1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "nsScriptSecurityManager.h"
9 #include "mozilla/ArrayUtils.h"
11 #include "xpcprivate.h"
12 #include "XPCWrapper.h"
13 #include "nsIAppsService.h"
14 #include "nsILoadContext.h"
15 #include "nsIServiceManager.h"
16 #include "nsIScriptObjectPrincipal.h"
17 #include "nsIScriptContext.h"
19 #include "nsINestedURI.h"
21 #include "nsJSPrincipals.h"
22 #include "nsSystemPrincipal.h"
23 #include "nsPrincipal.h"
24 #include "nsNullPrincipal.h"
25 #include "DomainPolicy.h"
26 #include "nsXPIDLString.h"
28 #include "nsCRTGlue.h"
31 #include "nsIXPConnect.h"
32 #include "nsTextFormatter.h"
33 #include "nsIStringBundle.h"
34 #include "nsNetUtil.h"
35 #include "nsIEffectiveTLDService.h"
36 #include "nsIProperties.h"
37 #include "nsDirectoryServiceDefs.h"
39 #include "nsIFileURL.h"
40 #include "nsIZipReader.h"
41 #include "nsIXPConnect.h"
42 #include "nsIScriptGlobalObject.h"
43 #include "nsPIDOMWindow.h"
44 #include "nsIDocShell.h"
45 #include "nsIPrompt.h"
46 #include "nsIWindowWatcher.h"
47 #include "nsIConsoleService.h"
48 #include "nsIJSRuntimeService.h"
49 #include "nsIObserverService.h"
50 #include "nsIContent.h"
51 #include "nsAutoPtr.h"
52 #include "nsDOMJSUtils.h"
53 #include "nsAboutProtocolUtils.h"
54 #include "nsIClassInfo.h"
55 #include "nsIURIFixup.h"
56 #include "nsCDefaultURIFixup.h"
57 #include "nsIChromeRegistry.h"
58 #include "nsIContentSecurityPolicy.h"
59 #include "nsIAsyncVerifyRedirectCallback.h"
60 #include "mozIApplication.h"
61 #include "mozilla/Preferences.h"
62 #include "mozilla/dom/BindingUtils.h"
64 #include "mozilla/dom/ScriptSettings.h"
65 #include "mozilla/ClearOnShutdown.h"
66 #include "mozilla/StaticPtr.h"
67 #include "nsContentUtils.h"
68 #include "nsJSUtils.h"
69 #include "nsILoadInfo.h"
71 // This should be probably defined on some other place... but I couldn't find it
72 #define WEBAPPS_PERM_NAME "webapps-manage"
74 using namespace mozilla
;
75 using namespace mozilla::dom
;
77 nsIIOService
*nsScriptSecurityManager::sIOService
= nullptr;
78 nsIStringBundle
*nsScriptSecurityManager::sStrBundle
= nullptr;
79 JSRuntime
*nsScriptSecurityManager::sRuntime
= 0;
80 bool nsScriptSecurityManager::sStrictFileOriginPolicy
= true;
82 ///////////////////////////
83 // Convenience Functions //
84 ///////////////////////////
86 class nsAutoInPrincipalDomainOriginSetter
{
88 nsAutoInPrincipalDomainOriginSetter() {
89 ++sInPrincipalDomainOrigin
;
91 ~nsAutoInPrincipalDomainOriginSetter() {
92 --sInPrincipalDomainOrigin
;
94 static uint32_t sInPrincipalDomainOrigin
;
96 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
;
100 GetOriginFromURI(nsIURI
* aURI
, nsACString
& aOrigin
)
102 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
> 1) {
103 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
104 // might be happening on a different principal from the first call. But
105 // after that, cut off the recursion; it just indicates that something
106 // we're doing in this method causes us to reenter a security check here.
107 return NS_ERROR_NOT_AVAILABLE
;
110 nsAutoInPrincipalDomainOriginSetter autoSetter
;
112 nsCOMPtr
<nsIURI
> uri
= NS_GetInnermostURI(aURI
);
113 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
115 nsAutoCString hostPort
;
117 nsresult rv
= uri
->GetHostPort(hostPort
);
118 if (NS_SUCCEEDED(rv
)) {
119 nsAutoCString scheme
;
120 rv
= uri
->GetScheme(scheme
);
121 NS_ENSURE_SUCCESS(rv
, rv
);
122 aOrigin
= scheme
+ NS_LITERAL_CSTRING("://") + hostPort
;
125 // Some URIs (e.g., nsSimpleURI) don't support host. Just
126 // get the full spec.
127 rv
= uri
->GetSpec(aOrigin
);
128 NS_ENSURE_SUCCESS(rv
, rv
);
136 GetPrincipalDomainOrigin(nsIPrincipal
* aPrincipal
,
140 nsCOMPtr
<nsIURI
> uri
;
141 aPrincipal
->GetDomain(getter_AddRefs(uri
));
143 aPrincipal
->GetURI(getter_AddRefs(uri
));
145 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
147 return GetOriginFromURI(uri
, aOrigin
);
150 inline void SetPendingException(JSContext
*cx
, const char *aMsg
)
152 JS_ReportError(cx
, "%s", aMsg
);
155 inline void SetPendingException(JSContext
*cx
, const char16_t
*aMsg
)
157 JS_ReportError(cx
, "%hs", aMsg
);
160 // Helper class to get stuff from the ClassInfo and not waste extra time with
161 // virtual method calls for things it has already gotten
165 ClassInfoData(nsIClassInfo
*aClassInfo
, const char *aName
)
166 : mClassInfo(aClassInfo
),
167 mName(const_cast<char *>(aName
)),
176 nsMemory::Free(mName
);
183 nsresult rv
= mClassInfo
->GetFlags(&mFlags
);
199 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT
);
202 const char* GetName()
206 mClassInfo
->GetClassDescription(&mName
);
210 mMustFreeName
= true;
212 mName
= const_cast<char *>("UnnamedClass");
220 nsIClassInfo
*mClassInfo
; // WEAK
228 nsScriptSecurityManager::GetCurrentJSContext()
230 // Get JSContext from stack.
