search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bumping gaia.json for 2 gaia revision(s) a=gaia-bump
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob91270ec0b49eb25696f428408829245f01736527
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10
11 #include "js/OldDebugAPI.h"
12 #include "xpcprivate.h"
13 #include "XPCWrapper.h"
14 #include "nsILoadContext.h"
15 #include "nsIServiceManager.h"
16 #include "nsIScriptObjectPrincipal.h"
17 #include "nsIScriptContext.h"
18 #include "nsIURL.h"
19 #include "nsINestedURI.h"
20 #include "nspr.h"
21 #include "nsJSPrincipals.h"
22 #include "nsSystemPrincipal.h"
23 #include "nsPrincipal.h"
24 #include "nsNullPrincipal.h"
25 #include "DomainPolicy.h"
26 #include "nsXPIDLString.h"
27 #include "nsCRT.h"
28 #include "nsCRTGlue.h"
29 #include "nsError.h"
30 #include "nsDOMCID.h"
31 #include "nsIXPConnect.h"
32 #include "nsTextFormatter.h"
33 #include "nsIStringBundle.h"
34 #include "nsNetUtil.h"
35 #include "nsIProperties.h"
36 #include "nsDirectoryServiceDefs.h"
37 #include "nsIFile.h"
38 #include "nsIFileURL.h"
39 #include "nsIZipReader.h"
40 #include "nsIXPConnect.h"
41 #include "nsIScriptGlobalObject.h"
42 #include "nsPIDOMWindow.h"
43 #include "nsIDocShell.h"
44 #include "nsIPrompt.h"
45 #include "nsIWindowWatcher.h"
46 #include "nsIConsoleService.h"
47 #include "nsIJSRuntimeService.h"
48 #include "nsIObserverService.h"
49 #include "nsIContent.h"
50 #include "nsAutoPtr.h"
51 #include "nsDOMJSUtils.h"
52 #include "nsAboutProtocolUtils.h"
53 #include "nsIClassInfo.h"
54 #include "nsIURIFixup.h"
55 #include "nsCDefaultURIFixup.h"
56 #include "nsIChromeRegistry.h"
57 #include "nsIContentSecurityPolicy.h"
58 #include "nsIAsyncVerifyRedirectCallback.h"
59 #include "mozilla/Preferences.h"
60 #include "mozilla/dom/BindingUtils.h"
61 #include <stdint.h>
62 #include "mozilla/ClearOnShutdown.h"
63 #include "mozilla/StaticPtr.h"
64 #include "nsContentUtils.h"
65 #include "nsCxPusher.h"
66 #include "nsJSUtils.h"
67 #include "nsILoadInfo.h"
68
69 // This should be probably defined on some other place... but I couldn't find it
70 #define WEBAPPS_PERM_NAME "webapps-manage"
71
72 using namespace mozilla;
73 using namespace mozilla::dom;
74
75 nsIIOService *nsScriptSecurityManager::sIOService = nullptr;
76 nsIStringBundle *nsScriptSecurityManager::sStrBundle = nullptr;
77 JSRuntime *nsScriptSecurityManager::sRuntime = 0;
78 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
79
80 ///////////////////////////
81 // Convenience Functions //
82 ///////////////////////////
83
84 class nsAutoInPrincipalDomainOriginSetter {
85 public:
86 nsAutoInPrincipalDomainOriginSetter() {
87 ++sInPrincipalDomainOrigin;
88 }
89 ~nsAutoInPrincipalDomainOriginSetter() {
90 --sInPrincipalDomainOrigin;
91 }
92 static uint32_t sInPrincipalDomainOrigin;
93 };
94 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
95
96 static
97 nsresult
98 GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin)
99 {
100 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
101 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
102 // might be happening on a different principal from the first call. But
103 // after that, cut off the recursion; it just indicates that something
104 // we're doing in this method causes us to reenter a security check here.
105 return NS_ERROR_NOT_AVAILABLE;
106 }
107
108 nsAutoInPrincipalDomainOriginSetter autoSetter;
109
110 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
111 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
112
113 nsAutoCString hostPort;
114
115 nsresult rv = uri->GetHostPort(hostPort);
116 if (NS_SUCCEEDED(rv)) {
117 nsAutoCString scheme;
118 rv = uri->GetScheme(scheme);
119 NS_ENSURE_SUCCESS(rv, rv);
120 aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
121 }
122 else {
123 // Some URIs (e.g., nsSimpleURI) don't support host. Just
124 // get the full spec.
125 rv = uri->GetSpec(aOrigin);
126 NS_ENSURE_SUCCESS(rv, rv);
127 }
128
129 return NS_OK;
130 }
131
132 static
133 nsresult
134 GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
135 nsACString& aOrigin)
136 {
137
138 nsCOMPtr<nsIURI> uri;
139 aPrincipal->GetDomain(getter_AddRefs(uri));
140 if (!uri) {
141 aPrincipal->GetURI(getter_AddRefs(uri));
142 }
143 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
144
145 return GetOriginFromURI(uri, aOrigin);
146 }
147
148 inline void SetPendingException(JSContext *cx, const char *aMsg)
149 {
150 JS_ReportError(cx, "%s", aMsg);
151 }
152
153 inline void SetPendingException(JSContext *cx, const char16_t *aMsg)
154 {
155 JS_ReportError(cx, "%hs", aMsg);
156 }
157
158 // Helper class to get stuff from the ClassInfo and not waste extra time with
159 // virtual method calls for things it has already gotten
160 class ClassInfoData
161 {
162 public:
163 ClassInfoData(nsIClassInfo *aClassInfo, const char *aName)
164 : mClassInfo(aClassInfo),
165 mName(const_cast<char *>(aName)),
166 mDidGetFlags(false),
167 mMustFreeName(false)
168 {
169 }
170
171 ~ClassInfoData()
172 {
173 if (mMustFreeName)
174 nsMemory::Free(mName);
175 }
176
177 uint32_t GetFlags()
178 {
179 if (!mDidGetFlags) {
180 if (mClassInfo) {
181 nsresult rv = mClassInfo->GetFlags(&mFlags);
182 if (NS_FAILED(rv)) {
183 mFlags = 0;
184 }
185 } else {
186 mFlags = 0;
187 }
188
189 mDidGetFlags = true;
190 }
191
192 return mFlags;
193 }
194
195 bool IsDOMClass()
196 {
197 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT);
198 }
199
200 const char* GetName()
201 {
202 if (!mName) {
203 if (mClassInfo) {
204 mClassInfo->GetClassDescription(&mName);
205 }
206
207 if (mName) {
208 mMustFreeName = true;
209 } else {
210 mName = const_cast<char *>("UnnamedClass");
211 }
212 }
213
214 return mName;
215 }
216
217 private:
218 nsIClassInfo *mClassInfo; // WEAK
219 uint32_t mFlags;
220 char *mName;
221 bool mDidGetFlags;
222 bool mMustFreeName;
223 };
224
225 JSContext *
226 nsScriptSecurityManager::GetCurrentJSContext()
227 {
228 // Get JSContext from stack.
