1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "nsScriptSecurityManager.h"
9 #include "mozilla/ArrayUtils.h"
11 #include "js/OldDebugAPI.h"
12 #include "xpcprivate.h"
13 #include "XPCWrapper.h"
14 #include "nsILoadContext.h"
15 #include "nsIServiceManager.h"
16 #include "nsIScriptObjectPrincipal.h"
17 #include "nsIScriptContext.h"
19 #include "nsINestedURI.h"
21 #include "nsJSPrincipals.h"
22 #include "nsSystemPrincipal.h"
23 #include "nsPrincipal.h"
24 #include "nsNullPrincipal.h"
25 #include "DomainPolicy.h"
26 #include "nsXPIDLString.h"
28 #include "nsCRTGlue.h"
31 #include "nsIXPConnect.h"
32 #include "nsTextFormatter.h"
33 #include "nsIStringBundle.h"
34 #include "nsNetUtil.h"
35 #include "nsIProperties.h"
36 #include "nsDirectoryServiceDefs.h"
38 #include "nsIFileURL.h"
39 #include "nsIZipReader.h"
40 #include "nsIXPConnect.h"
41 #include "nsIScriptGlobalObject.h"
42 #include "nsPIDOMWindow.h"
43 #include "nsIDocShell.h"
44 #include "nsIPrompt.h"
45 #include "nsIWindowWatcher.h"
46 #include "nsIConsoleService.h"
47 #include "nsIJSRuntimeService.h"
48 #include "nsIObserverService.h"
49 #include "nsIContent.h"
50 #include "nsAutoPtr.h"
51 #include "nsDOMJSUtils.h"
52 #include "nsAboutProtocolUtils.h"
53 #include "nsIClassInfo.h"
54 #include "nsIURIFixup.h"
55 #include "nsCDefaultURIFixup.h"
56 #include "nsIChromeRegistry.h"
57 #include "nsIContentSecurityPolicy.h"
58 #include "nsIAsyncVerifyRedirectCallback.h"
59 #include "mozilla/Preferences.h"
60 #include "mozilla/dom/BindingUtils.h"
62 #include "mozilla/ClearOnShutdown.h"
63 #include "mozilla/StaticPtr.h"
64 #include "nsContentUtils.h"
65 #include "nsCxPusher.h"
66 #include "nsJSUtils.h"
67 #include "nsILoadInfo.h"
69 // This should be probably defined on some other place... but I couldn't find it
70 #define WEBAPPS_PERM_NAME "webapps-manage"
72 using namespace mozilla
;
73 using namespace mozilla::dom
;
75 nsIIOService
*nsScriptSecurityManager::sIOService
= nullptr;
76 nsIStringBundle
*nsScriptSecurityManager::sStrBundle
= nullptr;
77 JSRuntime
*nsScriptSecurityManager::sRuntime
= 0;
78 bool nsScriptSecurityManager::sStrictFileOriginPolicy
= true;
80 ///////////////////////////
81 // Convenience Functions //
82 ///////////////////////////
84 class nsAutoInPrincipalDomainOriginSetter
{
86 nsAutoInPrincipalDomainOriginSetter() {
87 ++sInPrincipalDomainOrigin
;
89 ~nsAutoInPrincipalDomainOriginSetter() {
90 --sInPrincipalDomainOrigin
;
92 static uint32_t sInPrincipalDomainOrigin
;
94 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
;
98 GetOriginFromURI(nsIURI
* aURI
, nsACString
& aOrigin
)
100 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
> 1) {
101 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
102 // might be happening on a different principal from the first call. But
103 // after that, cut off the recursion; it just indicates that something
104 // we're doing in this method causes us to reenter a security check here.
105 return NS_ERROR_NOT_AVAILABLE
;
108 nsAutoInPrincipalDomainOriginSetter autoSetter
;
110 nsCOMPtr
<nsIURI
> uri
= NS_GetInnermostURI(aURI
);
111 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
113 nsAutoCString hostPort
;
115 nsresult rv
= uri
->GetHostPort(hostPort
);
116 if (NS_SUCCEEDED(rv
)) {
117 nsAutoCString scheme
;
118 rv
= uri
->GetScheme(scheme
);
119 NS_ENSURE_SUCCESS(rv
, rv
);
120 aOrigin
= scheme
+ NS_LITERAL_CSTRING("://") + hostPort
;
123 // Some URIs (e.g., nsSimpleURI) don't support host. Just
124 // get the full spec.
125 rv
= uri
->GetSpec(aOrigin
);
126 NS_ENSURE_SUCCESS(rv
, rv
);
134 GetPrincipalDomainOrigin(nsIPrincipal
* aPrincipal
,
138 nsCOMPtr
<nsIURI
> uri
;
139 aPrincipal
->GetDomain(getter_AddRefs(uri
));
141 aPrincipal
->GetURI(getter_AddRefs(uri
));
143 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
145 return GetOriginFromURI(uri
, aOrigin
);
148 inline void SetPendingException(JSContext
*cx
, const char *aMsg
)
150 JS_ReportError(cx
, "%s", aMsg
);
153 inline void SetPendingException(JSContext
*cx
, const char16_t
*aMsg
)
155 JS_ReportError(cx
, "%hs", aMsg
);
158 // Helper class to get stuff from the ClassInfo and not waste extra time with
159 // virtual method calls for things it has already gotten
163 ClassInfoData(nsIClassInfo
*aClassInfo
, const char *aName
)
164 : mClassInfo(aClassInfo
),
165 mName(const_cast<char *>(aName
)),
174 nsMemory::Free(mName
);
181 nsresult rv
= mClassInfo
->GetFlags(&mFlags
);
197 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT
);
200 const char* GetName()
204 mClassInfo
->GetClassDescription(&mName
);
208 mMustFreeName
= true;
210 mName
= const_cast<char *>("UnnamedClass");
218 nsIClassInfo
*mClassInfo
; // WEAK
226 nsScriptSecurityManager::GetCurrentJSContext()
228 // Get JSContext from stack.