231 return nsXPConnect::XPConnect()->GetCurrentJSContext();
235 nsScriptSecurityManager::GetSafeJSContext()
237 // Get JSContext from stack.
238 return nsXPConnect::XPConnect()->GetSafeJSContext();
243 nsScriptSecurityManager::SecurityCompareURIs(nsIURI
* aSourceURI
,
246 return NS_SecurityCompareURIs(aSourceURI
, aTargetURI
, sStrictFileOriginPolicy
);
249 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
250 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
252 nsScriptSecurityManager::SecurityHashURI(nsIURI
* aURI
)
254 return NS_SecurityHashURI(aURI
);
258 nsScriptSecurityManager::AppStatusForPrincipal(nsIPrincipal
*aPrin
)
260 uint32_t appId
= aPrin
->GetAppId();
261 bool inMozBrowser
= aPrin
->GetIsInBrowserElement();
262 NS_WARN_IF_FALSE(appId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
,
263 "Asking for app status on a principal with an unknown app id");
264 // Installed apps have a valid app id (not NO_APP_ID or UNKNOWN_APP_ID)
265 // and they are not inside a mozbrowser.
266 if (appId
== nsIScriptSecurityManager::NO_APP_ID
||
267 appId
== nsIScriptSecurityManager::UNKNOWN_APP_ID
|| inMozBrowser
)
269 return nsIPrincipal::APP_STATUS_NOT_INSTALLED
;
272 nsCOMPtr
<nsIAppsService
> appsService
= do_GetService(APPS_SERVICE_CONTRACTID
);
273 NS_ENSURE_TRUE(appsService
, nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
275 nsCOMPtr
<mozIApplication
> app
;
276 appsService
->GetAppByLocalId(appId
, getter_AddRefs(app
));
277 NS_ENSURE_TRUE(app
, nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
279 uint16_t status
= nsIPrincipal::APP_STATUS_INSTALLED
;
280 NS_ENSURE_SUCCESS(app
->GetAppStatus(&status
),
281 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
283 nsAutoCString origin
;
284 NS_ENSURE_SUCCESS(aPrin
->GetOrigin(getter_Copies(origin
)),
285 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
287 NS_ENSURE_SUCCESS(app
->GetOrigin(appOrigin
),
288 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
290 // We go from string -> nsIURI -> origin to be sure we
291 // compare two punny-encoded origins.
292 nsCOMPtr
<nsIURI
> appURI
;
293 NS_ENSURE_SUCCESS(NS_NewURI(getter_AddRefs(appURI
), appOrigin
),
294 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
296 nsAutoCString appOriginPunned
;
297 NS_ENSURE_SUCCESS(nsPrincipal::GetOriginForURI(appURI
, getter_Copies(appOriginPunned
)),
298 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
300 if (!appOriginPunned
.Equals(origin
)) {
301 return nsIPrincipal::APP_STATUS_NOT_INSTALLED
;
309 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel
* aChannel
,
310 nsIPrincipal
** aPrincipal
)
312 NS_PRECONDITION(aChannel
, "Must have channel!");
313 nsCOMPtr
<nsISupports
> owner
;
314 aChannel
->GetOwner(getter_AddRefs(owner
));
316 CallQueryInterface(owner
, aPrincipal
);
322 // Check whether we have an nsILoadInfo that says what we should do.
323 nsCOMPtr
<nsILoadInfo
> loadInfo
;
324 aChannel
->GetLoadInfo(getter_AddRefs(loadInfo
));
326 if (loadInfo
->GetLoadingSandboxed()) {
327 nsRefPtr
<nsNullPrincipal
> prin
=
328 nsNullPrincipal::CreateWithInheritedAttributes(loadInfo
->LoadingPrincipal());
329 NS_ENSURE_TRUE(prin
, NS_ERROR_FAILURE
);
330 prin
.forget(aPrincipal
);
334 if (loadInfo
->GetForceInheritPrincipal()) {
335 NS_ADDREF(*aPrincipal
= loadInfo
->TriggeringPrincipal());
339 return GetChannelURIPrincipal(aChannel
, aPrincipal
);
343 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel
* aChannel
,
344 nsIPrincipal
** aPrincipal
)
346 NS_PRECONDITION(aChannel
, "Must have channel!");
348 // Get the principal from the URI. Make sure this does the same thing
349 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
350 nsCOMPtr
<nsIURI
> uri
;
351 nsresult rv
= NS_GetFinalChannelURI(aChannel
, getter_AddRefs(uri
));
352 NS_ENSURE_SUCCESS(rv
, rv
);
354 nsCOMPtr
<nsILoadContext
> loadContext
;
355 NS_QueryNotificationCallbacks(aChannel
, loadContext
);
358 return GetLoadContextCodebasePrincipal(uri
, loadContext
, aPrincipal
);
361 return GetCodebasePrincipalInternal(uri
, UNKNOWN_APP_ID
,
362 /* isInBrowserElement */ false, aPrincipal
);
366 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal
* aPrincipal
,
369 *aIsSystem
= (aPrincipal
== mSystemPrincipal
);
373 /////////////////////////////
374 // nsScriptSecurityManager //
375 /////////////////////////////
377 ////////////////////////////////////
378 // Methods implementing ISupports //
379 ////////////////////////////////////
380 NS_IMPL_ISUPPORTS(nsScriptSecurityManager
,
381 nsIScriptSecurityManager
,
385 ///////////////////////////////////////////////////
386 // Methods implementing nsIScriptSecurityManager //
387 ///////////////////////////////////////////////////
389 ///////////////// Security Checks /////////////////
392 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext
*cx
)
394 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
395 nsCOMPtr
<nsIPrincipal
> subjectPrincipal
= nsContentUtils::SubjectPrincipal();
396 nsCOMPtr
<nsIContentSecurityPolicy
> csp
;
397 nsresult rv
= subjectPrincipal
->GetCsp(getter_AddRefs(csp
));
398 NS_ASSERTION(NS_SUCCEEDED(rv
), "CSP: Failed to get CSP from principal.");
400 // don't do anything unless there's a CSP
405 bool reportViolation
= false;
406 rv
= csp
->GetAllowsEval(&reportViolation
, &evalOK
);
410 NS_WARNING("CSP: failed to get allowsEval");
411 return true; // fail open to not break sites.
