErrors) {
982 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
983 aInnerWindowID);
984 }
985 return rv;
986 }
987 }
988
989 // If MV3 Extension uris are web accessible they have
990 // WEBEXT_URI_WEB_ACCESSIBLE.
991 bool maybeWebAccessible = false;
992 NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::WEBEXT_URI_WEB_ACCESSIBLE,
993 &maybeWebAccessible);
994 NS_ENSURE_SUCCESS(rv, rv);
995 if (maybeWebAccessible) {
996 bool isWebAccessible = false;
997 rv = ExtensionPolicyService::GetSingleton().SourceMayLoadExtensionURI(
998 aSourceURI, aTargetURI, &isWebAccessible);
999 if (NS_SUCCEEDED(rv) && isWebAccessible) {
1000 return NS_OK;
1001 }
1002 if (reportErrors) {
1003 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1004 aInnerWindowID);
1005 }
1006 return NS_ERROR_DOM_BAD_URI;
1007 }
1008
1009 // Check for chrome target URI
1010 bool targetURIIsUIResource = false;
1011 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
1012 &targetURIIsUIResource);
1013 NS_ENSURE_SUCCESS(rv, rv);
1014 if (targetURIIsUIResource) {
1015 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
1016 // loads (since docshell loads run the loaded content with its origin
1017 // principal). We are effectively allowing resource:// and chrome://
1018 // URIs to load as long as they are content accessible and as long
1019 // they're not loading it as a document.
1020 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
1021 bool sourceIsUIResource = false;
1022 rv = NS_URIChainHasFlags(aSourceBaseURI,
1023 nsIProtocolHandler::URI_IS_UI_RESOURCE,
1024 &sourceIsUIResource);
1025 NS_ENSURE_SUCCESS(rv, rv);
1026 if (sourceIsUIResource) {
1027 // Special case for moz-icon URIs loaded by a local resources like
1028 // e.g. chrome: or resource:
1029 if (targetScheme.EqualsLiteral("moz-icon")) {
1030 return NS_OK;
1031 }
1032 }
1033
1034 if (targetScheme.EqualsLiteral("resource")) {
1035 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
1036 return NS_OK;
1037 }
1038
1039 nsCOMPtr<nsIProtocolHandler> ph;
1040 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
1041 NS_ENSURE_SUCCESS(rv, rv);
1042 if (!ph) {
1043 return NS_ERROR_DOM_BAD_URI;
1044 }
1045
1046 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
1047 if (!rph) {
1048 return NS_ERROR_DOM_BAD_URI;
1049 }
1050
1051 bool accessAllowed = false;
1052 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1053 if (accessAllowed) {
1054 return NS_OK;
1055 }
1056 } else if (targetScheme.EqualsLiteral("chrome")) {
1057 // Allow the load only if the chrome package is allowlisted.
1058 nsCOMPtr<nsIXULChromeRegistry> reg(
1059 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
1060 if (reg) {
1061 bool accessAllowed = false;
1062 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1063 if (accessAllowed) {
1064 return NS_OK;
1065 }
1066 }
1067 } else if (targetScheme.EqualsLiteral("moz-page-thumb") ||
1068 targetScheme.EqualsLiteral("page-icon")) {
1069 if (XRE_IsParentProcess()) {
1070 return NS_OK;
1071 }
1072
1073 auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
1074 if (remoteType == PRIVILEGEDABOUT_REMOTE_TYPE) {
1075 return NS_OK;
1076 }
1077 }
1078 }
1079
1080 if (reportErrors) {
1081 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1082 aInnerWindowID);
1083 }
1084 return NS_ERROR_DOM_BAD_URI;
1085 }
1086
1087 // Check for target URI pointing to a file
1088 bool targetURIIsLocalFile = false;
1089 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
1090 &targetURIIsLocalFile);
1091 NS_ENSURE_SUCCESS(rv, rv);
1092 if (targetURIIsLocalFile) {
1093 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
1094 // this array is empty.
1095 bool isAllowlisted;
1096 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
1097 if (isAllowlisted) {
1098 return NS_OK;
1099 }
1100
1101 // Allow chrome://
1102 if (aSourceBaseURI->SchemeIs("chrome")) {
1103 return NS_OK;
1104 }
1105
1106 // Nothing else.
1107 if (reportErrors) {
1108 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1109 aInnerWindowID);
1110 }
1111 return NS_ERROR_DOM_BAD_URI;
1112 }
1113
1114 #ifdef DEBUG
1115 {
1116 // Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
1117 // is handled by the caller which is just delegating to us as a helper.