229 return nsXPConnect::XPConnect()->GetCurrentJSContext();
233 nsScriptSecurityManager::GetSafeJSContext()
235 // Get JSContext from stack.
236 return nsXPConnect::XPConnect()->GetSafeJSContext();
241 nsScriptSecurityManager::SecurityCompareURIs(nsIURI
* aSourceURI
,
244 return NS_SecurityCompareURIs(aSourceURI
, aTargetURI
, sStrictFileOriginPolicy
);
247 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
248 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
250 nsScriptSecurityManager::SecurityHashURI(nsIURI
* aURI
)
252 return NS_SecurityHashURI(aURI
);
256 nsScriptSecurityManager::GetChannelPrincipal(nsIChannel
* aChannel
,
257 nsIPrincipal
** aPrincipal
)
259 NS_PRECONDITION(aChannel
, "Must have channel!");
260 nsCOMPtr
<nsISupports
> owner
;
261 aChannel
->GetOwner(getter_AddRefs(owner
));
263 CallQueryInterface(owner
, aPrincipal
);
269 // Check whether we have an nsILoadInfo that says what we should do.
270 nsCOMPtr
<nsILoadInfo
> loadInfo
;
271 aChannel
->GetLoadInfo(getter_AddRefs(loadInfo
));
273 if (loadInfo
->GetLoadingSandboxed()) {
274 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, aPrincipal
);
277 if (loadInfo
->GetForceInheritPrincipal()) {
278 NS_ADDREF(*aPrincipal
= loadInfo
->LoadingPrincipal());
283 // OK, get the principal from the URI. Make sure this does the same thing
284 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
285 nsCOMPtr
<nsIURI
> uri
;
286 nsresult rv
= NS_GetFinalChannelURI(aChannel
, getter_AddRefs(uri
));
287 NS_ENSURE_SUCCESS(rv
, rv
);
290 nsCOMPtr
<nsILoadContext
> loadContext
;
291 NS_QueryNotificationCallbacks(aChannel
, loadContext
);
294 return GetLoadContextCodebasePrincipal(uri
, loadContext
, aPrincipal
);
297 return GetCodebasePrincipalInternal(uri
, UNKNOWN_APP_ID
,
298 /* isInBrowserElement */ false, aPrincipal
);
302 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal
* aPrincipal
,
305 *aIsSystem
= (aPrincipal
== mSystemPrincipal
);
309 /////////////////////////////
310 // nsScriptSecurityManager //
311 /////////////////////////////
313 ////////////////////////////////////
314 // Methods implementing ISupports //
315 ////////////////////////////////////
316 NS_IMPL_ISUPPORTS(nsScriptSecurityManager
,
317 nsIScriptSecurityManager
,
321 ///////////////////////////////////////////////////
322 // Methods implementing nsIScriptSecurityManager //
323 ///////////////////////////////////////////////////
325 ///////////////// Security Checks /////////////////
328 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext
*cx
)
330 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
331 nsCOMPtr
<nsIPrincipal
> subjectPrincipal
= nsContentUtils::SubjectPrincipal();
332 nsCOMPtr
<nsIContentSecurityPolicy
> csp
;
333 nsresult rv
= subjectPrincipal
->GetCsp(getter_AddRefs(csp
));
334 NS_ASSERTION(NS_SUCCEEDED(rv
), "CSP: Failed to get CSP from principal.");
336 // don't do anything unless there's a CSP
341 bool reportViolation
= false;
342 rv
= csp
->GetAllowsEval(&reportViolation
, &evalOK
);
346 NS_WARNING("CSP: failed to get allowsEval");
347 return true; // fail open to not break sites.
350 if (reportViolation
) {
351 nsAutoString fileName
;
352 unsigned lineNum
= 0;
353 NS_NAMED_LITERAL_STRING(scriptSample
, "call to eval() or related function blocked by CSP");
355 JS::AutoFilename scriptFilename
;
356 if (JS::DescribeScriptedCaller(cx
, &scriptFilename
, &lineNum
)) {
357 if (const char *file
= scriptFilename
.get()) {
358 CopyUTF8toUTF16(nsDependentCString(file
), fileName
);
361 csp
->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
,
374 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals
*first
,
375 JSPrincipals
*second
)
377 return nsJSPrincipals::get(first
)->Subsumes(nsJSPrincipals::get(second
));
381 nsScriptSecurityManager::CheckSameOrigin(JSContext
* cx
,
384 MOZ_ASSERT_IF(cx
, cx
== nsContentUtils::GetCurrentJSContext());
386 // Get a principal from the context
387 nsIPrincipal
* sourcePrincipal
= nsContentUtils::SubjectPrincipal();
388 if (sourcePrincipal
== mSystemPrincipal
)
390 // This is a system (chrome) script, so allow access
394 // Get the original URI from the source principal.
