search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1615150 - Fix the logic that skips generated-files diffing when there aren't...
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob9c5c8c3c52691d5ccddb606b2215f860032b9635
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/StaticPrefs_extensions.h"
11 #include "mozilla/StaticPrefs_security.h"
12 #include "mozilla/StoragePrincipalHelper.h"
13
14 #include "xpcpublic.h"
15 #include "XPCWrapper.h"
16 #include "nsILoadContext.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIScriptError.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "mozilla/BasePrincipal.h"
24 #include "ExpandedPrincipal.h"
25 #include "SystemPrincipal.h"
26 #include "DomainPolicy.h"
27 #include "nsString.h"
28 #include "nsCRT.h"
29 #include "nsCRTGlue.h"
30 #include "nsContentSecurityUtils.h"
31 #include "nsDocShell.h"
32 #include "nsError.h"
33 #include "nsGlobalWindowInner.h"
34 #include "nsDOMCID.h"
35 #include "nsTextFormatter.h"
36 #include "nsIStringBundle.h"
37 #include "nsNetUtil.h"
38 #include "nsIEffectiveTLDService.h"
39 #include "nsDirectoryServiceDefs.h"
40 #include "nsIScriptGlobalObject.h"
41 #include "nsPIDOMWindow.h"
42 #include "nsIDocShell.h"
43 #include "nsIConsoleService.h"
44 #include "nsIOService.h"
45 #include "nsIContent.h"
46 #include "nsDOMJSUtils.h"
47 #include "nsAboutProtocolUtils.h"
48 #include "nsIClassInfo.h"
49 #include "nsIURIFixup.h"
50 #include "nsIChromeRegistry.h"
51 #include "nsIResProtocolHandler.h"
52 #include "nsIContentSecurityPolicy.h"
53 #include "mozilla/Components.h"
54 #include "mozilla/Preferences.h"
55 #include "mozilla/dom/BindingUtils.h"
56 #include "mozilla/NullPrincipal.h"
57 #include <stdint.h>
58 #include "mozilla/dom/nsCSPContext.h"
59 #include "mozilla/dom/ScriptSettings.h"
60 #include "mozilla/ClearOnShutdown.h"
61 #include "mozilla/StaticPtr.h"
62 #include "mozilla/dom/WorkerCommon.h"
63 #include "mozilla/dom/WorkerPrivate.h"
64 #include "nsContentUtils.h"
65 #include "nsJSUtils.h"
66 #include "nsILoadInfo.h"
67
68 // This should be probably defined on some other place... but I couldn't find it
69 #define WEBAPPS_PERM_NAME "webapps-manage"
70
71 using namespace mozilla;
72 using namespace mozilla::dom;
73
74 nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
75 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
76
77 namespace {
78
79 class BundleHelper {
80 public:
81 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
82
83 static nsIStringBundle* GetOrCreate() {
84 MOZ_ASSERT(!sShutdown);
85
86 // Already shutting down. Nothing should require the use of the string
87 // bundle when shutting down.
88 if (sShutdown) {
89 return nullptr;
90 }
91
92 if (!sSelf) {
93 sSelf = new BundleHelper();
94 }
95
96 return sSelf->GetOrCreateInternal();
97 }
98
99 static void Shutdown() {
100 sSelf = nullptr;
101 sShutdown = true;
102 }
103
104 private:
105 ~BundleHelper() = default;
106
107 nsIStringBundle* GetOrCreateInternal() {
108 if (!mBundle) {
109 nsCOMPtr<nsIStringBundleService> bundleService =
110 mozilla::services::GetStringBundleService();
111 if (NS_WARN_IF(!bundleService)) {
112 return nullptr;
113 }
114
115 nsresult rv = bundleService->CreateBundle(
116 "chrome://global/locale/security/caps.properties",
117 getter_AddRefs(mBundle));
118 if (NS_WARN_IF(NS_FAILED(rv))) {
119 return nullptr;
120 }
121 }
122
123 return mBundle;
124 }
125
126 nsCOMPtr<nsIStringBundle> mBundle;
127
128 static StaticRefPtr<BundleHelper> sSelf;
129 static bool sShutdown;
130 };
131
132 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
133 bool BundleHelper::sShutdown = false;
134
135 } // namespace
136
137 ///////////////////////////
138 // Convenience Functions //
139 ///////////////////////////
140
141 class nsAutoInPrincipalDomainOriginSetter {
142 public:
143 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
144 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
145 static uint32_t sInPrincipalDomainOrigin;
146 };
147 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
148
149 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
150 if (!aURI) {
151 return NS_ERROR_NULL_POINTER;
152 }
153 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
154 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
155 // might be happening on a different principal from the first call. But
156 // after that, cut off the recursion; it just indicates that something
157 // we're doing in this method causes us to reenter a security check here.
158 return NS_ERROR_NOT_AVAILABLE;
159 }
160
161 nsAutoInPrincipalDomainOriginSetter autoSetter;
162
163 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
164 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
165
166 nsAutoCString hostPort;
167
168 nsresult rv = uri->GetHostPort(hostPort);
169 if (NS_SUCCEEDED(rv)) {
170 nsAutoCString scheme;
171 rv = uri->GetScheme(scheme);
172 NS_ENSURE_SUCCESS(rv, rv);
173 aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
174 } else {
175 // Some URIs (e.g., nsSimpleURI) don't support host. Just
176 // get the full spec.
177 rv = uri->GetSpec(aOrigin);
178 NS_ENSURE_SUCCESS(rv, rv);
179 }
180
181 return NS_OK;
182 }
183
184 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
185 nsACString& aOrigin) {
186 aOrigin.Truncate();
187 nsCOMPtr<nsIURI> uri;
188 aPrincipal->GetDomain(getter_AddRefs(uri));
189 nsresult rv = GetOriginFromURI(uri, aOrigin);
190 if (NS_SUCCEEDED(rv)) {
191 return rv;
192 }
193 // If there is no Domain fallback to the Principals Origin
194 return aPrincipal->GetOriginNoSuffix(aOrigin);
195 }
196
197 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
198 JS_ReportErrorASCII(cx, "%s", aMsg);
199 }
200
201 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
202 NS_ConvertUTF16toUTF8 msg(aMsg);
203 JS_ReportErrorUTF8(cx, "%s", msg.get());
204 }
205
206 /* static */
207 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
208 nsIURI* aTargetURI) {
209 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
210 sStrictFileOriginPolicy);
211 }
212
213 // SecurityHashURI is consistent with SecurityCompareURIs because
214 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
215 // nsNetUtil.h.