414 if (reportViolation
) {
415 nsAutoString fileName
;
416 unsigned lineNum
= 0;
417 NS_NAMED_LITERAL_STRING(scriptSample
, "call to eval() or related function blocked by CSP");
419 JS::AutoFilename scriptFilename
;
420 if (JS::DescribeScriptedCaller(cx
, &scriptFilename
, &lineNum
)) {
421 if (const char *file
= scriptFilename
.get()) {
422 CopyUTF8toUTF16(nsDependentCString(file
), fileName
);
425 csp
->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
,
438 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals
*first
,
439 JSPrincipals
*second
)
441 return nsJSPrincipals::get(first
)->Subsumes(nsJSPrincipals::get(second
));
445 nsScriptSecurityManager::CheckSameOriginURI(nsIURI
* aSourceURI
,
449 if (!SecurityCompareURIs(aSourceURI
, aTargetURI
))
452 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
453 aSourceURI
, aTargetURI
);
455 return NS_ERROR_DOM_BAD_URI
;
461 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal
* aPrincipal
)
463 nsCOMPtr
<nsIURI
> uri
;
464 aPrincipal
->GetDomain(getter_AddRefs(uri
));
466 aPrincipal
->GetURI(getter_AddRefs(uri
));
467 return SecurityHashURI(uri
);
471 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal
* aFirst
,
472 nsIPrincipal
* aSecond
)
474 MOZ_ASSERT(aFirst
&& aSecond
, "Don't pass null pointers!");
476 uint32_t firstAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
477 if (!aFirst
->GetUnknownAppId()) {
478 firstAppId
= aFirst
->GetAppId();
481 uint32_t secondAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
482 if (!aSecond
->GetUnknownAppId()) {
483 secondAppId
= aSecond
->GetAppId();
486 return ((firstAppId
== secondAppId
) &&
487 (aFirst
->GetIsInBrowserElement() == aSecond
->GetIsInBrowserElement()));
491 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext
*cx
, nsIURI
*aURI
)
493 // Get principal of currently executing script.
494 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
495 nsIPrincipal
* principal
= nsContentUtils::SubjectPrincipal();
496 nsresult rv
= CheckLoadURIWithPrincipal(principal
, aURI
,
497 nsIScriptSecurityManager::STANDARD
);
498 if (NS_SUCCEEDED(rv
)) {
503 // See if we're attempting to load a file: URI. If so, let a
504 // UniversalXPConnect capability trump the above check.
507 if (NS_FAILED(aURI
->SchemeIs("file", &isFile
)) ||
508 NS_FAILED(aURI
->SchemeIs("resource", &isRes
)))
509 return NS_ERROR_FAILURE
;
512 if (nsContentUtils::IsCallerChrome())
518 if (NS_FAILED(aURI
->GetAsciiSpec(spec
)))
519 return NS_ERROR_FAILURE
;
520 nsAutoCString
msg("Access to '");
522 msg
.AppendLiteral("' from script denied");
523 SetPendingException(cx
, msg
.get());
524 return NS_ERROR_DOM_BAD_URI
;
528 * Helper method to handle cases where a flag passed to
529 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
530 * nsIProtocolHandler flags set.
531 * @return if success, access is allowed. Otherwise, deny access
534 DenyAccessIfURIHasFlags(nsIURI
* aURI
, uint32_t aURIFlags
)
536 NS_PRECONDITION(aURI
, "Must have URI!");
540 NS_URIChainHasFlags(aURI
, aURIFlags
, &uriHasFlags
);
541 NS_ENSURE_SUCCESS(rv
, rv
);
544 return NS_ERROR_DOM_BAD_URI
;
551 EqualOrSubdomain(nsIURI
* aProbeArg
, nsIURI
* aBase
)
553 // Make a clone of the incoming URI, because we're going to mutate it.
554 nsCOMPtr
<nsIURI
> probe
;
555 nsresult rv
= aProbeArg
->Clone(getter_AddRefs(probe
));
556 NS_ENSURE_SUCCESS(rv
, false);
558 nsCOMPtr
<nsIEffectiveTLDService
> tldService
= do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID
);
559 NS_ENSURE_TRUE(tldService
, false);
561 if (nsScriptSecurityManager::SecurityCompareURIs(probe
, aBase
)) {
565 nsAutoCString host
, newHost
;
566 nsresult rv
= probe
->GetHost(host
);
567 NS_ENSURE_SUCCESS(rv
, false);
569 rv
= tldService
->GetNextSubDomain(host
, newHost
);
570 if (rv
== NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS
) {
573 NS_ENSURE_SUCCESS(rv
, false);
574 rv
= probe
->SetHost(newHost
);
575 NS_ENSURE_SUCCESS(rv
, false);
580 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal
* aPrincipal
,
584 NS_PRECONDITION(aPrincipal
, "CheckLoadURIWithPrincipal must have a principal");
585 // If someone passes a flag that we don't understand, we should
586 // fail, because they may need a security check that we don't
588 NS_ENSURE_FALSE(aFlags
& ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
589 nsIScriptSecurityManager::ALLOW_CHROME
|
590 nsIScriptSecurityManager::DISALLOW_SCRIPT
|
591 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
|
592 nsIScriptSecurityManager::DONT_REPORT_ERRORS
),
593 NS_ERROR_UNEXPECTED
);
594 NS_ENSURE_ARG_POINTER(aPrincipal
);
595 NS_ENSURE_ARG_POINTER(aTargetURI
);
597 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
598 // would do such inheriting. That would be URIs that do not have their own
599 // security context. We do this even for the system principal.