1118 bool hasSubsumersFlag = false;
1119 NS_URIChainHasFlags(aTargetBaseURI,
1120 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
1121 &hasSubsumersFlag);
1122 bool hasLoadableByAnyone = false;
1123 NS_URIChainHasFlags(aTargetBaseURI,
1124 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
1125 &hasLoadableByAnyone);
1126 MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
1127 "why do we get here and do not have any of the two flags set?");
1128 }
1129 #endif
1130
1131 return NS_OK;
1132 }
1133
1134 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1135 const nsACString& aSourceSpec,
1136 const nsACString& aTargetSpec,
1137 bool aFromPrivateWindow,
1138 uint64_t aInnerWindowID) {
1139 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1140 return NS_OK;
1141 }
1142
1143 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1144 if (NS_WARN_IF(!bundle)) {
1145 return NS_OK;
1146 }
1147
1148 // Localize the error message
1149 nsAutoString message;
1150 AutoTArray<nsString, 2> formatStrings;
1151 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1152 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1153 nsresult rv =
1154 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1155 NS_ENSURE_SUCCESS(rv, rv);
1156
1157 nsCOMPtr<nsIConsoleService> console(
1158 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1159 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1160 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1161 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1162
1163 // using category of "SOP" so we can link to MDN
1164 if (aInnerWindowID != 0) {
1165 rv = error->InitWithWindowID(
1166 message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1167 aInnerWindowID, true /* From chrome context */);
1168 } else {
1169 rv = error->Init(message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag,
1170 "SOP"_ns, aFromPrivateWindow,
1171 true /* From chrome context */);
1172 }
1173 NS_ENSURE_SUCCESS(rv, rv);
1174 console->LogMessage(error);
1175 return NS_OK;
1176 }
1177
1178 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1179 nsIURI* aSource, nsIURI* aTarget,
1180 bool aFromPrivateWindow,
1181 uint64_t aInnerWindowID) {
1182 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1183
1184 // Get the source URL spec
1185 nsAutoCString sourceSpec;
1186 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1187 NS_ENSURE_SUCCESS(rv, rv);
1188
1189 // Get the target URL spec
1190 nsAutoCString targetSpec;
1191 rv = aTarget->GetAsciiSpec(targetSpec);
1192 NS_ENSURE_SUCCESS(rv, rv);
1193
1194 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1195 aInnerWindowID);
1196 }
1197
1198 NS_IMETHODIMP
1199 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1200 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1201 uint32_t aFlags) {
1202 nsresult rv;
1203 nsCOMPtr<nsIURI> target;
1204 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1205 NS_ENSURE_SUCCESS(rv, rv);
1206
1207 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1208 if (rv == NS_ERROR_DOM_BAD_URI) {
1209 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1210 // return values.
1211 return rv;
1212 }
1213 NS_ENSURE_SUCCESS(rv, rv);
1214
1215 // Now start testing fixup -- since aTargetURIStr is a string, not
1216 // an nsIURI, we may well end up fixing it up before loading.
1217 // Note: This needs to stay in sync with the nsIURIFixup api.
1218 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1219 if (!fixup) {
1220 return rv;
1221 }
1222
1223 // URIFixup's keyword and alternate flags can only fixup to http/https, so we
1224 // can skip testing them. This simplifies our life because this code can be
1225 // invoked from the content process where the search service would not be
1226 // available.
1227 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1228 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS};
1229 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1230 uint32_t fixupFlags = flags[i];
1231 if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1232 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1233 }
1234 nsCOMPtr<nsIURIFixupInfo> fixupInfo;
1235 rv = fixup->GetFixupURIInfo(aTargetURIStr, fixupFlags,
1236 getter_AddRefs(fixupInfo));
1237 NS_ENSURE_SUCCESS(rv, rv);
1238 rv = fixupInfo->GetPreferredURI(getter_AddRefs(target));
1239 NS_ENSURE_SUCCESS(rv, rv);
1240
1241 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1242 if (rv == NS_ERROR_DOM_BAD_URI) {
1243 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1244 // return values.