216 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
217 return NS_SecurityHashURI(aURI);
218 }
219
220 /*
221 * GetChannelResultPrincipal will return the principal that the resource
222 * returned by this channel will use. For example, if the resource is in
223 * a sandbox, it will return the nullprincipal. If the resource is forced
224 * to inherit principal, it will return the principal of its parent. If
225 * the load doesn't require sandboxing or inheriting, it will return the same
226 * principal as GetChannelURIPrincipal. Namely the principal of the URI
227 * that is being loaded.
228 */
229 NS_IMETHODIMP
230 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
231 nsIPrincipal** aPrincipal) {
232 return GetChannelResultPrincipal(aChannel, aPrincipal,
233 /*aIgnoreSandboxing*/ false);
234 }
235
236 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
237 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
238 return GetChannelResultPrincipal(aChannel, aPrincipal,
239 /*aIgnoreSandboxing*/ true);
240 }
241
242 NS_IMETHODIMP
243 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
244 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
245 nsCOMPtr<nsIPrincipal> principal;
246 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
247 /*aIgnoreSandboxing*/ false);
248 if (NS_WARN_IF(NS_FAILED(rv))) {
249 return rv;
250 }
251
252 return StoragePrincipalHelper::Create(aChannel, principal, aPrincipal);
253 }
254
255 NS_IMETHODIMP
256 nsScriptSecurityManager::GetChannelResultPrincipals(
257 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
258 nsIPrincipal** aStoragePrincipal) {
259 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
260 /*aIgnoreSandboxing*/ false);
261 if (NS_WARN_IF(NS_FAILED(rv))) {
262 return rv;
263 }
264
265 if (!(*aPrincipal)->GetIsContentPrincipal()) {
266 // If for some reason we don't have a content principal here, just reuse our
267 // principal for the storage principal too, since attempting to create a
268 // storage principal would fail anyway.
269 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
270 copy.forget(aStoragePrincipal);
271 return NS_OK;
272 }
273
274 return StoragePrincipalHelper::Create(aChannel, *aPrincipal,
275 aStoragePrincipal);
276 }
277
278 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
279 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
280 MOZ_ASSERT(aChannel, "Must have channel!");
281
282 // Check whether we have an nsILoadInfo that says what we should do.
283 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
284 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
285 nsCOMPtr<nsIPrincipal> principalToInherit =
286 loadInfo->FindPrincipalToInherit(aChannel);
287 principalToInherit.forget(aPrincipal);
288 return NS_OK;
289 }
290
291 nsCOMPtr<nsISupports> owner;
292 aChannel->GetOwner(getter_AddRefs(owner));
293 if (owner) {
294 CallQueryInterface(owner, aPrincipal);
295 if (*aPrincipal) {
296 return NS_OK;
297 }
298 }
299
300 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
301 nsCOMPtr<nsIPrincipal> sandboxedLoadingPrincipal =
302 loadInfo->GetSandboxedLoadingPrincipal();
303 MOZ_ASSERT(sandboxedLoadingPrincipal);
304 sandboxedLoadingPrincipal.forget(aPrincipal);
305 return NS_OK;
306 }
307
308 bool forceInherit = loadInfo->GetForceInheritPrincipal();
309 if (aIgnoreSandboxing && !forceInherit) {
310 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
311 // sandboxing:
312 if (loadInfo->GetLoadingSandboxed() &&
313 loadInfo->GetForceInheritPrincipalDropped()) {
314 forceInherit = true;
315 }
316 }
317 if (forceInherit) {
318 nsCOMPtr<nsIPrincipal> principalToInherit =
319 loadInfo->FindPrincipalToInherit(aChannel);
320 principalToInherit.forget(aPrincipal);
321 return NS_OK;
322 }
323
324 auto securityMode = loadInfo->GetSecurityMode();
325 // The data: inheritance flags should only apply to the initial load,
326 // not to loads that it might have redirected to.
327 if (loadInfo->RedirectChain().IsEmpty() &&
328 (securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS ||
329 securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS ||
330 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS)) {
331 nsCOMPtr<nsIURI> uri;
332 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
333 NS_ENSURE_SUCCESS(rv, rv);
334
335 nsCOMPtr<nsIPrincipal> principalToInherit =
336 loadInfo->FindPrincipalToInherit(aChannel);
337 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
338
339 if (nsContentUtils::ChannelShouldInheritPrincipal(
340 principalToInherit, uri, inheritForAboutBlank, false)) {
341 principalToInherit.forget(aPrincipal);
342 return NS_OK;
343 }
344 }
345 return GetChannelURIPrincipal(aChannel, aPrincipal);
346 }
347
348 /* The principal of the URI that this channel is loading. This is never
349 * affected by things like sandboxed loads, or loads where we forcefully
350 * inherit the principal. Think of this as the principal of the server
351 * which this channel is loading from. Most callers should use
352 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
353 * call GetChannelURIPrincipal if you are sure that you want the
354 * principal that matches the uri, even in cases when the load is
355 * sandboxed or when the load could be a blob or data uri (i.e even when
356 * you encounter loads that may or may not be sandboxed and loads
357 * that may or may not inherit)."
358 */
359 NS_IMETHODIMP
360 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
361 nsIPrincipal** aPrincipal) {
362 MOZ_ASSERT(aChannel, "Must have channel!");
363
364 // Get the principal from the URI. Make sure this does the same thing
365 // as Document::Reset and PrototypeDocumentContentSink::Init.
366 nsCOMPtr<nsIURI> uri;
367 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
368 NS_ENSURE_SUCCESS(rv, rv);
369
370 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
371
372 // Inherit the origin attributes from loadInfo.
373 // If this is a top-level document load, the origin attributes of the
374 // loadInfo will be set from nsDocShell::DoURILoad.
375 // For subresource loading, the origin attributes of the loadInfo is from
376 // its loadingPrincipal.
377 OriginAttributes attrs = loadInfo->GetOriginAttributes();
378
379 nsCOMPtr<nsIPrincipal> prin =
380 BasePrincipal::CreateContentPrincipal(uri, attrs);
381 prin.forget(aPrincipal);
382 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
383 }
384
385 /////////////////////////////
386 // nsScriptSecurityManager //
387 /////////////////////////////
388
389 ////////////////////////////////////
390 // Methods implementing ISupports //
391 ////////////////////////////////////
392 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
393
394 ///////////////////////////////////////////////////
395 // Methods implementing nsIScriptSecurityManager //
396 ///////////////////////////////////////////////////
397
398 ///////////////// Security Checks /////////////////
399
400 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
401 JSContext* cx, JS::HandleValue aValue) {
402 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
403
404 // Get the window, if any, corresponding to the current global
405 nsCOMPtr<nsIContentSecurityPolicy> csp;
406 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
407 csp = win->GetCsp();
408 }
409
410 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
411 if (!csp) {
412 if (!StaticPrefs::extensions_content_script_csp_enabled()) {
413 return true;
414 }
415 // Get the CSP for addon sandboxes. If the principal is expanded and has a
416 // csp, we're probably in luck.