600 if (aFlags
& nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
) {
602 DenyAccessIfURIHasFlags(aTargetURI
,
603 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
);
604 NS_ENSURE_SUCCESS(rv
, rv
);
607 if (aPrincipal
== mSystemPrincipal
) {
612 nsCOMPtr
<nsIURI
> sourceURI
;
613 aPrincipal
->GetURI(getter_AddRefs(sourceURI
));
615 nsCOMPtr
<nsIExpandedPrincipal
> expanded
= do_QueryInterface(aPrincipal
);
617 nsTArray
< nsCOMPtr
<nsIPrincipal
> > *whiteList
;
618 expanded
->GetWhiteList(&whiteList
);
619 for (uint32_t i
= 0; i
< whiteList
->Length(); ++i
) {
620 nsresult rv
= CheckLoadURIWithPrincipal((*whiteList
)[i
],
623 if (NS_SUCCEEDED(rv
)) {
624 // Allow access if it succeeded with one of the white listed principals
628 // None of our whitelisted principals worked.
629 return NS_ERROR_DOM_BAD_URI
;
631 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
633 return NS_ERROR_UNEXPECTED
;
636 // Automatic loads are not allowed from certain protocols.
637 if (aFlags
& nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
) {
639 DenyAccessIfURIHasFlags(sourceURI
,
640 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT
);
641 NS_ENSURE_SUCCESS(rv
, rv
);
644 // If either URI is a nested URI, get the base URI
645 nsCOMPtr
<nsIURI
> sourceBaseURI
= NS_GetInnermostURI(sourceURI
);
646 nsCOMPtr
<nsIURI
> targetBaseURI
= NS_GetInnermostURI(aTargetURI
);
648 //-- get the target scheme
649 nsAutoCString targetScheme
;
650 nsresult rv
= targetBaseURI
->GetScheme(targetScheme
);
651 if (NS_FAILED(rv
)) return rv
;
653 //-- Some callers do not allow loading javascript:
654 if ((aFlags
& nsIScriptSecurityManager::DISALLOW_SCRIPT
) &&
655 targetScheme
.EqualsLiteral("javascript"))
657 return NS_ERROR_DOM_BAD_URI
;
660 NS_NAMED_LITERAL_STRING(errorTag
, "CheckLoadURIError");
661 bool reportErrors
= !(aFlags
& nsIScriptSecurityManager::DONT_REPORT_ERRORS
);
663 // Check for uris that are only loadable by principals that subsume them
665 rv
= NS_URIChainHasFlags(targetBaseURI
,
666 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS
,
668 NS_ENSURE_SUCCESS(rv
, rv
);
671 return aPrincipal
->CheckMayLoad(targetBaseURI
, true, false);
674 //-- get the source scheme
675 nsAutoCString sourceScheme
;
676 rv
= sourceBaseURI
->GetScheme(sourceScheme
);
677 if (NS_FAILED(rv
)) return rv
;
679 if (sourceScheme
.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME
)) {
680 // A null principal can target its own URI.
681 if (sourceURI
== aTargetURI
) {
685 else if (targetScheme
.Equals(sourceScheme
,
686 nsCaseInsensitiveCStringComparator()))
688 // every scheme can access another URI from the same scheme,
689 // as long as they don't represent null principals...
690 // Or they don't require an special permission to do so
694 rv
= NS_URIChainHasFlags(targetBaseURI
,
695 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM
,
697 NS_ENSURE_SUCCESS(rv
, rv
);
700 // Let apps load the whitelisted theme resources even if they don't
701 // have the webapps-manage permission but have the themeable one.
702 // Resources from the theme origin are also allowed to load from
703 // the theme origin (eg. stylesheets using images from the theme).
704 auto themeOrigin
= Preferences::GetCString("b2g.theme.origin");
706 nsAutoCString targetOrigin
;
707 nsPrincipal::GetOriginForURI(targetBaseURI
, getter_Copies(targetOrigin
));
708 if (targetOrigin
.Equals(themeOrigin
)) {
709 nsAutoCString pOrigin
;
710 aPrincipal
->GetOrigin(getter_Copies(pOrigin
));
711 return nsContentUtils::IsExactSitePermAllow(aPrincipal
, "themeable") ||
712 pOrigin
.Equals(themeOrigin
)
713 ? NS_OK
: NS_ERROR_DOM_BAD_URI
;
716 // In this case, we allow opening only if the source and target URIS
717 // are on the same domain, or the opening URI has the webapps
719 if (!SecurityCompareURIs(sourceBaseURI
, targetBaseURI
) &&
720 !nsContentUtils::IsExactSitePermAllow(aPrincipal
, WEBAPPS_PERM_NAME
)) {
721 return NS_ERROR_DOM_BAD_URI
;
727 // If the schemes don't match, the policy is specified by the protocol
728 // flags on the target URI. Note that the order of policy checks here is
729 // very important! We start from most restrictive and work our way down.
730 // Note that since we're working with the innermost URI, we can just use
731 // the methods that work on chains of nested URIs and they will only look
732 // at the flags for our one URI.
734 // Check for system target URI
735 rv
= DenyAccessIfURIHasFlags(targetBaseURI
,
736 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD
);
738 // Deny access, since the origin principal is not system
740 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
745 // Check for chrome target URI
746 rv
= NS_URIChainHasFlags(targetBaseURI
,
747 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
749 NS_ENSURE_SUCCESS(rv
, rv
);
751 if (aFlags
& nsIScriptSecurityManager::ALLOW_CHROME
) {
753 // For now, don't change behavior for resource:// or moz-icon:// and
755 if (!targetScheme
.EqualsLiteral("chrome")) {
759 // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
760 // target if ALLOW_CHROME is set.
762 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
763 // loads (since docshell loads run the loaded content with its origin
764 // principal). So we're effectively allowing resource://, chrome://,
765 // and moz-icon:// source URIs to load resource://, chrome://, and
766 // moz-icon:// files, so long as they're not loading it as a document.
767 bool sourceIsUIResource
;
768 rv
= NS_URIChainHasFlags(sourceBaseURI
,
769 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
770 &sourceIsUIResource
);
771 NS_ENSURE_SUCCESS(rv
, rv
);
772 if (sourceIsUIResource
) {
776 // Allow the load only if the chrome package is whitelisted.
