search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1702346 [wpt PR 28323] - Fix typo in preserve-3d test, a=testonly
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob5debbbb3e7a415baf3cea2ee179b040e2e0355c5
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/StaticPrefs_extensions.h"
11 #include "mozilla/StaticPrefs_security.h"
12 #include "mozilla/StoragePrincipalHelper.h"
13
14 #include "xpcpublic.h"
15 #include "XPCWrapper.h"
16 #include "nsILoadContext.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIScriptError.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "mozilla/BasePrincipal.h"
24 #include "ExpandedPrincipal.h"
25 #include "SystemPrincipal.h"
26 #include "DomainPolicy.h"
27 #include "nsString.h"
28 #include "nsCRT.h"
29 #include "nsCRTGlue.h"
30 #include "nsContentSecurityUtils.h"
31 #include "nsDocShell.h"
32 #include "nsError.h"
33 #include "nsGlobalWindowInner.h"
34 #include "nsDOMCID.h"
35 #include "nsTextFormatter.h"
36 #include "nsIStringBundle.h"
37 #include "nsNetUtil.h"
38 #include "nsIEffectiveTLDService.h"
39 #include "nsDirectoryServiceDefs.h"
40 #include "nsIScriptGlobalObject.h"
41 #include "nsPIDOMWindow.h"
42 #include "nsIDocShell.h"
43 #include "nsIConsoleService.h"
44 #include "nsIOService.h"
45 #include "nsIContent.h"
46 #include "nsDOMJSUtils.h"
47 #include "nsAboutProtocolUtils.h"
48 #include "nsIClassInfo.h"
49 #include "nsIURIFixup.h"
50 #include "nsIChromeRegistry.h"
51 #include "nsIResProtocolHandler.h"
52 #include "nsIContentSecurityPolicy.h"
53 #include "mozilla/Components.h"
54 #include "mozilla/Preferences.h"
55 #include "mozilla/dom/BindingUtils.h"
56 #include "mozilla/NullPrincipal.h"
57 #include <stdint.h>
58 #include "mozilla/dom/ContentChild.h"
59 #include "mozilla/dom/ContentParent.h"
60 #include "mozilla/dom/Exceptions.h"
61 #include "mozilla/dom/nsCSPContext.h"
62 #include "mozilla/dom/ScriptSettings.h"
63 #include "mozilla/ClearOnShutdown.h"
64 #include "mozilla/ResultExtensions.h"
65 #include "mozilla/StaticPtr.h"
66 #include "mozilla/dom/WorkerCommon.h"
67 #include "mozilla/dom/WorkerPrivate.h"
68 #include "nsContentUtils.h"
69 #include "nsJSUtils.h"
70 #include "nsILoadInfo.h"
71
72 // This should be probably defined on some other place... but I couldn't find it
73 #define WEBAPPS_PERM_NAME "webapps-manage"
74
75 using namespace mozilla;
76 using namespace mozilla::dom;
77
78 nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
79 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
80
81 namespace {
82
83 class BundleHelper {
84 public:
85 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
86
87 static nsIStringBundle* GetOrCreate() {
88 MOZ_ASSERT(!sShutdown);
89
90 // Already shutting down. Nothing should require the use of the string
91 // bundle when shutting down.
92 if (sShutdown) {
93 return nullptr;
94 }
95
96 if (!sSelf) {
97 sSelf = new BundleHelper();
98 }
99
100 return sSelf->GetOrCreateInternal();
101 }
102
103 static void Shutdown() {
104 sSelf = nullptr;
105 sShutdown = true;
106 }
107
108 private:
109 ~BundleHelper() = default;
110
111 nsIStringBundle* GetOrCreateInternal() {
112 if (!mBundle) {
113 nsCOMPtr<nsIStringBundleService> bundleService =
114 mozilla::components::StringBundle::Service();
115 if (NS_WARN_IF(!bundleService)) {
116 return nullptr;
117 }
118
119 nsresult rv = bundleService->CreateBundle(
120 "chrome://global/locale/security/caps.properties",
121 getter_AddRefs(mBundle));
122 if (NS_WARN_IF(NS_FAILED(rv))) {
123 return nullptr;
124 }
125 }
126
127 return mBundle;
128 }
129
130 nsCOMPtr<nsIStringBundle> mBundle;
131
132 static StaticRefPtr<BundleHelper> sSelf;
133 static bool sShutdown;
134 };
135
136 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
137 bool BundleHelper::sShutdown = false;
138
139 } // namespace
140
141 ///////////////////////////
142 // Convenience Functions //
143 ///////////////////////////
144
145 class nsAutoInPrincipalDomainOriginSetter {
146 public:
147 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
148 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
149 static uint32_t sInPrincipalDomainOrigin;
150 };
151 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
152
153 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
154 if (!aURI) {
155 return NS_ERROR_NULL_POINTER;
156 }
157 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
158 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
159 // might be happening on a different principal from the first call. But
160 // after that, cut off the recursion; it just indicates that something
161 // we're doing in this method causes us to reenter a security check here.
162 return NS_ERROR_NOT_AVAILABLE;
163 }
164
165 nsAutoInPrincipalDomainOriginSetter autoSetter;
166
167 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
168 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
169
170 nsAutoCString hostPort;
171
172 nsresult rv = uri->GetHostPort(hostPort);
173 if (NS_SUCCEEDED(rv)) {
174 nsAutoCString scheme;
175 rv = uri->GetScheme(scheme);
176 NS_ENSURE_SUCCESS(rv, rv);
177 aOrigin = scheme + "://"_ns + hostPort;
178 } else {
179 // Some URIs (e.g., nsSimpleURI) don't support host. Just
180 // get the full spec.
181 rv = uri->GetSpec(aOrigin);
182 NS_ENSURE_SUCCESS(rv, rv);
183 }
184
185 return NS_OK;
186 }
187
188 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
189 nsACString& aOrigin) {
190 aOrigin.Truncate();
191 nsCOMPtr<nsIURI> uri;
192 aPrincipal->GetDomain(getter_AddRefs(uri));
193 nsresult rv = GetOriginFromURI(uri, aOrigin);
194 if (NS_SUCCEEDED(rv)) {
195 return rv;
196 }
197 // If there is no Domain fallback to the Principals Origin
198 return aPrincipal->GetOriginNoSuffix(aOrigin);
199 }
200
201 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
202 JS_ReportErrorASCII(cx, "%s", aMsg);
203 }
204
205 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
206 NS_ConvertUTF16toUTF8 msg(aMsg);
207 JS_ReportErrorUTF8(cx, "%s", msg.get());
208 }
209
210 /* static */
211 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
212 nsIURI* aTargetURI) {
213 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
214 sStrictFileOriginPolicy);
215 }
216
217 // SecurityHashURI is consistent with SecurityCompareURIs because
218 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
219 // nsNetUtil.h.