417 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
418 // ContentScriptAddonPolicy means it is also an expanded principal, thus
419 // this is in a sandbox used as a content script.
420 if (basePrin->ContentScriptAddonPolicy()) {
421 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
422 }
423 // don't do anything unless there's a CSP
424 if (!csp) {
425 return true;
426 }
427 }
428
429 nsCOMPtr<nsICSPEventListener> cspEventListener;
430 if (!NS_IsMainThread()) {
431 WorkerPrivate* workerPrivate =
432 mozilla::dom::GetWorkerPrivateFromContext(cx);
433 if (workerPrivate) {
434 cspEventListener = workerPrivate->CSPEventListener();
435 }
436 }
437
438 bool evalOK = true;
439 bool reportViolation = false;
440 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
441
442 // A little convoluted. We want the scriptSample for a) reporting a violation
443 // or b) passing it to AssertEvalNotUsingSystemPrincipal or c) we're in the
444 // parent process. So do the work to get it if either of those cases is true.
445 nsAutoJSString scriptSample;
446 if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
447 XRE_IsE10sParentProcess()) {
448 JS::Rooted<JSString*> jsString(cx, JS::ToString(cx, aValue));
449 if (NS_WARN_IF(!jsString)) {
450 JS_ClearPendingException(cx);
451 return false;
452 }
453
454 if (NS_WARN_IF(!scriptSample.init(cx, jsString))) {
455 JS_ClearPendingException(cx);
456 return false;
457 }
458 }
459
460 #if !defined(ANDROID)
461 if (!nsContentSecurityUtils::IsEvalAllowed(
462 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
463 return false;
464 }
465 #endif
466
467 if (NS_FAILED(rv)) {
468 NS_WARNING("CSP: failed to get allowsEval");
469 return true; // fail open to not break sites.
470 }
471
472 if (reportViolation) {
473 JS::AutoFilename scriptFilename;
474 nsAutoString fileName;
475 unsigned lineNum = 0;
476 unsigned columnNum = 0;
477 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
478 if (const char* file = scriptFilename.get()) {
479 CopyUTF8toUTF16(nsDependentCString(file), fileName);
480 }
481 } else {
482 MOZ_ASSERT(!JS_IsExceptionPending(cx));
483 }
484 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
485 nullptr, // triggering element
486 cspEventListener, fileName, scriptSample, lineNum,
487 columnNum, EmptyString(), EmptyString());
488 }
489
490 return evalOK;
491 }
492
493 // static
494 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
495 JSPrincipals* second) {
496 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
497 }
498
499 NS_IMETHODIMP
500 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
501 nsIURI* aTargetURI,
502 bool reportError,
503 bool aFromPrivateWindow) {
504 // Please note that aFromPrivateWindow is only 100% accurate if
505 // reportError is true.
506 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
507 if (reportError) {
508 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
509 aFromPrivateWindow);
510 }
511 return NS_ERROR_DOM_BAD_URI;
512 }
513 return NS_OK;
514 }
515
516 NS_IMETHODIMP
517 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
518 // Get principal of currently executing script.
519 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
520 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
521 nsresult rv = CheckLoadURIWithPrincipal(
522 // Passing 0 for the window ID here is OK, because we will report a
523 // script-visible exception anyway.
524 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
525 if (NS_SUCCEEDED(rv)) {
526 // OK to load
527 return NS_OK;
528 }
529
530 // Report error.
531 nsAutoCString spec;
532 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
533 nsAutoCString msg("Access to '");
534 msg.Append(spec);
535 msg.AppendLiteral("' from script denied");
536 SetPendingExceptionASCII(cx, msg.get());
537 return NS_ERROR_DOM_BAD_URI;
538 }
539
540 /**
541 * Helper method to handle cases where a flag passed to
542 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
543 * nsIProtocolHandler flags set.
544 * @return if success, access is allowed. Otherwise, deny access
545 */
546 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
547 MOZ_ASSERT(aURI, "Must have URI!");
548
549 bool uriHasFlags;
550 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
551 NS_ENSURE_SUCCESS(rv, rv);
552
553 if (uriHasFlags) {
554 return NS_ERROR_DOM_BAD_URI;
555 }
556
557 return NS_OK;
558 }
559
560 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
561 nsresult rv;
562 nsCOMPtr<nsIURI> probe = aProbeArg;
563
564 nsCOMPtr<nsIEffectiveTLDService> tldService =
565 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
566 NS_ENSURE_TRUE(tldService, false);
567 while (true) {
568 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
569 return true;
570 }
571
572 nsAutoCString host, newHost;
573 rv = probe->GetHost(host);
574 NS_ENSURE_SUCCESS(rv, false);
575
576 rv = tldService->GetNextSubDomain(host, newHost);
577 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
578 return false;
579 }
580 NS_ENSURE_SUCCESS(rv, false);
581 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
582 NS_ENSURE_SUCCESS(rv, false);
583 }
584 }
585
586 NS_IMETHODIMP
587 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
588 nsIURI* aTargetURI,
589 uint32_t aFlags,
590 uint64_t aInnerWindowID) {
591 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
592
593 // If someone passes a flag that we don't understand, we should
594 // fail, because they may need a security check that we don't
595 // provide.
596 NS_ENSURE_FALSE(
597 aFlags &
598 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
599 nsIScriptSecurityManager::ALLOW_CHROME |
600 nsIScriptSecurityManager::DISALLOW_SCRIPT |
601 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
602 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
603 NS_ERROR_UNEXPECTED);
604 NS_ENSURE_ARG_POINTER(aPrincipal);
605 NS_ENSURE_ARG_POINTER(aTargetURI);
606
607 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
608 // would do such inheriting. That would be URIs that do not have their own
609 // security context. We do this even for the system principal.