395 // This has the effect of ignoring any change to document.domain
396 // which must be done to avoid DNS spoofing (bug 154930)
397 nsCOMPtr
<nsIURI
> sourceURI
;
398 sourcePrincipal
->GetDomain(getter_AddRefs(sourceURI
));
400 sourcePrincipal
->GetURI(getter_AddRefs(sourceURI
));
401 NS_ENSURE_TRUE(sourceURI
, NS_ERROR_FAILURE
);
405 if (!SecurityCompareURIs(sourceURI
, aTargetURI
))
407 ReportError(cx
, NS_LITERAL_STRING("CheckSameOriginError"), sourceURI
, aTargetURI
);
408 return NS_ERROR_DOM_BAD_URI
;
414 nsScriptSecurityManager::CheckSameOriginURI(nsIURI
* aSourceURI
,
418 if (!SecurityCompareURIs(aSourceURI
, aTargetURI
))
421 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
422 aSourceURI
, aTargetURI
);
424 return NS_ERROR_DOM_BAD_URI
;
430 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal
* aPrincipal
)
432 nsCOMPtr
<nsIURI
> uri
;
433 aPrincipal
->GetDomain(getter_AddRefs(uri
));
435 aPrincipal
->GetURI(getter_AddRefs(uri
));
436 return SecurityHashURI(uri
);
440 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal
* aFirst
,
441 nsIPrincipal
* aSecond
)
443 MOZ_ASSERT(aFirst
&& aSecond
, "Don't pass null pointers!");
445 uint32_t firstAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
446 if (!aFirst
->GetUnknownAppId()) {
447 firstAppId
= aFirst
->GetAppId();
450 uint32_t secondAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
451 if (!aSecond
->GetUnknownAppId()) {
452 secondAppId
= aSecond
->GetAppId();
455 return ((firstAppId
== secondAppId
) &&
456 (aFirst
->GetIsInBrowserElement() == aSecond
->GetIsInBrowserElement()));
460 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext
*cx
, nsIURI
*aURI
)
462 // Get principal of currently executing script.
463 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
464 nsIPrincipal
* principal
= nsContentUtils::SubjectPrincipal();
465 nsresult rv
= CheckLoadURIWithPrincipal(principal
, aURI
,
466 nsIScriptSecurityManager::STANDARD
);
467 if (NS_SUCCEEDED(rv
)) {
472 // See if we're attempting to load a file: URI. If so, let a
473 // UniversalXPConnect capability trump the above check.
476 if (NS_FAILED(aURI
->SchemeIs("file", &isFile
)) ||
477 NS_FAILED(aURI
->SchemeIs("resource", &isRes
)))
478 return NS_ERROR_FAILURE
;
481 if (nsContentUtils::IsCallerChrome())
487 if (NS_FAILED(aURI
->GetAsciiSpec(spec
)))
488 return NS_ERROR_FAILURE
;
489 nsAutoCString
msg("Access to '");
491 msg
.AppendLiteral("' from script denied");
492 SetPendingException(cx
, msg
.get());
493 return NS_ERROR_DOM_BAD_URI
;
497 * Helper method to handle cases where a flag passed to
498 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
499 * nsIProtocolHandler flags set.
500 * @return if success, access is allowed. Otherwise, deny access
503 DenyAccessIfURIHasFlags(nsIURI
* aURI
, uint32_t aURIFlags
)
505 NS_PRECONDITION(aURI
, "Must have URI!");
509 NS_URIChainHasFlags(aURI
, aURIFlags
, &uriHasFlags
);
510 NS_ENSURE_SUCCESS(rv
, rv
);
513 return NS_ERROR_DOM_BAD_URI
;
520 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal
* aPrincipal
,
524 NS_PRECONDITION(aPrincipal
, "CheckLoadURIWithPrincipal must have a principal");
525 // If someone passes a flag that we don't understand, we should
526 // fail, because they may need a security check that we don't
528 NS_ENSURE_FALSE(aFlags
& ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
529 nsIScriptSecurityManager::ALLOW_CHROME
|
530 nsIScriptSecurityManager::DISALLOW_SCRIPT
|
531 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
|
532 nsIScriptSecurityManager::DONT_REPORT_ERRORS
),
533 NS_ERROR_UNEXPECTED
);
534 NS_ENSURE_ARG_POINTER(aPrincipal
);
535 NS_ENSURE_ARG_POINTER(aTargetURI
);
537 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
538 // would do such inheriting. That would be URIs that do not have their own
539 // security context. We do this even for the system principal.
540 if (aFlags
& nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
) {
542 DenyAccessIfURIHasFlags(aTargetURI
,
543 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
);
544 NS_ENSURE_SUCCESS(rv
, rv
);
547 if (aPrincipal
== mSystemPrincipal
) {
552 nsCOMPtr
<nsIURI
> sourceURI
;
553 aPrincipal
->GetURI(getter_AddRefs(sourceURI
));
555 nsCOMPtr
<nsIExpandedPrincipal
> expanded
= do_QueryInterface(aPrincipal
);
557 nsTArray
< nsCOMPtr
<nsIPrincipal
> > *whiteList
;
558 expanded
->GetWhiteList(&whiteList
);
559 for (uint32_t i
= 0; i
< whiteList
->Length(); ++i
) {
560 nsresult rv
= CheckLoadURIWithPrincipal((*whiteList
)[i
],
563 if (NS_SUCCEEDED(rv
)) {
564 // Allow access if it succeeded with one of the white listed principals
568 // None of our whitelisted principals worked.
569 return NS_ERROR_DOM_BAD_URI
;
571 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
573 return NS_ERROR_UNEXPECTED
;
576 // Automatic loads are not allowed from certain protocols.