777 nsCOMPtr
<nsIXULChromeRegistry
> reg(do_GetService(
778 NS_CHROMEREGISTRY_CONTRACTID
));
780 bool accessAllowed
= false;
781 reg
->AllowContentToAccess(targetBaseURI
, &accessAllowed
);
788 // Special-case the hidden window: it's allowed to load
789 // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
790 nsAutoCString sourceSpec
;
791 if (NS_SUCCEEDED(sourceBaseURI
->GetSpec(sourceSpec
)) &&
792 sourceSpec
.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
797 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
799 return NS_ERROR_DOM_BAD_URI
;
802 // Check for target URI pointing to a file
803 rv
= NS_URIChainHasFlags(targetBaseURI
,
804 nsIProtocolHandler::URI_IS_LOCAL_FILE
,
806 NS_ENSURE_SUCCESS(rv
, rv
);
808 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
809 // this array is empty.
810 for (size_t i
= 0; i
< mFileURIWhitelist
.Length(); ++i
) {
811 if (EqualOrSubdomain(sourceURI
, mFileURIWhitelist
[i
])) {
816 // resource: and chrome: are equivalent, securitywise
817 // That's bogus!! Fix this. But watch out for
818 // the view-source stylesheet?
820 rv
= NS_URIChainHasFlags(sourceURI
,
821 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
823 NS_ENSURE_SUCCESS(rv
, rv
);
824 if (sourceIsChrome
) {
829 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
831 return NS_ERROR_DOM_BAD_URI
;
834 // OK, everyone is allowed to load this, since unflagged handlers are
835 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
836 // need to warn. At some point we'll want to make this warning into an
837 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
838 rv
= NS_URIChainHasFlags(targetBaseURI
,
839 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE
,
841 NS_ENSURE_SUCCESS(rv
, rv
);
843 nsXPIDLString message
;
844 NS_ConvertASCIItoUTF16
ucsTargetScheme(targetScheme
);
845 const char16_t
* formatStrings
[] = { ucsTargetScheme
.get() };
847 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
849 ArrayLength(formatStrings
),
850 getter_Copies(message
));
851 if (NS_SUCCEEDED(rv
)) {
852 nsCOMPtr
<nsIConsoleService
> console(
853 do_GetService("@mozilla.org/consoleservice;1"));
854 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
856 console
->LogStringMessage(message
.get());
864 nsScriptSecurityManager::ReportError(JSContext
* cx
, const nsAString
& messageTag
,
865 nsIURI
* aSource
, nsIURI
* aTarget
)
868 NS_ENSURE_TRUE(aSource
&& aTarget
, NS_ERROR_NULL_POINTER
);
870 // Get the source URL spec
871 nsAutoCString sourceSpec
;
872 rv
= aSource
->GetAsciiSpec(sourceSpec
);
873 NS_ENSURE_SUCCESS(rv
, rv
);
875 // Get the target URL spec
876 nsAutoCString targetSpec
;
877 rv
= aTarget
->GetAsciiSpec(targetSpec
);
878 NS_ENSURE_SUCCESS(rv
, rv
);
880 // Localize the error message
881 nsXPIDLString message
;
882 NS_ConvertASCIItoUTF16
ucsSourceSpec(sourceSpec
);
883 NS_ConvertASCIItoUTF16
ucsTargetSpec(targetSpec
);
884 const char16_t
*formatStrings
[] = { ucsSourceSpec
.get(), ucsTargetSpec
.get() };
885 rv
= sStrBundle
->FormatStringFromName(PromiseFlatString(messageTag
).get(),
887 ArrayLength(formatStrings
),
888 getter_Copies(message
));
889 NS_ENSURE_SUCCESS(rv
, rv
);
891 // If a JS context was passed in, set a JS exception.
892 // Otherwise, print the error message directly to the JS console
893 // and to standard output
896 SetPendingException(cx
, message
.get());
898 else // Print directly to the console
900 nsCOMPtr
<nsIConsoleService
> console(
901 do_GetService("@mozilla.org/consoleservice;1"));
902 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
904 console
->LogStringMessage(message
.get());
910 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal
* aPrincipal
,
911 const nsACString
& aTargetURIStr
,
915 nsCOMPtr
<nsIURI
> target
;
916 rv
= NS_NewURI(getter_AddRefs(target
), aTargetURIStr
,
917 nullptr, nullptr, sIOService
);
918 NS_ENSURE_SUCCESS(rv
, rv
);
920 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
921 if (rv
== NS_ERROR_DOM_BAD_URI
) {
922 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
926 NS_ENSURE_SUCCESS(rv
, rv
);
928 // Now start testing fixup -- since aTargetURIStr is a string, not
929 // an nsIURI, we may well end up fixing it up before loading.
930 // Note: This needs to stay in sync with the nsIURIFixup api.
931 nsCOMPtr
<nsIURIFixup
> fixup
= do_GetService(NS_URIFIXUP_CONTRACTID
);
937 nsIURIFixup::FIXUP_FLAG_NONE
,
938 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS
,
939 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
,
940 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
,
941 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
|
942 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
945 for (uint32_t i
= 0; i
< ArrayLength(flags
); ++i
) {
946 rv
= fixup
->CreateFixupURI(aTargetURIStr
, flags
[i
], nullptr,
947 getter_AddRefs(target
));
948 NS_ENSURE_SUCCESS(rv
, rv
);
950 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
951 if (rv
== NS_ERROR_DOM_BAD_URI
) {
952 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
956 NS_ENSURE_SUCCESS(rv
, rv
);
963 nsScriptSecurityManager::ScriptAllowed(JSObject
*aGlobal
)
966 MOZ_ASSERT(JS_IsGlobalObject(aGlobal
) || js::IsOuterObject(aGlobal
));
968 // Check the bits on the compartment private.
969 return xpc::Scriptability::Get(aGlobal
).Allowed();
972 ///////////////// Principals ///////////////////////
975 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal
**result
)
977 NS_ADDREF(*result
= mSystemPrincipal
);
983 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI
* aURI
, uint32_t aAppId
,
985 nsIPrincipal
**result
)
987 // I _think_ it's safe to not create null principals here based on aURI.