610 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
611 nsresult rv = DenyAccessIfURIHasFlags(
612 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
613 NS_ENSURE_SUCCESS(rv, rv);
614 }
615
616 if (aPrincipal == mSystemPrincipal) {
617 // Allow access
618 return NS_OK;
619 }
620
621 nsCOMPtr<nsIURI> sourceURI;
622 aPrincipal->GetURI(getter_AddRefs(sourceURI));
623 if (!sourceURI) {
624 auto* basePrin = BasePrincipal::Cast(aPrincipal);
625 if (basePrin->Is<ExpandedPrincipal>()) {
626 auto expanded = basePrin->As<ExpandedPrincipal>();
627 for (auto& prin : expanded->AllowList()) {
628 nsresult rv =
629 CheckLoadURIWithPrincipal(prin, aTargetURI, aFlags, aInnerWindowID);
630 if (NS_SUCCEEDED(rv)) {
631 // Allow access if it succeeded with one of the allowlisted principals
632 return NS_OK;
633 }
634 }
635 // None of our allowlisted principals worked.
636 return NS_ERROR_DOM_BAD_URI;
637 }
638 NS_ERROR(
639 "Non-system principals or expanded principal passed to "
640 "CheckLoadURIWithPrincipal "
641 "must have a URI!");
642 return NS_ERROR_UNEXPECTED;
643 }
644
645 // Automatic loads are not allowed from certain protocols.
646 if (aFlags &
647 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
648 nsresult rv = DenyAccessIfURIHasFlags(
649 sourceURI,
650 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
651 NS_ENSURE_SUCCESS(rv, rv);
652 }
653
654 // If either URI is a nested URI, get the base URI
655 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
656 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
657
658 //-- get the target scheme
659 nsAutoCString targetScheme;
660 nsresult rv = targetBaseURI->GetScheme(targetScheme);
661 if (NS_FAILED(rv)) return rv;
662
663 //-- Some callers do not allow loading javascript:
664 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
665 targetScheme.EqualsLiteral("javascript")) {
666 return NS_ERROR_DOM_BAD_URI;
667 }
668
669 // Check for uris that are only loadable by principals that subsume them
670 bool hasFlags;
671 rv = NS_URIChainHasFlags(
672 targetBaseURI, nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS, &hasFlags);
673 NS_ENSURE_SUCCESS(rv, rv);
674
675 if (hasFlags) {
676 // check nothing else in the URI chain has flags that prevent
677 // access:
678 rv = CheckLoadURIFlags(
679 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
680 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
681 aInnerWindowID);
682 NS_ENSURE_SUCCESS(rv, rv);
683 // Check the principal is allowed to load the target.
684 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
685 return aPrincipal->CheckMayLoad(targetBaseURI, false);
686 }
687 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
688 aInnerWindowID);
689 }
690
691 //-- get the source scheme
692 nsAutoCString sourceScheme;
693 rv = sourceBaseURI->GetScheme(sourceScheme);
694 if (NS_FAILED(rv)) return rv;
695
696 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
697 // A null principal can target its own URI.
698 if (sourceURI == aTargetURI) {
699 return NS_OK;
700 }
701 } else if (StaticPrefs::
702 security_view_source_reachable_from_inner_protocol() &&
703 sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
704 aTargetURI->SchemeIs("view-source")) {
705 // exception for foo: linking to view-source:foo for reftests...
706 return NS_OK;
707 } else if (sourceScheme.EqualsIgnoreCase("file") &&
708 targetScheme.EqualsIgnoreCase("moz-icon")) {
709 // exception for file: linking to moz-icon://.ext?size=...
710 // Note that because targetScheme is the base (innermost) URI scheme,
711 // this does NOT allow file -> moz-icon:file:///... links.
712 // This is intentional.
713 return NS_OK;
714 }
715
716 // Check for webextension
717 rv = NS_URIChainHasFlags(
718 aTargetURI, nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS, &hasFlags);
719 NS_ENSURE_SUCCESS(rv, rv);
720
721 if (hasFlags && BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
722 return NS_OK;
723 }
724
725 // If we get here, check all the schemes can link to each other, from the top
726 // down:
727 nsCaseInsensitiveCStringComparator stringComparator;
728 nsCOMPtr<nsIURI> currentURI = sourceURI;
729 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
730
731 bool denySameSchemeLinks = false;
732 rv = NS_URIChainHasFlags(aTargetURI,
733 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
734 &denySameSchemeLinks);
735 if (NS_FAILED(rv)) return rv;
736
737 while (currentURI && currentOtherURI) {
738 nsAutoCString scheme, otherScheme;
739 currentURI->GetScheme(scheme);
740 currentOtherURI->GetScheme(otherScheme);
741
742 bool schemesMatch = scheme.Equals(otherScheme, stringComparator);
743 bool isSamePage = false;
744 // about: URIs are special snowflakes.
745 if (scheme.EqualsLiteral("about") && schemesMatch) {
746 nsAutoCString moduleName, otherModuleName;
747 // about: pages can always link to themselves:
748 isSamePage =
749 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
750 NS_SUCCEEDED(
751 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
752 moduleName.Equals(otherModuleName);
753 if (!isSamePage) {
754 // We will have allowed the load earlier if the source page has
755 // system principal. So we know the source has a content
756 // principal, and it's trying to link to something else.
757 // Linkable about: pages are always reachable, even if we hit
758 // the CheckLoadURIFlags call below.
759 // We punch only 1 other hole: iff the source is unlinkable,
760 // we let them link to other pages explicitly marked SAFE
761 // for content. This avoids world-linkable about: pages linking
762 // to non-world-linkable about: pages.
763 nsCOMPtr<nsIAboutModule> module, otherModule;
764 bool knowBothModules =
765 NS_SUCCEEDED(
766 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
767 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
768 getter_AddRefs(otherModule)));
769 uint32_t aboutModuleFlags = 0;
770 uint32_t otherAboutModuleFlags = 0;
771 knowBothModules =
772 knowBothModules &&
773 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
774 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
775 &otherAboutModuleFlags));
776 if (knowBothModules) {
777 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
778 (otherAboutModuleFlags &
779 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
780 if (isSamePage &&
781 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
782 // XXXgijs: this is a hack. The target will be nested
783 // (with innerURI of moz-safe-about:whatever), and
784 // the source isn't, so we won't pass if we finish
785 // the loop. We *should* pass, though, so return here.
786 // This hack can go away when bug 1228118 is fixed.
787 return NS_OK;
788 }
789 }
790 }
791 } else {
792 bool equalExceptRef = false;
793 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
794 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
795 }
796
797 // If schemes are not equal, or they're equal but the target URI
798 // is different from the source URI and doesn't always allow linking
799 // from the same scheme, check if the URI flags of the current target
800 // URI allow the current source URI to link to it.