229 return nsXPConnect::XPConnect()->GetCurrentJSContext();
230 }
231
232 JSContext *
233 nsScriptSecurityManager::GetSafeJSContext()
234 {
235 // Get JSContext from stack.
236 return nsXPConnect::XPConnect()->GetSafeJSContext();
237 }
238
239 /* static */
240 bool
241 nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
242 nsIURI* aTargetURI)
243 {
244 return NS_SecurityCompareURIs(aSourceURI, aTargetURI, sStrictFileOriginPolicy);
245 }
246
247 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
248 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
249 uint32_t
250 nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI)
251 {
252 return NS_SecurityHashURI(aURI);
253 }
254
255 NS_IMETHODIMP
256 nsScriptSecurityManager::GetChannelPrincipal(nsIChannel* aChannel,
257 nsIPrincipal** aPrincipal)
258 {
259 NS_PRECONDITION(aChannel, "Must have channel!");
260 nsCOMPtr<nsISupports> owner;
261 aChannel->GetOwner(getter_AddRefs(owner));
262 if (owner) {
263 CallQueryInterface(owner, aPrincipal);
264 if (*aPrincipal) {
265 return NS_OK;
266 }
267 }
268
269 // Check whether we have an nsILoadInfo that says what we should do.
270 nsCOMPtr<nsILoadInfo> loadInfo;
271 aChannel->GetLoadInfo(getter_AddRefs(loadInfo));
272 if (loadInfo) {
273 if (loadInfo->GetLoadingSandboxed()) {
274 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, aPrincipal);
275 }
276
277 if (loadInfo->GetForceInheritPrincipal()) {
278 NS_ADDREF(*aPrincipal = loadInfo->LoadingPrincipal());
279 return NS_OK;
280 }
281 }
282
283 // OK, get the principal from the URI. Make sure this does the same thing
284 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
285 nsCOMPtr<nsIURI> uri;
286 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
287 NS_ENSURE_SUCCESS(rv, rv);
288
289
290 nsCOMPtr<nsILoadContext> loadContext;
291 NS_QueryNotificationCallbacks(aChannel, loadContext);
292
293 if (loadContext) {
294 return GetLoadContextCodebasePrincipal(uri, loadContext, aPrincipal);
295 }
296
297 return GetCodebasePrincipalInternal(uri, UNKNOWN_APP_ID,
298 /* isInBrowserElement */ false, aPrincipal);
299 }
300
301 NS_IMETHODIMP
302 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal* aPrincipal,
303 bool* aIsSystem)
304 {
305 *aIsSystem = (aPrincipal == mSystemPrincipal);
306 return NS_OK;
307 }
308
309 /////////////////////////////
310 // nsScriptSecurityManager //
311 /////////////////////////////
312
313 ////////////////////////////////////
314 // Methods implementing ISupports //
315 ////////////////////////////////////
316 NS_IMPL_ISUPPORTS(nsScriptSecurityManager,
317 nsIScriptSecurityManager,
318 nsIChannelEventSink,
319 nsIObserver)
320
321 ///////////////////////////////////////////////////
322 // Methods implementing nsIScriptSecurityManager //
323 ///////////////////////////////////////////////////
324
325 ///////////////// Security Checks /////////////////
326
327 bool
328 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
329 {
330 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
331 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
332 nsCOMPtr<nsIContentSecurityPolicy> csp;
333 nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
334 NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get CSP from principal.");
335
336 // don't do anything unless there's a CSP
337 if (!csp)
338 return true;
339
340 bool evalOK = true;
341 bool reportViolation = false;
342 rv = csp->GetAllowsEval(&reportViolation, &evalOK);
343
344 if (NS_FAILED(rv))
345 {
346 NS_WARNING("CSP: failed to get allowsEval");
347 return true; // fail open to not break sites.
348 }
349
350 if (reportViolation) {
351 nsAutoString fileName;
352 unsigned lineNum = 0;
353 NS_NAMED_LITERAL_STRING(scriptSample, "call to eval() or related function blocked by CSP");
354
355 JS::AutoFilename scriptFilename;
356 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum)) {
357 if (const char *file = scriptFilename.get()) {
358 CopyUTF8toUTF16(nsDependentCString(file), fileName);
359 }
360 }
361 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
362 fileName,
363 scriptSample,
364 lineNum,
365 EmptyString(),
366 EmptyString());
367 }
368
369 return evalOK;
370 }
371
372 // static
373 bool
374 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *first,
375 JSPrincipals *second)
376 {
377 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
378 }
379
380 NS_IMETHODIMP
381 nsScriptSecurityManager::CheckSameOrigin(JSContext* cx,
382 nsIURI* aTargetURI)
383 {
384 MOZ_ASSERT_IF(cx, cx == nsContentUtils::GetCurrentJSContext());
385
386 // Get a principal from the context
387 nsIPrincipal* sourcePrincipal = nsContentUtils::SubjectPrincipal();
388 if (sourcePrincipal == mSystemPrincipal)
389 {
390 // This is a system (chrome) script, so allow access
391 return NS_OK;
392 }
393
394 // Get the original URI from the source principal.