220 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
221 return NS_SecurityHashURI(aURI);
222 }
223
224 /*
225 * GetChannelResultPrincipal will return the principal that the resource
226 * returned by this channel will use. For example, if the resource is in
227 * a sandbox, it will return the nullprincipal. If the resource is forced
228 * to inherit principal, it will return the principal of its parent. If
229 * the load doesn't require sandboxing or inheriting, it will return the same
230 * principal as GetChannelURIPrincipal. Namely the principal of the URI
231 * that is being loaded.
232 */
233 NS_IMETHODIMP
234 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
235 nsIPrincipal** aPrincipal) {
236 return GetChannelResultPrincipal(aChannel, aPrincipal,
237 /*aIgnoreSandboxing*/ false);
238 }
239
240 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
241 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
242 return GetChannelResultPrincipal(aChannel, aPrincipal,
243 /*aIgnoreSandboxing*/ true);
244 }
245
246 NS_IMETHODIMP
247 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
248 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
249 nsCOMPtr<nsIPrincipal> principal;
250 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
251 /*aIgnoreSandboxing*/ false);
252 if (NS_WARN_IF(NS_FAILED(rv))) {
253 return rv;
254 }
255
256 return StoragePrincipalHelper::Create(
257 aChannel, principal, /* aForceIsolation */ false, aPrincipal);
258 }
259
260 NS_IMETHODIMP
261 nsScriptSecurityManager::GetChannelResultPrincipals(
262 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
263 nsIPrincipal** aPartitionedPrincipal) {
264 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
265 /*aIgnoreSandboxing*/ false);
266 if (NS_WARN_IF(NS_FAILED(rv))) {
267 return rv;
268 }
269
270 if (!(*aPrincipal)->GetIsContentPrincipal()) {
271 // If for some reason we don't have a content principal here, just reuse our
272 // principal for the storage principal too, since attempting to create a
273 // storage principal would fail anyway.
274 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
275 copy.forget(aPartitionedPrincipal);
276 return NS_OK;
277 }
278
279 return StoragePrincipalHelper::Create(
280 aChannel, *aPrincipal, /* aForceIsolation */ true, aPartitionedPrincipal);
281 }
282
283 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
284 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
285 MOZ_ASSERT(aChannel, "Must have channel!");
286
287 // Check whether we have an nsILoadInfo that says what we should do.
288 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
289 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
290 nsCOMPtr<nsIPrincipal> principalToInherit =
291 loadInfo->FindPrincipalToInherit(aChannel);
292 principalToInherit.forget(aPrincipal);
293 return NS_OK;
294 }
295
296 nsCOMPtr<nsISupports> owner;
297 aChannel->GetOwner(getter_AddRefs(owner));
298 if (owner) {
299 CallQueryInterface(owner, aPrincipal);
300 if (*aPrincipal) {
301 return NS_OK;
302 }
303 }
304
305 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
306 nsCOMPtr<nsIPrincipal> sandboxedLoadingPrincipal =
307 loadInfo->GetSandboxedLoadingPrincipal();
308 MOZ_ASSERT(sandboxedLoadingPrincipal);
309 sandboxedLoadingPrincipal.forget(aPrincipal);
310 return NS_OK;
311 }
312
313 bool forceInherit = loadInfo->GetForceInheritPrincipal();
314 if (aIgnoreSandboxing && !forceInherit) {
315 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
316 // sandboxing:
317 if (loadInfo->GetLoadingSandboxed() &&
318 loadInfo->GetForceInheritPrincipalDropped()) {
319 forceInherit = true;
320 }
321 }
322 if (forceInherit) {
323 nsCOMPtr<nsIPrincipal> principalToInherit =
324 loadInfo->FindPrincipalToInherit(aChannel);
325 principalToInherit.forget(aPrincipal);
326 return NS_OK;
327 }
328
329 auto securityMode = loadInfo->GetSecurityMode();
330 // The data: inheritance flags should only apply to the initial load,
331 // not to loads that it might have redirected to.
332 if (loadInfo->RedirectChain().IsEmpty() &&
333 (securityMode ==
334 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
335 securityMode ==
336 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
337 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT)) {
338 nsCOMPtr<nsIURI> uri;
339 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
340 NS_ENSURE_SUCCESS(rv, rv);
341
342 nsCOMPtr<nsIPrincipal> principalToInherit =
343 loadInfo->FindPrincipalToInherit(aChannel);
344 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
345
346 if (nsContentUtils::ChannelShouldInheritPrincipal(
347 principalToInherit, uri, inheritForAboutBlank, false)) {
348 principalToInherit.forget(aPrincipal);
349 return NS_OK;
350 }
351 }
352 return GetChannelURIPrincipal(aChannel, aPrincipal);
353 }
354
355 /* The principal of the URI that this channel is loading. This is never
356 * affected by things like sandboxed loads, or loads where we forcefully
357 * inherit the principal. Think of this as the principal of the server
358 * which this channel is loading from. Most callers should use
359 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
360 * call GetChannelURIPrincipal if you are sure that you want the
361 * principal that matches the uri, even in cases when the load is
362 * sandboxed or when the load could be a blob or data uri (i.e even when
363 * you encounter loads that may or may not be sandboxed and loads
364 * that may or may not inherit)."
365 */
366 NS_IMETHODIMP
367 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
368 nsIPrincipal** aPrincipal) {
369 MOZ_ASSERT(aChannel, "Must have channel!");
370
371 // Get the principal from the URI. Make sure this does the same thing
372 // as Document::Reset and PrototypeDocumentContentSink::Init.
373 nsCOMPtr<nsIURI> uri;
374 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
375 NS_ENSURE_SUCCESS(rv, rv);
376
377 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
378
379 // Inherit the origin attributes from loadInfo.
380 // If this is a top-level document load, the origin attributes of the
381 // loadInfo will be set from nsDocShell::DoURILoad.
382 // For subresource loading, the origin attributes of the loadInfo is from
383 // its loadingPrincipal.
384 OriginAttributes attrs = loadInfo->GetOriginAttributes();
385
386 nsCOMPtr<nsIPrincipal> prin =
387 BasePrincipal::CreateContentPrincipal(uri, attrs);
388 prin.forget(aPrincipal);
389 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
390 }
391
392 /////////////////////////////
393 // nsScriptSecurityManager //
394 /////////////////////////////
395
396 ////////////////////////////////////
397 // Methods implementing ISupports //
398 ////////////////////////////////////
399 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
400
401 ///////////////////////////////////////////////////
402 // Methods implementing nsIScriptSecurityManager //
403 ///////////////////////////////////////////////////
404
405 ///////////////// Security Checks /////////////////
406
407 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
408 JSContext* cx, JS::HandleString aCode) {
409 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
410
411 // Get the window, if any, corresponding to the current global
412 nsCOMPtr<nsIContentSecurityPolicy> csp;
413 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
414 csp = win->GetCsp();
415 }
416
417 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
418 if (!csp) {
419 // Get the CSP for addon sandboxes. If the principal is expanded and has a
420 // csp, we're probably in luck.