801 // The policy is specified by the protocol flags on both URIs.
802 if (!schemesMatch || (denySameSchemeLinks && !isSamePage)) {
803 return CheckLoadURIFlags(
804 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
805 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
806 aInnerWindowID);
807 }
808 // Otherwise... check if we can nest another level:
809 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
810 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
811
812 // If schemes match and neither URI is nested further, we're OK.
813 if (!nestedURI && !nestedOtherURI) {
814 return NS_OK;
815 }
816 // If one is nested and the other isn't, something is wrong.
817 if (!nestedURI != !nestedOtherURI) {
818 return NS_ERROR_DOM_BAD_URI;
819 }
820 // Otherwise, both should be nested and we'll go through the loop again.
821 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
822 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
823 }
824
825 // We should never get here. We should always return from inside the loop.
826 return NS_ERROR_DOM_BAD_URI;
827 }
828
829 /**
830 * Helper method to check whether the target URI and its innermost ("base") URI
831 * has protocol flags that should stop it from being loaded by the source URI
832 * (and/or the source URI's innermost ("base") URI), taking into account any
833 * nsIScriptSecurityManager flags originally passed to
834 * CheckLoadURIWithPrincipal and friends.
835 *
836 * @return if success, access is allowed. Otherwise, deny access
837 */
838 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
839 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
840 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
841 uint64_t aInnerWindowID) {
842 // Note that the order of policy checks here is very important!
843 // We start from most restrictive and work our way down.
844 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
845 const char* errorTag = "CheckLoadURIError";
846
847 nsAutoCString targetScheme;
848 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
849 if (NS_FAILED(rv)) return rv;
850
851 // Check for system target URI
852 rv = DenyAccessIfURIHasFlags(aTargetURI,
853 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
854 if (NS_FAILED(rv)) {
855 // Deny access, since the origin principal is not system
856 if (reportErrors) {
857 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
858 aInnerWindowID);
859 }
860 return rv;
861 }
862
863 // Used by ExtensionProtocolHandler to prevent loading extension resources
864 // in private contexts if the extension does not have permission.
865 if (aFromPrivateWindow) {
866 rv = DenyAccessIfURIHasFlags(
867 aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
868 if (NS_FAILED(rv)) {
869 if (reportErrors) {
870 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
871 aInnerWindowID);
872 }
873 return rv;
874 }
875 }
876
877 // Check for chrome target URI
878 bool hasFlags = false;
879 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
880 &hasFlags);
881 NS_ENSURE_SUCCESS(rv, rv);
882 if (hasFlags) {
883 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
884 // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
885 // target if ALLOW_CHROME is set.
886 //
887 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
888 // loads (since docshell loads run the loaded content with its origin
889 // principal). So we're effectively allowing resource://, chrome://,
890 // and moz-icon:// source URIs to load resource://, chrome://, and
891 // moz-icon:// files, so long as they're not loading it as a document.
892 bool sourceIsUIResource;
893 rv = NS_URIChainHasFlags(aSourceBaseURI,
894 nsIProtocolHandler::URI_IS_UI_RESOURCE,
895 &sourceIsUIResource);
896 NS_ENSURE_SUCCESS(rv, rv);
897 if (sourceIsUIResource) {
898 return NS_OK;
899 }
900
901 if (targetScheme.EqualsLiteral("resource")) {
902 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
903 return NS_OK;
904 }
905
906 nsCOMPtr<nsIProtocolHandler> ph;
907 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
908 NS_ENSURE_SUCCESS(rv, rv);
909 if (!ph) {
910 return NS_ERROR_DOM_BAD_URI;
911 }
912
913 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
914 if (!rph) {
915 return NS_ERROR_DOM_BAD_URI;
916 }
917
918 bool accessAllowed = false;
919 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
920 if (accessAllowed) {
921 return NS_OK;
922 }
923 } else if (targetScheme.EqualsLiteral("chrome")) {
924 // Allow the load only if the chrome package is allowlisted.
925 nsCOMPtr<nsIXULChromeRegistry> reg(
926 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
927 if (reg) {
928 bool accessAllowed = false;
929 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
930 if (accessAllowed) {
931 return NS_OK;
932 }
933 }
934 }
935 }
936
937 if (reportErrors) {
938 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
939 aInnerWindowID);
940 }
941 return NS_ERROR_DOM_BAD_URI;
942 }
943
944 // Check for target URI pointing to a file
945 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
946 &hasFlags);
947 NS_ENSURE_SUCCESS(rv, rv);
948 if (hasFlags) {
949 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
950 // this array is empty.
951 bool isAllowlisted;
952 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
953 if (isAllowlisted) {
954 return NS_OK;
955 }
956
957 // Allow chrome://
958 if (aSourceBaseURI->SchemeIs("chrome")) {
959 return NS_OK;
960 }
961
962 // Nothing else.