395 // This has the effect of ignoring any change to document.domain
396 // which must be done to avoid DNS spoofing (bug 154930)
397 nsCOMPtr<nsIURI> sourceURI;
398 sourcePrincipal->GetDomain(getter_AddRefs(sourceURI));
399 if (!sourceURI) {
400 sourcePrincipal->GetURI(getter_AddRefs(sourceURI));
401 NS_ENSURE_TRUE(sourceURI, NS_ERROR_FAILURE);
402 }
403
404 // Compare origins
405 if (!SecurityCompareURIs(sourceURI, aTargetURI))
406 {
407 ReportError(cx, NS_LITERAL_STRING("CheckSameOriginError"), sourceURI, aTargetURI);
408 return NS_ERROR_DOM_BAD_URI;
409 }
410 return NS_OK;
411 }
412
413 NS_IMETHODIMP
414 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
415 nsIURI* aTargetURI,
416 bool reportError)
417 {
418 if (!SecurityCompareURIs(aSourceURI, aTargetURI))
419 {
420 if (reportError) {
421 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
422 aSourceURI, aTargetURI);
423 }
424 return NS_ERROR_DOM_BAD_URI;
425 }
426 return NS_OK;
427 }
428
429 /*static*/ uint32_t
430 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal* aPrincipal)
431 {
432 nsCOMPtr<nsIURI> uri;
433 aPrincipal->GetDomain(getter_AddRefs(uri));
434 if (!uri)
435 aPrincipal->GetURI(getter_AddRefs(uri));
436 return SecurityHashURI(uri);
437 }
438
439 /* static */ bool
440 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal* aFirst,
441 nsIPrincipal* aSecond)
442 {
443 MOZ_ASSERT(aFirst && aSecond, "Don't pass null pointers!");
444
445 uint32_t firstAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
446 if (!aFirst->GetUnknownAppId()) {
447 firstAppId = aFirst->GetAppId();
448 }
449
450 uint32_t secondAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
451 if (!aSecond->GetUnknownAppId()) {
452 secondAppId = aSecond->GetAppId();
453 }
454
455 return ((firstAppId == secondAppId) &&
456 (aFirst->GetIsInBrowserElement() == aSecond->GetIsInBrowserElement()));
457 }
458
459 NS_IMETHODIMP
460 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
461 {
462 // Get principal of currently executing script.
463 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
464 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
465 nsresult rv = CheckLoadURIWithPrincipal(principal, aURI,
466 nsIScriptSecurityManager::STANDARD);
467 if (NS_SUCCEEDED(rv)) {
468 // OK to load
469 return NS_OK;
470 }
471
472 // See if we're attempting to load a file: URI. If so, let a
473 // UniversalXPConnect capability trump the above check.
474 bool isFile = false;
475 bool isRes = false;
476 if (NS_FAILED(aURI->SchemeIs("file", &isFile)) ||
477 NS_FAILED(aURI->SchemeIs("resource", &isRes)))
478 return NS_ERROR_FAILURE;
479 if (isFile || isRes)
480 {
481 if (nsContentUtils::IsCallerChrome())
482 return NS_OK;
483 }
484
485 // Report error.
486 nsAutoCString spec;
487 if (NS_FAILED(aURI->GetAsciiSpec(spec)))
488 return NS_ERROR_FAILURE;
489 nsAutoCString msg("Access to '");
490 msg.Append(spec);
491 msg.AppendLiteral("' from script denied");
492 SetPendingException(cx, msg.get());
493 return NS_ERROR_DOM_BAD_URI;
494 }
495
496 /**
497 * Helper method to handle cases where a flag passed to
498 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
499 * nsIProtocolHandler flags set.
500 * @return if success, access is allowed. Otherwise, deny access
501 */
502 static nsresult
503 DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags)
504 {
505 NS_PRECONDITION(aURI, "Must have URI!");
506
507 bool uriHasFlags;
508 nsresult rv =
509 NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
510 NS_ENSURE_SUCCESS(rv, rv);
511
512 if (uriHasFlags) {
513 return NS_ERROR_DOM_BAD_URI;
514 }
515
516 return NS_OK;
517 }
518
519 NS_IMETHODIMP
520 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
521 nsIURI *aTargetURI,
522 uint32_t aFlags)
523 {
524 NS_PRECONDITION(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
525 // If someone passes a flag that we don't understand, we should
526 // fail, because they may need a security check that we don't
527 // provide.
528 NS_ENSURE_FALSE(aFlags & ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
529 nsIScriptSecurityManager::ALLOW_CHROME |
530 nsIScriptSecurityManager::DISALLOW_SCRIPT |
531 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
532 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
533 NS_ERROR_UNEXPECTED);
534 NS_ENSURE_ARG_POINTER(aPrincipal);
535 NS_ENSURE_ARG_POINTER(aTargetURI);
536
537 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
538 // would do such inheriting. That would be URIs that do not have their own
539 // security context. We do this even for the system principal.
540 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
541 nsresult rv =
542 DenyAccessIfURIHasFlags(aTargetURI,
543 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
544 NS_ENSURE_SUCCESS(rv, rv);
545 }
546
547 if (aPrincipal == mSystemPrincipal) {
548 // Allow access
549 return NS_OK;
550 }
551
552 nsCOMPtr<nsIURI> sourceURI;
553 aPrincipal->GetURI(getter_AddRefs(sourceURI));
554 if (!sourceURI) {
555 nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aPrincipal);
556 if (expanded) {
557 nsTArray< nsCOMPtr<nsIPrincipal> > *whiteList;
558 expanded->GetWhiteList(&whiteList);
559 for (uint32_t i = 0; i < whiteList->Length(); ++i) {
560 nsresult rv = CheckLoadURIWithPrincipal((*whiteList)[i],
561 aTargetURI,
562 aFlags);
563 if (NS_SUCCEEDED(rv)) {
564 // Allow access if it succeeded with one of the white listed principals
565 return NS_OK;
566 }
567 }
568 // None of our whitelisted principals worked.
569 return NS_ERROR_DOM_BAD_URI;
570 }
571 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
572 "must have a URI!");
573 return NS_ERROR_UNEXPECTED;
574 }
575
576 // Automatic loads are not allowed from certain protocols.