421 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
422 // ContentScriptAddonPolicy means it is also an expanded principal, thus
423 // this is in a sandbox used as a content script.
424 if (basePrin->ContentScriptAddonPolicy()) {
425 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
426 }
427 // don't do anything unless there's a CSP
428 if (!csp) {
429 return true;
430 }
431 }
432
433 nsCOMPtr<nsICSPEventListener> cspEventListener;
434 if (!NS_IsMainThread()) {
435 WorkerPrivate* workerPrivate =
436 mozilla::dom::GetWorkerPrivateFromContext(cx);
437 if (workerPrivate) {
438 cspEventListener = workerPrivate->CSPEventListener();
439 }
440 }
441
442 bool evalOK = true;
443 bool reportViolation = false;
444 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
445
446 // A little convoluted. We want the scriptSample for a) reporting a violation
447 // or b) passing it to AssertEvalNotUsingSystemPrincipal or c) we're in the
448 // parent process. So do the work to get it if either of those cases is true.
449 nsAutoJSString scriptSample;
450 if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
451 XRE_IsE10sParentProcess()) {
452 if (NS_WARN_IF(!scriptSample.init(cx, aCode))) {
453 JS_ClearPendingException(cx);
454 return false;
455 }
456 }
457
458 #if !defined(ANDROID)
459 if (!nsContentSecurityUtils::IsEvalAllowed(
460 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
461 return false;
462 }
463 #endif
464
465 if (NS_FAILED(rv)) {
466 NS_WARNING("CSP: failed to get allowsEval");
467 return true; // fail open to not break sites.
468 }
469
470 if (reportViolation) {
471 JS::AutoFilename scriptFilename;
472 nsAutoString fileName;
473 unsigned lineNum = 0;
474 unsigned columnNum = 0;
475 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
476 if (const char* file = scriptFilename.get()) {
477 CopyUTF8toUTF16(nsDependentCString(file), fileName);
478 }
479 } else {
480 MOZ_ASSERT(!JS_IsExceptionPending(cx));
481 }
482 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
483 nullptr, // triggering element
484 cspEventListener, fileName, scriptSample, lineNum,
485 columnNum, u""_ns, u""_ns);
486 }
487
488 return evalOK;
489 }
490
491 // static
492 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
493 JSPrincipals* second) {
494 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
495 }
496
497 NS_IMETHODIMP
498 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
499 nsIURI* aTargetURI,
500 bool reportError,
501 bool aFromPrivateWindow) {
502 // Please note that aFromPrivateWindow is only 100% accurate if
503 // reportError is true.
504 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
505 if (reportError) {
506 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
507 aFromPrivateWindow);
508 }
509 return NS_ERROR_DOM_BAD_URI;
510 }
511 return NS_OK;
512 }
513
514 NS_IMETHODIMP
515 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
516 // Get principal of currently executing script.
517 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
518 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
519 nsresult rv = CheckLoadURIWithPrincipal(
520 // Passing 0 for the window ID here is OK, because we will report a
521 // script-visible exception anyway.
522 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
523 if (NS_SUCCEEDED(rv)) {
524 // OK to load
525 return NS_OK;
526 }
527
528 // Report error.
529 nsAutoCString spec;
530 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
531 nsAutoCString msg("Access to '");
532 msg.Append(spec);
533 msg.AppendLiteral("' from script denied");
534 SetPendingExceptionASCII(cx, msg.get());
535 return NS_ERROR_DOM_BAD_URI;
536 }
537
538 /**
539 * Helper method to handle cases where a flag passed to
540 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
541 * nsIProtocolHandler flags set.
542 * @return if success, access is allowed. Otherwise, deny access
543 */
544 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
545 MOZ_ASSERT(aURI, "Must have URI!");
546
547 bool uriHasFlags;
548 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
549 NS_ENSURE_SUCCESS(rv, rv);
550
551 if (uriHasFlags) {
552 return NS_ERROR_DOM_BAD_URI;
553 }
554
555 return NS_OK;
556 }
557
558 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
559 nsresult rv;
560 nsCOMPtr<nsIURI> probe = aProbeArg;
561
562 nsCOMPtr<nsIEffectiveTLDService> tldService =
563 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
564 NS_ENSURE_TRUE(tldService, false);
565 while (true) {
566 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
567 return true;
568 }
569
570 nsAutoCString host, newHost;
571 rv = probe->GetHost(host);
572 NS_ENSURE_SUCCESS(rv, false);
573
574 rv = tldService->GetNextSubDomain(host, newHost);
575 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
576 return false;
577 }
578 NS_ENSURE_SUCCESS(rv, false);
579 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
580 NS_ENSURE_SUCCESS(rv, false);
581 }
582 }
583
584 NS_IMETHODIMP
585 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
586 nsIURI* aTargetURI,
587 uint32_t aFlags,
588 uint64_t aInnerWindowID) {
589 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
590
591 // If someone passes a flag that we don't understand, we should
592 // fail, because they may need a security check that we don't
593 // provide.
594 NS_ENSURE_FALSE(
595 aFlags &
596 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
597 nsIScriptSecurityManager::ALLOW_CHROME |
598 nsIScriptSecurityManager::DISALLOW_SCRIPT |
599 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
600 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
601 NS_ERROR_UNEXPECTED);
602 NS_ENSURE_ARG_POINTER(aPrincipal);
603 NS_ENSURE_ARG_POINTER(aTargetURI);
604
605 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
606 // would do such inheriting. That would be URIs that do not have their own
607 // security context. We do this even for the system principal.
608 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
609 nsresult rv = DenyAccessIfURIHasFlags(
610 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
611 NS_ENSURE_SUCCESS(rv, rv);
612 }
613
614 if (aPrincipal == mSystemPrincipal) {
615 // Allow access
616 return NS_OK;
617 }
618
619 nsCOMPtr<nsIURI> sourceURI;
620 auto* basePrin = BasePrincipal::Cast(aPrincipal);
621 basePrin->GetURI(getter_AddRefs(sourceURI));
622 if (!sourceURI) {
623 if (basePrin->Is<ExpandedPrincipal>()) {
624 auto expanded = basePrin->As<ExpandedPrincipal>();
625 const auto& allowList = expanded->AllowList();
626 // Only report errors when all principals fail.
