| blob | edaddf779a4d72806ffaf3db60e1def1e3e3c37e |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set sw=2 ts=8 et tw=80 : */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
70 // Create key from baseDomain that will access the default cookie namespace.
71 // TODO: When we figure out what the API will look like for nsICookieManager{2}
72 // on content processes (see bug 777620), change to use the appropriate app
73 // namespace. For now those IDLs aren't supported on child processes.
74 #define DEFAULT_APP_KEY(baseDomain) \
75 nsCookieKey(baseDomain, OriginAttributes())
77 /******************************************************************************
78 * nsCookieService impl:
79 * useful types & constants
80 ******************************************************************************/
85 // XXX_hack. See bug 178993.
86 // This is a hack to hide HttpOnly cookies from older browsers
90 #define COOKIES_SCHEMA_VERSION 9
92 // parameter indexes; see |Read|
93 #define IDX_NAME 0
94 #define IDX_VALUE 1
95 #define IDX_HOST 2
96 #define IDX_PATH 3
97 #define IDX_EXPIRY 4
98 #define IDX_LAST_ACCESSED 5
99 #define IDX_CREATION_TIME 6
100 #define IDX_SECURE 7
101 #define IDX_HTTPONLY 8
102 #define IDX_BASE_DOMAIN 9
103 #define IDX_ORIGIN_ATTRIBUTES 10
104 #define IDX_SAME_SITE 11
113 #undef LIMIT
114 #define LIMIT(x, low, high, default) ((x) >= (low) && (x) <= (high) ? (x) : (default))
116 #undef ADD_TEN_PERCENT
117 #define ADD_TEN_PERCENT(i) static_cast<uint32_t>((i) + (i)/10)
119 // default limits for the cookie list. these can be tuned by the
120 // network.cookie.maxNumber and network.cookie.maxPerHost prefs respectively.
127 // pref string constants
134 static const char kPrefThirdPartyNonsecureSession[] = "network.cookie.thirdparty.nonsecureSessionOnly";
137 // For telemetry COOKIE_LEAVE_SECURE_ALONE
138 #define BLOCKED_SECURE_SET_FROM_HTTP 0
139 #define BLOCKED_DOWNGRADE_SECURE_INEXACT 1
140 #define DOWNGRADE_SECURE_FROM_SECURE_INEXACT 2
141 #define EVICTED_NEWER_INSECURE 3
142 #define EVICTED_OLDEST_COOKIE 4
143 #define EVICTED_PREFERRED_COOKIE 5
144 #define EVICTING_SECURE_BLOCKED 6
145 #define BLOCKED_DOWNGRADE_SECURE_EXACT 7
146 #define DOWNGRADE_SECURE_FROM_SECURE_EXACT 8
148 static void
153 // stores the nsCookieEntry entryclass and an index into the cookie array
154 // within that entryclass, for purposes of storing an iteration state that
155 // points to a certain cookie.
156 struct nsListIter
157 {
158 // default (non-initializing) constructor.
161 // explicit constructor to a given iterator state with entryclass 'aEntry'
162 // and index 'aIndex'.
163 explicit
167 {
168 }
170 // get the nsCookie * the iterator currently points to.
172 {
174 }
178 };
180 /******************************************************************************
181 * Cookie logging handlers
182 * used for logging in nsCookieService
183 ******************************************************************************/
185 // logging handlers
186 #ifdef MOZ_LOGGING
187 // in order to do logging, the following environment variables need to be set:
188 //
189 // set MOZ_LOG=cookie:3 -- shows rejected cookies
190 // set MOZ_LOG=cookie:4 -- shows accepted and rejected cookies
191 // set MOZ_LOG_FILE=cookie.log
192 //
194 #endif
196 // define logging macros for convenience
197 #define SET_COOKIE true
198 #define GET_COOKIE false
202 #define COOKIE_LOGFAILURE(a, b, c, d) LogFailure(a, b, c, d)
203 #define COOKIE_LOGSUCCESS(a, b, c, d, e) LogSuccess(a, b, c, d, e)
205 #define COOKIE_LOGEVICTED(a, details) \
206 PR_BEGIN_MACRO \
207 if (MOZ_LOG_TEST(gCookieLog, LogLevel::Debug)) \
208 LogEvicted(a, details); \
209 PR_END_MACRO
211 #define COOKIE_LOGSTRING(lvl, fmt) \
212 PR_BEGIN_MACRO \
213 MOZ_LOG(gCookieLog, lvl, fmt); \
215 PR_END_MACRO
217 static void
219 {
220 // if logging isn't enabled, return now to save cycles
224 nsAutoCString spec;
234 PRExplodedTime explodedTime;
242 }
244 static void
246 {
247 PRExplodedTime explodedTime;
258 MOZ_LOG(gCookieLog, LogLevel::Debug,("%s: %s\n", aCookie->IsDomain() ? "domain" : "host", aCookie->Host().get()));
271 MOZ_LOG(gCookieLog, LogLevel::Debug,("is secure: %s\n", aCookie->IsSecure() ? "true" : "false"));
272 MOZ_LOG(gCookieLog, LogLevel::Debug,("is httpOnly: %s\n", aCookie->IsHttpOnly() ? "true" : "false"));
274 nsAutoCString suffix;
278 }
279 }
281 static void
282 LogSuccess(bool aSetCookie, nsIURI *aHostURI, const char *aCookieString, nsCookie *aCookie, bool aReplacing)
283 {
284 // if logging isn't enabled, return now to save cycles
287 }
289 nsAutoCString spec;
298 MOZ_LOG(gCookieLog, LogLevel::Debug,("replaces existing cookie: %s\n", aReplacing ? "true" : "false"));
303 }
305 static void
307 {
314 }
316 // inline wrappers to make passing in nsCStrings easier
318 LogFailure(bool aSetCookie, nsIURI *aHostURI, const nsCString& aCookieString, const char *aReason)
319 {
321 }
324 LogSuccess(bool aSetCookie, nsIURI *aHostURI, const nsCString& aCookieString, nsCookie *aCookie, bool aReplacing)
325 {
327 }
329 #ifdef DEBUG
330 #define NS_ASSERT_SUCCESS(res) \
331 PR_BEGIN_MACRO \
333 if (NS_FAILED(__rv)) { \
334 SmprintfPointer msg = mozilla::Smprintf("NS_ASSERT_SUCCESS(%s) failed with result 0x%" PRIX32, \
335 #res, static_cast<uint32_t>(__rv)); \
336 NS_ASSERTION(NS_SUCCEEDED(__rv), msg.get()); \
337 } \
338 PR_END_MACRO
339 #else
341 #endif
343 /******************************************************************************
344 * DBListenerErrorHandler impl:
345 * Parent class for our async storage listeners that handles the logging of
346 * errors.
347 ******************************************************************************/
349 {
357 {
362 nsAutoCString message;
368 }
370 // Rebuild the database.
374 }
375 };
377 /******************************************************************************
378 * InsertCookieDBListener impl:
379 * mozIStorageStatementCallback used to track asynchronous insertion operations.
380 ******************************************************************************/
382 {
389 NS_DECL_ISUPPORTS
393 {
397 }
399 {
400 // If we were rebuilding the db and we succeeded, make our corruptFlag say
401 // so.
407 }
409 }
410 };
414 /******************************************************************************
415 * UpdateCookieDBListener impl:
416 * mozIStorageStatementCallback used to track asynchronous update operations.
417 ******************************************************************************/
419 {
426 NS_DECL_ISUPPORTS
430 {
434 }
436 {
438 }
439 };
443 /******************************************************************************
444 * RemoveCookieDBListener impl:
445 * mozIStorageStatementCallback used to track asynchronous removal operations.
446 ******************************************************************************/
448 {
455 NS_DECL_ISUPPORTS
459 {
463 }
465 {
467 }
468 };
472 /******************************************************************************
473 * CloseCookieDBListener imp:
474 * Static mozIStorageCompletionCallback used to notify when the database is
475 * successfully closed.
476 ******************************************************************************/
478 {
484 NS_DECL_ISUPPORTS
487 {
490 }
491 };
502 NS_DECL_ISUPPORTS
504 // nsIObserver implementation.
505 NS_IMETHOD
507 {
516 return cookieManager->RemoveCookiesWithOriginAttributes(nsDependentString(aData), EmptyCString());
517 }
518 };
522 // comparator class for sorting cookies by entry and index.
526 {
530 }
533 {
534 // compare by entryclass pointer, then by index.
539 }
540 };
544 size_t
546 {
552 }
555 }
557 size_t
559 {
566 }
568 /******************************************************************************
569 * nsCookieService impl:
570 * singleton instance ctor/dtor methods
571 ******************************************************************************/
575 {
580 }
584 {
589 }
591 // Create a new singleton nsCookieService.
592 // We AddRef only once since XPCOM has rules about the ordering of module
593 // teardowns - by the time our module destructor is called, it's too late to
594 // Release our members (e.g. nsIObserverService and nsIPrefBranch), since GC
595 // cycles have already been completed and would result in serious leaks.