577 if (aFlags & nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
578 nsresult rv =
579 DenyAccessIfURIHasFlags(sourceURI,
580 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
581 NS_ENSURE_SUCCESS(rv, rv);
582 }
583
584 // If either URI is a nested URI, get the base URI
585 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
586 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
587
588 //-- get the target scheme
589 nsAutoCString targetScheme;
590 nsresult rv = targetBaseURI->GetScheme(targetScheme);
591 if (NS_FAILED(rv)) return rv;
592
593 //-- Some callers do not allow loading javascript:
594 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
595 targetScheme.EqualsLiteral("javascript"))
596 {
597 return NS_ERROR_DOM_BAD_URI;
598 }
599
600 NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError");
601 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
602
603 // Check for uris that are only loadable by principals that subsume them
604 bool hasFlags;
605 rv = NS_URIChainHasFlags(targetBaseURI,
606 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
607 &hasFlags);
608 NS_ENSURE_SUCCESS(rv, rv);
609
610 if (hasFlags) {
611 return aPrincipal->CheckMayLoad(targetBaseURI, true, false);
612 }
613
614 //-- get the source scheme
615 nsAutoCString sourceScheme;
616 rv = sourceBaseURI->GetScheme(sourceScheme);
617 if (NS_FAILED(rv)) return rv;
618
619 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
620 // A null principal can target its own URI.
621 if (sourceURI == aTargetURI) {
622 return NS_OK;
623 }
624 }
625 else if (targetScheme.Equals(sourceScheme,
626 nsCaseInsensitiveCStringComparator()))
627 {
628 // every scheme can access another URI from the same scheme,
629 // as long as they don't represent null principals...
630 // Or they don't require an special permission to do so
631 // See bug#773886
632
633 bool hasFlags;
634 rv = NS_URIChainHasFlags(targetBaseURI,
635 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM,
636 &hasFlags);
637 NS_ENSURE_SUCCESS(rv, rv);
638
639 if (hasFlags) {
640 // In this case, we allow opening only if the source and target URIS
641 // are on the same domain, or the opening URI has the webapps
642 // permision granted
643 if (!SecurityCompareURIs(sourceBaseURI,targetBaseURI) &&
644 !nsContentUtils::IsExactSitePermAllow(aPrincipal,WEBAPPS_PERM_NAME)){
645 return NS_ERROR_DOM_BAD_URI;
646 }
647 }
648 return NS_OK;
649 }
650
651 // If the schemes don't match, the policy is specified by the protocol
652 // flags on the target URI. Note that the order of policy checks here is
653 // very important! We start from most restrictive and work our way down.
654 // Note that since we're working with the innermost URI, we can just use
655 // the methods that work on chains of nested URIs and they will only look
656 // at the flags for our one URI.
657
658 // Check for system target URI
659 rv = DenyAccessIfURIHasFlags(targetBaseURI,
660 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
661 if (NS_FAILED(rv)) {
662 // Deny access, since the origin principal is not system
663 if (reportErrors) {
664 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
665 }
666 return rv;
667 }
668
669 // Check for chrome target URI
670 rv = NS_URIChainHasFlags(targetBaseURI,
671 nsIProtocolHandler::URI_IS_UI_RESOURCE,
672 &hasFlags);
673 NS_ENSURE_SUCCESS(rv, rv);
674 if (hasFlags) {
675 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
676 if (!targetScheme.EqualsLiteral("chrome")) {
677 // for now don't change behavior for resource: or moz-icon:
678 return NS_OK;
679 }
680
681 // allow load only if chrome package is whitelisted
682 nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
683 NS_CHROMEREGISTRY_CONTRACTID));
684 if (reg) {
685 bool accessAllowed = false;
686 reg->AllowContentToAccess(targetBaseURI, &accessAllowed);
687 if (accessAllowed) {
688 return NS_OK;
689 }
690 }
691 }
692
693 // resource: and chrome: are equivalent, securitywise
694 // That's bogus!! Fix this. But watch out for
695 // the view-source stylesheet?
696 bool sourceIsChrome;
697 rv = NS_URIChainHasFlags(sourceBaseURI,
698 nsIProtocolHandler::URI_IS_UI_RESOURCE,
699 &sourceIsChrome);
700 NS_ENSURE_SUCCESS(rv, rv);
701 if (sourceIsChrome) {
702 return NS_OK;
703 }
704 if (reportErrors) {
705 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
706 }
707 return NS_ERROR_DOM_BAD_URI;
708 }
709
710 // Check for target URI pointing to a file
711 rv = NS_URIChainHasFlags(targetBaseURI,
712 nsIProtocolHandler::URI_IS_LOCAL_FILE,
713 &hasFlags);
714 NS_ENSURE_SUCCESS(rv, rv);
715 if (hasFlags) {
716 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
717 // this array is empty.
718 for (size_t i = 0; i < mFileURIWhitelist.Length(); ++i) {
719 if (SecurityCompareURIs(mFileURIWhitelist[i], sourceURI)) {
720 return NS_OK;
721 }
722 }
723
724 // resource: and chrome: are equivalent, securitywise
725 // That's bogus!! Fix this. But watch out for
726 // the view-source stylesheet?