1245 return rv;
1246 }
1247 NS_ENSURE_SUCCESS(rv, rv);
1248 }
1249
1250 return rv;
1251 }
1252
1253 NS_IMETHODIMP
1254 nsScriptSecurityManager::CheckLoadURIWithPrincipalFromJS(
1255 nsIPrincipal* aPrincipal, nsIURI* aTargetURI, uint32_t aFlags,
1256 uint64_t aInnerWindowID, JSContext* aCx) {
1257 MOZ_ASSERT(aPrincipal,
1258 "CheckLoadURIWithPrincipalFromJS must have a principal");
1259 NS_ENSURE_ARG_POINTER(aPrincipal);
1260 NS_ENSURE_ARG_POINTER(aTargetURI);
1261
1262 nsresult rv =
1263 CheckLoadURIWithPrincipal(aPrincipal, aTargetURI, aFlags, aInnerWindowID);
1264 if (NS_FAILED(rv)) {
1265 nsAutoCString uriStr;
1266 Unused << aTargetURI->GetSpec(uriStr);
1267
1268 nsAutoCString message("Load of ");
1269 message.Append(uriStr);
1270
1271 nsAutoCString principalStr;
1272 Unused << aPrincipal->GetSpec(principalStr);
1273 if (!principalStr.IsEmpty()) {
1274 message.AppendPrintf(" from %s", principalStr.get());
1275 }
1276
1277 message.Append(" denied");
1278
1279 dom::Throw(aCx, rv, message);
1280 }
1281
1282 return rv;
1283 }
1284
1285 NS_IMETHODIMP
1286 nsScriptSecurityManager::CheckLoadURIStrWithPrincipalFromJS(
1287 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr, uint32_t aFlags,
1288 JSContext* aCx) {
1289 nsCOMPtr<nsIURI> targetURI;
1290 MOZ_TRY(NS_NewURI(getter_AddRefs(targetURI), aTargetURIStr));
1291
1292 return CheckLoadURIWithPrincipalFromJS(aPrincipal, targetURI, aFlags, 0, aCx);
1293 }
1294
1295 NS_IMETHODIMP
1296 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1297 MOZ_ASSERT(aUri);
1298 MOZ_ASSERT(aResult);
1299
1300 *aResult = false;
1301 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1302 if (EqualOrSubdomain(aUri, uri)) {
1303 *aResult = true;
1304 return NS_OK;
1305 }
1306 }
1307
1308 return NS_OK;
1309 }
1310
1311 ///////////////// Principals ///////////////////////
1312
1313 NS_IMETHODIMP
1314 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1315 NS_ADDREF(*result = mSystemPrincipal);
1316
1317 return NS_OK;
1318 }
1319
1320 NS_IMETHODIMP
1321 nsScriptSecurityManager::CreateContentPrincipal(
1322 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1323 nsIPrincipal** aPrincipal) {
1324 OriginAttributes attrs;
1325 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1326 return NS_ERROR_INVALID_ARG;
1327 }
1328 nsCOMPtr<nsIPrincipal> prin =
1329 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1330 prin.forget(aPrincipal);
1331 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1332 }
1333
1334 NS_IMETHODIMP
1335 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1336 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1337 if (StringBeginsWith(aOrigin, "["_ns)) {
1338 return NS_ERROR_INVALID_ARG;
1339 }
1340
1341 if (StringBeginsWith(aOrigin,
1342 nsLiteralCString(NS_NULLPRINCIPAL_SCHEME ":"))) {
1343 return NS_ERROR_INVALID_ARG;
1344 }
1345
1346 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1347 prin.forget(aPrincipal);
1348 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1349 }
1350
1351 NS_IMETHODIMP
1352 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1353 nsACString& aJSON) {
1354 aJSON.Truncate();
1355 if (!aPrincipal) {
1356 return NS_ERROR_FAILURE;
1357 }
1358
1359 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1360
1361 if (aJSON.IsEmpty()) {
1362 return NS_ERROR_FAILURE;
1363 }
1364
1365 return NS_OK;
1366 }
1367
1368 NS_IMETHODIMP
1369 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1370 nsIPrincipal** aPrincipal) {
1371 if (aJSON.IsEmpty()) {
1372 return NS_ERROR_FAILURE;
1373 }
1374
1375 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1376
1377 if (!principal) {
1378 return NS_ERROR_FAILURE;
1379 }
1380
1381 principal.forget(aPrincipal);
1382 return NS_OK;
1383 }
1384
1385 NS_IMETHODIMP
1386 nsScriptSecurityManager::CreateNullPrincipal(
1387 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1388 nsIPrincipal** aPrincipal) {
1389 OriginAttributes attrs;
1390 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1391 return NS_ERROR_INVALID_ARG;
1392 }
1393 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1394 prin.forget(aPrincipal);
1395 return NS_OK;
1396 }
1397
1398 NS_IMETHODIMP
1399 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1400 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1401 NS_ENSURE_STATE(aLoadContext);
1402 OriginAttributes docShellAttrs;
1403 aLoadContext->GetOriginAttributes(docShellAttrs);
1404
1405 nsCOMPtr<nsIPrincipal> prin =
1406 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1407 prin.forget(aPrincipal);
1408 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1409 }
1410
1411 NS_IMETHODIMP