596 // See bug 209571.
603 }
604 }
607 }
611 {
616 }
618 /******************************************************************************
619 * nsCookieService impl:
620 * public methods
621 ******************************************************************************/
624 nsICookieService,
625 nsICookieManager,
626 nsIObserver,
627 nsISupportsWeakReference,
628 nsIMemoryReporter)
644 {
645 }
647 nsresult
649 {
650 nsresult rv;
660 // init our pref and observer
671 }
676 // Init our default, and possibly private DBStates.
690 }
692 void
694 {
701 // Create a new default DBState and set our current one.
707 // Get our cookie file.
711 // We've already set up our DBStates appropriately; nothing more to do.
718 }
730 // Attempt to open and read the database. If TryInitDB() returns RESULT_RETRY,
731 // do so.
734 // Database may be corrupt. Synchronously close the connection, clean up the
735 // default DBState, and try again.
741 // We're done. Change the code to failure so we clean up below.
743 }
744 }
750 // Connection failure is unrecoverable. Clean up our connection. We can run
751 // fine without persistent storage -- e.g. if there's no profile.
755 // No need to initialize dbConn
757 }
765 })
766 );
768 });
771 }
776 {
779 NS_DECL_ISUPPORTS
780 NS_DECL_MOZISTORAGEFUNCTION
781 };
785 NS_IMETHODIMP
788 {
789 nsresult rv;
795 // Create an originAttributes object by inIsolatedMozBrowser.
796 // Then create the originSuffix string from this object.
799 nsAutoCString suffix;
808 }
811 {
814 NS_DECL_ISUPPORTS
815 NS_DECL_MOZISTORAGEFUNCTION
816 };
820 NS_IMETHODIMP
823 {
824 nsresult rv;
825 nsAutoCString suffix;
826 OriginAttributes attrs;
839 }
842 public mozIStorageFunction
843 {
846 NS_DECL_ISUPPORTS
847 NS_DECL_MOZISTORAGEFUNCTION
848 };
851 mozIStorageFunction);
853 NS_IMETHODIMP
856 {
857 nsresult rv;
858 nsAutoCString suffix;
859 OriginAttributes attrs;
872 }
876 /* Attempt to open and read the database. If 'aRecreateDB' is true, try to
877 * move the existing database file out of the way and create a new one.
878 *
879 * @returns RESULT_OK if opening or creating the database succeeded;
880 * RESULT_RETRY if the database cannot be opened, is corrupt, or some
881 * other failure occurred that might be resolved by recreating the
882 * database; or RESULT_FAILED if there was an unrecoverable error and
883 * we must run without a database.
884 *
885 * If RESULT_RETRY or RESULT_FAILED is returned, the caller should perform
886 * cleanup of the default DBState.
887 */
888 OpenDBResult
890 {
897 // Ditch an existing db, if we've been told to (i.e. it's corrupt). We don't
898 // want to delete it outright, since it may be useful for debugging purposes,
899 // so we move it out of the way.
900 nsresult rv;
907 }
909 // This block provides scope for the Telemetry AutoTimer
910 {
912 telemetry;
915 // open a connection to the cookie database, and only cache our connection
916 // and statements upon success. The connection is opened unshared to eliminate
917 // cache contention between the main and background threads.
921 }
925 });
935 // table already exists; check the schema version before reading
940 // Start a transaction for the whole migration block.
944 // Upgrading.
945 // Every time you increment the database schema, you need to implement
946 // the upgrading code from the previous version to the new one. If migration
947 // fails for any reason, it's a bug -- so we return RESULT_RETRY such that
948 // the original database will be saved, in the hopes that we might one day
949 // see it and fix it.
951 {
952 // Add the lastAccessed column to the table.
956 }
957 // Fall through to the next upgrade.
958 MOZ_FALLTHROUGH;
961 {
962 // Add the baseDomain column and index to the table.
967 // Compute the baseDomains for the table. This must be done eagerly
968 // otherwise we won't be able to synchronously read in individual
969 // domains on demand.
1001 baseDomain);
1004 id);
1009 }
1011 // Create an index on baseDomain.
1015 }
1016 // Fall through to the next upgrade.
1017 MOZ_FALLTHROUGH;
1020 {
1021 // Add the creationTime column to the table, and create a unique index
1022 // on (name, host, path). Before we do this, we have to purge the table
1023 // of expired cookies such that we know that the (name, host, path)
1024 // index is truly unique -- otherwise we can't create the index. Note
1025 // that we can't just execute a statement to delete all rows where the
1026 // expiry column is in the past -- doing so would rely on the clock
1027 // (both now and when previous cookies were set) being monotonic.
1029 // Select the whole table, and order by the fields we're interested in.
1030 // This means we can simply do a linear traversal of the results and
1031 // check for duplicates as we go.
1038 "SELECT id, name, host, path FROM moz_cookies "
1049 // Read the first row.
1063 // Read the second row.
1075 // If the two rows match in (name, host, path), we know the earlier
1076 // row has an earlier expiry time. Delete it.
1081 id1);
1086 }
1088 // Make the second row the first for the next iteration.
1093 }
1094 }
1096 // Add the creationTime column to the table.
1101 // Copy the id of each row into the new creationTime column.
1103 "UPDATE moz_cookies SET creationTime = "
1107 // Create a unique index on (name, host, path) to allow fast lookup.
1109 "CREATE UNIQUE INDEX moz_uniqueid "
1112 }
1113 // Fall through to the next upgrade.
1114 MOZ_FALLTHROUGH;
1117 {
1118 // We need to add appId/inBrowserElement, plus change a constraint on
1119 // the table (unique entries now include appId/inBrowserElement):
1120 // this requires creating a new table and copying the data to it. We
1121 // then rename the new table to the old name.
1122 //
1123 // Why we made this change: appId/inBrowserElement allow "cookie jars"
1124 // for Firefox OS. We create a separate cookie namespace per {appId,
1125 // inBrowserElement}. When upgrading, we convert existing cookies
1126 // (which imply we're on desktop/mobile) to use {0, false}, as that is
1127 // the only namespace used by a non-Firefox-OS implementation.
1129 // Rename existing table
1134 // Drop existing index (CreateTable will create new one for new table)
1139 // Create new table (with new fields and new unique constraint)
1143 // Copy data from old table, using appId/inBrowser=0 for existing rows
1145 "INSERT INTO moz_cookies "
1146 "(baseDomain, appId, inBrowserElement, name, value, host, path, expiry,"
1147 " lastAccessed, creationTime, isSecure, isHttpOnly) "
1148 "SELECT baseDomain, 0, 0, name, value, host, path, expiry,"
1149 " lastAccessed, creationTime, isSecure, isHttpOnly "
1153 // Drop old table
1160 }
1161 // Fall through to the next upgrade.
1162 MOZ_FALLTHROUGH;
1165 {
1166 // Change in the version: Replace the columns |appId| and
1167 // |inBrowserElement| by a single column |originAttributes|.
1168 //
1169 // Why we made this change: FxOS new security model (NSec) encapsulates
1170 // "appId/inIsolatedMozBrowser" in nsIPrincipal::originAttributes to make
1171 // it easier to modify the contents of this structure in the future.
1172 //
1173 // We do the migration in several steps:
1174 // 1. Rename the old table.
1175 // 2. Create a new table.
1176 // 3. Copy data from the old table to the new table; convert appId and
1177 // inBrowserElement to originAttributes in the meantime.
1179 // Rename existing table.
1184 // Drop existing index (CreateTable will create new one for new table).
1189 // Create new table with new fields and new unique constraint.
1193 // Copy data from old table without the two deprecated columns appId and
1194 // inBrowserElement.
1207 "INSERT INTO moz_cookies "
1208 "(baseDomain, originAttributes, name, value, host, path, expiry,"
1209 " lastAccessed, creationTime, isSecure, isHttpOnly) "
1210 "SELECT baseDomain, "
1211 " CONVERT_TO_ORIGIN_ATTRIBUTES(appId, inBrowserElement),"
1212 " name, value, host, path, expiry, lastAccessed, creationTime, "
1213 " isSecure, isHttpOnly "
1220 // Drop old table
1227 }
1228 MOZ_FALLTHROUGH;
1231 {
1232 // We made a mistake in schema version 6. We cannot remove expected
1233 // columns of any version (checked in the default case) from cookie
1234 // database, because doing this would destroy the possibility of
1235 // downgrading database.
1236 //
1237 // This version simply restores appId and inBrowserElement columns in
1238 // order to fix downgrading issue even though these two columns are no
1239 // longer used in the latest schema.
1248 // Compute and populate the values of appId and inBrwoserElement from
1249 // originAttributes.
1266 setInBrowser);
1270 "UPDATE moz_cookies SET appId = SET_APP_ID(originAttributes), "
1271 "inBrowserElement = SET_IN_BROWSER(originAttributes);"
1272 ));
1283 }
1284 MOZ_FALLTHROUGH;
1287 {
1288 // Remove the appId field from moz_cookies.