727 bool sourceIsChrome;
728 rv = NS_URIChainHasFlags(sourceURI,
729 nsIProtocolHandler::URI_IS_UI_RESOURCE,
730 &sourceIsChrome);
731 NS_ENSURE_SUCCESS(rv, rv);
732 if (sourceIsChrome) {
733 return NS_OK;
734 }
735
736 if (reportErrors) {
737 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
738 }
739 return NS_ERROR_DOM_BAD_URI;
740 }
741
742 // OK, everyone is allowed to load this, since unflagged handlers are
743 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
744 // need to warn. At some point we'll want to make this warning into an
745 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
746 rv = NS_URIChainHasFlags(targetBaseURI,
747 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
748 &hasFlags);
749 NS_ENSURE_SUCCESS(rv, rv);
750 if (!hasFlags) {
751 nsXPIDLString message;
752 NS_ConvertASCIItoUTF16 ucsTargetScheme(targetScheme);
753 const char16_t* formatStrings[] = { ucsTargetScheme.get() };
754 rv = sStrBundle->
755 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
756 formatStrings,
757 ArrayLength(formatStrings),
758 getter_Copies(message));
759 if (NS_SUCCEEDED(rv)) {
760 nsCOMPtr<nsIConsoleService> console(
761 do_GetService("@mozilla.org/consoleservice;1"));
762 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
763
764 console->LogStringMessage(message.get());
765 }
766 }
767
768 return NS_OK;
769 }
770
771 nsresult
772 nsScriptSecurityManager::ReportError(JSContext* cx, const nsAString& messageTag,
773 nsIURI* aSource, nsIURI* aTarget)
774 {
775 nsresult rv;
776 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
777
778 // Get the source URL spec
779 nsAutoCString sourceSpec;
780 rv = aSource->GetAsciiSpec(sourceSpec);
781 NS_ENSURE_SUCCESS(rv, rv);
782
783 // Get the target URL spec
784 nsAutoCString targetSpec;
785 rv = aTarget->GetAsciiSpec(targetSpec);
786 NS_ENSURE_SUCCESS(rv, rv);
787
788 // Localize the error message
789 nsXPIDLString message;
790 NS_ConvertASCIItoUTF16 ucsSourceSpec(sourceSpec);
791 NS_ConvertASCIItoUTF16 ucsTargetSpec(targetSpec);
792 const char16_t *formatStrings[] = { ucsSourceSpec.get(), ucsTargetSpec.get() };
793 rv = sStrBundle->FormatStringFromName(PromiseFlatString(messageTag).get(),
794 formatStrings,
795 ArrayLength(formatStrings),
796 getter_Copies(message));
797 NS_ENSURE_SUCCESS(rv, rv);
798
799 // If a JS context was passed in, set a JS exception.
800 // Otherwise, print the error message directly to the JS console
801 // and to standard output
802 if (cx)
803 {
804 SetPendingException(cx, message.get());
805 }
806 else // Print directly to the console
807 {
808 nsCOMPtr<nsIConsoleService> console(
809 do_GetService("@mozilla.org/consoleservice;1"));
810 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
811
812 console->LogStringMessage(message.get());
813 }
814 return NS_OK;
815 }
816
817 NS_IMETHODIMP
818 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal* aPrincipal,
819 const nsACString& aTargetURIStr,
820 uint32_t aFlags)
821 {
822 nsresult rv;
823 nsCOMPtr<nsIURI> target;
824 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr,
825 nullptr, nullptr, sIOService);
826 NS_ENSURE_SUCCESS(rv, rv);
827
828 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
829 if (rv == NS_ERROR_DOM_BAD_URI) {
830 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
831 // return values.
832 return rv;
833 }
834 NS_ENSURE_SUCCESS(rv, rv);
835
836 // Now start testing fixup -- since aTargetURIStr is a string, not
837 // an nsIURI, we may well end up fixing it up before loading.
838 // Note: This needs to stay in sync with the nsIURIFixup api.
839 nsCOMPtr<nsIURIFixup> fixup = do_GetService(NS_URIFIXUP_CONTRACTID);
840 if (!fixup) {
841 return rv;
842 }
843
844 uint32_t flags[] = {
845 nsIURIFixup::FIXUP_FLAG_NONE,
846 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
847 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
848 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
849 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
850 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
851 };
852
853 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
854 rv = fixup->CreateFixupURI(aTargetURIStr, flags[i], nullptr,
855 getter_AddRefs(target));
856 NS_ENSURE_SUCCESS(rv, rv);
857
858 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
859 if (rv == NS_ERROR_DOM_BAD_URI) {
860 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
861 // return values.
862 return rv;
863 }
864 NS_ENSURE_SUCCESS(rv, rv);
865 }
866
867 return rv;
868 }
869
870 bool
871 nsScriptSecurityManager::ScriptAllowed(JSObject *aGlobal)
872 {
873 MOZ_ASSERT(aGlobal);
874 MOZ_ASSERT(JS_IsGlobalObject(aGlobal) || js::IsOuterObject(aGlobal));
875 AutoJSContext cx;
876 JS::RootedObject global(cx, js::UncheckedUnwrap(aGlobal, /* stopAtOuter = */ false));
877
878 // Check the bits on the compartment private.
879 return xpc::Scriptability::Get(aGlobal).Allowed();
880 }
881
882 ///////////////// Principals ///////////////////////
883
884 NS_IMETHODIMP
885 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal **result)
886 {
887 NS_ADDREF(*result = mSystemPrincipal);
888
889 return NS_OK;
890 }
891
892 nsresult
893 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId,
894 bool aInMozBrowser,
895 nsIPrincipal **result)
896 {
897 // I _think_ it's safe to not create null principals here based on aURI.
