| blob | 5ca8a9743a2792a8ba9d1d800ef1e22dad489722 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
60 // Allowlist of hostnames that should be considered secure contexts even when
61 // served over http:// or ws://
70 };
81 nsAutoCString messageCategory;
83 nsAutoCString messageLookupKey;
92 }
100 }
101 }
103 // if the callee explicitly wants to use a special message for this
104 // console report, then we allow to overrule the default with the
105 // explicitly provided one here.
108 }
110 nsAutoString localizedMsg;
116 localizedMsg);
120 aRequestingLocation);
121 }
123 /* nsIChannelEventSink implementation
124 * This code is called when a request is redirected.
125 * We check the channel associated with the new uri is allowed to load
126 * in the current context
127 */
128 NS_IMETHODIMP
137 }
139 // If we are in the parent process in e10s, we don't have access to the
140 // document node, and hence ShouldLoad will fail when we try to get
141 // the docShell. If that's the case, ignore mixed content checks
142 // on redirects in the parent. Let the child check for mixed content.
149 }
151 // Don't do these checks if we're switching from DocumentChannel
152 // to a real channel. In that case, we should already have done
153 // the checks in the parent process. AsyncOnChannelRedirect
154 // isn't called in the content process if we switch process,
155 // so checking here would just hide bugs in the process switch
156 // cases.
159 }
161 nsresult rv;
170 // Get the loading Info from the old channel
174 // Since we are calling shouldLoad() directly on redirects, we don't go
175 // through the code in nsContentPolicyUtils::NS_CheckContentLoadPolicy().
176 // Hence, we have to duplicate parts of it here.
178 // We check to see if the loadingPrincipal is systemPrincipal and return
179 // early if it is
182 }
183 }
191 }
193 // If the channel is about to load mixed content, abort the channel
198 }
201 }
203 /* This version of ShouldLoad() is non-static and called by the Content Policy
204 * API and AsyncOnChannelRedirect(). See nsIContentPolicy::ShouldLoad()
205 * for detailed description of the parameters.
206 */
207 NS_IMETHODIMP
210 // We pass in false as the first parameter to ShouldLoad(), because the
211 // callers of this method don't know whether the load went through cached
212 // image redirects. This is handled by direct callers of the static
213 // ShouldLoad.
220 }
223 }
229 }
232 NetAddr addr;
235 }
237 // Step 4 of
238 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy says
239 // we should only consider [::1]/128 as a potentially trustworthy IPv6
240 // address, whereas for IPv4 127.0.0.1/8 are considered as potentially
241 // trustworthy.
243 }
248 }
249 nsAutoCString asciiHost;
253 }
255 /* Maybe we have a .onion URL. Treat it as trustworthy as well if
256 * `dom.securecontext.allowlist_onions` is `true`.
257 */
261 }
263 nsAutoCString host;
267 }
269 // static
275 }
277 // static
286 }
288 }
290 // static
295 }
296 }
299 // The following implements:
300 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
302 nsAutoCString scheme;
306 }
308 // Blobs are expected to inherit their principal so we don't expect to have
309 // a content principal with scheme 'blob' here. We can't assert that though
310 // since someone could mess with a non-blob URI to give it that scheme.
314 // According to the specification, the user agent may choose to extend the
315 // trust to other, vendor-specific URL schemes. We use this for "resource:",
316 // which is technically a substituting protocol handler that is not limited to
317 // local resource mapping, but in practice is never mapped remotely as this
318 // would violate assumptions a lot of code makes.
319 // We use nsIProtocolHandler flags to determine which protocols we consider a
320 // priori authenticated.
326 }
330 }
332 nsAutoCString host;
336 }
340 }
342 // If a host is not considered secure according to the default algorithm, then
343 // check to see if it has been allowlisted by the user. We only apply this
344 // allowlist for network resources, i.e., those with scheme "http" or "ws".
345 // The pref should contain a comma-separated list of hostnames.
349 }
351 nsAutoCString allowlist;
357 }
358 }
360 // Maybe we have a .onion URL. Treat it as trustworthy as well if
361 // `dom.securecontext.allowlist_onions` is `true`.