963 if (reportErrors) {
964 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
965 aInnerWindowID);
966 }
967 return NS_ERROR_DOM_BAD_URI;
968 }
969
970 // OK, everyone is allowed to load this, since unflagged handlers are
971 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
972 // need to warn. At some point we'll want to make this warning into an
973 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
974 rv = NS_URIChainHasFlags(
975 aTargetBaseURI, nsIProtocolHandler::URI_LOADABLE_BY_ANYONE, &hasFlags);
976 NS_ENSURE_SUCCESS(rv, rv);
977 // NB: we also get here if the base URI is URI_LOADABLE_BY_SUBSUMERS,
978 // and none of the rest of the nested chain of URIs for aTargetURI
979 // prohibits the load, so avoid warning in that case:
980 bool hasSubsumersFlag = false;
981 rv = NS_URIChainHasFlags(aTargetBaseURI,
982 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
983 &hasSubsumersFlag);
984 NS_ENSURE_SUCCESS(rv, rv);
985 if (!hasFlags && !hasSubsumersFlag) {
986 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
987 if (bundle) {
988 nsAutoString message;
989 AutoTArray<nsString, 1> formatStrings;
990 CopyASCIItoUTF16(targetScheme, *formatStrings.AppendElement());
991 rv = bundle->FormatStringFromName("ProtocolFlagError", formatStrings,
992 message);
993 if (NS_SUCCEEDED(rv)) {
994 nsCOMPtr<nsIConsoleService> console(
995 do_GetService("@mozilla.org/consoleservice;1"));
996 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
997
998 console->LogStringMessage(message.get());
999 }
1000 }
1001 }
1002
1003 return NS_OK;
1004 }
1005
1006 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1007 const nsACString& aSourceSpec,
1008 const nsACString& aTargetSpec,
1009 bool aFromPrivateWindow,
1010 uint64_t aInnerWindowID) {
1011 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1012 return NS_OK;
1013 }
1014
1015 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1016 if (NS_WARN_IF(!bundle)) {
1017 return NS_OK;
1018 }
1019
1020 // Localize the error message
1021 nsAutoString message;
1022 AutoTArray<nsString, 2> formatStrings;
1023 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1024 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1025 nsresult rv =
1026 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1027 NS_ENSURE_SUCCESS(rv, rv);
1028
1029 nsCOMPtr<nsIConsoleService> console(
1030 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1031 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1032 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1033 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1034
1035 // using category of "SOP" so we can link to MDN
1036 if (aInnerWindowID != 0) {
1037 rv = error->InitWithWindowID(message, EmptyString(), EmptyString(), 0, 0,
1038 nsIScriptError::errorFlag,
1039 NS_LITERAL_CSTRING("SOP"), aInnerWindowID,
1040 true /* From chrome context */);
1041 } else {
1042 rv = error->Init(message, EmptyString(), EmptyString(), 0, 0,
1043 nsIScriptError::errorFlag, "SOP", aFromPrivateWindow,
1044 true /* From chrome context */);
1045 }
1046 NS_ENSURE_SUCCESS(rv, rv);
1047 console->LogMessage(error);
1048 return NS_OK;
1049 }
1050
1051 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1052 nsIURI* aSource, nsIURI* aTarget,
1053 bool aFromPrivateWindow,
1054 uint64_t aInnerWindowID) {
1055 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1056
1057 // Get the source URL spec
1058 nsAutoCString sourceSpec;
1059 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1060 NS_ENSURE_SUCCESS(rv, rv);
1061
1062 // Get the target URL spec
1063 nsAutoCString targetSpec;
1064 rv = aTarget->GetAsciiSpec(targetSpec);
1065 NS_ENSURE_SUCCESS(rv, rv);
1066
1067 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1068 aInnerWindowID);
1069 }
1070
1071 NS_IMETHODIMP
1072 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1073 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1074 uint32_t aFlags) {
1075 nsresult rv;
1076 nsCOMPtr<nsIURI> target;
1077 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1078 NS_ENSURE_SUCCESS(rv, rv);
1079
1080 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1081 if (rv == NS_ERROR_DOM_BAD_URI) {
1082 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1083 // return values.
1084 return rv;
1085 }
1086 NS_ENSURE_SUCCESS(rv, rv);
1087
1088 // Now start testing fixup -- since aTargetURIStr is a string, not
1089 // an nsIURI, we may well end up fixing it up before loading.
1090 // Note: This needs to stay in sync with the nsIURIFixup api.
1091 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1092 if (!fixup) {
1093 return rv;
1094 }
1095
1096 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1097 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
1098 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
1099 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
1100 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
1101 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI};
1102
1103 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1104 uint32_t fixupFlags = flags[i];
1105 if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1106 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1107 }
1108 rv = fixup->CreateFixupURI(aTargetURIStr, fixupFlags, nullptr,
1109 getter_AddRefs(target));
1110 NS_ENSURE_SUCCESS(rv, rv);
1111
1112 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1113 if (rv == NS_ERROR_DOM_BAD_URI) {
1114 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1115 // return values.
1116 return rv;
1117 }
1118 NS_ENSURE_SUCCESS(rv, rv);
1119 }
1120
1121 return rv;
1122 }
1123
1124 NS_IMETHODIMP
1125 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1126 MOZ_ASSERT(aUri);
1127 MOZ_ASSERT(aResult);
1128
1129 *aResult = false;
1130 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1131 if (EqualOrSubdomain(aUri, uri)) {
1132 *aResult = true;
1133 return NS_OK;
1134 }
1135 }
1136
1137 return NS_OK;
1138 }
1139
1140 ///////////////// Principals ///////////////////////
1141
1142 NS_IMETHODIMP
1143 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1144 NS_ADDREF(*result = mSystemPrincipal);
1145
1146 return NS_OK;
1147 }
1148
1149 NS_IMETHODIMP
1150 nsScriptSecurityManager::CreateContentPrincipal(
1151 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1152 nsIPrincipal** aPrincipal) {
1153 OriginAttributes attrs;
1154 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1155 return NS_ERROR_INVALID_ARG;
1156 }
1157 nsCOMPtr<nsIPrincipal> prin =
1158 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1159 prin.forget(aPrincipal);
1160 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1161 }
1162
1163 NS_IMETHODIMP
1164 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1165 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1166 if (StringBeginsWith(aOrigin, NS_LITERAL_CSTRING("["))) {
1167 return NS_ERROR_INVALID_ARG;
1168 }
1169
1170 if (StringBeginsWith(aOrigin,
1171 NS_LITERAL_CSTRING(NS_NULLPRINCIPAL_SCHEME ":"))) {
1172 return NS_ERROR_INVALID_ARG;
1173 }
1174
1175 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1176 prin.forget(aPrincipal);
1177 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1178 }
1179
1180 NS_IMETHODIMP
1181 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1182 nsACString& aJSON) {
1183 aJSON.Truncate();
1184 if (!aPrincipal) {
1185 return NS_ERROR_FAILURE;
1186 }
1187
1188 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1189
1190 if (aJSON.IsEmpty()) {
1191 return NS_ERROR_FAILURE;
1192 }
1193
1194 return NS_OK;
1195 }
1196
1197 NS_IMETHODIMP
1198 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1199 nsIPrincipal** aPrincipal) {
1200 if (aJSON.IsEmpty()) {
1201 return NS_ERROR_FAILURE;
1202 }
1203
1204 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1205
1206 if (!principal) {
1207 return NS_ERROR_FAILURE;
1208 }
1209
1210 principal.forget(aPrincipal);
1211 return NS_OK;
1212 }
1213
1214 NS_IMETHODIMP
1215 nsScriptSecurityManager::CreateNullPrincipal(
1216 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1217 nsIPrincipal** aPrincipal) {
1218 OriginAttributes attrs;
1219 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1220 return NS_ERROR_INVALID_ARG;
1221 }
1222 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1223 prin.forget(aPrincipal);
1224 return NS_OK;
1225 }
1226
1227 NS_IMETHODIMP
1228 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1229 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1230 NS_ENSURE_STATE(aLoadContext);
1231 OriginAttributes docShellAttrs;
1232 aLoadContext->GetOriginAttributes(docShellAttrs);
1233
1234 nsCOMPtr<nsIPrincipal> prin =
1235 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1236 prin.forget(aPrincipal);
1237 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1238 }
1239
1240 NS_IMETHODIMP
1241 nsScriptSecurityManager::GetDocShellContentPrincipal(
1242 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1243 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1244 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1245 prin.forget(aPrincipal);
1246 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1247 }
1248
1249 NS_IMETHODIMP
1250 nsScriptSecurityManager::PrincipalWithOA(
1251 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1252 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1253 if (!aPrincipal) {
1254 return NS_OK;
1255 }
1256 if (aPrincipal->GetIsContentPrincipal()) {
1257 OriginAttributes attrs;
1258 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1259 return NS_ERROR_INVALID_ARG;
1260 }
1261 RefPtr<ContentPrincipal> copy = new ContentPrincipal();
1262 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1263 nsresult rv = copy->Init(contentPrincipal, attrs);
1264 NS_ENSURE_SUCCESS(rv, rv);
1265 copy.forget(aReturnPrincipal);
1266 } else {
1267 // We do this for null principals, system principals (both fine)
1268 // ... and expanded principals, where we should probably do something
1269 // cleverer, but I also don't think we care too much.