1289 //
1290 // Unfortunately sqlite doesn't support dropping columns using ALTER
1291 // TABLE, so we need to go through the procedure documented in
1292 // https://www.sqlite.org/lang_altertable.html.
1294 // Drop existing index
1299 // Create a new_moz_cookies table without the appId field.
1303 // Move the data over.
1305 "INSERT INTO new_moz_cookies ("
1306 "id, "
1307 "baseDomain, "
1308 "originAttributes, "
1309 "name, "
1310 "value, "
1311 "host, "
1312 "path, "
1313 "expiry, "
1314 "lastAccessed, "
1315 "creationTime, "
1316 "isSecure, "
1317 "isHttpOnly, "
1318 "inBrowserElement "
1319 ") SELECT "
1320 "id, "
1321 "baseDomain, "
1322 "originAttributes, "
1323 "name, "
1324 "value, "
1325 "host, "
1326 "path, "
1327 "expiry, "
1328 "lastAccessed, "
1329 "creationTime, "
1330 "isSecure, "
1331 "isHttpOnly, "
1332 "inBrowserElement "
1336 // Drop the old table
1341 // Rename new_moz_cookies to moz_cookies.
1346 // Recreate our index.
1352 }
1353 MOZ_FALLTHROUGH;
1356 {
1357 // Add the sameSite column to the table.
1362 }
1364 // No more upgrades. Update the schema version.
1368 MOZ_FALLTHROUGH;
1374 {
1377 // the table may be usable; someone might've just clobbered the schema
1378 // version. we can treat this case like a downgrade using the codepath
1379 // below, by verifying the columns we care about are all there. for now,
1380 // re-set the schema version in the db, in case the checks succeed (if
1381 // they don't, we're dropping the table anyway).
1384 }
1385 // fall through to downgrade check
1386 MOZ_FALLTHROUGH;
1388 // downgrading.
1389 // if columns have been added to the table, we can still use the ones we
1390 // understand safely. if columns have been deleted or altered, just
1391 // blow away the table and start from scratch! if you change the way
1392 // a column is interpreted, make sure you also change its name so this
1393 // check will catch it.
1395 {
1396 // check if all the expected columns exist
1399 "SELECT "
1400 "id, "
1401 "baseDomain, "
1402 "originAttributes, "
1403 "name, "
1404 "value, "
1405 "host, "
1406 "path, "
1407 "expiry, "
1408 "lastAccessed, "
1409 "creationTime, "
1410 "isSecure, "
1411 "isHttpOnly, "
1412 "sameSite "
1417 // our columns aren't there - drop the table!
1424 }
1426 }
1427 }
1429 // if we deleted a corrupt db, don't attempt to import - return now
1432 }
1434 // check whether to import or just read in the db
1437 }
1448 }
1450 // Import cookies, and clean up the old file regardless of success or failure.
1451 // Note that we have to switch out our DBState temporarily, in case we're in
1452 // private browsing mode; otherwise ImportCookies() won't be happy.
1459 });
1464 }
1466 void
1468 {
1471 // We should skip InitDBConn if we close profile during initializing DBStates
1472 // and then InitDBConn is called after we close the DBStates.
1475 }
1493 }
1503 // Game over, clean the connections.
1506 }
1507 }
1517 }
1518 }
1520 nsresult
1522 {
1529 // Set up our listeners.
1535 // Grow cookie db in 512KB increments
1538 // make operations on the table asynchronous, for performance
1542 // Use write-ahead-logging for performance. We cap the autocheckpoint limit at
1543 // 16 pages (around 500KB).
1549 // cache frequently used statements (for insertion, deletion, and updating)
1551 "INSERT INTO moz_cookies ("
1552 "baseDomain, "
1553 "originAttributes, "
1554 "name, "
1555 "value, "
1556 "host, "
1557 "path, "
1558 "expiry, "
1559 "lastAccessed, "
1560 "creationTime, "
1561 "isSecure, "
1562 "isHttpOnly, "
1563 "sameSite "
1564 ") VALUES ("
1565 ":baseDomain, "
1566 ":originAttributes, "
1567 ":name, "
1568 ":value, "
1569 ":host, "
1570 ":path, "
1571 ":expiry, "
1572 ":lastAccessed, "
1573 ":creationTime, "
1574 ":isSecure, "
1575 ":isHttpOnly, "
1576 ":sameSite"
1582 "DELETE FROM moz_cookies "
1583 "WHERE name = :name AND host = :host AND path = :path AND originAttributes = :originAttributes"),
1588 "UPDATE moz_cookies SET lastAccessed = :lastAccessed "
1589 "WHERE name = :name AND host = :host AND path = :path AND originAttributes = :originAttributes"),
1592 }
1594 // Sets the schema version and creates the moz_cookies table.
1595 nsresult
1597 {
1598 // Create the table.
1599 // We default originAttributes to empty string: this is so if users revert to
1600 // an older Firefox version that doesn't know about this field, any cookies
1601 // set will still work once they upgrade back.
1605 "id INTEGER PRIMARY KEY, "
1606 "baseDomain TEXT, "
1607 "originAttributes TEXT NOT NULL DEFAULT '', "
1608 "name TEXT, "
1609 "value TEXT, "
1610 "host TEXT, "
1611 "path TEXT, "
1612 "expiry INTEGER, "
1613 "lastAccessed INTEGER, "
1614 "creationTime INTEGER, "
1615 "isSecure INTEGER, "
1616 "isHttpOnly INTEGER, "
1617 "inBrowserElement INTEGER DEFAULT 0, "
1618 "sameSite INTEGER DEFAULT 0, "
1619 "CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)"
1622 }
1624 // Sets the schema version and creates the moz_cookies table.
1625 nsresult
1627 {
1628 // Set the schema version, before creating the table.
1630 COOKIES_SCHEMA_VERSION);
1637 }
1639 nsresult
1641 {
1642 // Create an index on baseDomain.
1644 "CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, "
1646 }
1648 // Sets the schema version and creates the moz_cookies table.
1649 nsresult
1651 {
1652 // Set the schema version, before creating the table.
1656 // Create the table.
1657 // We default originAttributes to empty string: this is so if users revert to
1658 // an older Firefox version that doesn't know about this field, any cookies
1659 // set will still work once they upgrade back.
1661 "CREATE TABLE moz_cookies ("
1662 "id INTEGER PRIMARY KEY, "
1663 "baseDomain TEXT, "
1664 "originAttributes TEXT NOT NULL DEFAULT '', "
1665 "name TEXT, "
1666 "value TEXT, "
1667 "host TEXT, "
1668 "path TEXT, "
1669 "expiry INTEGER, "
1670 "lastAccessed INTEGER, "
1671 "creationTime INTEGER, "
1672 "isSecure INTEGER, "
1673 "isHttpOnly INTEGER, "
1674 "CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)"
1678 // Create an index on baseDomain.
1680 "CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, "
1682 }
1684 // Sets the schema version and creates the moz_cookies table.
1685 nsresult
1687 {
1688 // Set the schema version, before creating the table.
1692 // Create the table. We default appId/inBrowserElement to 0: this is so if
1693 // users revert to an older Firefox version that doesn't know about these
1694 // fields, any cookies set will still work once they upgrade back.
1696 "CREATE TABLE moz_cookies ("
1697 "id INTEGER PRIMARY KEY, "
1698 "baseDomain TEXT, "
1699 "appId INTEGER DEFAULT 0, "
1700 "inBrowserElement INTEGER DEFAULT 0, "
1701 "name TEXT, "
1702 "value TEXT, "
1703 "host TEXT, "
1704 "path TEXT, "
1705 "expiry INTEGER, "
1706 "lastAccessed INTEGER, "
1707 "creationTime INTEGER, "
1708 "isSecure INTEGER, "
1709 "isHttpOnly INTEGER, "
1710 "CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement)"
1714 // Create an index on baseDomain.
1716 "CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, "
1717 "appId, "
1719 }
1721 void
1723 {
1724 // return if we already closed
1727 }
1732 }
1734 // Null out our private and pointer DBStates regardless.
1738 // If we don't have a default DBState, we're done.
1742 // Cleanup cached statements before we can close anything.
1746 // Asynchronously close the connection. We will null it below.
1748 }
1755 }
1757 // Null out the statements.
1758 // This must be done before closing the connection.
1759 void
1761 {
1765 }
1767 // Null out the listeners, and the database connection itself. This
1768 // will not null out the statements, cancel a pending read or
1769 // asynchronously close the connection -- these must be done
1770 // beforehand if necessary.
1771 void
1773 {
1778 // Null out the database connections. If 'dbConn' has not been used for any
1779 // asynchronous operations yet, this will synchronously close it; otherwise,
1780 // it's expected that the caller has performed an AsyncClose prior.
1783 // Manually null out our listeners. This is necessary because they hold a
1784 // strong ref to the DBState itself. They'll stay alive until whatever
1785 // statements are still executing complete.
1790 }
1792 void
1794 {
1802 // Database is healthy. Notify of closure.
1805 }
1807 }
1809 // Our close finished. Start the rebuild, and notify of db closure later.