364 }
366 }
368 /* static */
376 }
394 }
395 }
397 /*
398 * Return the URI of the precusor principal or the URI of aPrincipal if there is
399 * no precursor URI.
400 */
406 #ifdef DEBUG
410 }
411 #endif
415 }
417 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
418 * logic. Called from non-static ShouldLoad().
419 */
425 // Asserting that we are on the main thread here and hence do not have to lock
426 // and unlock security.mixed_content.block_active_content and
427 // security.mixed_content.block_display_content before reading/writing to
428 // them.
432 nsAutoCString asciiUrl;
437 }
439 nsContentPolicyType internalContentType =
450 nsAutoCString loadingPrincipalAsciiUrl;
456 }
458 nsAutoCString triggeringPrincipalAsciiUrl;
462 }
469 // The content policy type that we receive may be an internal type for
470 // scripts. Let's remember if we have seen a worker type, and reset it to the
471 // external type in all cases right now.
474 internalContentType ==
478 ExtContentPolicyType contentType =
481 // Assume active (high risk) content and blocked by default
483 // Make decision to block/reject by default
486 // Notes on non-obvious decisions:
487 //
488 // TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
489 //
490 // TYPE_FONT: The TrueType hinting mechanism is basically a scripting
491 // language that gets interpreted by the operating system's font rasterizer.
492 // Mixed content web fonts are relatively uncommon, and we can can fall back
493 // to built-in fonts with minimal disruption in almost all cases.
494 //
495 // TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
496 // script that a plugin will execute) or display content (e.g. Flash video
497 // content). Until we have a way to determine active vs passive content
498 // from plugin requests (bug 836352), we will treat this as passive content.
499 // This is to prevent false positives from causing users to become
500 // desensitized to the mixed content blocker.
501 //
502 // TYPE_CSP_REPORT: High-risk because they directly leak information about
503 // the content of the page, and because blocking them does not have any
504 // negative effect on the page loading.
505 //
506 // TYPE_PING: Ping requests are POSTS, not GETs like images and media.
507 // Also, PING requests have no bearing on the rendering or operation of
508 // the page when used as designed, so even though they are lower risk than
509 // scripts, blocking them is basically risk-free as far as compatibility is
510 // concerned.
511 //
512 // TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
513 // and other advanced CSS features can possibly be exploited to cause
514 // spoofing attacks (e.g. make a "grant permission" button look like a
515 // "refuse permission" button).
516 //
517 // TYPE_BEACON: Beacon requests are similar to TYPE_PING, and are blocked by
518 // default.
519 //
520 // TYPE_WEBSOCKET: The Websockets API requires browsers to
521 // reject mixed-content websockets: "If secure is false but the origin of
522 // the entry script has a scheme component that is itself a secure protocol,
523 // e.g. HTTPS, then throw a SecurityError exception." We already block mixed
524 // content websockets within the websockets implementation, so we don't need
525 // to do any blocking here, nor do we need to provide a way to undo or
526 // override the blocking. Websockets without TLS are very flaky anyway in the
527 // face of many HTTP-aware proxies. Compared to passive content, there is
528 // additional risk that the script using WebSockets will disclose sensitive
529 // information from the HTTPS page and/or eval (directly or indirectly)
530 // received data.
531 //
532 // TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
533 // mixed-content XHR will already be blocked by that check. This will also
534 // block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
535 // above for WebSockets apply to XHR, and XHR should have the same security
536 // properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
537 // amplifies these concerns.
538 //
539 // TYPE_PROXIED_WEBRTC_MEDIA: Ordinarily, webrtc uses low-level sockets for
540 // peer-to-peer media, which bypasses this code entirely. However, when a
541 // web proxy is being used, the TCP and TLS webrtc connections are routed
542 // through the web proxy (using HTTP CONNECT), which causes these connections
543 // to be checked. We just skip mixed content blocking in that case.
546 // The top-level document cannot be mixed content by definition
550 // Creating insecure websocket connections in a secure page is blocked
551 // already in the websocket constructor. We don't need to check the blocking
552 // here and we don't want to un-block
557 // TYPE_SAVEAS_DOWNLOAD: Save-link-as feature is used to download a
558 // resource
559 // without involving a docShell. This kind of loading must be
560 // allowed, if not disabled in the preferences.