1270 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1271 prin.forget(aReturnPrincipal);
1272 }
1273
1274 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1275 }
1276
1277 NS_IMETHODIMP
1278 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1279 nsISupports* aObj,
1280 nsIClassInfo* aClassInfo) {
1281 // XXX Special case for Exception ?
1282
1283 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1284 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1285 MOZ_RELEASE_ASSERT(contextRealm);
1286 if (!xpc::AllowContentXBLScope(contextRealm)) {
1287 return NS_OK;
1288 }
1289
1290 if (nsContentUtils::IsCallerChrome()) {
1291 return NS_OK;
1292 }
1293
1294 //-- Access denied, report an error
1295 nsAutoCString originUTF8;
1296 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1297 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1298 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1299 nsAutoCString classInfoNameUTF8;
1300 if (aClassInfo) {
1301 aClassInfo->GetClassDescription(classInfoNameUTF8);
1302 }
1303 if (classInfoNameUTF8.IsEmpty()) {
1304 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1305 }
1306
1307 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1308 if (NS_WARN_IF(!bundle)) {
1309 return NS_OK;
1310 }
1311
1312 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1313 nsresult rv;
1314 nsAutoString errorMsg;
1315 if (originUTF16.IsEmpty()) {
1316 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1317 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1318 errorMsg);
1319 } else {
1320 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1321 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1322 formatStrings, errorMsg);
1323 }
1324 NS_ENSURE_SUCCESS(rv, rv);
1325
1326 SetPendingException(cx, errorMsg.get());
1327 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1328 }
1329
1330 NS_IMETHODIMP
1331 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1332 if (nsContentUtils::IsCallerChrome()) {
1333 return NS_OK;
1334 }
1335
1336 //-- Access denied, report an error
1337 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1338 char cidStr[NSID_LENGTH];
1339 aCID.ToProvidedString(cidStr);
1340 errorMsg.Append(cidStr);
1341 SetPendingExceptionASCII(cx, errorMsg.get());
1342 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1343 }
1344
1345 NS_IMETHODIMP
1346 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1347 if (nsContentUtils::IsCallerChrome()) {
1348 return NS_OK;
1349 }
1350
1351 //-- Access denied, report an error
1352 nsAutoCString errorMsg("Permission denied to get service. CID=");
1353 char cidStr[NSID_LENGTH];
1354 aCID.ToProvidedString(cidStr);
1355 errorMsg.Append(cidStr);
1356 SetPendingExceptionASCII(cx, errorMsg.get());
1357 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1358 }
1359
1360 const char sJSEnabledPrefName[] = "javascript.enabled";
1361 const char sFileOriginPolicyPrefName[] =
1362 "security.fileuri.strict_origin_policy";
1363
1364 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1365 sFileOriginPolicyPrefName,
1366 "capability.policy.", nullptr};
1367
1368 /////////////////////////////////////////////
1369 // Constructor, Destructor, Initialization //
1370 /////////////////////////////////////////////
1371 nsScriptSecurityManager::nsScriptSecurityManager(void)
1372 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1373 static_assert(
1374 sizeof(intptr_t) == sizeof(void*),
1375 "intptr_t and void* have different lengths on this platform. "
1376 "This may cause a security failure with the SecurityLevel union.");
1377 }
1378
1379 nsresult nsScriptSecurityManager::Init() {
1380 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1381 NS_ENSURE_SUCCESS(rv, rv);
1382
1383 InitPrefs();
1384
1385 // Create our system principal singleton
1386 RefPtr<SystemPrincipal> system = SystemPrincipal::Create();
1387
1388 mSystemPrincipal = system;
1389
1390 return NS_OK;
1391 }
1392
1393 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1394 //-- Register security check callback in the JS engine
1395 // Currently this is used to control access to function.caller
1396
1397 static const JSSecurityCallbacks securityCallbacks = {
1398 ContentSecurityPolicyPermitsJSAction,
1399 JSPrincipalsSubsume,
1400 };
1401
1402 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1403 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1404 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1405
1406 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1407 }
1408
1409 /* static */
1410 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1411 JS_SetSecurityCallbacks(aCx, nullptr);
1412 JS_SetTrustedPrincipals(aCx, nullptr);
1413 }
1414
1415 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1416
1417 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1418 Preferences::UnregisterPrefixCallbacks(
1419 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1420 if (mDomainPolicy) {
1421 mDomainPolicy->Deactivate();
1422 }
1423 // ContentChild might hold a reference to the domain policy,
1424 // and it might release it only after the security manager is
1425 // gone. But we can still assert this for the main process.
1426 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1427 }
1428
1429 void nsScriptSecurityManager::Shutdown() {
1430 NS_IF_RELEASE(sIOService);
1431 BundleHelper::Shutdown();
1432 }
1433
1434 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1435 return gScriptSecMan;
1436 }
1437
1438 /* static */
1439 void nsScriptSecurityManager::InitStatics() {
1440 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1441 nsresult rv = ssManager->Init();
1442 if (NS_FAILED(rv)) {
1443 MOZ_CRASH("ssManager->Init() failed");
1444 }
1445
1446 ClearOnShutdown(&gScriptSecMan);
1447 gScriptSecMan = ssManager;
1448 }
1449
1450 // Currently this nsGenericFactory constructor is used only from FastLoad
1451 // (XPCOM object deserialization) code, when "creating" the system principal
1452 // singleton.