627 uint32_t flags = aFlags | nsIScriptSecurityManager::DONT_REPORT_ERRORS;
628 for (size_t i = 0; i < allowList.Length() - 1; i++) {
629 nsresult rv = CheckLoadURIWithPrincipal(allowList[i], aTargetURI, flags,
630 aInnerWindowID);
631 if (NS_SUCCEEDED(rv)) {
632 // Allow access if it succeeded with one of the allowlisted principals
633 return NS_OK;
634 }
635 }
636
637 // Report errors (if requested) for the last principal.
638 return CheckLoadURIWithPrincipal(allowList.LastElement(), aTargetURI,
639 aFlags, aInnerWindowID);
640 }
641 NS_ERROR(
642 "Non-system principals or expanded principal passed to "
643 "CheckLoadURIWithPrincipal "
644 "must have a URI!");
645 return NS_ERROR_UNEXPECTED;
646 }
647
648 // Automatic loads are not allowed from certain protocols.
649 if (aFlags &
650 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
651 nsresult rv = DenyAccessIfURIHasFlags(
652 sourceURI,
653 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
654 NS_ENSURE_SUCCESS(rv, rv);
655 }
656
657 // If either URI is a nested URI, get the base URI
658 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
659 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
660
661 //-- get the target scheme
662 nsAutoCString targetScheme;
663 nsresult rv = targetBaseURI->GetScheme(targetScheme);
664 if (NS_FAILED(rv)) return rv;
665
666 //-- Some callers do not allow loading javascript:
667 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
668 targetScheme.EqualsLiteral("javascript")) {
669 return NS_ERROR_DOM_BAD_URI;
670 }
671
672 // Check for uris that are only loadable by principals that subsume them
673 bool targetURIIsLoadableBySubsumers = false;
674 rv = NS_URIChainHasFlags(targetBaseURI,
675 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
676 &targetURIIsLoadableBySubsumers);
677 NS_ENSURE_SUCCESS(rv, rv);
678
679 if (targetURIIsLoadableBySubsumers) {
680 // check nothing else in the URI chain has flags that prevent
681 // access:
682 rv = CheckLoadURIFlags(
683 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
684 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
685 aInnerWindowID);
686 NS_ENSURE_SUCCESS(rv, rv);
687 // Check the principal is allowed to load the target.
688 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
689 return aPrincipal->CheckMayLoad(targetBaseURI, false);
690 }
691 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
692 aInnerWindowID);
693 }
694
695 //-- get the source scheme
696 nsAutoCString sourceScheme;
697 rv = sourceBaseURI->GetScheme(sourceScheme);
698 if (NS_FAILED(rv)) return rv;
699
700 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
701 // A null principal can target its own URI.
702 if (sourceURI == aTargetURI) {
703 return NS_OK;
704 }
705 } else if (sourceScheme.EqualsIgnoreCase("file") &&
706 targetScheme.EqualsIgnoreCase("moz-icon")) {
707 // exception for file: linking to moz-icon://.ext?size=...
708 // Note that because targetScheme is the base (innermost) URI scheme,
709 // this does NOT allow file -> moz-icon:file:///... links.
710 // This is intentional.
711 return NS_OK;
712 }
713
714 // Check for webextension
715 bool targetURIIsLoadableByExtensions = false;
716 rv = NS_URIChainHasFlags(aTargetURI,
717 nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS,
718 &targetURIIsLoadableByExtensions);
719 NS_ENSURE_SUCCESS(rv, rv);
720
721 if (targetURIIsLoadableByExtensions &&
722 BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
723 return NS_OK;
724 }
725
726 // If we get here, check all the schemes can link to each other, from the top
727 // down:
728 nsCOMPtr<nsIURI> currentURI = sourceURI;
729 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
730
731 bool denySameSchemeLinks = false;
732 rv = NS_URIChainHasFlags(aTargetURI,
733 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
734 &denySameSchemeLinks);
735 if (NS_FAILED(rv)) return rv;
736
737 while (currentURI && currentOtherURI) {
738 nsAutoCString scheme, otherScheme;
739 currentURI->GetScheme(scheme);
740 currentOtherURI->GetScheme(otherScheme);
741
742 bool schemesMatch =
743 scheme.Equals(otherScheme, nsCaseInsensitiveCStringComparator);
744 bool isSamePage = false;
745 // about: URIs are special snowflakes.
746 if (scheme.EqualsLiteral("about") && schemesMatch) {
747 nsAutoCString moduleName, otherModuleName;
748 // about: pages can always link to themselves:
749 isSamePage =
750 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
751 NS_SUCCEEDED(
752 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
753 moduleName.Equals(otherModuleName);
754 if (!isSamePage) {
755 // We will have allowed the load earlier if the source page has
756 // system principal. So we know the source has a content
757 // principal, and it's trying to link to something else.
758 // Linkable about: pages are always reachable, even if we hit
759 // the CheckLoadURIFlags call below.
760 // We punch only 1 other hole: iff the source is unlinkable,
761 // we let them link to other pages explicitly marked SAFE
762 // for content. This avoids world-linkable about: pages linking
763 // to non-world-linkable about: pages.
764 nsCOMPtr<nsIAboutModule> module, otherModule;
765 bool knowBothModules =
766 NS_SUCCEEDED(
767 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
768 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
769 getter_AddRefs(otherModule)));
770 uint32_t aboutModuleFlags = 0;
771 uint32_t otherAboutModuleFlags = 0;
772 knowBothModules =
773 knowBothModules &&
774 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
775 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
776 &otherAboutModuleFlags));
777 if (knowBothModules) {
778 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
779 (otherAboutModuleFlags &
780 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
781 if (isSamePage &&
782 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
783 // XXXgijs: this is a hack. The target will be nested
784 // (with innerURI of moz-safe-about:whatever), and
785 // the source isn't, so we won't pass if we finish
786 // the loop. We *should* pass, though, so return here.
787 // This hack can go away when bug 1228118 is fixed.
788 return NS_OK;
789 }
790 }
791 }
792 } else {
793 bool equalExceptRef = false;
794 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
795 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
796 }
797
798 // If schemes are not equal, or they're equal but the target URI
799 // is different from the source URI and doesn't always allow linking
800 // from the same scheme, check if the URI flags of the current target
801 // URI allow the current source URI to link to it.
802 // The policy is specified by the protocol flags on both URIs.
803 if (!schemesMatch || (denySameSchemeLinks && !isSamePage)) {
804 return CheckLoadURIFlags(
805 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
806 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
807 aInnerWindowID);
808 }
809 // Otherwise... check if we can nest another level:
810 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
811 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
812
813 // If schemes match and neither URI is nested further, we're OK.
814 if (!nestedURI && !nestedOtherURI) {
815 return NS_OK;
816 }
817 // If one is nested and the other isn't, something is wrong.
818 if (!nestedURI != !nestedOtherURI) {
819 return NS_ERROR_DOM_BAD_URI;
820 }
821 // Otherwise, both should be nested and we'll go through the loop again.
