dom/security/ReferrerInfo.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef mozilla_dom_ReferrerInfo_h
   8 #define mozilla_dom_ReferrerInfo_h
   9
  10 #include "nsCOMPtr.h"
  11 #include "nsIReferrerInfo.h"
  12 #include "nsReadableUtils.h"
  13 #include "mozilla/Maybe.h"
  14 #include "mozilla/HashFunctions.h"
  15 #include "mozilla/dom/ReferrerPolicyBinding.h"
  16
  17 #define REFERRERINFO_CONTRACTID "@mozilla.org/referrer-info;1"
  18 // 041a129f-10ce-4bda-a60d-e027a26d5ed0
  19 #define REFERRERINFO_CID                             \
  20   {                                                  \
  21     0x041a129f, 0x10ce, 0x4bda, {                    \
  22       0xa6, 0x0d, 0xe0, 0x27, 0xa2, 0x6d, 0x5e, 0xd0 \
  23     }                                                \
  24   }
  25
  26 class nsIHttpChannel;
  27 class nsIURI;
  28 class nsIChannel;
  29 class nsILoadInfo;
  30 class nsINode;
  31 class nsIPrincipal;
  32
  33 namespace mozilla {
  34 class StyleSheet;
  35 class URLAndReferrerInfo;
  36
  37 namespace net {
  38 class HttpBaseChannel;
  39 class nsHttpChannel;
  40 }  // namespace net
  41 }  // namespace mozilla
  42
  43 namespace mozilla::dom {
  44
  45 /**
  46  * The ReferrerInfo class holds the raw referrer and potentially a referrer
  47  * policy which allows to query the computed referrer which should be applied to
  48  * a channel as the actual referrer value.
  49  *
  50  * The ReferrerInfo class solely contains readonly fields and represents a 1:1
  51  * sync to the referrer header of the corresponding channel. In turn that means
  52  * the class is immutable - so any modifications require to clone the current
  53  * ReferrerInfo.
  54  *
  55  * For example if a request undergoes a redirect, the new channel
  56  * will need a new ReferrerInfo clone with members being updated accordingly.
  57  */
  58
  59 class ReferrerInfo : public nsIReferrerInfo {
  60  public:
  61   typedef enum ReferrerPolicy ReferrerPolicyEnum;
  62   ReferrerInfo();
  63
  64   explicit ReferrerInfo(
  65       nsIURI* aOriginalReferrer,
  66       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty,
  67       bool aSendReferrer = true,
  68       const Maybe<nsCString>& aComputedReferrer = Maybe<nsCString>());
  69
  70   // Creates already initialized ReferrerInfo from an element or a document.
  71   explicit ReferrerInfo(const Element&);
  72   explicit ReferrerInfo(const Document&);
  73
  74   // Creates already initialized ReferrerInfo from an element or a document with
  75   // a specific referrer policy.
  76   ReferrerInfo(const Element&, ReferrerPolicyEnum);
  77
  78   // create an exact copy of the ReferrerInfo
  79   already_AddRefed<ReferrerInfo> Clone() const;
  80
  81   // create an copy of the ReferrerInfo with new referrer policy
  82   already_AddRefed<ReferrerInfo> CloneWithNewPolicy(
  83       ReferrerPolicyEnum aPolicy) const;
  84
  85   // create an copy of the ReferrerInfo with new send referrer
  86   already_AddRefed<ReferrerInfo> CloneWithNewSendReferrer(
  87       bool aSendReferrer) const;
  88
  89   // create an copy of the ReferrerInfo with new original referrer
  90   already_AddRefed<ReferrerInfo> CloneWithNewOriginalReferrer(
  91       nsIURI* aOriginalReferrer) const;
  92
  93   // Record the telemetry for the referrer policy.
  94   void RecordTelemetry(nsIHttpChannel* aChannel);
  95
  96   /*
  97    * Helper function to create a new ReferrerInfo object from a given document
  98    * and override referrer policy if needed (for example, when parsing link
  99    * header or speculative loading).
 100    *
 101    * @param aDocument the document to init referrerInfo object.
 102    * @param aPolicyOverride referrer policy to override if necessary.
 103    */
 104   static already_AddRefed<nsIReferrerInfo> CreateFromDocumentAndPolicyOverride(
 105       Document* aDoc, ReferrerPolicyEnum aPolicyOverride);
 106
 107   /*
 108    * Implements step 3.1 and 3.3 of the Determine request's Referrer algorithm
 109    * from the Referrer Policy specification.
 110    *
 111    * https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
 112    */
 113   static already_AddRefed<nsIReferrerInfo> CreateForFetch(
 114       nsIPrincipal* aPrincipal, Document* aDoc);
 115
 116   /**
 117    * Helper function to create new ReferrerInfo object from a given external
 118    * stylesheet. The returned nsIReferrerInfo object will be used for any
 119    * requests or resources referenced by the sheet.