577 if (aFlags
& nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
) {
579 DenyAccessIfURIHasFlags(sourceURI
,
580 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT
);
581 NS_ENSURE_SUCCESS(rv
, rv
);
584 // If either URI is a nested URI, get the base URI
585 nsCOMPtr
<nsIURI
> sourceBaseURI
= NS_GetInnermostURI(sourceURI
);
586 nsCOMPtr
<nsIURI
> targetBaseURI
= NS_GetInnermostURI(aTargetURI
);
588 //-- get the target scheme
589 nsAutoCString targetScheme
;
590 nsresult rv
= targetBaseURI
->GetScheme(targetScheme
);
591 if (NS_FAILED(rv
)) return rv
;
593 //-- Some callers do not allow loading javascript:
594 if ((aFlags
& nsIScriptSecurityManager::DISALLOW_SCRIPT
) &&
595 targetScheme
.EqualsLiteral("javascript"))
597 return NS_ERROR_DOM_BAD_URI
;
600 NS_NAMED_LITERAL_STRING(errorTag
, "CheckLoadURIError");
601 bool reportErrors
= !(aFlags
& nsIScriptSecurityManager::DONT_REPORT_ERRORS
);
603 // Check for uris that are only loadable by principals that subsume them
605 rv
= NS_URIChainHasFlags(targetBaseURI
,
606 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS
,
608 NS_ENSURE_SUCCESS(rv
, rv
);
611 return aPrincipal
->CheckMayLoad(targetBaseURI
, true, false);
614 //-- get the source scheme
615 nsAutoCString sourceScheme
;
616 rv
= sourceBaseURI
->GetScheme(sourceScheme
);
617 if (NS_FAILED(rv
)) return rv
;
619 if (sourceScheme
.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME
)) {
620 // A null principal can target its own URI.
621 if (sourceURI
== aTargetURI
) {
625 else if (targetScheme
.Equals(sourceScheme
,
626 nsCaseInsensitiveCStringComparator()))
628 // every scheme can access another URI from the same scheme,
629 // as long as they don't represent null principals...
630 // Or they don't require an special permission to do so
634 rv
= NS_URIChainHasFlags(targetBaseURI
,
635 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM
,
637 NS_ENSURE_SUCCESS(rv
, rv
);
640 // In this case, we allow opening only if the source and target URIS
641 // are on the same domain, or the opening URI has the webapps
643 if (!SecurityCompareURIs(sourceBaseURI
,targetBaseURI
) &&
644 !nsContentUtils::IsExactSitePermAllow(aPrincipal
,WEBAPPS_PERM_NAME
)){
645 return NS_ERROR_DOM_BAD_URI
;
651 // If the schemes don't match, the policy is specified by the protocol
652 // flags on the target URI. Note that the order of policy checks here is
653 // very important! We start from most restrictive and work our way down.
654 // Note that since we're working with the innermost URI, we can just use
655 // the methods that work on chains of nested URIs and they will only look
656 // at the flags for our one URI.
658 // Check for system target URI
659 rv
= DenyAccessIfURIHasFlags(targetBaseURI
,
660 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD
);
662 // Deny access, since the origin principal is not system
664 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
669 // Check for chrome target URI
670 rv
= NS_URIChainHasFlags(targetBaseURI
,
671 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
673 NS_ENSURE_SUCCESS(rv
, rv
);
675 if (aFlags
& nsIScriptSecurityManager::ALLOW_CHROME
) {
676 if (!targetScheme
.EqualsLiteral("chrome")) {
677 // for now don't change behavior for resource: or moz-icon:
681 // allow load only if chrome package is whitelisted
682 nsCOMPtr
<nsIXULChromeRegistry
> reg(do_GetService(
683 NS_CHROMEREGISTRY_CONTRACTID
));
685 bool accessAllowed
= false;
686 reg
->AllowContentToAccess(targetBaseURI
, &accessAllowed
);
693 // resource: and chrome: are equivalent, securitywise
694 // That's bogus!! Fix this. But watch out for
695 // the view-source stylesheet?
697 rv
= NS_URIChainHasFlags(sourceBaseURI
,
698 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
700 NS_ENSURE_SUCCESS(rv
, rv
);
701 if (sourceIsChrome
) {
705 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
707 return NS_ERROR_DOM_BAD_URI
;
710 // Check for target URI pointing to a file
711 rv
= NS_URIChainHasFlags(targetBaseURI
,
712 nsIProtocolHandler::URI_IS_LOCAL_FILE
,
714 NS_ENSURE_SUCCESS(rv
, rv
);
716 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
717 // this array is empty.
718 for (size_t i
= 0; i
< mFileURIWhitelist
.Length(); ++i
) {
719 if (SecurityCompareURIs(mFileURIWhitelist
[i
], sourceURI
)) {
724 // resource: and chrome: are equivalent, securitywise
725 // That's bogus!! Fix this. But watch out for
726 // the view-source stylesheet?