822 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
823 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
824 }
825
826 // We should never get here. We should always return from inside the loop.
827 return NS_ERROR_DOM_BAD_URI;
828 }
829
830 /**
831 * Helper method to check whether the target URI and its innermost ("base") URI
832 * has protocol flags that should stop it from being loaded by the source URI
833 * (and/or the source URI's innermost ("base") URI), taking into account any
834 * nsIScriptSecurityManager flags originally passed to
835 * CheckLoadURIWithPrincipal and friends.
836 *
837 * @return if success, access is allowed. Otherwise, deny access
838 */
839 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
840 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
841 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
842 uint64_t aInnerWindowID) {
843 // Note that the order of policy checks here is very important!
844 // We start from most restrictive and work our way down.
845 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
846 const char* errorTag = "CheckLoadURIError";
847
848 nsAutoCString targetScheme;
849 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
850 if (NS_FAILED(rv)) return rv;
851
852 // Check for system target URI
853 rv = DenyAccessIfURIHasFlags(aTargetURI,
854 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
855 if (NS_FAILED(rv)) {
856 // Deny access, since the origin principal is not system
857 if (reportErrors) {
858 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
859 aInnerWindowID);
860 }
861 return rv;
862 }
863
864 // Used by ExtensionProtocolHandler to prevent loading extension resources
865 // in private contexts if the extension does not have permission.
866 if (aFromPrivateWindow) {
867 rv = DenyAccessIfURIHasFlags(
868 aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
869 if (NS_FAILED(rv)) {
870 if (reportErrors) {
871 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
872 aInnerWindowID);
873 }
874 return rv;
875 }
876 }
877
878 // Check for chrome target URI
879 bool targetURIIsUIResource = false;
880 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
881 &targetURIIsUIResource);
882 NS_ENSURE_SUCCESS(rv, rv);
883 if (targetURIIsUIResource) {
884 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
885 // loads (since docshell loads run the loaded content with its origin
886 // principal). We are effectively allowing resource:// and chrome://
887 // URIs to load as long as they are content accessible and as long
888 // they're not loading it as a document.
889 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
890 bool sourceIsUIResource = false;
891 rv = NS_URIChainHasFlags(aSourceBaseURI,
892 nsIProtocolHandler::URI_IS_UI_RESOURCE,
893 &sourceIsUIResource);
894 NS_ENSURE_SUCCESS(rv, rv);
895 if (sourceIsUIResource) {
896 // TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
897 // allows all UI resources to load
898 if (StaticPrefs::
899 security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
900 return NS_OK;
901 }
902 // Special case for moz-icon URIs loaded by a local resources like
903 // e.g. chrome: or resource:
904 if (targetScheme.EqualsLiteral("moz-icon")) {
905 return NS_OK;
906 }
907 }
908
909 if (targetScheme.EqualsLiteral("resource")) {
910 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
911 return NS_OK;
912 }
913
914 nsCOMPtr<nsIProtocolHandler> ph;
915 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
916 NS_ENSURE_SUCCESS(rv, rv);
917 if (!ph) {
918 return NS_ERROR_DOM_BAD_URI;
919 }
920
921 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
922 if (!rph) {
923 return NS_ERROR_DOM_BAD_URI;
924 }
925
926 bool accessAllowed = false;
927 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
928 if (accessAllowed) {
929 return NS_OK;
930 }
931 } else if (targetScheme.EqualsLiteral("chrome")) {
932 // Allow the load only if the chrome package is allowlisted.
933 nsCOMPtr<nsIXULChromeRegistry> reg(
934 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
935 if (reg) {
936 bool accessAllowed = false;
937 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
938 if (accessAllowed) {
939 return NS_OK;
940 }
941 }
942 } else if (targetScheme.EqualsLiteral("moz-page-thumb")) {
943 if (XRE_IsParentProcess()) {
944 return NS_OK;
945 }
946
947 auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
948 if (remoteType == PRIVILEGEDABOUT_REMOTE_TYPE) {
949 return NS_OK;
950 }
951 }
952 }
953
954 if (reportErrors) {
955 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
956 aInnerWindowID);
957 }
958 return NS_ERROR_DOM_BAD_URI;
959 }
960
961 // Check for target URI pointing to a file
962 bool targetURIIsLocalFile = false;
963 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
964 &targetURIIsLocalFile);
965 NS_ENSURE_SUCCESS(rv, rv);
966 if (targetURIIsLocalFile) {
967 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
968 // this array is empty.
969 bool isAllowlisted;
970 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
971 if (isAllowlisted) {
972 return NS_OK;
973 }
974
975 // Allow chrome://
976 if (aSourceBaseURI->SchemeIs("chrome")) {
977 return NS_OK;
978 }
979
980 // Nothing else.
981 if (reportErrors) {
982 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
983 aInnerWindowID);
984 }
985 return NS_ERROR_DOM_BAD_URI;
986 }
987
988 #ifdef DEBUG
989 {
990 // Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
991 // is handled by the caller which is just delegating to us as a helper.
992 bool hasSubsumersFlag = false;
993 NS_URIChainHasFlags(aTargetBaseURI,
994 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
995 &hasSubsumersFlag);
996 bool hasLoadableByAnyone = false;
997 NS_URIChainHasFlags(aTargetBaseURI,
998 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
999 &hasLoadableByAnyone);
1000 MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
1001 "why do we get here and do not have any of the two flags set?");
1002 }
1003 #endif
1004
1005 return NS_OK;
1006 }
1007
1008 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1009 const nsACString& aSourceSpec,
1010 const nsACString& aTargetSpec,
1011 bool aFromPrivateWindow,
1012 uint64_t aInnerWindowID) {
1013 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1014 return NS_OK;
1015 }
1016
1017 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1018 if (NS_WARN_IF(!bundle)) {
1019 return NS_OK;
1020 }
1021
1022 // Localize the error message
1023 nsAutoString message;
1024 AutoTArray<nsString, 2> formatStrings;
1025 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1026 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1027 nsresult rv =
1028 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1029 NS_ENSURE_SUCCESS(rv, rv);
1030
1031 nsCOMPtr<nsIConsoleService> console(
1032 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1033 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1034 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1035 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1036
1037 // using category of "SOP" so we can link to MDN
1038 if (aInnerWindowID != 0) {
1039 rv = error->InitWithWindowID(
1040 message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1041 aInnerWindowID, true /* From chrome context */);
1042 } else {
1043 rv = error->Init(message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag,
1044 "SOP", aFromPrivateWindow, true /* From chrome context */);
1045 }
1046 NS_ENSURE_SUCCESS(rv, rv);
1047 console->LogMessage(error);
1048 return NS_OK;
1049 }
1050
1051 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1052 nsIURI* aSource, nsIURI* aTarget,
1053 bool aFromPrivateWindow,
1054 uint64_t aInnerWindowID) {
1055 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1056
1057 // Get the source URL spec
1058 nsAutoCString sourceSpec;
1059 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1060 NS_ENSURE_SUCCESS(rv, rv);
1061
1062 // Get the target URL spec
1063 nsAutoCString targetSpec;
1064 rv = aTarget->GetAsciiSpec(targetSpec);
1065 NS_ENSURE_SUCCESS(rv, rv);
1066
1067 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1068 aInnerWindowID);
1069 }
1070
1071 NS_IMETHODIMP
1072 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1073 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1074 uint32_t aFlags) {
1075 nsresult rv;
1076 nsCOMPtr<nsIURI> target;
1077 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1078 NS_ENSURE_SUCCESS(rv, rv);
1079
1080 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1081 if (rv == NS_ERROR_DOM_BAD_URI) {
1082 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1083 // return values.