 120    *
 121    * @param aSheet the stylesheet to init referrerInfo.
 122    * @param aPolicy referrer policy from header if there's any.
 123    */
 124   static already_AddRefed<nsIReferrerInfo> CreateForExternalCSSResources(
 125       StyleSheet* aExternalSheet,
 126       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty);
 127
 128   /**
 129    * Helper function to create new ReferrerInfo object from a given document.
 130    * The returned nsIReferrerInfo object will be used for any requests or
 131    * resources referenced by internal stylesheet (for example style="" or
 132    * wrapped by <style> tag), as well as SVG resources.
 133    *
 134    * @param aDocument the document to init referrerInfo object.
 135    */
 136   static already_AddRefed<nsIReferrerInfo> CreateForInternalCSSAndSVGResources(
 137       Document* aDocument);
 138
 139   /**
 140    * Check whether the given referrer's scheme is allowed to be computed and
 141    * sent. The allowlist schemes are: http, https.
 142    */
 143   static bool IsReferrerSchemeAllowed(nsIURI* aReferrer);
 144
 145   /*
 146    * The Referrer Policy should be inherited for nested browsing contexts that
 147    * are not created from responses. Such as: srcdoc, data, blob.
 148    */
 149   static bool ShouldResponseInheritReferrerInfo(nsIChannel* aChannel);
 150
 151   /*
 152    * Check whether referrer is allowed to send in secure to insecure scenario.
 153    */
 154   static nsresult HandleSecureToInsecureReferral(nsIURI* aOriginalURI,
 155                                                  nsIURI* aURI,
 156                                                  ReferrerPolicyEnum aPolicy,
 157                                                  bool& aAllowed);
 158
 159   /**
 160    * Returns true if the given channel is cross-origin request
 161    *
 162    * Computing whether the request is cross-origin may be expensive, so please
 163    * do that in cases where we're going to use this information later on.
 164    */
 165   static bool IsCrossOriginRequest(nsIHttpChannel* aChannel);
 166
 167   /**
 168    * Returns true if aReferrer's origin and aChannel's URI are cross-origin.
 169    */
 170   static bool IsReferrerCrossOrigin(nsIHttpChannel* aChannel,
 171                                     nsIURI* aReferrer);
 172
 173   /**
 174    * Returns true if the given channel is cross-site request.
 175    */
 176   static bool IsCrossSiteRequest(nsIHttpChannel* aChannel);
 177
 178   /**
 179    * Returns true if the given channel is suppressed by Referrer-Policy header
 180    * and should set "null" to Origin header.
 181    */
 182   static bool ShouldSetNullOriginHeader(net::HttpBaseChannel* aChannel,
 183                                         nsIURI* aOriginURI);
 184
 185   /**
 186    * Getter for network.http.sendRefererHeader.
 187    */
 188   static uint32_t GetUserReferrerSendingPolicy();
 189
 190   /**
 191    * Getter for network.http.referer.XOriginPolicy.
 192    */
 193   static uint32_t GetUserXOriginSendingPolicy();
 194
 195   /**
 196    * Getter for network.http.referer.trimmingPolicy.
 197    */
 198   static uint32_t GetUserTrimmingPolicy();
 199
 200   /**
 201    * Getter for network.http.referer.XOriginTrimmingPolicy.
 202    */
 203   static uint32_t GetUserXOriginTrimmingPolicy();
 204
 205   /**
 206    * Return default referrer policy which is controlled by user
 207    * prefs:
 208    * network.http.referer.defaultPolicy for regular mode
 209    * network.http.referer.defaultPolicy.trackers for third-party trackers
 210    * in regular mode
 211    * network.http.referer.defaultPolicy.pbmode for private mode
 212    * network.http.referer.defaultPolicy.trackers.pbmode for third-party trackers
 213    * in private mode
 214    */
 215   static ReferrerPolicyEnum GetDefaultReferrerPolicy(
 216       nsIHttpChannel* aChannel = nullptr, nsIURI* aURI = nullptr,
 217       bool aPrivateBrowsing = false);
 218
 219   /**
 220    * Return default referrer policy for third party which is controlled by user
 221    * prefs:
 222    * network.http.referer.defaultPolicy.trackers for regular mode
 223    * network.http.referer.defaultPolicy.trackers.pbmode for private mode
 224    */
 225   static ReferrerPolicyEnum GetDefaultThirdPartyReferrerPolicy(
 226       bool aPrivateBrowsing = false);
 227
 228   /*
 229    * Helper function to parse ReferrerPolicy from meta tag referrer content.
 230    * For example: <meta name="referrer" content="origin">
 231    *
 232    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 233    *                 e.g. "origin".