1412 nsScriptSecurityManager::GetDocShellContentPrincipal(
1413 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1414 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1415 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1416 prin.forget(aPrincipal);
1417 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1418 }
1419
1420 NS_IMETHODIMP
1421 nsScriptSecurityManager::PrincipalWithOA(
1422 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1423 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1424 if (!aPrincipal) {
1425 return NS_OK;
1426 }
1427 if (aPrincipal->GetIsContentPrincipal()) {
1428 OriginAttributes attrs;
1429 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1430 return NS_ERROR_INVALID_ARG;
1431 }
1432 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1433 RefPtr<ContentPrincipal> copy =
1434 new ContentPrincipal(contentPrincipal, attrs);
1435 NS_ENSURE_TRUE(copy, NS_ERROR_FAILURE);
1436 copy.forget(aReturnPrincipal);
1437 } else {
1438 // We do this for null principals, system principals (both fine)
1439 // ... and expanded principals, where we should probably do something
1440 // cleverer, but I also don't think we care too much.
1441 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1442 prin.forget(aReturnPrincipal);
1443 }
1444
1445 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1446 }
1447
1448 NS_IMETHODIMP
1449 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1450 nsISupports* aObj,
1451 nsIClassInfo* aClassInfo) {
1452 // XXX Special case for Exception ?
1453
1454 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1455 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1456 MOZ_RELEASE_ASSERT(contextRealm);
1457 if (!xpc::AllowContentXBLScope(contextRealm)) {
1458 return NS_OK;
1459 }
1460
1461 if (nsContentUtils::IsCallerChrome()) {
1462 return NS_OK;
1463 }
1464
1465 //-- Access denied, report an error
1466 nsAutoCString originUTF8;
1467 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1468 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1469 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1470 nsAutoCString classInfoNameUTF8;
1471 if (aClassInfo) {
1472 aClassInfo->GetClassDescription(classInfoNameUTF8);
1473 }
1474 if (classInfoNameUTF8.IsEmpty()) {
1475 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1476 }
1477
1478 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1479 if (NS_WARN_IF(!bundle)) {
1480 return NS_OK;
1481 }
1482
1483 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1484 nsresult rv;
1485 nsAutoString errorMsg;
1486 if (originUTF16.IsEmpty()) {
1487 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1488 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1489 errorMsg);
1490 } else {
1491 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1492 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1493 formatStrings, errorMsg);
1494 }
1495 NS_ENSURE_SUCCESS(rv, rv);
1496
1497 SetPendingException(cx, errorMsg.get());
1498 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1499 }
1500
1501 NS_IMETHODIMP
1502 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1503 if (nsContentUtils::IsCallerChrome()) {
1504 return NS_OK;
1505 }
1506
1507 //-- Access denied, report an error
1508 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1509 char cidStr[NSID_LENGTH];
1510 aCID.ToProvidedString(cidStr);
1511 errorMsg.Append(cidStr);
1512 SetPendingExceptionASCII(cx, errorMsg.get());
1513 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1514 }
1515
1516 NS_IMETHODIMP
1517 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1518 if (nsContentUtils::IsCallerChrome()) {
1519 return NS_OK;
1520 }
1521
1522 //-- Access denied, report an error
1523 nsAutoCString errorMsg("Permission denied to get service. CID=");
1524 char cidStr[NSID_LENGTH];
1525 aCID.ToProvidedString(cidStr);
1526 errorMsg.Append(cidStr);
1527 SetPendingExceptionASCII(cx, errorMsg.get());
1528 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1529 }
1530
1531 const char sJSEnabledPrefName[] = "javascript.enabled";
1532 const char sFileOriginPolicyPrefName[] =
1533 "security.fileuri.strict_origin_policy";
1534
1535 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1536 sFileOriginPolicyPrefName,
1537 "capability.policy.", nullptr};
1538
1539 /////////////////////////////////////////////
1540 // Constructor, Destructor, Initialization //
1541 /////////////////////////////////////////////
1542 nsScriptSecurityManager::nsScriptSecurityManager(void)
1543 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1544 static_assert(
1545 sizeof(intptr_t) == sizeof(void*),
1546 "intptr_t and void* have different lengths on this platform. "