1084 return rv;
1085 }
1086 NS_ENSURE_SUCCESS(rv, rv);
1087
1088 // Now start testing fixup -- since aTargetURIStr is a string, not
1089 // an nsIURI, we may well end up fixing it up before loading.
1090 // Note: This needs to stay in sync with the nsIURIFixup api.
1091 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1092 if (!fixup) {
1093 return rv;
1094 }
1095
1096 // URIFixup's keyword and alternate flags can only fixup to http/https, so we
1097 // can skip testing them. This simplifies our life because this code can be
1098 // invoked from the content process where the search service would not be
1099 // available.
1100 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1101 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS};
1102 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1103 uint32_t fixupFlags = flags[i];
1104 if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1105 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1106 }
1107 nsCOMPtr<nsIURIFixupInfo> fixupInfo;
1108 rv = fixup->GetFixupURIInfo(aTargetURIStr, fixupFlags,
1109 getter_AddRefs(fixupInfo));
1110 NS_ENSURE_SUCCESS(rv, rv);
1111 rv = fixupInfo->GetPreferredURI(getter_AddRefs(target));
1112 NS_ENSURE_SUCCESS(rv, rv);
1113
1114 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1115 if (rv == NS_ERROR_DOM_BAD_URI) {
1116 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1117 // return values.
1118 return rv;
1119 }
1120 NS_ENSURE_SUCCESS(rv, rv);
1121 }
1122
1123 return rv;
1124 }
1125
1126 NS_IMETHODIMP
1127 nsScriptSecurityManager::CheckLoadURIWithPrincipalFromJS(
1128 nsIPrincipal* aPrincipal, nsIURI* aTargetURI, uint32_t aFlags,
1129 uint64_t aInnerWindowID, JSContext* aCx) {
1130 MOZ_ASSERT(aPrincipal,
1131 "CheckLoadURIWithPrincipalFromJS must have a principal");
1132 NS_ENSURE_ARG_POINTER(aPrincipal);
1133 NS_ENSURE_ARG_POINTER(aTargetURI);
1134
1135 nsresult rv =
1136 CheckLoadURIWithPrincipal(aPrincipal, aTargetURI, aFlags, aInnerWindowID);
1137 if (NS_FAILED(rv)) {
1138 nsAutoCString uriStr;
1139 Unused << aTargetURI->GetSpec(uriStr);
1140
1141 nsAutoCString message("Load of ");
1142 message.Append(uriStr);
1143
1144 nsAutoCString principalStr;
1145 Unused << aPrincipal->GetSpec(principalStr);
1146 if (!principalStr.IsEmpty()) {
1147 message.AppendPrintf(" from %s", principalStr.get());
1148 }
1149
1150 message.Append(" denied");
1151
1152 dom::Throw(aCx, rv, message);
1153 }
1154
1155 return rv;
1156 }
1157
1158 NS_IMETHODIMP
1159 nsScriptSecurityManager::CheckLoadURIStrWithPrincipalFromJS(
1160 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr, uint32_t aFlags,
1161 JSContext* aCx) {
1162 nsCOMPtr<nsIURI> targetURI;
1163 MOZ_TRY(NS_NewURI(getter_AddRefs(targetURI), aTargetURIStr));
1164
1165 return CheckLoadURIWithPrincipalFromJS(aPrincipal, targetURI, aFlags, 0, aCx);
1166 }
1167
1168 NS_IMETHODIMP
1169 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1170 MOZ_ASSERT(aUri);
1171 MOZ_ASSERT(aResult);
1172
1173 *aResult = false;
1174 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1175 if (EqualOrSubdomain(aUri, uri)) {
1176 *aResult = true;
1177 return NS_OK;
1178 }
1179 }
1180
1181 return NS_OK;
1182 }
1183
1184 ///////////////// Principals ///////////////////////
1185
1186 NS_IMETHODIMP
1187 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1188 NS_ADDREF(*result = mSystemPrincipal);
1189
1190 return NS_OK;
1191 }
1192
1193 NS_IMETHODIMP
1194 nsScriptSecurityManager::CreateContentPrincipal(
1195 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1196 nsIPrincipal** aPrincipal) {
1197 OriginAttributes attrs;
1198 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1199 return NS_ERROR_INVALID_ARG;
1200 }
1201 nsCOMPtr<nsIPrincipal> prin =
1202 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1203 prin.forget(aPrincipal);
1204 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1205 }
1206
1207 NS_IMETHODIMP
1208 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1209 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1210 if (StringBeginsWith(aOrigin, "["_ns)) {
1211 return NS_ERROR_INVALID_ARG;
1212 }
1213
1214 if (StringBeginsWith(aOrigin,
1215 nsLiteralCString(NS_NULLPRINCIPAL_SCHEME ":"))) {
1216 return NS_ERROR_INVALID_ARG;
1217 }
1218
1219 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1220 prin.forget(aPrincipal);
1221 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1222 }
1223
1224 NS_IMETHODIMP
1225 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1226 nsACString& aJSON) {
1227 aJSON.Truncate();
1228 if (!aPrincipal) {
1229 return NS_ERROR_FAILURE;
1230 }
1231
1232 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1233
1234 if (aJSON.IsEmpty()) {
1235 return NS_ERROR_FAILURE;
1236 }
1237
1238 return NS_OK;
1239 }
1240
1241 NS_IMETHODIMP
1242 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1243 nsIPrincipal** aPrincipal) {
1244 if (aJSON.IsEmpty()) {
1245 return NS_ERROR_FAILURE;
1246 }
1247
1248 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1249
1250 if (!principal) {
1251 return NS_ERROR_FAILURE;
1252 }
1253
1254 principal.forget(aPrincipal);
1255 return NS_OK;
1256 }
1257
1258 NS_IMETHODIMP
1259 nsScriptSecurityManager::CreateNullPrincipal(
1260 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1261 nsIPrincipal** aPrincipal) {
1262 OriginAttributes attrs;
1263 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1264 return NS_ERROR_INVALID_ARG;
1265 }
1266 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1267 prin.forget(aPrincipal);
1268 return NS_OK;
1269 }
1270
1271 NS_IMETHODIMP
1272 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1273 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1274 NS_ENSURE_STATE(aLoadContext);
1275 OriginAttributes docShellAttrs;
1276 aLoadContext->GetOriginAttributes(docShellAttrs);
1277
1278 nsCOMPtr<nsIPrincipal> prin =
1279 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1280 prin.forget(aPrincipal);
1281 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1282 }
1283
1284 NS_IMETHODIMP
1285 nsScriptSecurityManager::GetDocShellContentPrincipal(
1286 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1287 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1288 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1289 prin.forget(aPrincipal);
1290 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1291 }
1292
1293 NS_IMETHODIMP
1294 nsScriptSecurityManager::PrincipalWithOA(
1295 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1296 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1297 if (!aPrincipal) {
1298 return NS_OK;
1299 }
1300 if (aPrincipal->GetIsContentPrincipal()) {
1301 OriginAttributes attrs;
1302 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1303 return NS_ERROR_INVALID_ARG;
1304 }
1305 RefPtr<ContentPrincipal> copy = new ContentPrincipal();
1306 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1307 nsresult rv = copy->Init(contentPrincipal, attrs);
1308 NS_ENSURE_SUCCESS(rv, rv);
1309 copy.forget(aReturnPrincipal);
1310 } else {
1311 // We do this for null principals, system principals (both fine)
1312 // ... and expanded principals, where we should probably do something
1313 // cleverer, but I also don't think we care too much.