1812 }
1814 // We encountered an error during rebuild, closed the database, and now
1815 // here we are. We already have a 'cookies.sqlite.bak' from the original
1816 // dead database; we don't want to overwrite it, so let's move this one to
1817 // 'cookies.sqlite.bak-rebuild'.
1829 }
1831 }
1832 }
1833 }
1835 void
1837 {
1839 // We've either closed the state or we've switched profiles. It's getting
1840 // a bit late to rebuild -- bail instead.
1844 }
1850 // Mark the database corrupt, so the close listener can begin reconstructing
1851 // it.
1854 // Move to 'closing' state.
1861 }
1863 // We had an error while waiting for close completion. That's OK, just
1864 // ignore it -- we're rebuilding anyway.
1866 }
1868 // We had an error while rebuilding the DB. Game over. Close the database
1869 // and let the close handler do nothing; then we'll move it out of the way.
1873 }
1876 }
1877 }
1878 }
1880 void
1882 {
1892 // We've either closed the state or we've switched profiles. It's getting
1893 // a bit late to rebuild -- bail instead. In any case, we were waiting
1894 // on rebuild completion to notify of the db closure, which won't happen --
1895 // do so now.
1900 }
1902 }
1911 // The database has been closed, and we're ready to rebuild. Open a
1912 // connection.
1921 // We're done. Reset our DB connection and statements, and notify of
1922 // closure.
1930 }
1932 }
1934 // Notify observers that we're beginning the rebuild.
1937 }
1941 // Enumerate the hash, and add cookies to the params array.
1956 }
1957 }
1958 }
1960 // Make sure we've got something to write. If we don't, we're done.
1968 }
1970 // Execute the statement. If any errors crop up, we won't try again.
1977 });
1979 });
1981 }
1984 {
1990 }
1992 NS_IMETHODIMP
1996 {
1997 // check the topic
1999 // The profile is about to change,
2000 // or is going away because the application is shutting down.
2002 // Close the default DB connection and null out our DBStates before
2003 // changing.
2010 // the profile has already changed; init the db from the new location.
2011 // if we are in the private browsing state, however, we do not want to read
2012 // data into it - we should instead put it into the default state, so it's
2013 // ready for us if and when we switch back to it.
2022 // Flush all the cookies stored by private browsing contexts
2027 }
2031 }
2033 NS_IMETHODIMP
2037 {
2039 }
2041 NS_IMETHODIMP
2046 {
2048 }
2050 nsresult
2055 {
2059 // Determine whether the request is foreign. Failure is acceptable.
2069 // Check first-party storage access even for non-tracking resources, since
2070 // we will need the result when computing the access rights for the reject
2071 // foreign cookie behavior mode.
2074 aHostURI,
2077 }
2078 }
2080 OriginAttributes attrs;
2083 }
2087 nsAutoCString result;
2093 }
2095 NS_IMETHODIMP
2100 {
2101 // The aPrompt argument is deprecated and unused. Avoid introducing new
2102 // code that uses this argument by warning if the value is non-null.
2110 }
2111 }
2114 }
2116 NS_IMETHODIMP
2123 {
2124 // The aPrompt argument is deprecated and unused. Avoid introducing new
2125 // code that uses this argument by warning if the value is non-null.
2133 }
2134 }
2137 }
2139 int64_t
2141 {
2142 // parse server local time. this is not just done here for efficiency
2143 // reasons - if there's an error parsing it, and we need to default it
2144 // to the current time, we must do it here since the current time in
2145 // SetCookieInternal() will change for each cookie processed (e.g. if the
2146 // user is prompted).
2147 PRTime tempServerTime;
2155 }
2158 }
2160 nsresult
2166 {
2170 // Determine whether the request is foreign. Failure is acceptable.
2180 // Check first-party storage access even for non-tracking resources, since
2181 // we will need the result when computing the access rights for the reject
2182 // foreign cookie behavior mode.
2185 aHostURI,
2188 }
2189 }
2191 OriginAttributes attrs;
2194 }
2202 }
2204 void
2214 {
2220 }
2227 // get the base domain for the host URI.
2228 // e.g. for "www.bbc.co.uk", this would be "bbc.co.uk".
2229 // file:// URI's (i.e. with an empty host) are allowed, but any other
2230 // scheme must have a non-empty host. A trailing dot in the host
2231 // is acceptable.
2233 nsAutoCString baseDomain;
2239 }
2243 // check default prefs
2246 nsAutoCString hostFromURI;
2250 mThirdPartySession,
2253 aFirstPartyStorageAccessGranted,
2259 // fire a notification if third party or if cookie was rejected
2260 // (but not if there was an error)
2266 }
2274 }
2278 }
2282 // process each cookie in the header
2285 // document.cookie can only set one cookie at a time
2288 }
2289 }
2291 // notify observers that a cookie was rejected due to the users' prefs.
2292 void
2295 {
2299 }
2302 }
2304 // notify observers that a third-party cookie was accepted/rejected
2305 // if the cookie issuer is unknown, it defaults to "?"
2306 void
2308 {
2312 }
2317 // Regular (non-private) browsing
2322 }
2324 // Private browsing
2329 }
2330 }
2333 // Attempt to find the host of aChannel.
2336 }
2341 }
2343 nsAutoCString referringHost;
2347 }
2354 // This can fail for a number of reasons, in which kind we fallback to "?"
2356 }
2358 // notify observers that the cookie list changed. there are five possible
2359 // values for aData:
2360 // "deleted" means a cookie was deleted. aSubject is the deleted cookie.
2361 // "added" means a cookie was added. aSubject is the added cookie.
2362 // "changed" means a cookie was altered. aSubject is the new cookie.
2363 // "cleared" means the entire cookie list was cleared. aSubject is null.
2364 // "batch-deleted" means a set of cookies was purged. aSubject is the list of
2365 // cookies.
2366 void
2371 {
2377 }
2378 // Notify for topic "private-cookie-changed" or "cookie-changed"
2381 // Notify for topic "session-cookie-changed" to update the copy of session
2382 // cookies in session restore component.
2383 // Ignore private session cookies since they will not be restored.
2386 }
2387 // Filter out notifications for individual non-session cookies.
2396 }
2397 }
2399 }
2403 {
2408 }
2410 void
2412 {
2418 }
2426 }
2427 }
2429 /******************************************************************************
2430 * nsCookieService:
2431 * public transaction helper impl
2432 ******************************************************************************/
2434 NS_IMETHODIMP
2436 {
2441 }
2447 }
2453 }
2455 }
2457 /******************************************************************************
2458 * nsCookieService:
2459 * pref observer impl
2460 ******************************************************************************/
2462 void
2464 {
2473 mCookieQuotaPerHost =
2475 }
2478 mMaxCookiesPerHost =
2480 }
2483 mCookiePurgeAge =
2485 }
2496 }
2498 /******************************************************************************
2499 * nsICookieManager impl:
2500 * nsICookieManager
2501 ******************************************************************************/
2503 NS_IMETHODIMP
2505 {
2509 }
2515 // clear the cookie file
2528 // Recreate the database.
2532 }
2533 }
2537 }
2539 NS_IMETHODIMP
2541 {
2545 }
2554 }
2555 }
2558 }
2560 NS_IMETHODIMP
2562 {
2566 }
2575 // Filter out non-session cookies.
2578 }
2579 }
2580 }
2583 }
2585 NS_IMETHODIMP
2597 {
2598 OriginAttributes attrs;
2603 }
2607 }
2620 {
2623 }
2628 }
2635 // first, normalize the hostname, and fail if it contains illegal characters.
2640 // get the base domain for the host URI.
2641 // e.g. for "www.bbc.co.uk", this would be "bbc.co.uk".
2642 nsAutoCString baseDomain;
2651 aExpiry,
2652 currentTimeInUsec,
2654 aIsSession,
2655 aIsSecure,
2656 aIsHttpOnly,
2658 aSameSite);
2661 }
2665 }
2668 nsresult
2672 {
2676 }
2683 // first, normalize the hostname, and fail if it contains illegal characters.
2688 nsAutoCString baseDomain;
2692 nsListIter matchIter;
2695 host,
2698 matchIter)) {
2701 }
2703 // check if we need to add the host to the permissions blacklist.
2705 // strip off the domain dot, if necessary
2716 }
2719 // Everything's done. Notify observers.
2721 }
2724 }
2726 NS_IMETHODIMP
2733 {
2734 OriginAttributes attrs;
2739 }
2742 }
2750 {
2753 }
2758 }
2761 }
2763 /******************************************************************************
2764 * nsCookieService impl:
2765 * private file I/O functions
2766 ******************************************************************************/
2768 // Extract data from a single result row and create an nsCookie.
2772 {
2773 // Skip reading 'baseDomain' -- up to the caller.
2791 // Create a new constCookie and assign the data.
2793 value,
2794 host,
2795 path,
2796 expiry,
2797 lastAccessed,
2798 creationTime,
2799 isSecure,
2800 isHttpOnly,
2801 aOriginAttributes,
2802 sameSite);
2803 }
2805 void
2807 {
2818 }
2820 startBlockTime);
2824 // We didn't block main thread, and here comes the first cookie request.