1547 "This may cause a security failure with the SecurityLevel union.");
1548 }
1549
1550 nsresult nsScriptSecurityManager::Init() {
1551 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1552 NS_ENSURE_SUCCESS(rv, rv);
1553
1554 InitPrefs();
1555
1556 // Create our system principal singleton
1557 mSystemPrincipal = SystemPrincipal::Init();
1558
1559 return NS_OK;
1560 }
1561
1562 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1563 //-- Register security check callback in the JS engine
1564 // Currently this is used to control access to function.caller
1565
1566 static const JSSecurityCallbacks securityCallbacks = {
1567 ContentSecurityPolicyPermitsJSAction,
1568 JSPrincipalsSubsume,
1569 };
1570
1571 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1572 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1573 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1574
1575 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1576 }
1577
1578 /* static */
1579 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1580 JS_SetSecurityCallbacks(aCx, nullptr);
1581 JS_SetTrustedPrincipals(aCx, nullptr);
1582 }
1583
1584 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1585
1586 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1587 Preferences::UnregisterPrefixCallbacks(
1588 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1589 if (mDomainPolicy) {
1590 mDomainPolicy->Deactivate();
1591 }
1592 // ContentChild might hold a reference to the domain policy,
1593 // and it might release it only after the security manager is
1594 // gone. But we can still assert this for the main process.
1595 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1596 }
1597
1598 void nsScriptSecurityManager::Shutdown() {
1599 NS_IF_RELEASE(sIOService);
1600 BundleHelper::Shutdown();
1601 SystemPrincipal::Shutdown();
1602 }
1603
1604 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1605 return gScriptSecMan;
1606 }
1607
1608 /* static */
1609 void nsScriptSecurityManager::InitStatics() {
1610 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1611 nsresult rv = ssManager->Init();
1612 if (NS_FAILED(rv)) {
1613 MOZ_CRASH("ssManager->Init() failed");
1614 }
1615
1616 ClearOnShutdown(&gScriptSecMan);
1617 gScriptSecMan = ssManager;
1618 }
1619
1620 // Currently this nsGenericFactory constructor is used only from FastLoad
1621 // (XPCOM object deserialization) code, when "creating" the system principal
1622 // singleton.
1623 already_AddRefed<SystemPrincipal>
1624 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1625 if (gScriptSecMan)
1626 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1627 .downcast<SystemPrincipal>();
1628 return nullptr;
1629 }
1630
1631 struct IsWhitespace {
1632 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1633 };
1634 struct IsWhitespaceOrComma {
1635 static bool Test(char aChar) {
1636 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1637 };
1638 };
1639
1640 template <typename Predicate>
1641 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1642 while (base < str.Length() && Predicate::Test(str[base])) {
1643 ++base;
1644 }
1645 return base;
1646 }
1647
1648 template <typename Predicate>
1649 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1650 while (base < str.Length() && !Predicate::Test(str[base])) {
1651 ++base;
1652 }
1653 return base;
1654 }
1655
1656 // static
1657 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1658 void* aSelf) {
1659 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1660 aPref);
1661 }
1662
1663 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1664 const char* aPref) {
1665 MOZ_ASSERT(mPrefInitialized);
1666 mIsJavaScriptEnabled =
1667 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1668 sStrictFileOriginPolicy =
1669 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1670 mFileURIAllowlist.reset();
1671 }
1672
1673 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1674 const nsCString& aSiteList) {
1675 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1676 base < aSiteList.Length();
1677 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1678 // Grab the current site.
1679 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1680 nsAutoCString site(Substring(aSiteList, base, bound - base));
1681
1682 // Check if the URI is schemeless. If so, add both http and https.
1683 nsAutoCString unused;
1684 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1685 AddSitesToFileURIAllowlist("http://"_ns + site);
1686 AddSitesToFileURIAllowlist("https://"_ns + site);
1687 continue;
1688 }
1689
1690 // Convert it to a URI and add it to our list.
