dom/security/nsCSPContext.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef nsCSPContext_h___
   8 #define nsCSPContext_h___
   9
  10 #include "mozilla/dom/nsCSPUtils.h"
  11 #include "mozilla/dom/SecurityPolicyViolationEvent.h"
  12 #include "mozilla/StaticPrefs_security.h"
  13 #include "nsIChannel.h"
  14 #include "nsIChannelEventSink.h"
  15 #include "nsIContentSecurityPolicy.h"
  16 #include "nsIInterfaceRequestor.h"
  17 #include "nsIStreamListener.h"
  18 #include "nsIWeakReferenceUtils.h"
  19 #include "nsXPCOM.h"
  20
  21 #define NS_CSPCONTEXT_CONTRACTID "@mozilla.org/cspcontext;1"
  22 // 09d9ed1a-e5d4-4004-bfe0-27ceb923d9ac
  23 #define NS_CSPCONTEXT_CID                            \
  24   {                                                  \
  25     0x09d9ed1a, 0xe5d4, 0x4004, {                    \
  26       0xbf, 0xe0, 0x27, 0xce, 0xb9, 0x23, 0xd9, 0xac \
  27     }                                                \
  28   }
  29
  30 class nsINetworkInterceptController;
  31 class nsIEventTarget;
  32 struct ConsoleMsgQueueElem;
  33
  34 namespace mozilla {
  35 namespace dom {
  36 class Element;
  37 }
  38 namespace ipc {
  39 class ContentSecurityPolicy;
  40 }
  41 }  // namespace mozilla
  42
  43 class nsCSPContext : public nsIContentSecurityPolicy {
  44  public:
  45   NS_DECL_ISUPPORTS
  46   NS_DECL_NSICONTENTSECURITYPOLICY
  47   NS_DECL_NSISERIALIZABLE
  48
  49  protected:
  50   virtual ~nsCSPContext();
  51
  52  public:
  53   nsCSPContext();
  54
  55   static bool Equals(nsIContentSecurityPolicy* aCSP,
  56                      nsIContentSecurityPolicy* aOtherCSP);
  57
  58   // Init a CSP from a different CSP
  59   nsresult InitFromOther(nsCSPContext* otherContext);
  60
  61   // Used to suppress errors and warnings produced by the parser.
  62   // Use this when doing an one-off parsing of the CSP.
  63   void SuppressParserLogMessages() { mSuppressParserLogMessages = true; }
  64
  65   /**
  66    * SetRequestContextWithDocument() needs to be called before the
  67    * innerWindowID is initialized on the document. Use this function
  68    * to call back to flush queued up console messages and initialize
  69    * the innerWindowID. Node, If SetRequestContextWithPrincipal() was
  70    * called then we do not have a innerWindowID anyway and hence
  71    * we can not flush messages to the correct console.
  72    */
  73   void flushConsoleMessages();
  74
  75   void logToConsole(const char* aName, const nsTArray<nsString>& aParams,
  76                     const nsAString& aSourceName, const nsAString& aSourceLine,
  77                     uint32_t aLineNumber, uint32_t aColumnNumber,
  78                     uint32_t aSeverityFlag);
  79
  80   /**
  81    * Construct SecurityPolicyViolationEventInit structure.
  82    *
  83    * @param aBlockedURI
  84    *        A nsIURI: the source of the violation.
  85    * @param aOriginalUri
  86    *        The original URI if the blocked content is a redirect, else null
  87    * @param aViolatedDirective
  88    *        the directive that was violated (string).
  89    * @param aSourceFile
  90    *        name of the file containing the inline script violation
  91    * @param aScriptSample
  92    *        a sample of the violating inline script
  93    * @param aLineNum
  94    *        source line number of the violation (if available)
  95    * @param aColumnNum
  96    *        source column number of the violation (if available)
  97    * @param aViolationEventInit
  98    *        The output
  99    */
 100   nsresult GatherSecurityPolicyViolationEventData(
 101       nsIURI* aBlockedURI, const nsACString& aBlockedString,
 102       nsIURI* aOriginalURI, const nsAString& aViolatedDirective,
 103       uint32_t aViolatedPolicyIndex, const nsAString& aSourceFile,
 104       const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum,
 105       mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit);
 106
 107   nsresult SendReports(
 108       const mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit,
 109       uint32_t aViolatedPolicyIndex);
 110
 111   nsresult FireViolationEvent(
 112       mozilla::dom::Element* aTriggeringElement,
 113       nsICSPEventListener* aCSPEventListener,
 114       const mozilla::dom::SecurityPolicyViolationEventInit&
 115           aViolationEventInit);
 116
 117   enum BlockedContentSource {
 118     eUnknown,
 119     eInline,
 120     eEval,
 121     eSelf,
 122     eWasmEval,
 123   };
 124
 125   nsresult AsyncReportViolation(
 126       mozilla::dom::Element* aTriggeringElement,
 127       nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI,
 128       BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI,
 129       const nsAString& aViolatedDirective,
 130       const nsAString& aViolatedDirectiveString,
 131       const CSPDirective aEffectiveDirective, uint32_t aViolatedPolicyIndex,
 132       const nsAString& aObserverSubject, const nsAString& aSourceFile,
 133       bool aReportSample, const nsAString& aScriptSample, uint32_t aLineNum,
 134       uint32_t aColumnNum);
 135
 136   // Hands off! Don't call this method unless you know what you
 137   // are doing. It's only supposed to be called from within
 138   // the principal destructor to avoid a tangling pointer.