2825 // Collect how close we're going to block main thread.
2828 // Nullify the timestamp so wo don't accumulate this telemetry probe again.
2832 // A request comes while we finished cookie thread task and InitDBConn is
2833 // on the way from cookie thread to main thread. We're very close to block
2834 // main thread.
2837 }
2842 // Nullify the timestamp so wo don't accumulate this telemetry probe again.
2844 }
2845 }
2846 }
2848 OpenDBResult
2850 {
2853 // Set up a statement to delete any rows with a nullptr 'baseDomain'
2854 // column. This takes care of any cookies set by browsers that don't
2855 // understand the 'baseDomain' column, where the database schema version
2856 // is from one that does. (This would occur when downgrading.)
2861 // Read in the data synchronously.
2862 // see IDX_NAME, etc. for parameter indexes
2865 "SELECT "
2866 "name, "
2867 "value, "
2868 "host, "
2869 "path, "
2870 "expiry, "
2871 "lastAccessed, "
2872 "creationTime, "
2873 "isSecure, "
2874 "isHttpOnly, "
2875 "baseDomain, "
2876 "originAttributes, "
2877 "sameSite "
2878 "FROM moz_cookies "
2885 }
2895 }
2900 // Make sure we haven't already read the data.
2903 nsAutoCString suffix;
2904 OriginAttributes attrs;
2906 // If PopulateFromSuffix failed we just ignore the OA attributes
2907 // that we don't support
2914 }
2919 }
2921 NS_IMETHODIMP
2923 {
2927 }
2931 // Make sure we're in the default DB state. We don't want people importing
2932 // cookies into a private browsing session!
2936 }
2938 nsresult rv;
2950 int32_t hostIndex, isDomainIndex, pathIndex, secureIndex, expiresIndex, nameIndex, cookieIndex;
2958 // we use lastAccessedCounter to keep cookies in recently-used order,
2959 // so we start by initializing to currentTime (somewhat arbitrary)
2962 /* file format is:
2963 *
2964 * host \t isDomain \t path \t secure \t expires \t name \t cookie
2965 *
2966 * if this format isn't respected we move onto the next line in the file.
2967 * isDomain is "TRUE" or "FALSE" (default to "FALSE")
2968 * isSecure is "TRUE" or "FALSE" (default to "TRUE")
2969 * expires is a int64_t integer
2970 * note 1: cookie can contain tabs.
2971 * note 2: cookies will be stored in order of lastAccessed time:
2972 * most-recently used come first; least-recently-used come last.
2973 */
2975 /*
2976 * ...but due to bug 178933, we hide HttpOnly cookies from older code
2977 * in a comment, so they don't expose HttpOnly cookies to JS.
2978 *
2979 * The format for HttpOnly cookies is
2980 *
2981 * #HttpOnly_host \t isDomain \t path \t secure \t expires \t name \t cookie
2982 *
2983 */
2985 // We will likely be adding a bunch of cookies to the DB, so we use async
2986 // batching with storage to make this super fast.
2990 }
3001 }
3003 // this is a cheap, cheesy way of parsing a tab-delimited line into
3004 // string indexes, which can be lopped off into substrings. just for
3005 // purposes of obfuscation, it also checks that each token was found.
3006 // todo: use iterators?
3014 }
3016 // check the expirytime first - if it's expired, ignore
3017 // nullstomp the trailing tab, to avoid copying the string
3023 }
3025 isDomain = Substring(buffer, isDomainIndex, pathIndex - isDomainIndex - 1).EqualsLiteral(kTrue);
3027 // check for bad legacy cookies (domain not starting with a dot, or containing a port),
3028 // and discard
3032 }
3034 // compute the baseDomain from the host
3039 // pre-existing cookies have inIsolatedMozBrowser=false set by default
3040 // constructor of OriginAttributes().
3043 // Create a new nsCookie and assign the data. We don't know the cookie
3044 // creation time, so just use the current time to generate a unique one.
3048 host,
3050 expires,
3051 lastAccessedCounter,
3055 isHttpOnly,
3060 }
3062 // trick: preserve the most-recently-used cookie ordering,
3063 // by successively decrementing the lastAccessed time
3064 lastAccessedCounter--;
3068 }
3072 }
3073 }
3075 // If we need to write to disk, do so now.
3086 }
3087 }
3093 }
3095 /******************************************************************************
3096 * nsCookieService impl:
3097 * private GetCookie/SetCookie helpers
3098 ******************************************************************************/
3100 // helper function for GetCookieList
3101 static inline bool ispathdelimiter(char c) { return c == '/' || c == '?' || c == '#' || c == ';'; }
3103 bool
3106 {
3107 // first, check for an exact host or domain cookie match, e.g. "google.com"
3108 // or ".google.com"; second a subdomain match, e.g.
3109 // host = "mail.google.com", cookie domain = ".google.com".
3112 }
3114 bool
3116 {
3122 }
3124 }
3126 bool
3129 {
3130 // calculate cookie path length, excluding trailing '/'
3135 // if the given path is shorter than the cookie path, it doesn't match
3136 // if the given path doesn't start with the cookie path, it doesn't match.
3140 // if the given path is longer than the cookie path, and the first char after
3141 // the cookie path is not a path delimiter, it doesn't match.
3144 /*
3145 * |ispathdelimiter| tests four cases: '/', '?', '#', and ';'.
3146 * '/' is the "standard" case; the '?' test allows a site at host/abc?def
3147 * to receive a cookie that has a path attribute of abc. this seems
3148 * strange but at least one major site (citibank, bug 156725) depends
3149 * on it. The test for # and ; are put in to proactively avoid problems
3150 * with other sites - these are the only other chars allowed in the path.
3151 */
3153 }
3155 // either the paths match exactly, or the cookie path is a prefix of
3156 // the given path.
3158 }
3160 void
3170 {
3176 }
3183 // get the base domain, host, and path from the URI.
3184 // e.g. for "www.bbc.co.uk", the base domain would be "bbc.co.uk".
3185 // file:// URI's (i.e. with an empty host) are allowed, but any other
3186 // scheme must have a non-empty host. A trailing dot in the host
3187 // is acceptable.
3198 }
3200 // check default prefs
3204 mThirdPartySession,
3207 aFirstPartyStorageAccessGranted,
3211 // for GetCookie(), we don't fire rejection notifications.
3218 }
3220 // Note: The following permissions logic is mirrored in
3221 // extensions::MatchPattern::MatchesCookie.
3222 // If it changes, please update that function, or file a bug for someone
3223 // else to do so.
3225 // check if aHostURI is using an https secure protocol.
3226 // if it isn't, then we can't send a secure cookie over the connection.
3227 // if SchemeIs fails, assume an insecure connection, to be on the safe side
3231 }
3240 // perform the hash lookup
3245 // iterate the cookies!
3250 // check the host, since the base domain lookup is conservative.
3254 // if the cookie is secure and the host scheme isn't, we can't send it
3261 // it if's a cross origin request and the cookie is same site only (strict)
3262 // don't send it
3265 }
3266 // if it's a cross origin request, the cookie is same site lax, but it's not
3267 // a top-level navigation, don't send it
3270 }
3271 }
3273 // if the cookie is httpOnly and it's not going directly to the HTTP
3274 // connection, don't send it
3278 // if the nsIURI path doesn't match the cookie path, don't send it back
3282 // check if the cookie has expired
3285 }
3287 // all checks passed - add to list and check if lastAccessed stamp needs updating
3291 }
3292 }
3298 // update lastAccessed timestamps. we only do this if the timestamp is stale
3299 // by a certain amount, to avoid thrashing the db during pageload.
3301 // Create an array of parameters to bind to our update statement. Batching
3302 // is OK here since we're updating cookies with no interleaved operations.
3307 }
3314 }
3315 }
3316 // Update the database now if necessary.
3327 }
3328 }
3329 }
3331 // return cookies in order of path length; longest to shortest.
3332 // this is required per RFC2109. if cookies match in length,
3333 // then sort by creation time (see bug 236772).
3335 }
3337 void
3347 {
3352 foundCookieList);
3358 // check if we have anything to write
3360 // if we've already added a cookie to the return list, append a "; " so
3361 // that subsequent cookies are delimited in the final list.
3364 }
3367 // we have a name and value - write both
3370 // just write value
3372 }
3373 }
3374 }
3378 }
3380 // processes a single cookie, and returns true if there are more cookies
3381 // to be processed
3382 bool
3387 CookieStatus aStatus,
3395 {
3400 // init expiryTime such that session cookies won't prematurely expire
3403 // aCookieHeader is an in/out param to point to the next cookie, if
3404 // there is one. Save the present value for logging purposes
3407 // newCookie says whether there are multiple cookies in the header;
3408 // so we can handle them separately.
3411 // Collect telemetry on how often secure cookies are set from non-secure
3412 // origins, and vice-versa.