898 // At least all the callers would do the right thing in those cases, as far
899 // as I can tell. --bz
900
901 nsCOMPtr<nsIURIWithPrincipal> uriPrinc = do_QueryInterface(aURI);
902 if (uriPrinc) {
903 nsCOMPtr<nsIPrincipal> principal;
904 uriPrinc->GetPrincipal(getter_AddRefs(principal));
905 if (!principal || principal == mSystemPrincipal) {
906 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
907 }
908
909 principal.forget(result);
910
911 return NS_OK;
912 }
913
914 nsRefPtr<nsPrincipal> codebase = new nsPrincipal();
915 if (!codebase)
916 return NS_ERROR_OUT_OF_MEMORY;
917
918 nsresult rv = codebase->Init(aURI, aAppId, aInMozBrowser);
919 if (NS_FAILED(rv))
920 return rv;
921
922 NS_ADDREF(*result = codebase);
923
924 return NS_OK;
925 }
926
927 NS_IMETHODIMP
928 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI* aURI,
929 nsIPrincipal** aPrincipal)
930 {
931 return GetCodebasePrincipalInternal(aURI,
932 nsIScriptSecurityManager::UNKNOWN_APP_ID,
933 false, aPrincipal);
934 }
935
936 NS_IMETHODIMP
937 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI* aURI,
938 nsIPrincipal** aPrincipal)
939 {
940 return GetCodebasePrincipalInternal(aURI, nsIScriptSecurityManager::NO_APP_ID,
941 false, aPrincipal);
942 }
943
944 NS_IMETHODIMP
945 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI* aURI,
946 nsIPrincipal** aPrincipal)
947 {
948 return GetNoAppCodebasePrincipal(aURI, aPrincipal);
949 }
950
951 NS_IMETHODIMP
952 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI* aURI,
953 uint32_t aAppId,
954 bool aInMozBrowser,
955 nsIPrincipal** aPrincipal)
956 {
957 NS_ENSURE_TRUE(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID,
958 NS_ERROR_INVALID_ARG);
959
960 return GetCodebasePrincipalInternal(aURI, aAppId, aInMozBrowser, aPrincipal);
961 }
962
963 NS_IMETHODIMP
964 nsScriptSecurityManager::
965 GetLoadContextCodebasePrincipal(nsIURI* aURI,
966 nsILoadContext* aLoadContext,
967 nsIPrincipal** aPrincipal)
968 {
969 uint32_t appId;
970 aLoadContext->GetAppId(&appId);
971 bool isInBrowserElement;
972 aLoadContext->GetIsInBrowserElement(&isInBrowserElement);
973 return GetCodebasePrincipalInternal(aURI,
974 appId,
975 isInBrowserElement,
976 aPrincipal);
977 }
978
979 NS_IMETHODIMP
980 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI* aURI,
981 nsIDocShell* aDocShell,
982 nsIPrincipal** aPrincipal)
983 {
984 return GetCodebasePrincipalInternal(aURI,
985 aDocShell->GetAppId(),
986 aDocShell->GetIsInBrowserElement(),
987 aPrincipal);
988 }
989
990 nsresult
991 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI *aURI,
992 uint32_t aAppId,
993 bool aInMozBrowser,
994 nsIPrincipal **result)
995 {
996 NS_ENSURE_ARG(aURI);
997
998 bool inheritsPrincipal;
999 nsresult rv =
1000 NS_URIChainHasFlags(aURI,
1001 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
1002 &inheritsPrincipal);
1003 if (NS_FAILED(rv) || inheritsPrincipal) {
1004 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
1005 }
1006
1007 nsCOMPtr<nsIPrincipal> principal;
1008 rv = CreateCodebasePrincipal(aURI, aAppId, aInMozBrowser,
1009 getter_AddRefs(principal));
1010 NS_ENSURE_SUCCESS(rv, rv);
1011 NS_IF_ADDREF(*result = principal);
1012
1013 return NS_OK;
1014 }
1015
1016 // static
1017 nsIPrincipal*
1018 nsScriptSecurityManager::doGetObjectPrincipal(JSObject *aObj)
1019 {
1020 JSCompartment *compartment = js::GetObjectCompartment(aObj);
1021 JSPrincipals *principals = JS_GetCompartmentPrincipals(compartment);
1022 return nsJSPrincipals::get(principals);
1023 }
1024
1025 NS_IMETHODIMP
1026 nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
1027 const nsIID &aIID,
1028 nsISupports *aObj,
1029 nsIClassInfo *aClassInfo)
1030 {
1031 // XXX Special case for nsIXPCException ?
1032 ClassInfoData objClassInfo = ClassInfoData(aClassInfo, nullptr);
1033 if (objClassInfo.IsDOMClass())
1034 {
1035 return NS_OK;
1036 }
1037
1038 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1039 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx)))
1040 {
1041 return NS_OK;
1042 }
1043
1044 if (nsContentUtils::IsCallerChrome())
1045 {
1046 return NS_OK;
1047 }
1048
1049 //-- Access denied, report an error
1050 NS_ConvertUTF8toUTF16 strName("CreateWrapperDenied");
1051 nsAutoCString origin;
1052 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1053 GetPrincipalDomainOrigin(subjectPrincipal, origin);
1054 NS_ConvertUTF8toUTF16 originUnicode(origin);
1055 NS_ConvertUTF8toUTF16 classInfoName(objClassInfo.GetName());
1056 const char16_t* formatStrings[] = {
1057 classInfoName.get(),
1058 originUnicode.get()
1059 };
1060 uint32_t length = ArrayLength(formatStrings);
1061 if (originUnicode.IsEmpty()) {
1062 --length;
1063 } else {
1064 strName.AppendLiteral("ForOrigin");
1065 }
1066 nsXPIDLString errorMsg;
1067 nsresult rv = sStrBundle->FormatStringFromName(strName.get(),
1068 formatStrings,
1069 length,
1070 getter_Copies(errorMsg));
1071 NS_ENSURE_SUCCESS(rv, rv);
1072
1073 SetPendingException(cx, errorMsg.get());
1074 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1075 }
1076
1077 NS_IMETHODIMP
1078 nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
1079 const nsCID &aCID)
1080 {
1081 if (nsContentUtils::IsCallerChrome()) {
1082 return NS_OK;
1083 }
1084
1085 //-- Access denied, report an error
1086 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1087 char cidStr[NSID_LENGTH];
1088 aCID.ToProvidedString(cidStr);
1089 errorMsg.Append(cidStr);
1090 SetPendingException(cx, errorMsg.get());
1091 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1092 }
1093
1094 NS_IMETHODIMP
1095 nsScriptSecurityManager::CanGetService(JSContext *cx,
1096 const nsCID &aCID)
1097 {
1098 if (nsContentUtils::IsCallerChrome()) {
1099 return NS_OK;
1100 }
1101
1102 //-- Access denied, report an error
1103 nsAutoCString errorMsg("Permission denied to get service. CID=");
1104 char cidStr[NSID_LENGTH];
1105 aCID.ToProvidedString(cidStr);
1106 errorMsg.Append(cidStr);
1107 SetPendingException(cx, errorMsg.get());
1108 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1109 }
1110
1111 /////////////////////////////////////////////
1112 // Method implementing nsIChannelEventSink //