988 // At least all the callers would do the right thing in those cases, as far
989 // as I can tell. --bz
991 nsCOMPtr
<nsIURIWithPrincipal
> uriPrinc
= do_QueryInterface(aURI
);
993 nsCOMPtr
<nsIPrincipal
> principal
;
994 uriPrinc
->GetPrincipal(getter_AddRefs(principal
));
996 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
999 principal
.forget(result
);
1004 nsRefPtr
<nsPrincipal
> codebase
= new nsPrincipal();
1006 return NS_ERROR_OUT_OF_MEMORY
;
1008 nsresult rv
= codebase
->Init(aURI
, aAppId
, aInMozBrowser
);
1012 NS_ADDREF(*result
= codebase
);
1018 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI
* aURI
,
1019 nsIPrincipal
** aPrincipal
)
1021 return GetCodebasePrincipalInternal(aURI
,
1022 nsIScriptSecurityManager::UNKNOWN_APP_ID
,
1027 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI
* aURI
,
1028 nsIPrincipal
** aPrincipal
)
1030 return GetCodebasePrincipalInternal(aURI
, nsIScriptSecurityManager::NO_APP_ID
,
1035 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI
* aURI
,
1036 nsIPrincipal
** aPrincipal
)
1038 return GetNoAppCodebasePrincipal(aURI
, aPrincipal
);
1042 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI
* aURI
,
1045 nsIPrincipal
** aPrincipal
)
1047 NS_ENSURE_TRUE(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
,
1048 NS_ERROR_INVALID_ARG
);
1050 return GetCodebasePrincipalInternal(aURI
, aAppId
, aInMozBrowser
, aPrincipal
);
1054 nsScriptSecurityManager::
1055 GetLoadContextCodebasePrincipal(nsIURI
* aURI
,
1056 nsILoadContext
* aLoadContext
,
1057 nsIPrincipal
** aPrincipal
)
1060 aLoadContext
->GetAppId(&appId
);
1061 bool isInBrowserElement
;
1062 aLoadContext
->GetIsInBrowserElement(&isInBrowserElement
);
1063 return GetCodebasePrincipalInternal(aURI
,
1070 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI
* aURI
,
1071 nsIDocShell
* aDocShell
,
1072 nsIPrincipal
** aPrincipal
)
1074 return GetCodebasePrincipalInternal(aURI
,
1075 aDocShell
->GetAppId(),
1076 aDocShell
->GetIsInBrowserElement(),
1081 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI
*aURI
,
1084 nsIPrincipal
**result
)
1086 NS_ENSURE_ARG(aURI
);
1088 bool inheritsPrincipal
;
1090 NS_URIChainHasFlags(aURI
,
1091 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
,
1092 &inheritsPrincipal
);
1093 if (NS_FAILED(rv
) || inheritsPrincipal
) {
1094 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
1097 nsCOMPtr
<nsIPrincipal
> principal
;
1098 rv
= CreateCodebasePrincipal(aURI
, aAppId
, aInMozBrowser
,
1099 getter_AddRefs(principal
));
1100 NS_ENSURE_SUCCESS(rv
, rv
);
1101 NS_IF_ADDREF(*result
= principal
);
1108 nsScriptSecurityManager::doGetObjectPrincipal(JSObject
*aObj
)
1110 JSCompartment
*compartment
= js::GetObjectCompartment(aObj
);
1111 JSPrincipals
*principals
= JS_GetCompartmentPrincipals(compartment
);
1112 return nsJSPrincipals::get(principals
);
1116 nsScriptSecurityManager::CanCreateWrapper(JSContext
*cx
,
1119 nsIClassInfo
*aClassInfo
)
1121 // XXX Special case for nsIXPCException ?
1122 ClassInfoData objClassInfo
= ClassInfoData(aClassInfo
, nullptr);
1123 if (objClassInfo
.IsDOMClass())
1128 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1129 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx
)))
1134 if (nsContentUtils::IsCallerChrome())
1139 //-- Access denied, report an error
1140 NS_ConvertUTF8toUTF16
strName("CreateWrapperDenied");
1141 nsAutoCString origin
;
1142 nsIPrincipal
* subjectPrincipal
= nsContentUtils::SubjectPrincipal();
1143 GetPrincipalDomainOrigin(subjectPrincipal
, origin
);
1144 NS_ConvertUTF8toUTF16
originUnicode(origin
);
1145 NS_ConvertUTF8toUTF16
classInfoName(objClassInfo
.GetName());
1146 const char16_t
* formatStrings
[] = {
1147 classInfoName
.get(),
1150 uint32_t length
= ArrayLength(formatStrings
);
1151 if (originUnicode
.IsEmpty()) {
1154 strName
.AppendLiteral("ForOrigin");
1156 nsXPIDLString errorMsg
;
1157 nsresult rv
= sStrBundle
->FormatStringFromName(strName
.get(),
1160 getter_Copies(errorMsg
));
1161 NS_ENSURE_SUCCESS(rv
, rv
);
1163 SetPendingException(cx
, errorMsg
.get());
1164 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1168 nsScriptSecurityManager::CanCreateInstance(JSContext
*cx
,
1171 if (nsContentUtils::IsCallerChrome()) {
1175 //-- Access denied, report an error
1176 nsAutoCString
errorMsg("Permission denied to create instance of class. CID=");
1177 char cidStr
[NSID_LENGTH
];
1178 aCID
.ToProvidedString(cidStr
);
1179 errorMsg
.Append(cidStr
);
1180 SetPendingException(cx
, errorMsg
.get());
1181 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1185 nsScriptSecurityManager::CanGetService(JSContext
*cx
,
1188 if (nsContentUtils::IsCallerChrome()) {
1192 //-- Access denied, report an error
1193 nsAutoCString
errorMsg("Permission denied to get service. CID=");
1194 char cidStr
[NSID_LENGTH
];
1195 aCID
.ToProvidedString(cidStr
);
1196 errorMsg
.Append(cidStr
);
1197 SetPendingException(cx
, errorMsg
.get());
1198 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1201 /////////////////////////////////////////////
1202 // Method implementing nsIChannelEventSink //
1203 /////////////////////////////////////////////
1205 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel
* oldChannel
,
1206 nsIChannel
* newChannel
,
1207 uint32_t redirFlags
,
1208 nsIAsyncVerifyRedirectCallback
