dom/base/nsDataDocumentContentPolicy.cpp

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 /*
   8  * Content policy implementation that prevents all loads of images,
   9  * subframes, etc from documents loaded as data (eg documents loaded
  10  * via XMLHttpRequest).
  11  */
  12
  13 #include "nsContentPolicyUtils.h"
  14 #include "nsContentUtils.h"
  15 #include "nsContentPolicyUtils.h"
  16 #include "nsDataDocumentContentPolicy.h"
  17 #include "nsNetUtil.h"
  18 #include "nsIProtocolHandler.h"
  19 #include "nsScriptSecurityManager.h"
  20 #include "mozilla/dom/Document.h"
  21 #include "mozilla/ScopeExit.h"
  22 #include "nsINode.h"
  23 #include "nsIURI.h"
  24
  25 using namespace mozilla;
  26
  27 NS_IMPL_ISUPPORTS(nsDataDocumentContentPolicy, nsIContentPolicy)
  28
  29 // Helper method for ShouldLoad()
  30 // Checks a URI for the given flags.  Returns true if the URI has the flags,
  31 // and false if not (or if we weren't able to tell).
  32 static bool HasFlags(nsIURI* aURI, uint32_t aURIFlags) {
  33   bool hasFlags;
  34   nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);
  35   return NS_SUCCEEDED(rv) && hasFlags;
  36 }
  37
  38 // If you change DataDocumentContentPolicy, make sure to check that
  39 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
  40 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad.
  41 NS_IMETHODIMP
  42 nsDataDocumentContentPolicy::ShouldLoad(nsIURI* aContentLocation,
  43                                         nsILoadInfo* aLoadInfo,
  44                                         const nsACString& aMimeGuess,
  45                                         int16_t* aDecision) {
  46   auto setBlockingReason = mozilla::MakeScopeExit([&]() {
  47     if (NS_CP_REJECTED(*aDecision)) {
  48       NS_SetRequestBlockingReason(
  49           aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_DATA_DOCUMENT);
  50     }
  51   });
  52
  53   uint32_t contentType = aLoadInfo->GetExternalContentPolicyType();
  54   nsCOMPtr<nsISupports> requestingContext = aLoadInfo->GetLoadingContext();
  55
  56   MOZ_ASSERT(contentType == nsContentUtils::InternalContentPolicyTypeToExternal(
  57                                 contentType),
  58              "We should only see external content policy types here.");
  59
  60   *aDecision = nsIContentPolicy::ACCEPT;
  61   // Look for the document.  In most cases, requestingContext is a node.
  62   nsCOMPtr<mozilla::dom::Document> doc;
  63   nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
  64   if (node) {
  65     doc = node->OwnerDoc();
  66   } else {
  67     if (nsCOMPtr<nsPIDOMWindowOuter> window =
  68             do_QueryInterface(requestingContext)) {
  69       doc = window->GetDoc();
  70     }
  71   }
  72
  73   // DTDs are always OK to load
  74   if (!doc || contentType == nsIContentPolicy::TYPE_DTD) {
  75     return NS_OK;
  76   }
  77
  78   if (doc->IsLoadedAsData()) {
  79     bool allowed = [&] {
  80       if (!doc->IsStaticDocument()) {
  81         // If not a print/print preview doc, then nothing else is allowed for
  82         // data documents.
  83         return false;
  84       }
  85       // Let static (print/print preview) documents to load fonts and
  86       // images.
  87       switch (contentType) {
  88         case nsIContentPolicy::TYPE_IMAGE:
  89         case nsIContentPolicy::TYPE_IMAGESET:
  90         case nsIContentPolicy::TYPE_FONT:
  91         // This one is a bit sketchy, but nsObjectLoadingContent takes care of
  92         // only getting here if it is an image.
  93         case nsIContentPolicy::TYPE_OBJECT:
  94           return true;
  95         default:
  96           return false;
  97       }
  98     }();
  99
 100     if (!allowed) {
 101       *aDecision = nsIContentPolicy::REJECT_TYPE;
 102       return NS_OK;
 103     }
 104   }
 105
 106   mozilla::dom::Document* docToCheckForImage = doc->GetDisplayDocument();
 107   if (!docToCheckForImage) {
 108     docToCheckForImage = doc;
 109   }
 110
 111   if (docToCheckForImage->IsBeingUsedAsImage()) {
 112     // We only allow SVG images to load content from URIs that are local and
 113     // also satisfy one of the following conditions:
 114     //  - URI inherits security context, e.g. data URIs
 115     //   OR
 116     //  - URI loadable by subsumers, e.g. blob URIs
 117     // Any URI that doesn't meet these requirements will be rejected below.
 118     if (!(HasFlags(aContentLocation,
 119                    nsIProtocolHandler::URI_IS_LOCAL_RESOURCE) &&
 120           (HasFlags(aContentLocation,
 121                     nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT) ||
 122            HasFlags(aContentLocation,
 123                     nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS)))) {
 124       *aDecision = nsIContentPolicy::REJECT_TYPE;
 125
 126       // Report error, if we can.
 127       if (node) {
 128         nsIPrincipal* requestingPrincipal = node->NodePrincipal();
 129         nsAutoCString sourceSpec;
 130         requestingPrincipal->GetAsciiSpec(sourceSpec);
 131         nsAutoCString targetSpec;
 132         aContentLocation->GetAsciiSpec(targetSpec);
 133         nsScriptSecurityManager::ReportError(
 134             "ExternalDataError", sourceSpec, targetSpec,
 135             requestingPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0);
 136       }
 137     } else if ((contentType == nsIContentPolicy::TYPE_IMAGE ||
 138                 contentType == nsIContentPolicy::TYPE_IMAGESET) &&
 139                doc->GetDocumentURI()) {
 140       // Check for (& disallow) recursive image-loads
 141       bool isRecursiveLoad;
 142       nsresult rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
 143                                                       &isRecursiveLoad);
 144       if (NS_FAILED(rv) || isRecursiveLoad) {
 145         NS_WARNING("Refusing to recursively load image");
 146         *aDecision = nsIContentPolicy::REJECT_TYPE;
 147       }
 148     }
 149     return NS_OK;
 150   }
 151
 152   // Allow all loads for non-resource documents
 153   if (!doc->IsResourceDoc()) {
 154     return NS_OK;
 155   }
 156
 157   // For resource documents, blacklist some load types
 158   if (contentType == nsIContentPolicy::TYPE_OBJECT ||
 159       contentType == nsIContentPolicy::TYPE_DOCUMENT ||
 160       contentType == nsIContentPolicy::TYPE_SUBDOCUMENT ||
 161       contentType == nsIContentPolicy::TYPE_SCRIPT ||
 162       contentType == nsIContentPolicy::TYPE_XSLT ||
 163       contentType == nsIContentPolicy::TYPE_FETCH ||
 164       contentType == nsIContentPolicy::TYPE_WEB_MANIFEST) {
 165     *aDecision = nsIContentPolicy::REJECT_TYPE;
 166   }
 167
 168   // If you add more restrictions here, make sure to check that
 169   // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
 170   // nsContentPolicyUtils may not pass all the parameters to ShouldLoad
 171
 172   return NS_OK;
 173 }
 174
 175 NS_IMETHODIMP
 176 nsDataDocumentContentPolicy::ShouldProcess(nsIURI* aContentLocation,
 177                                            nsILoadInfo* aLoadInfo,
 178                                            const nsACString& aMimeGuess,
 179                                            int16_t* aDecision) {
 180   return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
 181 }