 234    */
 235   static ReferrerPolicyEnum ReferrerPolicyFromMetaString(
 236       const nsAString& aContent);
 237
 238   /*
 239    * Helper function to parse ReferrerPolicy from string content of
 240    * referrerpolicy attribute.
 241    * For example: <a href="http://example.com" referrerpolicy="no-referrer">
 242    *
 243    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 244    *                 e.g. "no-referrer".
 245    */
 246   static ReferrerPolicyEnum ReferrerPolicyAttributeFromString(
 247       const nsAString& aContent);
 248
 249   /*
 250    * Helper function to parse ReferrerPolicy from string content of
 251    * Referrer-Policy header.
 252    * For example: Referrer-Policy: origin no-referrer
 253    * https://www.w3.org/tr/referrer-policy/#parse-referrer-policy-from-header
 254    *
 255    * @param aContent content string to be transformed into ReferrerPolicyEnum.
 256    *                e.g. "origin no-referrer"
 257    */
 258   static ReferrerPolicyEnum ReferrerPolicyFromHeaderString(
 259       const nsAString& aContent);
 260
 261   /**
 262    * Hash function for this object
 263    */
 264   HashNumber Hash() const;
 265
 266   NS_DECL_THREADSAFE_ISUPPORTS
 267   NS_DECL_NSIREFERRERINFO
 268   NS_DECL_NSISERIALIZABLE
 269
 270  private:
 271   virtual ~ReferrerInfo() = default;
 272
 273   ReferrerInfo(const ReferrerInfo& rhs);
 274
 275   /*
 276    * Trimming policy when compute referrer, indicate how much information in the
 277    * referrer will be sent. Order matters here.
 278    */
 279   enum TrimmingPolicy : uint32_t {
 280     ePolicyFullURI = 0,
 281     ePolicySchemeHostPortPath = 1,
 282     ePolicySchemeHostPort = 2,
 283   };
 284
 285   /*
 286    * Referrer sending policy, indicates type of action could trigger to send
 287    * referrer header, not send at all, send only with user's action (click on a
 288    * link) or send even with inline content request (image request).
 289    * Order matters here.
 290    */
 291   enum ReferrerSendingPolicy : uint32_t {
 292     ePolicyNotSend = 0,
 293     ePolicySendWhenUserTrigger = 1,
 294     ePolicySendInlineContent = 2,
 295   };
 296
 297   /*
 298    * Sending referrer when cross origin policy, indicates when referrer should
 299    * be send when compare 2 origins. Order matters here.
 300    */
 301   enum XOriginSendingPolicy : uint32_t {
 302     ePolicyAlwaysSend = 0,
 303     ePolicySendWhenSameDomain = 1,
 304     ePolicySendWhenSameHost = 2,
 305   };
 306
 307   /*
 308    * Handle user controlled pref network.http.referer.XOriginPolicy
 309    */
 310   nsresult HandleUserXOriginSendingPolicy(nsIURI* aURI, nsIURI* aReferrer,
 311                                           bool& aAllowed) const;
 312
 313   /*
 314    * Handle user controlled pref network.http.sendRefererHeader
 315    */
 316   nsresult HandleUserReferrerSendingPolicy(nsIHttpChannel* aChannel,
 317                                            bool& aAllowed) const;
 318
 319   /*
 320    * Compute trimming policy from user controlled prefs.
 321    * This function is called when we already made sure a nonempty referrer is
 322    * allowed to send.
 323    */
 324   TrimmingPolicy ComputeTrimmingPolicy(nsIHttpChannel* aChannel,
 325                                        nsIURI* aReferrer) const;
 326
 327   // HttpBaseChannel could access IsInitialized() and ComputeReferrer();
 328   friend class mozilla::net::HttpBaseChannel;
 329
 330   /*
 331    * Compute referrer for a given channel. The computation result then will be
 332    * stored in this class and then used to set the actual referrer header of
 333    * the channel. The computation could be controlled by several user prefs
 334    * which are defined in StaticPrefList.yaml (see StaticPrefList.yaml for more
 335    * details):
 336    *  network.http.sendRefererHeader
 337    *  network.http.referer.spoofSource
 338    *  network.http.referer.hideOnionSource
 339    *  network.http.referer.XOriginPolicy
 340    *  network.http.referer.trimmingPolicy
 341    *  network.http.referer.XOriginTrimmingPolicy
 342    */
 343   nsresult ComputeReferrer(nsIHttpChannel* aChannel);
 344
 345   /*
 346    * Check whether the ReferrerInfo has been initialized or not.