*cb
)
1210 nsCOMPtr
<nsIPrincipal
> oldPrincipal
;
1211 GetChannelResultPrincipal(oldChannel
, getter_AddRefs(oldPrincipal
));
1213 nsCOMPtr
<nsIURI
> newURI
;
1214 newChannel
->GetURI(getter_AddRefs(newURI
));
1215 nsCOMPtr
<nsIURI
> newOriginalURI
;
1216 newChannel
->GetOriginalURI(getter_AddRefs(newOriginalURI
));
1218 NS_ENSURE_STATE(oldPrincipal
&& newURI
&& newOriginalURI
);
1220 const uint32_t flags
=
1221 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
1222 nsIScriptSecurityManager::DISALLOW_SCRIPT
;
1223 nsresult rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newURI
, flags
);
1224 if (NS_SUCCEEDED(rv
) && newOriginalURI
!= newURI
) {
1225 rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newOriginalURI
, flags
);
1231 cb
->OnRedirectVerifyCallback(NS_OK
);
1236 /////////////////////////////////////
1237 // Method implementing nsIObserver //
1238 /////////////////////////////////////
1239 const char sJSEnabledPrefName
[] = "javascript.enabled";
1240 const char sFileOriginPolicyPrefName
[] =
1241 "security.fileuri.strict_origin_policy";
1243 static const char* kObservedPrefs
[] = {
1245 sFileOriginPolicyPrefName
,
1246 "capability.policy.",
1252 nsScriptSecurityManager::Observe(nsISupports
* aObject
, const char* aTopic
,
1253 const char16_t
* aMessage
)
1255 ScriptSecurityPrefChanged();
1259 /////////////////////////////////////////////
1260 // Constructor, Destructor, Initialization //
1261 /////////////////////////////////////////////
1262 nsScriptSecurityManager::nsScriptSecurityManager(void)
1263 : mPrefInitialized(false)
1264 , mIsJavaScriptEnabled(false)
1266 static_assert(sizeof(intptr_t) == sizeof(void*),
1267 "intptr_t and void* have different lengths on this platform. "
1268 "This may cause a security failure with the SecurityLevel union.");
1271 nsresult
nsScriptSecurityManager::Init()
1273 nsresult rv
= CallGetService(NS_IOSERVICE_CONTRACTID
, &sIOService
);
1274 NS_ENSURE_SUCCESS(rv
, rv
);
1278 nsCOMPtr
<nsIStringBundleService
> bundleService
=
1279 mozilla::services::GetStringBundleService();
1281 return NS_ERROR_FAILURE
;
1283 rv
= bundleService
->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle
);
1284 NS_ENSURE_SUCCESS(rv
, rv
);
1286 // Create our system principal singleton
1287 nsRefPtr
<nsSystemPrincipal
> system
= new nsSystemPrincipal();
1288 NS_ENSURE_TRUE(system
, NS_ERROR_OUT_OF_MEMORY
);
1290 mSystemPrincipal
= system
;
1292 //-- Register security check callback in the JS engine
1293 // Currently this is used to control access to function.caller
1294 rv
= nsXPConnect::XPConnect()->GetRuntime(&sRuntime
);
1295 NS_ENSURE_SUCCESS(rv
, rv
);
1297 static const JSSecurityCallbacks securityCallbacks
= {
1298 ContentSecurityPolicyPermitsJSAction
,
1299 JSPrincipalsSubsume
,
1302 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime
));
1303 JS_SetSecurityCallbacks(sRuntime
, &securityCallbacks
);
1304 JS_InitDestroyPrincipalsCallback(sRuntime
, nsJSPrincipals::Destroy
);
1306 JS_SetTrustedPrincipals(sRuntime
, system
);
1311 static StaticRefPtr
<nsScriptSecurityManager
> gScriptSecMan
;
1313 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1315 Preferences::RemoveObservers(this, kObservedPrefs
);
1317 mDomainPolicy
->Deactivate();
1318 MOZ_ASSERT(!mDomainPolicy
);
1322 nsScriptSecurityManager::Shutdown()
1325 JS_SetSecurityCallbacks(sRuntime
, nullptr);
1326 JS_SetTrustedPrincipals(sRuntime
, nullptr);
1330 NS_IF_RELEASE(sIOService
);
1331 NS_IF_RELEASE(sStrBundle
);
1334 nsScriptSecurityManager
*
1335 nsScriptSecurityManager::GetScriptSecurityManager()
1337 return gScriptSecMan
;
1341 nsScriptSecurityManager::InitStatics()
1343 nsRefPtr
<nsScriptSecurityManager
> ssManager
= new nsScriptSecurityManager();
1344 nsresult rv
= ssManager
->Init();
1345 if (NS_FAILED(rv
)) {
1349 ClearOnShutdown(&gScriptSecMan
);
1350 gScriptSecMan
= ssManager
;
1353 // Currently this nsGenericFactory constructor is used only from FastLoad
1354 // (XPCOM object deserialization) code, when "creating" the system principal
1357 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1359 nsIPrincipal
*sysprin
= nullptr;
1361 NS_ADDREF(sysprin
= gScriptSecMan
->mSystemPrincipal
);
1362 return static_cast<nsSystemPrincipal
*>(sysprin
);
1365 struct IsWhitespace
{
1366 static bool Test(char aChar
) { return NS_IsAsciiWhitespace(aChar
); };
1368 struct IsWhitespaceOrComma
{
1369 static bool Test(char aChar
) { return aChar
== ',' || NS_IsAsciiWhitespace(aChar
); };
1372 template <typename Predicate
>
1373 uint32_t SkipPast(const nsCString
& str
, uint32_t base
)
1375 while (base
< str
.Length() && Predicate::Test(str
[base
])) {
1381 template <typename Predicate
>
1382 uint32_t SkipUntil(const nsCString
& str
, uint32_t base
)
1384 while (base
< str
.Length() && !Predicate::Test(str
[base
])) {
1391 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1393 MOZ_ASSERT(mPrefInitialized
);
1394 mIsJavaScriptEnabled
=
1395 Preferences::GetBool(sJSEnabledPrefName
, mIsJavaScriptEnabled
);
1396 sStrictFileOriginPolicy
=
1397 Preferences::GetBool(sFileOriginPolicyPrefName
, false);
1400 // Rebuild the set of principals for which we allow file:// URI loads. This
1401 // implements a small subset of an old pref-based CAPS people that people
1402 // have come to depend on. See bug 995943.