3413 //
3414 // 0 = nonsecure and "http:"
3415 // 1 = nonsecure and "https:"
3416 // 2 = secure and "http:"
3417 // 3 = secure and "https:"
3425 // Collect telemetry on how often are first- and third-party cookies set
3426 // from HTTPS origins:
3427 //
3428 // 0 (000) = first-party and "http:"
3429 // 1 (001) = first-party and "http:" with bogus Secure cookie flag?!
3430 // 2 (010) = first-party and "https:"
3431 // 3 (011) = first-party and "https:" with Secure cookie flag
3432 // 4 (100) = third-party and "http:"
3433 // 5 (101) = third-party and "http:" with bogus Secure cookie flag?!
3434 // 6 (110) = third-party and "https:"
3435 // 7 (111) = third-party and "https:" with Secure cookie flag
3443 }
3444 }
3448 // calculate expiry time of cookie.
3452 // force lifetime to session. note that the expiration time, if set above,
3453 // will still apply.
3455 }
3457 // reject cookie if it's over the size limit, per RFC2109
3458 if ((aCookieAttributes.name.Length() + aCookieAttributes.value.Length()) > kMaxBytesPerCookie) {
3461 }
3472 }
3474 // domain & path checks
3478 }
3482 }
3483 // magic prefix checks. MUST be run after CheckDomain() and CheckPath()
3487 }
3489 // reject cookie if value contains an RFC 6265 disallowed character - see
3490 // https://bugzilla.mozilla.org/show_bug.cgi?id=1191423
3491 // NOTE: this is not the full set of characters disallowed by 6265 - notably
3492 // 0x09, 0x20, 0x22, 0x2C, 0x5C, and 0x7F are missing from this list. This is
3493 // for parity with Chrome. This only applies to cookies set via the Set-Cookie
3494 // header, as document.cookie is defined to be UTF-8. Hooray for
3495 // symmetry!</sarcasm>
3504 }
3506 // if the new cookie is httponly, make sure we're not coming from script
3511 }
3516 }
3518 // If the new cookie is non-https and wants to set secure flag,
3519 // browser have to ignore this new cookie.
3520 // (draft-ietf-httpbis-cookie-alone section 3.1)
3525 BLOCKED_SECURE_SET_FROM_HTTP);
3527 }
3529 // If the new cookie is same-site but in a cross site context,
3530 // browser must ignore the cookie.
3532 aThirdPartyUtil &&
3535 // Do not treat loads triggered by web extensions as foreign
3544 }
3553 }
3554 }
3555 }
3559 }
3561 // processes a single cookie, and returns true if there are more cookies
3562 // to be processed
3563 bool
3567 CookieStatus aStatus,
3572 {
3576 nsCookieAttributes cookieAttributes;
3580 mThirdPartyUtil);
3584 }
3587 // create a new nsCookie and copy attributes
3594 currentTimeInUsec,
3604 // check permissions from site permission list, or ask the user,
3605 // to determine if we can set the cookie
3609 aChannel,
3615 COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "cookie rejected by permission manager");
3619 }
3621 // update isSession and expiry attributes, in case they changed
3624 }
3626 // add the cookie to the list. AddInternal() takes care of logging.
3627 // we get the current time again here, since it may have changed during prompting
3629 aFromHttp);
3631 }
3633 // this is a backend function for adding a cookie to the list, via SetCookie.
3634 // also used in the cookie manager, for profile migration from IE.
3635 // it either replaces an existing cookie; or adds the cookie to the hashtable,
3636 // and deletes a cookie (if maximum number of cookies has been
3637 // reached). also performs list maintenance by removing expired cookies.
3638 void
3645 {
3651 nsListIter exactIter;
3659 }
3662 // Step1, call FindSecureCookie(). FindSecureCookie() would
3663 // find the existing cookie with the security flag and has
3664 // the same name, host and path of the new cookie, if there is any.
3665 // Step2, Confirm new cookie's security setting. If any targeted
3666 // cookie had been found in Step1, then confirm whether the
3667 // new cookie could modify it. If the new created cookie’s
3668 // "secure-only-flag" is not set, and the "scheme" component
3669 // of the "request-uri" does not denote a "secure" protocol,
3670 // then ignore the new cookie.
3671 // (draft-ietf-httpbis-cookie-alone section 3.2)
3676 "cookie can't save because older cookie is secure cookie but newer cookie is non-secure cookie");
3679 BLOCKED_DOWNGRADE_SECURE_EXACT);
3682 BLOCKED_DOWNGRADE_SECURE_INEXACT);
3683 }
3685 }
3686 // A secure site is allowed to downgrade a secure cookie
3687 // but we want to measure anyway.
3690 DOWNGRADE_SECURE_FROM_SECURE_EXACT);
3693 DOWNGRADE_SECURE_FROM_SECURE_INEXACT);
3694 }
3695 }
3696 }
3704 // Check if the old cookie is stale (i.e. has already expired). If so, we
3705 // need to be careful about the semantics of removing it and adding the new
3706 // cookie: we want the behavior wrt adding the new cookie to be the same as
3707 // if it didn't exist, but we still want to fire a removal notification.
3710 // The new cookie has expired and the old one is stale. Nothing to do.
3714 }
3716 // Remove the stale cookie. We save notification for later, once all list
3717 // modifications are complete.
3723 // We've done all we need to wrt removing and notifying the stale cookie.
3724 // From here on out, we pretend pretend it didn't exist, so that we
3725 // preserve expected notification semantics when adding the new cookie.
3729 // If the old cookie is httponly, make sure we're not coming from script.
3734 }
3736 // If the new cookie has the same value, expiry date, isSecure, isSession,
3737 // isHttpOnly and sameSite flags then we can just keep the old one.
3738 // Only if any of these differ we would want to override the cookie.
3745 // We don't want to perform this optimization if the cookie is
3746 // considered stale, since in this case we would need to update the
3747 // database.
3749 // Update the last access time on the old cookie.
3753 }
3755 // Remove the old cookie.
3758 // If the new cookie has expired -- i.e. the intent was simply to delete
3759 // the old cookie -- then we're done.
3765 }
3767 // Preserve creation time of cookie for ordering purposes.
3769 }
3772 // check if cookie has already expired
3777 }
3779 // check if we have to delete an old cookie.
3783 // Prioritize evicting insecure cookies.
3784 // (draft-ietf-httpbis-cookie-alone section 3.3)
3790 // It's valid to evict a secure cookie for another secure cookie.
3794 EVICTING_SECURE_BLOCKED);
3798 }
3799 }
3802 // Sort |removedIterList| by index again, since we have to remove the cookie
3803 // in the reverse order.
3810 }
3815 }
3821 // we're over both size and age limits by 10%; time to purge the table!
3822 // do this by:
3823 // 1) removing expired cookies;
3824 // 2) evicting the balance of old cookies until we reach the size limit.
3825 // note that the cookieOldestTime indicator can be pessimistic - if it's
3826 // older than the actual oldest cookie, we'll just purge more eagerly.
3828 }
3829 }
3830 }
3832 // Add the cookie to the db. We do not supply a params array for batching
3833 // because this might result in removals and additions being out of order.
3837 // Now that list mutations are complete, notify observers. We do it here
3838 // because observers may themselves attempt to mutate the list.
3841 }
3844 }
3846 /******************************************************************************
3847 * nsCookieService impl:
3848 * private cookie header parsing functions
3849 ******************************************************************************/
3851 // The following comment block elucidates the function of ParseAttributes.
3852 /******************************************************************************
3853 ** Augmented BNF, modified from RFC2109 Section 4.2.2 and RFC2616 Section 2.1
3854 ** please note: this BNF deviates from both specifications, and reflects this
3855 ** implementation. <bnf> indicates a reference to the defined grammar "bnf".
3857 ** Differences from RFC2109/2616 and explanations:
3858 1. implied *LWS
3859 The grammar described by this specification is word-based. Except
3860 where noted otherwise, linear white space (<LWS>) can be included
3861 between any two adjacent words (token or quoted-string), and
3862 between adjacent words and separators, without changing the
3863 interpretation of a field.
3864 <LWS> according to spec is SP|HT|CR|LF, but here, we allow only SP | HT.
3866 2. We use CR | LF as cookie separators, not ',' per spec, since ',' is in
3867 common use inside values.
3869 3. tokens and values have looser restrictions on allowed characters than
3870 spec. This is also due to certain characters being in common use inside
3871 values. We allow only '=' to separate token/value pairs, and ';' to
3872 terminate tokens or values. <LWS> is allowed within tokens and values
3873 (see bug 206022).
3875 4. where appropriate, full <OCTET>s are allowed, where the spec dictates to
3876 reject control chars or non-ASCII chars. This is erring on the loose
3877 side, since there's probably no good reason to enforce this strictness.
3879 5. cookie <NAME> is optional, where spec requires it. This is a fairly
3880 trivial case, but allows the flexibility of setting only a cookie <VALUE>
3881 with a blank <NAME> and is required by some sites (see bug 169091).
3883 6. Attribute "HttpOnly", not covered in the RFCs, is supported
3884 (see bug 178993).