1113 /////////////////////////////////////////////
1114 NS_IMETHODIMP
1115 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel* oldChannel,
1116 nsIChannel* newChannel,
1117 uint32_t redirFlags,
1118 nsIAsyncVerifyRedirectCallback *cb)
1119 {
1120 nsCOMPtr<nsIPrincipal> oldPrincipal;
1121 GetChannelPrincipal(oldChannel, getter_AddRefs(oldPrincipal));
1122
1123 nsCOMPtr<nsIURI> newURI;
1124 newChannel->GetURI(getter_AddRefs(newURI));
1125 nsCOMPtr<nsIURI> newOriginalURI;
1126 newChannel->GetOriginalURI(getter_AddRefs(newOriginalURI));
1127
1128 NS_ENSURE_STATE(oldPrincipal && newURI && newOriginalURI);
1129
1130 const uint32_t flags =
1131 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
1132 nsIScriptSecurityManager::DISALLOW_SCRIPT;
1133 nsresult rv = CheckLoadURIWithPrincipal(oldPrincipal, newURI, flags);
1134 if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
1135 rv = CheckLoadURIWithPrincipal(oldPrincipal, newOriginalURI, flags);
1136 }
1137
1138 if (NS_FAILED(rv))
1139 return rv;
1140
1141 cb->OnRedirectVerifyCallback(NS_OK);
1142 return NS_OK;
1143 }
1144
1145
1146 /////////////////////////////////////
1147 // Method implementing nsIObserver //
1148 /////////////////////////////////////
1149 const char sJSEnabledPrefName[] = "javascript.enabled";
1150 const char sFileOriginPolicyPrefName[] =
1151 "security.fileuri.strict_origin_policy";
1152
1153 static const char* kObservedPrefs[] = {
1154 sJSEnabledPrefName,
1155 sFileOriginPolicyPrefName,
1156 "capability.policy.",
1157 nullptr
1158 };
1159
1160
1161 NS_IMETHODIMP
1162 nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic,
1163 const char16_t* aMessage)
1164 {
1165 ScriptSecurityPrefChanged();
1166 return NS_OK;
1167 }
1168
1169 /////////////////////////////////////////////
1170 // Constructor, Destructor, Initialization //
1171 /////////////////////////////////////////////
1172 nsScriptSecurityManager::nsScriptSecurityManager(void)
1173 : mPrefInitialized(false)
1174 , mIsJavaScriptEnabled(false)
1175 {
1176 static_assert(sizeof(intptr_t) == sizeof(void*),
1177 "intptr_t and void* have different lengths on this platform. "
1178 "This may cause a security failure with the SecurityLevel union.");
1179 }
1180
1181 nsresult nsScriptSecurityManager::Init()
1182 {
1183 InitPrefs();
1184
1185 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1186 NS_ENSURE_SUCCESS(rv, rv);
1187
1188 nsCOMPtr<nsIStringBundleService> bundleService =
1189 mozilla::services::GetStringBundleService();
1190 if (!bundleService)
1191 return NS_ERROR_FAILURE;
1192
1193 rv = bundleService->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle);
1194 NS_ENSURE_SUCCESS(rv, rv);
1195
1196 // Create our system principal singleton
1197 nsRefPtr<nsSystemPrincipal> system = new nsSystemPrincipal();
1198 NS_ENSURE_TRUE(system, NS_ERROR_OUT_OF_MEMORY);
1199
1200 mSystemPrincipal = system;
1201
1202 //-- Register security check callback in the JS engine
1203 // Currently this is used to control access to function.caller
1204 rv = nsXPConnect::XPConnect()->GetRuntime(&sRuntime);
1205 NS_ENSURE_SUCCESS(rv, rv);
1206
1207 static const JSSecurityCallbacks securityCallbacks = {
1208 ContentSecurityPolicyPermitsJSAction,
1209 JSPrincipalsSubsume,
1210 };
1211
1212 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime));
1213 JS_SetSecurityCallbacks(sRuntime, &securityCallbacks);
1214 JS_InitDestroyPrincipalsCallback(sRuntime, nsJSPrincipals::Destroy);
1215
1216 JS_SetTrustedPrincipals(sRuntime, system);
1217
1218 return NS_OK;
1219 }
1220
1221 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1222
1223 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1224 {
1225 Preferences::RemoveObservers(this, kObservedPrefs);
1226 if (mDomainPolicy)
1227 mDomainPolicy->Deactivate();
1228 MOZ_ASSERT(!mDomainPolicy);
1229 }
1230
1231 void
1232 nsScriptSecurityManager::Shutdown()
1233 {
1234 if (sRuntime) {
1235 JS_SetSecurityCallbacks(sRuntime, nullptr);
1236 JS_SetTrustedPrincipals(sRuntime, nullptr);
1237 sRuntime = nullptr;
1238 }
1239
1240 NS_IF_RELEASE(sIOService);
1241 NS_IF_RELEASE(sStrBundle);
1242 }
1243
1244 nsScriptSecurityManager *
1245 nsScriptSecurityManager::GetScriptSecurityManager()
1246 {
1247 return gScriptSecMan;
1248 }
1249
1250 /* static */ void
1251 nsScriptSecurityManager::InitStatics()
1252 {
1253 nsRefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1254 nsresult rv = ssManager->Init();
1255 if (NS_FAILED(rv)) {
1256 MOZ_CRASH();
1257 }
1258
1259 ClearOnShutdown(&gScriptSecMan);
1260 gScriptSecMan = ssManager;
1261 }
1262
1263 // Currently this nsGenericFactory constructor is used only from FastLoad
1264 // (XPCOM object deserialization) code, when "creating" the system principal
1265 // singleton.
1266 nsSystemPrincipal *
1267 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1268 {
1269 nsIPrincipal *sysprin = nullptr;
1270 if (gScriptSecMan)
1271 NS_ADDREF(sysprin = gScriptSecMan->mSystemPrincipal);
1272 return static_cast<nsSystemPrincipal*>(sysprin);
1273 }
1274
1275 struct IsWhitespace {
1276 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1277 };
1278 struct IsWhitespaceOrComma {
1279 static bool Test(char aChar) { return aChar == ',' || NS_IsAsciiWhitespace(aChar); };
1280 };
1281
1282 template <typename Predicate>
1283 uint32_t SkipPast(const nsCString& str, uint32_t base)
1284 {
1285 while (base < str.Length() && Predicate::Test(str[base])) {
1286 ++base;
1287 }
1288 return base;
1289 }
1290
1291 template <typename Predicate>
1292 uint32_t SkipUntil(const nsCString& str, uint32_t base)
1293 {
1294 while (base < str.Length() && !Predicate::Test(str[base])) {
1295 ++base;
1296 }
1297 return base;
1298 }
1299
1300 inline void
1301 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1302 {
1303 MOZ_ASSERT(mPrefInitialized);
1304 mIsJavaScriptEnabled =
1305 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1306 sStrictFileOriginPolicy =
1307 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1308
1309 //
1310 // Rebuild the set of principals for which we allow file:// URI loads. This
1311 // implements a small subset of an old pref-based CAPS people that people
1312 // have come to depend on. See bug 995943.