 347    */
 348   bool IsInitialized() { return mInitialized; }
 349
 350   // nsHttpChannel, Document could access IsPolicyOverrided();
 351   friend class mozilla::net::nsHttpChannel;
 352   friend class mozilla::dom::Document;
 353   /*
 354    * Check whether if unset referrer policy is overrided by default or not
 355    */
 356   bool IsPolicyOverrided() { return mOverridePolicyByDefault; }
 357
 358   /*
 359    *  Get origin string from a given valid referrer URI (http, https)
 360    *
 361    *  @aReferrer - the full referrer URI
 362    *  @aResult - the resulting aReferrer in string format.
 363    */
 364   nsresult GetOriginFromReferrerURI(nsIURI* aReferrer,
 365                                     nsACString& aResult) const;
 366
 367   /*
 368    * Trim a given referrer with a given a trimming policy,
 369    */
 370   nsresult TrimReferrerWithPolicy(nsIURI* aReferrer,
 371                                   TrimmingPolicy aTrimmingPolicy,
 372                                   nsACString& aResult) const;
 373
 374   /**
 375    * Returns true if we should ignore less restricted referrer policies,
 376    * including 'unsafe_url', 'no_referrer_when_downgrade' and
 377    * 'origin_when_cross_origin', for the given channel. We only apply this
 378    * restriction for cross-site requests. For the same-site request, we will
 379    * still allow overriding the default referrer policy with less restricted
 380    * one.
 381    *
 382    * Note that the channel triggered by the system and the extension will be
 383    * exempt from this restriction.
 384    */
 385   bool ShouldIgnoreLessRestrictedPolicies(
 386       nsIHttpChannel* aChannel, const ReferrerPolicyEnum aPolicy) const;
 387
 388   /*
 389    *  Limit referrer length using the following ruleset:
 390    *   - If the length of referrer URL is over max length, strip down to origin.
 391    *   - If the origin is still over max length, remove the referrer entirely.
 392    *
 393    *  This function comlements TrimReferrerPolicy and needs to be called right
 394    *  after TrimReferrerPolicy.
 395    *
 396    *  @aChannel - used to query information needed for logging to the console.
 397    *  @aReferrer - the full referrer URI; needs to be identical to aReferrer
 398    *               passed to TrimReferrerPolicy.
 399    *  @aTrimmingPolicy - represents the trimming policy which was applied to the
 400    *                     referrer; needs to be identical to aTrimmingPolicy
 401    *                     passed to TrimReferrerPolicy.
 402    *  @aInAndOutTrimmedReferrer -  an in and outgoing argument representing the
 403    *                               referrer value. Please pass the result of
 404    *                               TrimReferrerWithPolicy as
 405    *                               aInAndOutTrimmedReferrer which will then be
 406    *                               reduced to the origin or completely truncated
 407    *                               in case the referrer value exceeds the length
 408    *                               limitation.
 409    */
 410   nsresult LimitReferrerLength(nsIHttpChannel* aChannel, nsIURI* aReferrer,
 411                                TrimmingPolicy aTrimmingPolicy,
 412                                nsACString& aInAndOutTrimmedReferrer) const;
 413
 414   /**
 415    * The helper function to read the old data format before gecko 100 for
 416    * deserialization.
 417    */
 418   nsresult ReadTailDataBeforeGecko100(const uint32_t& aData,
 419                                       nsIObjectInputStream* aInputStream);
 420
 421   /*
 422    * Write message to the error console
 423    */
 424   void LogMessageToConsole(nsIHttpChannel* aChannel, const char* aMsg,
 425                            const nsTArray<nsString>& aParams) const;
 426
 427   friend class mozilla::URLAndReferrerInfo;
 428
 429   nsCOMPtr<nsIURI> mOriginalReferrer;
 430
 431   ReferrerPolicyEnum mPolicy;
 432
 433   // The referrer policy that has been set originally for the channel. Note that
 434   // the policy may have been overridden by the default referrer policy, so we
 435   // need to keep track of this if we need to recover the original referrer
 436   // policy.
 437   ReferrerPolicyEnum mOriginalPolicy;
 438
 439   // Indicates if the referrer should be sent or not even when it's available
 440   // (default is true).
 441   bool mSendReferrer;
 442
 443   // Since the ReferrerInfo is immutable, we use this member as a helper to
 444   // ensure no one can call e.g. init() twice to modify state of the
 445   // ReferrerInfo.
 446   bool mInitialized;
 447
 448   // Indicates if unset referrer policy is overrided by default
 449   bool mOverridePolicyByDefault;
 450
 451   // Store a computed referrer for a given channel
 452   Maybe<nsCString> mComputedReferrer;
 453
 454 #ifdef DEBUG
 455   // Indicates if the telemetry has been recorded. This is used to make sure the
 456   // telemetry will be only recored once.
 457   bool mTelemetryRecorded = false;
 458 #endif  // DEBUG
 459 };
 460
 461 }  // namespace mozilla::dom
 462
 463 #endif  // mozilla_dom_ReferrerInfo_h