3886 ** Begin BNF:
3887 token = 1*<any allowed-chars except separators>
3888 value = 1*<any allowed-chars except value-sep>
3889 separators = ";" | "="
3890 value-sep = ";"
3891 cookie-sep = CR | LF
3892 allowed-chars = <any OCTET except NUL or cookie-sep>
3893 OCTET = <any 8-bit sequence of data>
3894 LWS = SP | HT
3895 NUL = <US-ASCII NUL, null control character (0)>
3896 CR = <US-ASCII CR, carriage return (13)>
3897 LF = <US-ASCII LF, linefeed (10)>
3898 SP = <US-ASCII SP, space (32)>
3899 HT = <US-ASCII HT, horizontal-tab (9)>
3901 set-cookie = "Set-Cookie:" cookies
3902 cookies = cookie *( cookie-sep cookie )
3903 cookie = [NAME "="] VALUE *(";" cookie-av) ; cookie NAME/VALUE must come first
3904 NAME = token ; cookie name
3905 VALUE = value ; cookie value
3906 cookie-av = token ["=" value]
3908 valid values for cookie-av (checked post-parsing) are:
3909 cookie-av = "Path" "=" value
3910 | "Domain" "=" value
3911 | "Expires" "=" value
3912 | "Max-Age" "=" value
3913 | "Comment" "=" value
3914 | "Version" "=" value
3915 | "Secure"
3916 | "HttpOnly"
3918 ******************************************************************************/
3920 // helper functions for GetTokenValue
3926 // Parse a single token/value pair.
3927 // Returns true if a cookie terminator is found, so caller can parse new cookie.
3928 bool
3934 {
3936 // initialize value string to clear garbage
3939 // find <token>, including any <LWS> between the end-of-token and the
3940 // token separator. we'll remove trailing <LWS> next
3947 // remove trailing <LWS>; first check we're not at the beginning
3953 }
3958 // find <value>
3964 // process <token>
3965 // just look for ';' to terminate ('=' allowed)
3969 // remove trailing <LWS>; first check we're not at the beginning
3975 }
3976 }
3978 // aIter is on ';', or terminator, or EOS
3980 // if on terminator, increment past & return true to process new cookie
3984 }
3985 // fall-through: aIter is on ';', increment and return false
3987 }
3989 }
3991 // Parses attributes from cookie header. expires/max-age attributes aren't folded into the
3992 // cookie struct here, because we don't know which one to use until we've parsed the header.
3993 bool
3996 {
4020 // extract cookie <NAME> & <VALUE> (first attribute), and copy the strings.
4021 // if we find multiple cookies, return for processing
4022 // note: if there's no '=', we assume token is <VALUE>. this is required by
4023 // some sites (see bug 169091).
4024 // XXX fix the parser to parse according to <VALUE> grammar for this case
4031 }
4033 // extract remaining attributes
4040 }
4042 // decide which attribute we have, and copy the string
4055 // ignore any tokenValue for isSecure; just set the boolean
4059 // ignore any tokenValue for isHttpOnly (see bug 178993);
4060 // just set the boolean
4069 }
4070 }
4071 }
4073 // rebind aCookieHeader, in case we need to process another cookie
4076 }
4078 /******************************************************************************
4079 * nsCookieService impl:
4080 * private domain & permission compliance enforcement functions
4081 ******************************************************************************/
4083 // Get the base domain for aHostURI; e.g. for "www.bbc.co.uk", this would be
4084 // "bbc.co.uk". Only properly-formed URI's are tolerated, though a trailing
4085 // dot may be present. If aHostURI is an IP address, an alias such as
4086 // 'localhost', an eTLD such as 'co.uk', or the empty string, aBaseDomain will
4087 // be the exact host, and aRequireHostMatch will be true to indicate that
4088 // substring matches should not be performed.
4089 nsresult
4094 {
4095 // get the base domain. this will fail if the host contains a leading dot,
4096 // more than one trailing dot, or is otherwise malformed.
4101 // aHostURI is either an IP address, an alias such as 'localhost', an eTLD
4102 // such as 'co.uk', or the empty string. use the host as a key in such
4103 // cases.
4105 }
4108 // aHost (and thus aBaseDomain) may be the string '.'. If so, fail.
4112 // block any URIs without a host that aren't file:// URIs.
4118 }
4121 }
4123 // Get the base domain for aHost; e.g. for "www.bbc.co.uk", this would be
4124 // "bbc.co.uk". This is done differently than GetBaseDomain(mTLDService, ): it is assumed
4125 // that aHost is already normalized, and it may contain a leading dot
4126 // (indicating that it represents a domain). A trailing dot may be present.
4127 // If aHost is an IP address, an alias such as 'localhost', an eTLD such as
4128 // 'co.uk', or the empty string, aBaseDomain will be the exact host, and a
4129 // leading dot will be treated as an error.
4130 nsresult
4134 {
4135 // aHost must not be the string '.'.
4139 // aHost may contain a leading dot; if so, strip it now.
4142 // get the base domain. this will fail if the host contains a leading dot,
4143 // more than one trailing dot, or is otherwise malformed.
4147 // aHost is either an IP address, an alias such as 'localhost', an eTLD
4148 // such as 'co.uk', or the empty string. use the host as a key in such
4149 // cases; however, we reject any such hosts with a leading dot, since it
4150 // doesn't make sense for them to be domain cookies.
4156 }
4158 }
4160 // Normalizes the given hostname, component by component. ASCII/ACE
4161 // components are lower-cased, and UTF-8 components are normalized per
4162 // RFC 3454 and converted to ACE.
4163 nsresult
4165 {
4167 nsAutoCString host;
4173 }
4177 }
4179 // returns true if 'a' is equal to or a subdomain of 'b',
4180 // assuming no leading dots are present.
4182 {
4188 }
4190 CookieStatus
4203 {
4204 nsresult rv;
4206 // Let's use a internal value in order to avoid a null check on
4207 // aRejectedReason everywhere.
4211 }
4215 // don't let ftp sites get/set cookies (could be a security issue)
4218 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "ftp sites cannot read cookies");
4220 }
4226 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "non-codebase principals cannot get/set cookies");
4228 }
4230 // check the permission list first; if we find an entry, it overrides
4231 // default prefs. see bug 184059.
4233 nsCookieAccess access;
4234 // Not passing an nsIChannel here is probably OK; our implementation
4235 // doesn't do anything with it anyway.
4238 // if we found an entry, use it
4258 }
4270 }
4272 }
4273 }
4274 }
4276 // No cookies allowed if this request comes from a tracker, in a 3rd party
4277 // context, when anti-tracking protection is enabled and when we don't have
4278 // access to the first-party cookie jar.
4281 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "cookies are disabled in trackers");
4284 }
4286 // check default prefs
4288 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "cookies are disabled");
4291 }
4293 // check if cookie is foreign
4295 // Check aFirstPartyStorageAccessGranted when rejecting all third-party cookies,
4296 // so that we take things such as the content blocking allow list into account.
4299 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "context is third party");
4302 }
4306 COOKIE_LOGFAILURE(aCookieHeader ? SET_COOKIE : GET_COOKIE, aHostURI, aCookieHeader, "context is third party");
4309 }
4310 }
4314 // But with permission granted.
4326 }
4327 }
4329 // if nothing has complained, accept cookie
4331 }
4333 // processes domain attribute, and returns true if host has permission to set for this domain.
4334 bool
4339 {
4340 // Note: The logic in this function is mirrored in
4341 // toolkit/components/extensions/ext-cookies.js:checkSetCookiePermissions().
4342 // If it changes, please update that function, or file a bug for someone
4343 // else to do so.
4345 // get host from aHostURI
4346 nsAutoCString hostFromURI;
4349 // if a domain is given, check the host has permission
4351 // Tolerate leading '.' characters, but not if it's otherwise an empty host.
4355 }
4357 // switch to lowercase now, to avoid case-insensitive compares everywhere
4360 // check whether the host is either an IP address, an alias such as
4361 // 'localhost', an eTLD such as 'co.uk', or the empty string. in these
4362 // cases, require an exact string match for the domain, and leave the cookie
4363 // as a non-domain one. bug 105917 originally noted the requirement to deal
4364 // with IP addresses.
4368 // ensure the proposed domain is derived from the base domain; and also
4369 // that the host domain is derived from the proposed domain (per RFC2109).
4372 // prepend a dot to indicate a domain cookie
4375 }
4377 /*
4378 * note: RFC2109 section 4.3.2 requires that we check the following:
4379 * that the portion of host not in domain does not contain a dot.
4380 * this prevents hosts of the form x.y.co.nz from setting cookies in the
4381 * entire .co.nz domain. however, it's only a only a partial solution and
4382 * it breaks sites (IE doesn't enforce it), so we don't perform this check.
4383 */
4385 }
4387 // no domain specified, use hostFromURI
4390 }
4392 nsAutoCString
4394 {
4395 // strip down everything after the last slash to get the path,
4396 // ignoring slashes in the query string part.
4397 // if we can QI to nsIURL, that'll take care of the query string portion.