728 rv
= NS_URIChainHasFlags(sourceURI
,
729 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
731 NS_ENSURE_SUCCESS(rv
, rv
);
732 if (sourceIsChrome
) {
737 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
739 return NS_ERROR_DOM_BAD_URI
;
742 // OK, everyone is allowed to load this, since unflagged handlers are
743 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
744 // need to warn. At some point we'll want to make this warning into an
745 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
746 rv
= NS_URIChainHasFlags(targetBaseURI
,
747 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE
,
749 NS_ENSURE_SUCCESS(rv
, rv
);
751 nsXPIDLString message
;
752 NS_ConvertASCIItoUTF16
ucsTargetScheme(targetScheme
);
753 const char16_t
* formatStrings
[] = { ucsTargetScheme
.get() };
755 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
757 ArrayLength(formatStrings
),
758 getter_Copies(message
));
759 if (NS_SUCCEEDED(rv
)) {
760 nsCOMPtr
<nsIConsoleService
> console(
761 do_GetService("@mozilla.org/consoleservice;1"));
762 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
764 console
->LogStringMessage(message
.get());
772 nsScriptSecurityManager::ReportError(JSContext
* cx
, const nsAString
& messageTag
,
773 nsIURI
* aSource
, nsIURI
* aTarget
)
776 NS_ENSURE_TRUE(aSource
&& aTarget
, NS_ERROR_NULL_POINTER
);
778 // Get the source URL spec
779 nsAutoCString sourceSpec
;
780 rv
= aSource
->GetAsciiSpec(sourceSpec
);
781 NS_ENSURE_SUCCESS(rv
, rv
);
783 // Get the target URL spec
784 nsAutoCString targetSpec
;
785 rv
= aTarget
->GetAsciiSpec(targetSpec
);
786 NS_ENSURE_SUCCESS(rv
, rv
);
788 // Localize the error message
789 nsXPIDLString message
;
790 NS_ConvertASCIItoUTF16
ucsSourceSpec(sourceSpec
);
791 NS_ConvertASCIItoUTF16
ucsTargetSpec(targetSpec
);
792 const char16_t
*formatStrings
[] = { ucsSourceSpec
.get(), ucsTargetSpec
.get() };
793 rv
= sStrBundle
->FormatStringFromName(PromiseFlatString(messageTag
).get(),
795 ArrayLength(formatStrings
),
796 getter_Copies(message
));
797 NS_ENSURE_SUCCESS(rv
, rv
);
799 // If a JS context was passed in, set a JS exception.
800 // Otherwise, print the error message directly to the JS console
801 // and to standard output
804 SetPendingException(cx
, message
.get());
806 else // Print directly to the console
808 nsCOMPtr
<nsIConsoleService
> console(
809 do_GetService("@mozilla.org/consoleservice;1"));
810 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
812 console
->LogStringMessage(message
.get());
818 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal
* aPrincipal
,
819 const nsACString
& aTargetURIStr
,
823 nsCOMPtr
<nsIURI
> target
;
824 rv
= NS_NewURI(getter_AddRefs(target
), aTargetURIStr
,
825 nullptr, nullptr, sIOService
);
826 NS_ENSURE_SUCCESS(rv
, rv
);
828 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
829 if (rv
== NS_ERROR_DOM_BAD_URI
) {
830 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
834 NS_ENSURE_SUCCESS(rv
, rv
);
836 // Now start testing fixup -- since aTargetURIStr is a string, not
837 // an nsIURI, we may well end up fixing it up before loading.
838 // Note: This needs to stay in sync with the nsIURIFixup api.
839 nsCOMPtr
<nsIURIFixup
> fixup
= do_GetService(NS_URIFIXUP_CONTRACTID
);
845 nsIURIFixup::FIXUP_FLAG_NONE
,
846 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS
,
847 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
,
848 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
,
849 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
|
850 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
853 for (uint32_t i
= 0; i
< ArrayLength(flags
); ++i
) {
854 rv
= fixup
->CreateFixupURI(aTargetURIStr
, flags
[i
], nullptr,
855 getter_AddRefs(target
));
856 NS_ENSURE_SUCCESS(rv
, rv
);
858 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
859 if (rv
== NS_ERROR_DOM_BAD_URI
) {
860 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
864 NS_ENSURE_SUCCESS(rv
, rv
);
871 nsScriptSecurityManager::ScriptAllowed(JSObject
*aGlobal
)
874 MOZ_ASSERT(JS_IsGlobalObject(aGlobal
) || js::IsOuterObject(aGlobal
));
876 JS::RootedObject
global(cx
, js::UncheckedUnwrap(aGlobal
, /* stopAtOuter = */ false));
878 // Check the bits on the compartment private.
879 return xpc::Scriptability::Get(aGlobal
).Allowed();
882 ///////////////// Principals ///////////////////////
885 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal
**result
)
887 NS_ADDREF(*result
= mSystemPrincipal
);
893 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI
* aURI
, uint32_t aAppId
,
895 nsIPrincipal
**result
)
897 // I _think_ it's safe to not create null principals here based on aURI.