1405 mFileURIWhitelist
.Clear();
1406 auto policies
= mozilla::Preferences::GetCString("capability.policy.policynames");
1407 for (uint32_t base
= SkipPast
<IsWhitespaceOrComma
>(policies
, 0), bound
= 0;
1408 base
< policies
.Length();
1409 base
= SkipPast
<IsWhitespaceOrComma
>(policies
, bound
))
1411 // Grab the current policy name.
1412 bound
= SkipUntil
<IsWhitespaceOrComma
>(policies
, base
);
1413 auto policyName
= Substring(policies
, base
, bound
- base
);
1415 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1416 nsCString checkLoadURIPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1418 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1419 if (!Preferences::GetString(checkLoadURIPrefName
.get()).LowerCaseEqualsLiteral("allaccess")) {
1423 // Grab the list of domains associated with this policy.
1424 nsCString domainPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1426 NS_LITERAL_CSTRING(".sites");
1427 auto siteList
= Preferences::GetCString(domainPrefName
.get());
1428 AddSitesToFileURIWhitelist(siteList
);
1433 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString
& aSiteList
)
1435 for (uint32_t base
= SkipPast
<IsWhitespace
>(aSiteList
, 0), bound
= 0;
1436 base
< aSiteList
.Length();
1437 base
= SkipPast
<IsWhitespace
>(aSiteList
, bound
))
1439 // Grab the current site.
1440 bound
= SkipUntil
<IsWhitespace
>(aSiteList
, base
);
1441 nsAutoCString
site(Substring(aSiteList
, base
, bound
- base
));
1443 // Check if the URI is schemeless. If so, add both http and https.
1444 nsAutoCString unused
;
1445 if (NS_FAILED(sIOService
->ExtractScheme(site
, unused
))) {
1446 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("http://") + site
);
1447 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("https://") + site
);
1451 // Convert it to a URI and add it to our list.
1452 nsCOMPtr
<nsIURI
> uri
;
1453 nsresult rv
= NS_NewURI(getter_AddRefs(uri
), site
, nullptr, nullptr, sIOService
);
1454 if (NS_SUCCEEDED(rv
)) {
1455 mFileURIWhitelist
.AppendElement(uri
);
1457 nsCOMPtr
<nsIConsoleService
> console(do_GetService("@mozilla.org/consoleservice;1"));
1459 nsAutoString msg
= NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1460 NS_ConvertASCIItoUTF16(site
);
1461 console
->LogStringMessage(msg
.get());
1468 nsScriptSecurityManager::InitPrefs()
1470 nsIPrefBranch
* branch
= Preferences::GetRootBranch();
1471 NS_ENSURE_TRUE(branch
, NS_ERROR_FAILURE
);
1473 mPrefInitialized
= true;
1475 // Set the initial value of the "javascript.enabled" prefs
1476 ScriptSecurityPrefChanged();
1478 // set observer callbacks in case the value of the prefs change
1479 Preferences::AddStrongObservers(this, kObservedPrefs
);
1487 GetJarPrefix(uint32_t aAppId
, bool aInMozBrowser
, nsACString
& aJarPrefix
)
1489 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1491 if (aAppId
== nsIScriptSecurityManager::UNKNOWN_APP_ID
) {
1492 aAppId
= nsIScriptSecurityManager::NO_APP_ID
;
1495 aJarPrefix
.Truncate();
1498 if (aAppId
== nsIScriptSecurityManager::NO_APP_ID
&& !aInMozBrowser
) {
1502 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1503 aJarPrefix
.AppendInt(aAppId
);
1504 aJarPrefix
.Append('+');
1505 aJarPrefix
.Append(aInMozBrowser
? 't' : 'f');
1506 aJarPrefix
.Append('+');
1511 } // namespace mozilla
1514 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId
,
1516 nsACString
& aJarPrefix
)
1518 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1520 mozilla::GetJarPrefix(aAppId
, aInMozBrowser
, aJarPrefix
);
1525 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv
)
1527 *aRv
= !!mDomainPolicy
;
1532 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy
** aRv
)
1534 // We only allow one domain policy at a time. The holder of the previous
1535 // policy must explicitly deactivate it first.
1536 if (mDomainPolicy
) {
1537 return NS_ERROR_SERVICE_NOT_AVAILABLE
;
1540 mDomainPolicy
= new DomainPolicy();
1541 nsCOMPtr
<nsIDomainPolicy
> ptr
= mDomainPolicy
;
1546 // Intentionally non-scriptable. Script must have a reference to the
1547 // nsIDomainPolicy to deactivate it.
1549 nsScriptSecurityManager::DeactivateDomainPolicy()
1551 mDomainPolicy
= nullptr;
1555 nsScriptSecurityManager::PolicyAllowsScript(nsIURI
* aURI
, bool *aRv
)
1559 // Compute our rule. If we don't have any domain policy set up that might
1560 // provide exceptions to this rule, we're done.
1561 *aRv
= mIsJavaScriptEnabled
;
1562 if (!mDomainPolicy
) {
1566 // We have a domain policy. Grab the appropriate set of exceptions to the
1567 // rule (either the blacklist or the whitelist, depending on whether script
1568 // is enabled or disabled by default).
1569 nsCOMPtr
<nsIDomainSet
> exceptions
;
1570 nsCOMPtr
<nsIDomainSet
> superExceptions
;
1572 mDomainPolicy
->GetBlacklist(getter_AddRefs(exceptions
));
1573 mDomainPolicy
->GetSuperBlacklist(getter_AddRefs(superExceptions
));
1575 mDomainPolicy
->GetWhitelist(getter_AddRefs(exceptions
));
1576 mDomainPolicy
->GetSuperWhitelist(getter_AddRefs(superExceptions
));
1580 rv
= exceptions
->Contains(aURI
, &contains
);
1581 NS_ENSURE_SUCCESS(rv
, rv
);
1586 rv
= superExceptions
->ContainsSuperDomain(aURI
, &contains
);
1587 NS_ENSURE_SUCCESS(rv
, rv
);