 139   void clearLoadingPrincipal() { mLoadingPrincipal = nullptr; }
 140
 141   nsWeakPtr GetLoadingContext() { return mLoadingContext; }
 142
 143   static uint32_t ScriptSampleMaxLength() {
 144     return std::max(
 145         mozilla::StaticPrefs::security_csp_reporting_script_sample_max_length(),
 146         0);
 147   }
 148
 149   void AddIPCPolicy(const mozilla::ipc::ContentSecurityPolicy& aPolicy);
 150   void SerializePolicies(
 151       nsTArray<mozilla::ipc::ContentSecurityPolicy>& aPolicies);
 152
 153  private:
 154   bool ShouldThrottleReport(
 155       const mozilla::dom::SecurityPolicyViolationEventInit&
 156           aViolationEventInit);
 157
 158   bool permitsInternal(CSPDirective aDir,
 159                        mozilla::dom::Element* aTriggeringElement,
 160                        nsICSPEventListener* aCSPEventListener,
 161                        nsILoadInfo* aLoadInfo, nsIURI* aContentLocation,
 162                        nsIURI* aOriginalURIIfRedirect, bool aSpecific,
 163                        bool aSendViolationReports,
 164                        bool aSendContentLocationInViolationReports);
 165
 166   // helper to report inline script/style violations
 167   void reportInlineViolation(CSPDirective aDirective,
 168                              mozilla::dom::Element* aTriggeringElement,
 169                              nsICSPEventListener* aCSPEventListener,
 170                              const nsAString& aNonce, bool aReportSample,
 171                              const nsAString& aSample,
 172                              const nsAString& aViolatedDirective,
 173                              const nsAString& aViolatedDirectiveString,
 174                              CSPDirective aEffectiveDirective,
 175                              uint32_t aViolatedPolicyIndex,
 176                              uint32_t aLineNumber, uint32_t aColumnNumber);
 177
 178   nsCString mReferrer;
 179   uint64_t mInnerWindowID;          // used for web console logging
 180   bool mSkipAllowInlineStyleCheck;  // used to allow Devtools to edit styles
 181   // When deserializing an nsCSPContext instance, we initially just keep the
 182   // policies unparsed. We will only reconstruct actual CSP policy instances
 183   // when there's an attempt to use the CSP. Given a better way to serialize/
 184   // deserialize individual nsCSPPolicy objects, this performance
 185   // optimization could go away.
 186   nsTArray<mozilla::ipc::ContentSecurityPolicy> mIPCPolicies;
 187   nsTArray<nsCSPPolicy*> mPolicies;
 188   nsCOMPtr<nsIURI> mSelfURI;
 189   nsCOMPtr<nsILoadGroup> mCallingChannelLoadGroup;
 190   nsWeakPtr mLoadingContext;
 191   nsCOMPtr<nsIPrincipal> mLoadingPrincipal;
 192
 193   bool mSuppressParserLogMessages = false;
 194
 195   // helper members used to queue up web console messages till
 196   // the windowID becomes available. see flushConsoleMessages()
 197   nsTArray<ConsoleMsgQueueElem> mConsoleMsgQueue;
 198   bool mQueueUpMessages;
 199   nsCOMPtr<nsIEventTarget> mEventTarget;
 200
 201   mozilla::TimeStamp mSendReportLimitSpanStart;
 202   uint32_t mSendReportLimitCount = 1;
 203   bool mWarnedAboutTooManyReports = false;
 204 };
 205
 206 // Class that listens to violation report transmission and logs errors.
 207 class CSPViolationReportListener : public nsIStreamListener {
 208  public:
 209   NS_DECL_NSISTREAMLISTENER
 210   NS_DECL_NSIREQUESTOBSERVER
 211   NS_DECL_ISUPPORTS
 212
 213  public:
 214   CSPViolationReportListener();
 215
 216  protected:
 217   virtual ~CSPViolationReportListener();
 218 };
 219
 220 // The POST of the violation report (if it happens) should not follow
 221 // redirects, per the spec. hence, we implement an nsIChannelEventSink
 222 // with an object so we can tell XHR to abort if a redirect happens.
 223 class CSPReportRedirectSink final : public nsIChannelEventSink,
 224                                     public nsIInterfaceRequestor {
 225  public:
 226   NS_DECL_NSICHANNELEVENTSINK
 227   NS_DECL_NSIINTERFACEREQUESTOR
 228   NS_DECL_ISUPPORTS
 229
 230  public:
 231   CSPReportRedirectSink();
 232
 233   void SetInterceptController(
 234       nsINetworkInterceptController* aInterceptController);
 235
 236  protected:
 237   virtual ~CSPReportRedirectSink();
 238
 239  private:
 240   nsCOMPtr<nsINetworkInterceptController> mInterceptController;
 241 };
 242
 243 #endif /* nsCSPContext_h___ */