898 // At least all the callers would do the right thing in those cases, as far
899 // as I can tell. --bz
901 nsCOMPtr
<nsIURIWithPrincipal
> uriPrinc
= do_QueryInterface(aURI
);
903 nsCOMPtr
<nsIPrincipal
> principal
;
904 uriPrinc
->GetPrincipal(getter_AddRefs(principal
));
905 if (!principal
|| principal
== mSystemPrincipal
) {
906 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
909 principal
.forget(result
);
914 nsRefPtr
<nsPrincipal
> codebase
= new nsPrincipal();
916 return NS_ERROR_OUT_OF_MEMORY
;
918 nsresult rv
= codebase
->Init(aURI
, aAppId
, aInMozBrowser
);
922 NS_ADDREF(*result
= codebase
);
928 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI
* aURI
,
929 nsIPrincipal
** aPrincipal
)
931 return GetCodebasePrincipalInternal(aURI
,
932 nsIScriptSecurityManager::UNKNOWN_APP_ID
,
937 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI
* aURI
,
938 nsIPrincipal
** aPrincipal
)
940 return GetCodebasePrincipalInternal(aURI
, nsIScriptSecurityManager::NO_APP_ID
,
945 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI
* aURI
,
946 nsIPrincipal
** aPrincipal
)
948 return GetNoAppCodebasePrincipal(aURI
, aPrincipal
);
952 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI
* aURI
,
955 nsIPrincipal
** aPrincipal
)
957 NS_ENSURE_TRUE(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
,
958 NS_ERROR_INVALID_ARG
);
960 return GetCodebasePrincipalInternal(aURI
, aAppId
, aInMozBrowser
, aPrincipal
);
964 nsScriptSecurityManager::
965 GetLoadContextCodebasePrincipal(nsIURI
* aURI
,
966 nsILoadContext
* aLoadContext
,
967 nsIPrincipal
** aPrincipal
)
970 aLoadContext
->GetAppId(&appId
);
971 bool isInBrowserElement
;
972 aLoadContext
->GetIsInBrowserElement(&isInBrowserElement
);
973 return GetCodebasePrincipalInternal(aURI
,
980 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI
* aURI
,
981 nsIDocShell
* aDocShell
,
982 nsIPrincipal
** aPrincipal
)
984 return GetCodebasePrincipalInternal(aURI
,
985 aDocShell
->GetAppId(),
986 aDocShell
->GetIsInBrowserElement(),
991 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI
*aURI
,
994 nsIPrincipal
**result
)
998 bool inheritsPrincipal
;
1000 NS_URIChainHasFlags(aURI
,
1001 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
,
1002 &inheritsPrincipal
);
1003 if (NS_FAILED(rv
) || inheritsPrincipal
) {
1004 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
1007 nsCOMPtr
<nsIPrincipal
> principal
;
1008 rv
= CreateCodebasePrincipal(aURI
, aAppId
, aInMozBrowser
,
1009 getter_AddRefs(principal
));
1010 NS_ENSURE_SUCCESS(rv
, rv
);
1011 NS_IF_ADDREF(*result
= principal
);
1018 nsScriptSecurityManager::doGetObjectPrincipal(JSObject
*aObj
)
1020 JSCompartment
*compartment
= js::GetObjectCompartment(aObj
);
1021 JSPrincipals
*principals
= JS_GetCompartmentPrincipals(compartment
);
1022 return nsJSPrincipals::get(principals
);
1026 nsScriptSecurityManager::CanCreateWrapper(JSContext
*cx
,
1029 nsIClassInfo
*aClassInfo
)
1031 // XXX Special case for nsIXPCException ?
1032 ClassInfoData objClassInfo
= ClassInfoData(aClassInfo
, nullptr);
1033 if (objClassInfo
.IsDOMClass())
1038 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1039 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx
)))
1044 if (nsContentUtils::IsCallerChrome())
1049 //-- Access denied, report an error
1050 NS_ConvertUTF8toUTF16
strName("CreateWrapperDenied");
1051 nsAutoCString origin
;
1052 nsIPrincipal
* subjectPrincipal
= nsContentUtils::SubjectPrincipal();
1053 GetPrincipalDomainOrigin(subjectPrincipal
, origin
);
1054 NS_ConvertUTF8toUTF16
originUnicode(origin
);
1055 NS_ConvertUTF8toUTF16
classInfoName(objClassInfo
.GetName());
1056 const char16_t
* formatStrings
[] = {
1057 classInfoName
.get(),
1060 uint32_t length
= ArrayLength(formatStrings
);
1061 if (originUnicode
.IsEmpty()) {
1064 strName
.AppendLiteral("ForOrigin");
1066 nsXPIDLString errorMsg
;
1067 nsresult rv
= sStrBundle
->FormatStringFromName(strName
.get(),
1070 getter_Copies(errorMsg
));
1071 NS_ENSURE_SUCCESS(rv
, rv
);
1073 SetPendingException(cx
, errorMsg
.get());
1074 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1078 nsScriptSecurityManager::CanCreateInstance(JSContext
*cx
,
1081 if (nsContentUtils::IsCallerChrome()) {
1085 //-- Access denied, report an error
1086 nsAutoCString
errorMsg("Permission denied to create instance of class. CID=");
1087 char cidStr
[NSID_LENGTH
];
1088 aCID
.ToProvidedString(cidStr
);
1089 errorMsg
.Append(cidStr
);
1090 SetPendingException(cx
, errorMsg
.get());
1091 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1095 nsScriptSecurityManager::CanGetService(JSContext
*cx
,
1098 if (nsContentUtils::IsCallerChrome()) {
1102 //-- Access denied, report an error
1103 nsAutoCString
errorMsg("Permission denied to get service. CID=");
1104 char cidStr
[NSID_LENGTH
];
1105 aCID
.ToProvidedString(cidStr
);
1106 errorMsg
.Append(cidStr
);
1107 SetPendingException(cx
, errorMsg
.get());
1108 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1111 /////////////////////////////////////////////
1112 // Method implementing nsIChannelEventSink //
1113 /////////////////////////////////////////////
1115 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel
* oldChannel
,
1116 nsIChannel
* newChannel
,
1117 uint32_t redirFlags
,
1118 nsIAsyncVerifyRedirectCallback