1314 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1315 prin.forget(aReturnPrincipal);
1316 }
1317
1318 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1319 }
1320
1321 NS_IMETHODIMP
1322 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1323 nsISupports* aObj,
1324 nsIClassInfo* aClassInfo) {
1325 // XXX Special case for Exception ?
1326
1327 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1328 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1329 MOZ_RELEASE_ASSERT(contextRealm);
1330 if (!xpc::AllowContentXBLScope(contextRealm)) {
1331 return NS_OK;
1332 }
1333
1334 if (nsContentUtils::IsCallerChrome()) {
1335 return NS_OK;
1336 }
1337
1338 //-- Access denied, report an error
1339 nsAutoCString originUTF8;
1340 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1341 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1342 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1343 nsAutoCString classInfoNameUTF8;
1344 if (aClassInfo) {
1345 aClassInfo->GetClassDescription(classInfoNameUTF8);
1346 }
1347 if (classInfoNameUTF8.IsEmpty()) {
1348 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1349 }
1350
1351 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1352 if (NS_WARN_IF(!bundle)) {
1353 return NS_OK;
1354 }
1355
1356 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1357 nsresult rv;
1358 nsAutoString errorMsg;
1359 if (originUTF16.IsEmpty()) {
1360 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1361 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1362 errorMsg);
1363 } else {
1364 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1365 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1366 formatStrings, errorMsg);
1367 }
1368 NS_ENSURE_SUCCESS(rv, rv);
1369
1370 SetPendingException(cx, errorMsg.get());
1371 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1372 }
1373
1374 NS_IMETHODIMP
1375 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1376 if (nsContentUtils::IsCallerChrome()) {
1377 return NS_OK;
1378 }
1379
1380 //-- Access denied, report an error
1381 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1382 char cidStr[NSID_LENGTH];
1383 aCID.ToProvidedString(cidStr);
1384 errorMsg.Append(cidStr);
1385 SetPendingExceptionASCII(cx, errorMsg.get());
1386 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1387 }
1388
1389 NS_IMETHODIMP
1390 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1391 if (nsContentUtils::IsCallerChrome()) {
1392 return NS_OK;
1393 }
1394
1395 //-- Access denied, report an error
1396 nsAutoCString errorMsg("Permission denied to get service. CID=");
1397 char cidStr[NSID_LENGTH];
1398 aCID.ToProvidedString(cidStr);
1399 errorMsg.Append(cidStr);
1400 SetPendingExceptionASCII(cx, errorMsg.get());
1401 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1402 }
1403
1404 const char sJSEnabledPrefName[] = "javascript.enabled";
1405 const char sFileOriginPolicyPrefName[] =
1406 "security.fileuri.strict_origin_policy";
1407
1408 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1409 sFileOriginPolicyPrefName,
1410 "capability.policy.", nullptr};
1411
1412 /////////////////////////////////////////////
1413 // Constructor, Destructor, Initialization //
1414 /////////////////////////////////////////////
1415 nsScriptSecurityManager::nsScriptSecurityManager(void)
1416 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1417 static_assert(
1418 sizeof(intptr_t) == sizeof(void*),
1419 "intptr_t and void* have different lengths on this platform. "
1420 "This may cause a security failure with the SecurityLevel union.");
1421 }
1422
1423 nsresult nsScriptSecurityManager::Init() {
1424 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1425 NS_ENSURE_SUCCESS(rv, rv);
1426
1427 InitPrefs();
1428
1429 // Create our system principal singleton
1430 RefPtr<SystemPrincipal> system = SystemPrincipal::Create();
1431
1432 mSystemPrincipal = system;
1433
1434 return NS_OK;
1435 }
1436
1437 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1438 //-- Register security check callback in the JS engine
1439 // Currently this is used to control access to function.caller
1440
1441 static const JSSecurityCallbacks securityCallbacks = {
1442 ContentSecurityPolicyPermitsJSAction,
1443 JSPrincipalsSubsume,
1444 };
1445
1446 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1447 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1448 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1449
1450 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1451 }
1452
1453 /* static */
1454 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1455 JS_SetSecurityCallbacks(aCx, nullptr);
1456 JS_SetTrustedPrincipals(aCx, nullptr);
1457 }
1458
1459 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1460
1461 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1462 Preferences::UnregisterPrefixCallbacks(
1463 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1464 if (mDomainPolicy) {
1465 mDomainPolicy->Deactivate();
1466 }
1467 // ContentChild might hold a reference to the domain policy,
1468 // and it might release it only after the security manager is
1469 // gone. But we can still assert this for the main process.
1470 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1471 }
1472
1473 void nsScriptSecurityManager::Shutdown() {
1474 NS_IF_RELEASE(sIOService);
1475 BundleHelper::Shutdown();
1476 }
1477
1478 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1479 return gScriptSecMan;
1480 }
1481
1482 /* static */
1483 void nsScriptSecurityManager::InitStatics() {
1484 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1485 nsresult rv = ssManager->Init();
1486 if (NS_FAILED(rv)) {
1487 MOZ_CRASH("ssManager->Init() failed");
1488 }
1489
1490 ClearOnShutdown(&gScriptSecMan);
1491 gScriptSecMan = ssManager;
1492 }
1493
1494 // Currently this nsGenericFactory constructor is used only from FastLoad
1495 // (XPCOM object deserialization) code, when "creating" the system principal
1496 // singleton.