1313 //
1314
1315 mFileURIWhitelist.Clear();
1316 auto policies = mozilla::Preferences::GetCString("capability.policy.policynames");
1317 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1318 base < policies.Length();
1319 base = SkipPast<IsWhitespaceOrComma>(policies, bound))
1320 {
1321 // Grab the current policy name.
1322 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1323 auto policyName = Substring(policies, base, bound - base);
1324
1325 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1326 nsCString checkLoadURIPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1327 policyName +
1328 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1329 if (!Preferences::GetString(checkLoadURIPrefName.get()).LowerCaseEqualsLiteral("allaccess")) {
1330 continue;
1331 }
1332
1333 // Grab the list of domains associated with this policy.
1334 nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1335 policyName +
1336 NS_LITERAL_CSTRING(".sites");
1337 auto siteList = Preferences::GetCString(domainPrefName.get());
1338 AddSitesToFileURIWhitelist(siteList);
1339 }
1340 }
1341
1342 void
1343 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString& aSiteList)
1344 {
1345 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1346 base < aSiteList.Length();
1347 base = SkipPast<IsWhitespace>(aSiteList, bound))
1348 {
1349 // Grab the current site.
1350 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1351 auto site = Substring(aSiteList, base, bound - base);
1352
1353 // Convert it to a URI and add it to our list.
1354 nsCOMPtr<nsIURI> uri;
1355 nsresult rv = NS_NewURI(getter_AddRefs(uri), site, nullptr, nullptr, sIOService);
1356 if (NS_SUCCEEDED(rv)) {
1357 mFileURIWhitelist.AppendElement(uri);
1358 } else {
1359 nsCOMPtr<nsIConsoleService> console(do_GetService("@mozilla.org/consoleservice;1"));
1360 if (console) {
1361 nsAutoString msg = NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1362 NS_ConvertASCIItoUTF16(site);
1363 console->LogStringMessage(msg.get());
1364 }
1365 }
1366 }
1367 }
1368
1369 nsresult
1370 nsScriptSecurityManager::InitPrefs()
1371 {
1372 nsIPrefBranch* branch = Preferences::GetRootBranch();
1373 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1374
1375 mPrefInitialized = true;
1376
1377 // Set the initial value of the "javascript.enabled" prefs
1378 ScriptSecurityPrefChanged();
1379
1380 // set observer callbacks in case the value of the prefs change
1381 Preferences::AddStrongObservers(this, kObservedPrefs);
1382
1383 return NS_OK;
1384 }
1385
1386 namespace mozilla {
1387
1388 void
1389 GetJarPrefix(uint32_t aAppId, bool aInMozBrowser, nsACString& aJarPrefix)
1390 {
1391 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1392
1393 if (aAppId == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
1394 aAppId = nsIScriptSecurityManager::NO_APP_ID;
1395 }
1396
1397 aJarPrefix.Truncate();
1398
1399 // Fallback.
1400 if (aAppId == nsIScriptSecurityManager::NO_APP_ID && !aInMozBrowser) {
1401 return;
1402 }
1403
1404 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1405 aJarPrefix.AppendInt(aAppId);
1406 aJarPrefix.Append('+');
1407 aJarPrefix.Append(aInMozBrowser ? 't' : 'f');
1408 aJarPrefix.Append('+');
1409
1410 return;
1411 }
1412
1413 } // namespace mozilla
1414
1415 NS_IMETHODIMP
1416 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId,
1417 bool aInMozBrowser,
1418 nsACString& aJarPrefix)
1419 {
1420 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1421
1422 mozilla::GetJarPrefix(aAppId, aInMozBrowser, aJarPrefix);
1423 return NS_OK;
1424 }
1425
1426 NS_IMETHODIMP
1427 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv)
1428 {
1429 *aRv = !!mDomainPolicy;
1430 return NS_OK;
1431 }
1432
1433 NS_IMETHODIMP
1434 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv)
1435 {
1436 // We only allow one domain policy at a time. The holder of the previous
1437 // policy must explicitly deactivate it first.
1438 if (mDomainPolicy) {
1439 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1440 }
1441
1442 mDomainPolicy = new DomainPolicy();
1443 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1444 ptr.forget(aRv);
1445 return NS_OK;
1446 }
1447
1448 // Intentionally non-scriptable. Script must have a reference to the
1449 // nsIDomainPolicy to deactivate it.
1450 void
1451 nsScriptSecurityManager::DeactivateDomainPolicy()
1452 {
1453 mDomainPolicy = nullptr;
1454 }
1455
1456 NS_IMETHODIMP
1457 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool *aRv)
1458 {
1459 nsresult rv;
1460
1461 // Compute our rule. If we don't have any domain policy set up that might
1462 // provide exceptions to this rule, we're done.
1463 *aRv = mIsJavaScriptEnabled;
1464 if (!mDomainPolicy) {
1465 return NS_OK;
1466 }
1467
1468 // We have a domain policy. Grab the appropriate set of exceptions to the
1469 // rule (either the blacklist or the whitelist, depending on whether script
1470 // is enabled or disabled by default).
1471 nsCOMPtr<nsIDomainSet> exceptions;
1472 nsCOMPtr<nsIDomainSet> superExceptions;
1473 if (*aRv) {
1474 mDomainPolicy->GetBlacklist(getter_AddRefs(exceptions));
1475 mDomainPolicy->GetSuperBlacklist(getter_AddRefs(superExceptions));
1476 } else {
1477 mDomainPolicy->GetWhitelist(getter_AddRefs(exceptions));
1478 mDomainPolicy->GetSuperWhitelist(getter_AddRefs(superExceptions));
1479 }
1480
1481 bool contains;
1482 rv = exceptions->Contains(aURI, &contains);
1483 NS_ENSURE_SUCCESS(rv, rv);
1484 if (contains) {
1485 *aRv = !*aRv;
1486 return NS_OK;
1487 }
1488 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1489 NS_ENSURE_SUCCESS(rv, rv);
1490 if (contains) {
1491 *aRv = !*aRv;
1492 }
1493
1494 return NS_OK;
1495 }