*cb
)
1120 nsCOMPtr
<nsIPrincipal
> oldPrincipal
;
1121 GetChannelPrincipal(oldChannel
, getter_AddRefs(oldPrincipal
));
1123 nsCOMPtr
<nsIURI
> newURI
;
1124 newChannel
->GetURI(getter_AddRefs(newURI
));
1125 nsCOMPtr
<nsIURI
> newOriginalURI
;
1126 newChannel
->GetOriginalURI(getter_AddRefs(newOriginalURI
));
1128 NS_ENSURE_STATE(oldPrincipal
&& newURI
&& newOriginalURI
);
1130 const uint32_t flags
=
1131 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
1132 nsIScriptSecurityManager::DISALLOW_SCRIPT
;
1133 nsresult rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newURI
, flags
);
1134 if (NS_SUCCEEDED(rv
) && newOriginalURI
!= newURI
) {
1135 rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newOriginalURI
, flags
);
1141 cb
->OnRedirectVerifyCallback(NS_OK
);
1146 /////////////////////////////////////
1147 // Method implementing nsIObserver //
1148 /////////////////////////////////////
1149 const char sJSEnabledPrefName
[] = "javascript.enabled";
1150 const char sFileOriginPolicyPrefName
[] =
1151 "security.fileuri.strict_origin_policy";
1153 static const char* kObservedPrefs
[] = {
1155 sFileOriginPolicyPrefName
,
1156 "capability.policy.",
1162 nsScriptSecurityManager::Observe(nsISupports
* aObject
, const char* aTopic
,
1163 const char16_t
* aMessage
)
1165 ScriptSecurityPrefChanged();
1169 /////////////////////////////////////////////
1170 // Constructor, Destructor, Initialization //
1171 /////////////////////////////////////////////
1172 nsScriptSecurityManager::nsScriptSecurityManager(void)
1173 : mPrefInitialized(false)
1174 , mIsJavaScriptEnabled(false)
1176 static_assert(sizeof(intptr_t) == sizeof(void*),
1177 "intptr_t and void* have different lengths on this platform. "
1178 "This may cause a security failure with the SecurityLevel union.");
1181 nsresult
nsScriptSecurityManager::Init()
1185 nsresult rv
= CallGetService(NS_IOSERVICE_CONTRACTID
, &sIOService
);
1186 NS_ENSURE_SUCCESS(rv
, rv
);
1188 nsCOMPtr
<nsIStringBundleService
> bundleService
=
1189 mozilla::services::GetStringBundleService();
1191 return NS_ERROR_FAILURE
;
1193 rv
= bundleService
->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle
);
1194 NS_ENSURE_SUCCESS(rv
, rv
);
1196 // Create our system principal singleton
1197 nsRefPtr
<nsSystemPrincipal
> system
= new nsSystemPrincipal();
1198 NS_ENSURE_TRUE(system
, NS_ERROR_OUT_OF_MEMORY
);
1200 mSystemPrincipal
= system
;
1202 //-- Register security check callback in the JS engine
1203 // Currently this is used to control access to function.caller
1204 rv
= nsXPConnect::XPConnect()->GetRuntime(&sRuntime
);
1205 NS_ENSURE_SUCCESS(rv
, rv
);
1207 static const JSSecurityCallbacks securityCallbacks
= {
1208 ContentSecurityPolicyPermitsJSAction
,
1209 JSPrincipalsSubsume
,
1212 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime
));
1213 JS_SetSecurityCallbacks(sRuntime
, &securityCallbacks
);
1214 JS_InitDestroyPrincipalsCallback(sRuntime
, nsJSPrincipals::Destroy
);
1216 JS_SetTrustedPrincipals(sRuntime
, system
);
1221 static StaticRefPtr
<nsScriptSecurityManager
> gScriptSecMan
;
1223 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1225 Preferences::RemoveObservers(this, kObservedPrefs
);
1227 mDomainPolicy
->Deactivate();
1228 MOZ_ASSERT(!mDomainPolicy
);
1232 nsScriptSecurityManager::Shutdown()
1235 JS_SetSecurityCallbacks(sRuntime
, nullptr);
1236 JS_SetTrustedPrincipals(sRuntime
, nullptr);
1240 NS_IF_RELEASE(sIOService
);
1241 NS_IF_RELEASE(sStrBundle
);
1244 nsScriptSecurityManager
*
1245 nsScriptSecurityManager::GetScriptSecurityManager()
1247 return gScriptSecMan
;
1251 nsScriptSecurityManager::InitStatics()
1253 nsRefPtr
<nsScriptSecurityManager
> ssManager
= new nsScriptSecurityManager();
1254 nsresult rv
= ssManager
->Init();
1255 if (NS_FAILED(rv
)) {
1259 ClearOnShutdown(&gScriptSecMan
);
1260 gScriptSecMan
= ssManager
;
1263 // Currently this nsGenericFactory constructor is used only from FastLoad
1264 // (XPCOM object deserialization) code, when "creating" the system principal
1267 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1269 nsIPrincipal
*sysprin
= nullptr;
1271 NS_ADDREF(sysprin
= gScriptSecMan
->mSystemPrincipal
);
1272 return static_cast<nsSystemPrincipal
*>(sysprin
);
1275 struct IsWhitespace
{
1276 static bool Test(char aChar
) { return NS_IsAsciiWhitespace(aChar
); };
1278 struct IsWhitespaceOrComma
{
1279 static bool Test(char aChar
) { return aChar
== ',' || NS_IsAsciiWhitespace(aChar
); };
1282 template <typename Predicate
>
1283 uint32_t SkipPast(const nsCString
& str
, uint32_t base
)
1285 while (base
< str
.Length() && Predicate::Test(str
[base
])) {
1291 template <typename Predicate
>
1292 uint32_t SkipUntil(const nsCString
& str
, uint32_t base
)
1294 while (base
< str
.Length() && !Predicate::Test(str
[base
])) {
1301 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1303 MOZ_ASSERT(mPrefInitialized
);
1304 mIsJavaScriptEnabled
=
1305 Preferences::GetBool(sJSEnabledPrefName
, mIsJavaScriptEnabled
);
1306 sStrictFileOriginPolicy
=
1307 Preferences::GetBool(sFileOriginPolicyPrefName
, false);
1310 // Rebuild the set of principals for which we allow file:// URI loads. This
1311 // implements a small subset of an old pref-based CAPS people that people
1312 // have come to depend on. See bug 995943.