1497 already_AddRefed<SystemPrincipal>
1498 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1499 if (gScriptSecMan)
1500 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1501 .downcast<SystemPrincipal>();
1502 return nullptr;
1503 }
1504
1505 struct IsWhitespace {
1506 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1507 };
1508 struct IsWhitespaceOrComma {
1509 static bool Test(char aChar) {
1510 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1511 };
1512 };
1513
1514 template <typename Predicate>
1515 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1516 while (base < str.Length() && Predicate::Test(str[base])) {
1517 ++base;
1518 }
1519 return base;
1520 }
1521
1522 template <typename Predicate>
1523 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1524 while (base < str.Length() && !Predicate::Test(str[base])) {
1525 ++base;
1526 }
1527 return base;
1528 }
1529
1530 // static
1531 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1532 void* aSelf) {
1533 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1534 aPref);
1535 }
1536
1537 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1538 const char* aPref) {
1539 MOZ_ASSERT(mPrefInitialized);
1540 mIsJavaScriptEnabled =
1541 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1542 sStrictFileOriginPolicy =
1543 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1544 mFileURIAllowlist.reset();
1545 }
1546
1547 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1548 const nsCString& aSiteList) {
1549 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1550 base < aSiteList.Length();
1551 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1552 // Grab the current site.
1553 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1554 nsAutoCString site(Substring(aSiteList, base, bound - base));
1555
1556 // Check if the URI is schemeless. If so, add both http and https.
1557 nsAutoCString unused;
1558 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1559 AddSitesToFileURIAllowlist("http://"_ns + site);
1560 AddSitesToFileURIAllowlist("https://"_ns + site);
1561 continue;
1562 }
1563
1564 // Convert it to a URI and add it to our list.
1565 nsCOMPtr<nsIURI> uri;
1566 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1567 if (NS_SUCCEEDED(rv)) {
1568 mFileURIAllowlist.ref().AppendElement(uri);
1569 } else {
1570 nsCOMPtr<nsIConsoleService> console(
1571 do_GetService("@mozilla.org/consoleservice;1"));
1572 if (console) {
1573 nsAutoString msg =
1574 u"Unable to to add site to file:// URI allowlist: "_ns +
1575 NS_ConvertASCIItoUTF16(site);
1576 console->LogStringMessage(msg.get());
1577 }
1578 }
1579 }
1580 }
1581
1582 nsresult nsScriptSecurityManager::InitPrefs() {
1583 nsIPrefBranch* branch = Preferences::GetRootBranch();
1584 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1585
1586 mPrefInitialized = true;
1587
1588 // Set the initial value of the "javascript.enabled" prefs
1589 ScriptSecurityPrefChanged();
1590
1591 // set observer callbacks in case the value of the prefs change
1592 Preferences::RegisterPrefixCallbacks(
1593 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1594
1595 return NS_OK;
1596 }
1597
1598 NS_IMETHODIMP
1599 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1600 *aRv = !!mDomainPolicy;
1601 return NS_OK;
1602 }
1603
1604 NS_IMETHODIMP
1605 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1606 if (!XRE_IsParentProcess()) {
1607 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1608 }
1609
1610 return ActivateDomainPolicyInternal(aRv);
1611 }
1612
1613 NS_IMETHODIMP
1614 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1615 // We only allow one domain policy at a time. The holder of the previous
1616 // policy must explicitly deactivate it first.
1617 if (mDomainPolicy) {
1618 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1619 }
1620
1621 mDomainPolicy = new DomainPolicy();
1622 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1623 ptr.forget(aRv);
1624 return NS_OK;
1625 }
1626
1627 // Intentionally non-scriptable. Script must have a reference to the
1628 // nsIDomainPolicy to deactivate it.
1629 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1630 mDomainPolicy = nullptr;
1631 }
1632
1633 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1634 MOZ_ASSERT(aClone);
1635 if (mDomainPolicy) {
1636 mDomainPolicy->CloneDomainPolicy(aClone);
1637 } else {
1638 aClone->active() = false;
1639 }
1640 }
1641
1642 NS_IMETHODIMP
1643 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1644 nsresult rv;
1645
1646 // Compute our rule. If we don't have any domain policy set up that might
1647 // provide exceptions to this rule, we're done.
1648 *aRv = mIsJavaScriptEnabled;
1649 if (!mDomainPolicy) {
1650 return NS_OK;
1651 }
1652
1653 // We have a domain policy. Grab the appropriate set of exceptions to the
1654 // rule (either the blocklist or the allowlist, depending on whether script
1655 // is enabled or disabled by default).
1656 nsCOMPtr<nsIDomainSet> exceptions;
1657 nsCOMPtr<nsIDomainSet> superExceptions;
1658 if (*aRv) {
1659 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1660 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1661 } else {
1662 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1663 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1664 }
1665
1666 bool contains;
1667 rv = exceptions->Contains(aURI, &contains);
1668 NS_ENSURE_SUCCESS(rv, rv);
1669 if (contains) {
1670 *aRv = !*aRv;
1671 return NS_OK;
1672 }
1673 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1674 NS_ENSURE_SUCCESS(rv, rv);
1675 if (contains) {
1676 *aRv = !*aRv;
1677 }
1678
1679 return NS_OK;
1680 }
1681
1682 const nsTArray<nsCOMPtr<nsIURI>>&
1683 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1684 if (mFileURIAllowlist.isSome()) {
1685 return mFileURIAllowlist.ref();
1686 }
1687
1688 //
1689 // Rebuild the set of principals for which we allow file:// URI loads. This
1690 // implements a small subset of an old pref-based CAPS people that people
1691 // have come to depend on. See bug 995943.
1692 //
1693
1694 mFileURIAllowlist.emplace();
1695 nsAutoCString policies;
1696 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1697 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1698 base < policies.Length();
1699 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1700 // Grab the current policy name.
1701 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1702 auto policyName = Substring(policies, base, bound - base);
1703
1704 // Figure out if this policy allows loading file:// URIs. If not, we can
1705 // skip it.
1706 nsCString checkLoadURIPrefName =
1707 "capability.policy."_ns + policyName + ".checkloaduri.enabled"_ns;
1708 nsAutoString value;
1709 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1710 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1711 continue;
1712 }
1713
1714 // Grab the list of domains associated with this policy.
1715 nsCString domainPrefName =
1716 "capability.policy."_ns + policyName + ".sites"_ns;
1717 nsAutoCString siteList;
1718 Preferences::GetCString(domainPrefName.get(), siteList);
1719 AddSitesToFileURIAllowlist(siteList);
1720 }
1721
1722 return mFileURIAllowlist.ref();
1723 }