1453 already_AddRefed<SystemPrincipal>
1454 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1455 if (gScriptSecMan)
1456 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1457 .downcast<SystemPrincipal>();
1458 return nullptr;
1459 }
1460
1461 struct IsWhitespace {
1462 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1463 };
1464 struct IsWhitespaceOrComma {
1465 static bool Test(char aChar) {
1466 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1467 };
1468 };
1469
1470 template <typename Predicate>
1471 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1472 while (base < str.Length() && Predicate::Test(str[base])) {
1473 ++base;
1474 }
1475 return base;
1476 }
1477
1478 template <typename Predicate>
1479 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1480 while (base < str.Length() && !Predicate::Test(str[base])) {
1481 ++base;
1482 }
1483 return base;
1484 }
1485
1486 // static
1487 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1488 void* aSelf) {
1489 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1490 aPref);
1491 }
1492
1493 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1494 const char* aPref) {
1495 MOZ_ASSERT(mPrefInitialized);
1496 mIsJavaScriptEnabled =
1497 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1498 sStrictFileOriginPolicy =
1499 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1500 mFileURIAllowlist.reset();
1501 }
1502
1503 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1504 const nsCString& aSiteList) {
1505 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1506 base < aSiteList.Length();
1507 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1508 // Grab the current site.
1509 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1510 nsAutoCString site(Substring(aSiteList, base, bound - base));
1511
1512 // Check if the URI is schemeless. If so, add both http and https.
1513 nsAutoCString unused;
1514 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1515 AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("http://") + site);
1516 AddSitesToFileURIAllowlist(NS_LITERAL_CSTRING("https://") + site);
1517 continue;
1518 }
1519
1520 // Convert it to a URI and add it to our list.
1521 nsCOMPtr<nsIURI> uri;
1522 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1523 if (NS_SUCCEEDED(rv)) {
1524 mFileURIAllowlist.ref().AppendElement(uri);
1525 } else {
1526 nsCOMPtr<nsIConsoleService> console(
1527 do_GetService("@mozilla.org/consoleservice;1"));
1528 if (console) {
1529 nsAutoString msg =
1530 NS_LITERAL_STRING(
1531 "Unable to to add site to file:// URI allowlist: ") +
1532 NS_ConvertASCIItoUTF16(site);
1533 console->LogStringMessage(msg.get());
1534 }
1535 }
1536 }
1537 }
1538
1539 nsresult nsScriptSecurityManager::InitPrefs() {
1540 nsIPrefBranch* branch = Preferences::GetRootBranch();
1541 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1542
1543 mPrefInitialized = true;
1544
1545 // Set the initial value of the "javascript.enabled" prefs
1546 ScriptSecurityPrefChanged();
1547
1548 // set observer callbacks in case the value of the prefs change
1549 Preferences::RegisterPrefixCallbacks(
1550 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1551
1552 return NS_OK;
1553 }
1554
1555 NS_IMETHODIMP
1556 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1557 *aRv = !!mDomainPolicy;
1558 return NS_OK;
1559 }
1560
1561 NS_IMETHODIMP
1562 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1563 if (!XRE_IsParentProcess()) {
1564 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1565 }
1566
1567 return ActivateDomainPolicyInternal(aRv);
1568 }
1569
1570 NS_IMETHODIMP
1571 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1572 // We only allow one domain policy at a time. The holder of the previous
1573 // policy must explicitly deactivate it first.
1574 if (mDomainPolicy) {
1575 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1576 }
1577
1578 mDomainPolicy = new DomainPolicy();
1579 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1580 ptr.forget(aRv);
1581 return NS_OK;
1582 }
1583
1584 // Intentionally non-scriptable. Script must have a reference to the
1585 // nsIDomainPolicy to deactivate it.
1586 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1587 mDomainPolicy = nullptr;
1588 }
1589
1590 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1591 MOZ_ASSERT(aClone);
1592 if (mDomainPolicy) {
1593 mDomainPolicy->CloneDomainPolicy(aClone);
1594 } else {
1595 aClone->active() = false;
1596 }
1597 }
1598
1599 NS_IMETHODIMP
1600 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1601 nsresult rv;
1602
1603 // Compute our rule. If we don't have any domain policy set up that might
1604 // provide exceptions to this rule, we're done.
1605 *aRv = mIsJavaScriptEnabled;
1606 if (!mDomainPolicy) {
1607 return NS_OK;
1608 }
1609
1610 // We have a domain policy. Grab the appropriate set of exceptions to the
1611 // rule (either the blocklist or the allowlist, depending on whether script
1612 // is enabled or disabled by default).
1613 nsCOMPtr<nsIDomainSet> exceptions;
1614 nsCOMPtr<nsIDomainSet> superExceptions;
1615 if (*aRv) {
1616 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1617 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1618 } else {
1619 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1620 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1621 }
1622
1623 bool contains;
1624 rv = exceptions->Contains(aURI, &contains);
1625 NS_ENSURE_SUCCESS(rv, rv);
1626 if (contains) {
1627 *aRv = !*aRv;
1628 return NS_OK;
1629 }
1630 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1631 NS_ENSURE_SUCCESS(rv, rv);
1632 if (contains) {
1633 *aRv = !*aRv;
1634 }
1635
1636 return NS_OK;
1637 }
1638
1639 const nsTArray<nsCOMPtr<nsIURI>>&
1640 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1641 if (mFileURIAllowlist.isSome()) {
1642 return mFileURIAllowlist.ref();
1643 }
1644
1645 //
1646 // Rebuild the set of principals for which we allow file:// URI loads. This
1647 // implements a small subset of an old pref-based CAPS people that people
1648 // have come to depend on. See bug 995943.
1649 //
1650
1651 mFileURIAllowlist.emplace();
1652 nsAutoCString policies;
1653 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1654 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1655 base < policies.Length();
1656 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1657 // Grab the current policy name.
1658 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1659 auto policyName = Substring(policies, base, bound - base);
1660
1661 // Figure out if this policy allows loading file:// URIs. If not, we can
1662 // skip it.
1663 nsCString checkLoadURIPrefName =
1664 NS_LITERAL_CSTRING("capability.policy.") + policyName +
1665 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1666 nsAutoString value;
1667 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1668 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1669 continue;
1670 }
1671
1672 // Grab the list of domains associated with this policy.
1673 nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1674 policyName + NS_LITERAL_CSTRING(".sites");
1675 nsAutoCString siteList;
1676 Preferences::GetCString(domainPrefName.get(), siteList);
1677 AddSitesToFileURIAllowlist(siteList);
1678 }
1679
1680 return mFileURIAllowlist.ref();
1681 }