1315 mFileURIWhitelist
.Clear();
1316 auto policies
= mozilla::Preferences::GetCString("capability.policy.policynames");
1317 for (uint32_t base
= SkipPast
<IsWhitespaceOrComma
>(policies
, 0), bound
= 0;
1318 base
< policies
.Length();
1319 base
= SkipPast
<IsWhitespaceOrComma
>(policies
, bound
))
1321 // Grab the current policy name.
1322 bound
= SkipUntil
<IsWhitespaceOrComma
>(policies
, base
);
1323 auto policyName
= Substring(policies
, base
, bound
- base
);
1325 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1326 nsCString checkLoadURIPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1328 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1329 if (!Preferences::GetString(checkLoadURIPrefName
.get()).LowerCaseEqualsLiteral("allaccess")) {
1333 // Grab the list of domains associated with this policy.
1334 nsCString domainPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1336 NS_LITERAL_CSTRING(".sites");
1337 auto siteList
= Preferences::GetCString(domainPrefName
.get());
1338 AddSitesToFileURIWhitelist(siteList
);
1343 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString
& aSiteList
)
1345 for (uint32_t base
= SkipPast
<IsWhitespace
>(aSiteList
, 0), bound
= 0;
1346 base
< aSiteList
.Length();
1347 base
= SkipPast
<IsWhitespace
>(aSiteList
, bound
))
1349 // Grab the current site.
1350 bound
= SkipUntil
<IsWhitespace
>(aSiteList
, base
);
1351 auto site
= Substring(aSiteList
, base
, bound
- base
);
1353 // Convert it to a URI and add it to our list.
1354 nsCOMPtr
<nsIURI
> uri
;
1355 nsresult rv
= NS_NewURI(getter_AddRefs(uri
), site
, nullptr, nullptr, sIOService
);
1356 if (NS_SUCCEEDED(rv
)) {
1357 mFileURIWhitelist
.AppendElement(uri
);
1359 nsCOMPtr
<nsIConsoleService
> console(do_GetService("@mozilla.org/consoleservice;1"));
1361 nsAutoString msg
= NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1362 NS_ConvertASCIItoUTF16(site
);
1363 console
->LogStringMessage(msg
.get());
1370 nsScriptSecurityManager::InitPrefs()
1372 nsIPrefBranch
* branch
= Preferences::GetRootBranch();
1373 NS_ENSURE_TRUE(branch
, NS_ERROR_FAILURE
);
1375 mPrefInitialized
= true;
1377 // Set the initial value of the "javascript.enabled" prefs
1378 ScriptSecurityPrefChanged();
1380 // set observer callbacks in case the value of the prefs change
1381 Preferences::AddStrongObservers(this, kObservedPrefs
);
1389 GetJarPrefix(uint32_t aAppId
, bool aInMozBrowser
, nsACString
& aJarPrefix
)
1391 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1393 if (aAppId
== nsIScriptSecurityManager::UNKNOWN_APP_ID
) {
1394 aAppId
= nsIScriptSecurityManager::NO_APP_ID
;
1397 aJarPrefix
.Truncate();
1400 if (aAppId
== nsIScriptSecurityManager::NO_APP_ID
&& !aInMozBrowser
) {
1404 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1405 aJarPrefix
.AppendInt(aAppId
);
1406 aJarPrefix
.Append('+');
1407 aJarPrefix
.Append(aInMozBrowser
? 't' : 'f');
1408 aJarPrefix
.Append('+');
1413 } // namespace mozilla
1416 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId
,
1418 nsACString
& aJarPrefix
)
1420 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1422 mozilla::GetJarPrefix(aAppId
, aInMozBrowser
, aJarPrefix
);
1427 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv
)
1429 *aRv
= !!mDomainPolicy
;
1434 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy
** aRv
)
1436 // We only allow one domain policy at a time. The holder of the previous
1437 // policy must explicitly deactivate it first.
1438 if (mDomainPolicy
) {
1439 return NS_ERROR_SERVICE_NOT_AVAILABLE
;
1442 mDomainPolicy
= new DomainPolicy();
1443 nsCOMPtr
<nsIDomainPolicy
> ptr
= mDomainPolicy
;
1448 // Intentionally non-scriptable. Script must have a reference to the
1449 // nsIDomainPolicy to deactivate it.
1451 nsScriptSecurityManager::DeactivateDomainPolicy()
1453 mDomainPolicy
= nullptr;
1457 nsScriptSecurityManager::PolicyAllowsScript(nsIURI
* aURI
, bool *aRv
)
1461 // Compute our rule. If we don't have any domain policy set up that might
1462 // provide exceptions to this rule, we're done.
1463 *aRv
= mIsJavaScriptEnabled
;
1464 if (!mDomainPolicy
) {
1468 // We have a domain policy. Grab the appropriate set of exceptions to the
1469 // rule (either the blacklist or the whitelist, depending on whether script
1470 // is enabled or disabled by default).
1471 nsCOMPtr
<nsIDomainSet
> exceptions
;
1472 nsCOMPtr
<nsIDomainSet
> superExceptions
;
1474 mDomainPolicy
->GetBlacklist(getter_AddRefs(exceptions
));
1475 mDomainPolicy
->GetSuperBlacklist(getter_AddRefs(superExceptions
));
1477 mDomainPolicy
->GetWhitelist(getter_AddRefs(exceptions
));
1478 mDomainPolicy
->GetSuperWhitelist(getter_AddRefs(superExceptions
));
1482 rv
= exceptions
->Contains(aURI
, &contains
);
1483 NS_ENSURE_SUCCESS(rv
, rv
);
1488 rv
= superExceptions
->ContainsSuperDomain(aURI
, &contains
);
1489 NS_ENSURE_SUCCESS(rv
, rv
);