4398 // otherwise, it's not an nsIURL and can't have a query string, so just find the last slash.
4399 nsAutoCString path;
4408 }
4409 }
4411 }
4413 bool
4416 {
4417 // if a path is given, check the host has permission
4421 #if 0
4423 /**
4424 * The following test is part of the RFC2109 spec. Loosely speaking, it says that a site
4425 * cannot set a cookie for a path that it is not on. See bug 155083. However this patch
4426 * broke several sites -- nordea (bug 155768) and citibank (bug 156725). So this test has
4427 * been disabled, unless we can evangelize these sites.
4428 */
4429 // get path from aHostURI
4430 nsAutoCString pathFromURI;
4434 }
4435 #endif
4436 }
4443 }
4445 // CheckPrefixes
4446 //
4447 // Reject cookies whose name starts with the magic prefixes from
4448 // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
4449 // if they do not meet the criteria required by the prefix.
4450 //
4451 // Must not be called until after CheckDomain() and CheckPath() have
4452 // regularized and validated the nsCookieAttributes values!
4453 bool
4456 {
4466 // not one of the magic prefixes: carry on
4468 }
4471 // the magic prefixes may only be used from a secure request and
4472 // the secure attribute must be set on the cookie
4474 }
4477 // The host prefix requires that the path is "/" and that the cookie
4478 // had no domain attribute. CheckDomain() and CheckPath() MUST be run
4479 // first to make sure invalid attributes are rejected and to regularlize
4480 // them. In particular all explicit domain attributes result in a host
4481 // that starts with a dot, and if the host doesn't start with a dot it
4482 // correctly matches the true host.
4486 }
4487 }
4490 }
4492 bool
4496 {
4497 /* Determine when the cookie should expire. This is done by taking the difference between
4498 * the server time and the time the server wants the cookie to expire, and adding that
4499 * difference to the client time. This localizes the client time regardless of whether or
4500 * not the TZ environment variable was set on the client.
4501 *
4502 * Note: We need to consider accounting for network lag here, per RFC.
4503 */
4504 // check for max-age attribute first; this overrides expires attribute
4506 // obtain numeric value of maxageAttribute
4510 // default to session cookie if the conversion failed
4513 }
4515 // if this addition overflows, expiryTime will be less than currentTime
4516 // and the cookie will be expired - that's okay.
4519 // check for expires attribute
4521 PRTime expires;
4523 // parse expiry time
4526 }
4528 // If set-cookie used absolute time to set expiration, and it can't use
4529 // client time to set expiration.
4530 // Because if current time be set in the future, but the cookie expire
4531 // time be set less than current time and more than server time.
4532 // The cookie item have to be used to the expired cookie.
4535 // default to session cookie if no attributes found
4538 }
4541 }
4543 /******************************************************************************
4544 * nsCookieService impl:
4545 * private cookielist management functions
4546 ******************************************************************************/
4548 void
4550 {
4551 // clearing the hashtable will call each nsCookieEntry's dtor,
4552 // which releases all their respective children.
4556 }
4558 // comparator class for lastaccessed times of cookies.
4562 {
4565 }
4568 {
4569 // compare by lastAccessed time, and tiebreak by creationTime.
4575 }
4576 };
4578 // purges expired and old cookies in a batch operation.
4581 {
4594 // Create a params array to batch the removals. This is OK here because
4595 // all the removals are in order, and there are no interleaved additions.
4600 }
4615 // check if the cookie has expired
4620 // remove from list; do not increment our iterator, but stop if we're
4621 // done already.
4625 }
4627 // check if the cookie is over the age limit
4632 // reset our indicator
4634 }
4637 }
4639 }
4640 }
4644 // now we have a list of iterators for cookies over the age limit.
4645 // sort them by age, and then we'll see how many to remove...
4648 // only remove old cookies until we reach the max cookie limit, no more.
4652 // We're not purging everything in the list, so update our indicator.
4656 }
4658 // sort the list again, this time grouping cookies with a common entryclass
4659 // together, and with ascending index. this allows us to iterate backwards
4660 // over the list removing cookies, without having to adjust indexes as we go.
4668 }
4670 // Update the database if we have entries to purge.
4680 }
4681 }
4683 // reset the oldest time indicator
4695 }
4697 // find whether a given cookie has been previously set. this is provided by the
4698 // nsICookieManager interface.
4699 NS_IMETHODIMP
4706 {
4710 OriginAttributes attrs;
4714 }
4716 }
4724 {
4731 }
4738 nsAutoCString baseDomain;
4742 nsListIter iter;
4748 }
4750 // Cookie comparator for the priority queue used in FindStaleCookies.
4751 // Note that the expired cookie has the highest priority.
4752 // Other non-expired cookies are sorted by their age.
4755 CompareCookiesByAge mAgeComparator;
4763 {
4768 }
4772 }
4775 }
4776 };
4778 // Given the output iter array and the count limit, find cookies
4779 // sort by expiry and lastAccessed time.
4780 void
4786 {
4801 }
4804 // We want to look for the non-secure cookie first time through,
4805 // then find the secure cookie the second time this function is called.
4808 }
4809 }
4812 }
4817 count++;
4818 }
4819 }
4821 void
4824 {
4825 // We need to record the evicting cookie to telemetry.
4829 EVICTED_NEWER_INSECURE);
4832 EVICTED_OLDEST_COOKIE);
4833 }
4836 EVICTED_PREFERRED_COOKIE);
4837 }
4838 }
4840 // count the number of cookies stored by a particular host. this is provided by the
4841 // nsICookieManager interface.
4842 NS_IMETHODIMP
4845 {
4849 }
4853 // first, normalize the hostname, and fail if it contains illegal characters.
4858 nsAutoCString baseDomain;
4864 // Return a count of all cookies, including expired.
4868 }
4870 // get an enumerator of cookies stored by a particular host. this is provided by the
4871 // nsICookieManager interface.
4872 NS_IMETHODIMP
4877 {
4881 }
4885 // first, normalize the hostname, and fail if it contains illegal characters.
4890 nsAutoCString baseDomain;
4894 OriginAttributes attrs;
4898 }
4913 }
4916 }
4918 NS_IMETHODIMP
4922 {
4926 }
4932 nsAutoCString baseDomain;
4937 }
4939 nsresult
4944 {
4948 }
4961 }
4965 }
4971 }
4972 }
4975 }
4977 NS_IMETHODIMP
4980 {
4986 }
4992 nsAutoCString baseDomain;
4997 }
4999 nsresult
5003 {
5007 }
5016 // Iterate the hash table of nsCookieEntry.
5022 }
5026 }
5028 // Pattern matches. Delete all cookies within this nsCookieEntry.
5032 // Remove the first cookie from the list.
5036 // Remove the cookie.
5041 }
5042 }
5043 }
5048 }
5050 // find an secure cookie specified by host and name
5051 bool
5054 {
5062 // isn't a match if insecure or a different name
5066 // The host must "domain-match" an existing cookie or vice-versa
5069 // If the path of new cookie and the path of existing cookie
5070 // aren't "/", then this situation needs to compare paths to
5071 // ensure only that a newly-created non-secure cookie does not
5072 // overlay an existing secure cookie.
5075 }
5076 }
5077 }
5080 }
5082 // find an exact cookie specified by host, name, and path that hasn't expired.
5083 bool
5089 {
5090 // Should |EnsureReadComplete| before.
5107 }
5108 }
5111 }
5113 // remove a cookie from the hashtable, and update the iterator state.
5114 void
5117 {
5118 // if it's a non-session cookie, remove it from the db
5120 // Use the asynchronous binding methods to ensure that we do not acquire
5121 // the database lock.
5126 }
5144 nsAutoCString suffix;
5153 // If we weren't given a params array, we'll need to remove it ourselves.
5160 }
5161 }
5164 // we're removing the last element in the array - so just remove the entry
5165 // from the hash. note that the entryclass' dtor will take care of
5166 // releasing this last element for us!
5170 // just remove the element from the list
5172 }
5175 }
5177 void
5181 {
5185 // Use the asynchronous binding methods to ensure that we do not acquire the
5186 // database lock.
5192 // Bind our values to params
5197 nsAutoCString suffix;
5200 suffix);
5243 // Bind the params to the array.
5246 }
5248 void
5251 {
5254 }
5255 }
5257 void
5263 {
5272 }
5280 // keep track of the oldest cookie, for when it comes time to purge
5283 // if it's a non-session cookie and hasn't just been read from the db, write it out.
5289 }
5292 // If we were supplied an array to store parameters, we shouldn't call
5293 // executeAsync - someone up the stack will do this for us.
5300 }
5301 }
5302 }
5304 void
5308 {
5311 // udpate the lastAccessed timestamp
5314 // if it's a non-session cookie, update it in the db too
5316 // Create our params holder.
5320 // Bind our parameters.
5323 aLastAccessed);
5338 nsAutoCString suffix;
5344 // Add our bound parameters to the array.
5347 }
5348 }
5350 size_t
5352 {
5357 }
5360 }
5363 }
5367 NS_IMETHODIMP
5370 {
5377 }