1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 * Content policy implementation that prevents all loads of images,
9 * subframes, etc from documents loaded as data (eg documents loaded
10 * via XMLHttpRequest).
13 #include "nsContentPolicyUtils.h"
14 #include "nsContentUtils.h"
15 #include "nsContentPolicyUtils.h"
16 #include "nsDataDocumentContentPolicy.h"
17 #include "nsNetUtil.h"
18 #include "nsIProtocolHandler.h"
19 #include "nsScriptSecurityManager.h"
20 #include "mozilla/dom/Document.h"
21 #include "mozilla/ScopeExit.h"
25 using namespace mozilla
;
27 NS_IMPL_ISUPPORTS(nsDataDocumentContentPolicy
, nsIContentPolicy
)
29 // Helper method for ShouldLoad()
30 // Checks a URI for the given flags. Returns true if the URI has the flags,
31 // and false if not (or if we weren't able to tell).
32 static bool HasFlags(nsIURI
* aURI
, uint32_t aURIFlags
) {
34 nsresult rv
= NS_URIChainHasFlags(aURI
, aURIFlags
, &hasFlags
);
35 return NS_SUCCEEDED(rv
) && hasFlags
;
38 // If you change DataDocumentContentPolicy, make sure to check that
39 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
40 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad.
42 nsDataDocumentContentPolicy::ShouldLoad(nsIURI
* aContentLocation
,
43 nsILoadInfo
* aLoadInfo
,
44 const nsACString
& aMimeGuess
,
46 auto setBlockingReason
= mozilla::MakeScopeExit([&]() {
47 if (NS_CP_REJECTED(*aDecision
)) {
48 NS_SetRequestBlockingReason(
49 aLoadInfo
, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_DATA_DOCUMENT
);
53 uint32_t contentType
= aLoadInfo
->GetExternalContentPolicyType();
54 nsCOMPtr
<nsISupports
> requestingContext
= aLoadInfo
->GetLoadingContext();
56 MOZ_ASSERT(contentType
== nsContentUtils::InternalContentPolicyTypeToExternal(
58 "We should only see external content policy types here.");
60 *aDecision
= nsIContentPolicy::ACCEPT
;
61 // Look for the document. In most cases, requestingContext is a node.
62 nsCOMPtr
<mozilla::dom::Document
> doc
;
63 nsCOMPtr
<nsINode
> node
= do_QueryInterface(requestingContext
);
65 doc
= node
->OwnerDoc();
67 if (nsCOMPtr
<nsPIDOMWindowOuter
> window
=
68 do_QueryInterface(requestingContext
)) {
69 doc
= window
->GetDoc();
73 // DTDs are always OK to load
74 if (!doc
|| contentType
== nsIContentPolicy::TYPE_DTD
) {
78 if (doc
->IsLoadedAsData()) {
80 if (!doc
->IsStaticDocument()) {
81 // If not a print/print preview doc, then nothing else is allowed for
85 // Let static (print/print preview) documents to load fonts and
87 switch (contentType
) {
88 case nsIContentPolicy::TYPE_IMAGE
:
89 case nsIContentPolicy::TYPE_IMAGESET
:
90 case nsIContentPolicy::TYPE_FONT
:
91 // This one is a bit sketchy, but nsObjectLoadingContent takes care of
92 // only getting here if it is an image.
93 case nsIContentPolicy::TYPE_OBJECT
:
101 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
106 mozilla::dom::Document
* docToCheckForImage
= doc
->GetDisplayDocument();
107 if (!docToCheckForImage
) {
108 docToCheckForImage
= doc
;
111 if (docToCheckForImage
->IsBeingUsedAsImage()) {
112 // We only allow SVG images to load content from URIs that are local and
113 // also satisfy one of the following conditions:
114 // - URI inherits security context, e.g. data URIs
116 // - URI loadable by subsumers, e.g. blob URIs
117 // Any URI that doesn't meet these requirements will be rejected below.
118 if (!(HasFlags(aContentLocation
,
119 nsIProtocolHandler::URI_IS_LOCAL_RESOURCE
) &&
120 (HasFlags(aContentLocation
,
121 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
) ||
122 HasFlags(aContentLocation
,
123 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS
)))) {
124 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
126 // Report error, if we can.
128 nsIPrincipal
* requestingPrincipal
= node
->NodePrincipal();
129 nsAutoCString sourceSpec
;
130 requestingPrincipal
->GetAsciiSpec(sourceSpec
);
131 nsAutoCString targetSpec
;
132 aContentLocation
->GetAsciiSpec(targetSpec
);
133 nsScriptSecurityManager::ReportError(
134 "ExternalDataError", sourceSpec
, targetSpec
,
135 requestingPrincipal
->OriginAttributesRef().mPrivateBrowsingId
> 0);
137 } else if ((contentType
== nsIContentPolicy::TYPE_IMAGE
||
138 contentType
== nsIContentPolicy::TYPE_IMAGESET
) &&
139 doc
->GetDocumentURI()) {
140 // Check for (& disallow) recursive image-loads
141 bool isRecursiveLoad
;
142 nsresult rv
= aContentLocation
->EqualsExceptRef(doc
->GetDocumentURI(),
144 if (NS_FAILED(rv
) || isRecursiveLoad
) {
145 NS_WARNING("Refusing to recursively load image");
146 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
152 // Allow all loads for non-resource documents
153 if (!doc
->IsResourceDoc()) {
157 // For resource documents, blacklist some load types
158 if (contentType
== nsIContentPolicy::TYPE_OBJECT
||
159 contentType
== nsIContentPolicy::TYPE_DOCUMENT
||
160 contentType
== nsIContentPolicy::TYPE_SUBDOCUMENT
||
161 contentType
== nsIContentPolicy::TYPE_SCRIPT
||
162 contentType
== nsIContentPolicy::TYPE_XSLT
||
163 contentType
== nsIContentPolicy::TYPE_FETCH
||
164 contentType
== nsIContentPolicy::TYPE_WEB_MANIFEST
) {
165 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
168 // If you add more restrictions here, make sure to check that
169 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
170 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad
176 nsDataDocumentContentPolicy::ShouldProcess(nsIURI
* aContentLocation
,
177 nsILoadInfo
* aLoadInfo
,
178 const nsACString
& aMimeGuess
,
179 int16_t* aDecision
) {
180 return ShouldLoad(aContentLocation
, aLoadInfo
, aMimeGuess
, aDecision
);