1691 nsCOMPtr<nsIURI> uri;
1692 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1693 if (NS_SUCCEEDED(rv)) {
1694 mFileURIAllowlist.ref().AppendElement(uri);
1695 } else {
1696 nsCOMPtr<nsIConsoleService> console(
1697 do_GetService("@mozilla.org/consoleservice;1"));
1698 if (console) {
1699 nsAutoString msg =
1700 u"Unable to to add site to file:// URI allowlist: "_ns +
1701 NS_ConvertASCIItoUTF16(site);
1702 console->LogStringMessage(msg.get());
1703 }
1704 }
1705 }
1706 }
1707
1708 nsresult nsScriptSecurityManager::InitPrefs() {
1709 nsIPrefBranch* branch = Preferences::GetRootBranch();
1710 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1711
1712 mPrefInitialized = true;
1713
1714 // Set the initial value of the "javascript.enabled" prefs
1715 ScriptSecurityPrefChanged();
1716
1717 // set observer callbacks in case the value of the prefs change
1718 Preferences::RegisterPrefixCallbacks(
1719 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1720
1721 return NS_OK;
1722 }
1723
1724 NS_IMETHODIMP
1725 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1726 *aRv = !!mDomainPolicy;
1727 return NS_OK;
1728 }
1729
1730 NS_IMETHODIMP
1731 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1732 if (!XRE_IsParentProcess()) {
1733 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1734 }
1735
1736 return ActivateDomainPolicyInternal(aRv);
1737 }
1738
1739 NS_IMETHODIMP
1740 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1741 // We only allow one domain policy at a time. The holder of the previous
1742 // policy must explicitly deactivate it first.
1743 if (mDomainPolicy) {
1744 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1745 }
1746
1747 mDomainPolicy = new DomainPolicy();
1748 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1749 ptr.forget(aRv);
1750 return NS_OK;
1751 }
1752
1753 // Intentionally non-scriptable. Script must have a reference to the
1754 // nsIDomainPolicy to deactivate it.
1755 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1756 mDomainPolicy = nullptr;
1757 }
1758
1759 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1760 MOZ_ASSERT(aClone);
1761 if (mDomainPolicy) {
1762 mDomainPolicy->CloneDomainPolicy(aClone);
1763 } else {
1764 aClone->active() = false;
1765 }
1766 }
1767
1768 NS_IMETHODIMP
1769 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1770 nsresult rv;
1771
1772 // Compute our rule. If we don't have any domain policy set up that might
1773 // provide exceptions to this rule, we're done.
1774 *aRv = mIsJavaScriptEnabled;
1775 if (!mDomainPolicy) {
1776 return NS_OK;
1777 }
1778
1779 // We have a domain policy. Grab the appropriate set of exceptions to the
1780 // rule (either the blocklist or the allowlist, depending on whether script
1781 // is enabled or disabled by default).
1782 nsCOMPtr<nsIDomainSet> exceptions;
1783 nsCOMPtr<nsIDomainSet> superExceptions;
1784 if (*aRv) {
1785 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1786 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1787 } else {
1788 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1789 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1790 }
1791
1792 bool contains;
1793 rv = exceptions->Contains(aURI, &contains);
1794 NS_ENSURE_SUCCESS(rv, rv);
1795 if (contains) {
1796 *aRv = !*aRv;
1797 return NS_OK;
1798 }
1799 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1800 NS_ENSURE_SUCCESS(rv, rv);
1801 if (contains) {
1802 *aRv = !*aRv;
1803 }
1804
1805 return NS_OK;
1806 }
1807
1808 const nsTArray<nsCOMPtr<nsIURI>>&
1809 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1810 if (mFileURIAllowlist.isSome()) {
1811 return mFileURIAllowlist.ref();
1812 }
1813
1814 //
1815 // Rebuild the set of principals for which we allow file:// URI loads. This
1816 // implements a small subset of an old pref-based CAPS people that people
1817 // have come to depend on. See bug 995943.
1818 //
1819
1820 mFileURIAllowlist.emplace();
1821 nsAutoCString policies;
1822 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1823 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1824 base < policies.Length();
1825 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1826 // Grab the current policy name.
1827 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1828 auto policyName = Substring(policies, base, bound - base);
1829
1830 // Figure out if this policy allows loading file:// URIs. If not, we can
1831 // skip it.
1832 nsCString checkLoadURIPrefName =
1833 "capability.policy."_ns + policyName + ".checkloaduri.enabled"_ns;
1834 nsAutoString value;
1835 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1836 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1837 continue;
1838 }
1839
1840 // Grab the list of domains associated with this policy.
1841 nsCString domainPrefName =
1842 "capability.policy."_ns + policyName + ".sites"_ns;
1843 nsAutoCString siteList;
1844 Preferences::GetCString(domainPrefName.get(), siteList);
1845 AddSitesToFileURIAllowlist(siteList);
1846 }
1847
1848 return mFileURIAllowlist.ref();
1849 }