561 // Creating insecure connections for a save-as link download is
562 // acceptable. This download is completely disconnected from the docShell,
563 // but still using the same loading principal.
570 // It does not make sense to subject webrtc media connections to mixed
571 // content blocking, since those connections are peer-to-peer and will
572 // therefore almost never match the origin.
577 // Static display content is considered moderate risk for mixed content so
578 // these will be blocked according to the mixed display preference
588 }
591 // Active content (or content with a low value/risk-of-blocking ratio)
592 // that has been explicitly evaluated; listed here for documentation
593 // purposes and to avoid the assertion and warning for the default case.
617 // Do not add default: so that compilers can catch the missing case.
618 }
620 // Make sure to get the URI the load started with. No need to check
621 // outer schemes because all the wrapping pseudo protocols inherit the
622 // security properties of the actual network request represented
623 // by the innerMost URL.
630 "URI could not be "
633 }
635 // TYPE_IMAGE redirects are cached based on the original URI, not the final
636 // destination and hence cache hits for images may not have the correct
637 // innerContentLocation. Check if the cached hit went through an http
638 // redirect, and if it did, we can't treat this as a secure subresource.
643 }
645 /*
646 * Most likely aLoadingPrincipal reflects the security context of the owning
647 * document for this mixed content check. There are cases where that is not
648 * true, hence we have to we process requests in the following order:
649 * 1) If the load is triggered by the SystemPrincipal, we allow the load.
650 * Content scripts from addon code do provide aTriggeringPrincipal, which
651 * is an ExpandedPrincipal. If encountered, we allow the load.
652 * 2) If aLoadingPrincipal does not yield to a requestingLocation, then we
653 * fall back to querying the requestingLocation from aTriggeringPrincipal.
654 * 3) If we still end up not having a requestingLocation, we reject the load.
655 */
657 // 1) Check if the load was triggered by the system (SystemPrincipal) or
658 // a content script from addons code (ExpandedPrincipal) in which case the
659 // load is not subject to mixed content blocking.
664 }
670 }
671 }
673 // 2) If aLoadingPrincipal does not provide a requestingLocation, then
674 // we fall back to to querying the requestingLocation from
675 // aTriggeringPrincipal.
679 requestingLocation =
681 }
683 // 3) Giving up. We still don't have a requesting location, therefore we can't
684 // tell if this is a mixed content load. Deny to be safe.
689 "location could be "
692 }
694 // Check the parent scheme. If it is not an HTTPS page then mixed content
695 // restrictions do not apply.
703 "URI of the "
706 }
713 "location is not using "
716 }
718 // Disallow mixed content loads for workers, shared workers and service
719 // workers.
721 // For workers, we can assume that we're mixed content at this point, since
722 // the parent is https, and the protocol associated with
723 // innerContentLocation doesn't map to the secure URI flags checked above.
724 // Assert this for sanity's sake
725 #ifdef DEBUG
728 #endif
734 }
740 }
742 // Check if https-only mode upgrades this later anyway
746 }
748 // The page might have set the CSP directive 'upgrade-insecure-requests'. In
749 // such a case allow the http: load to succeed with the promise that the
750 // channel will get upgraded to https before fetching any data from the
751 // netwerk. Please see: nsHttpChannel::Connect()
752 //
753 // Please note that the CSP directive 'upgrade-insecure-requests' only applies
754 // to http: and ws: (for websockets). Websockets are not subject to mixed
755 // content blocking since insecure websockets are not allowed within secure
756 // pages. Hence, we only have to check against http: here. Skip mixed content
757 // blocking if the subresource load uses http: and the CSP directive
758 // 'upgrade-insecure-requests' is present on the page.
760 // Carve-out: if we're in the parent and we're loading media, e.g. through
761 // webbrowserpersist, don't reject it if we can't find a docshell.
767 }
768 // Otherwise, we must have a window
774 }
776 // Allow http: mixed content if we are choosing to upgrade them when the
777 // pref "security.mixed_content.upgrade_display_content" is true.
778 // This behaves like GetUpgradeInsecureRequests above in that the channel will
779 // be upgraded to https before fetching any data from the netwerk.
786 }
787 }
789 // The page might have set the CSP directive 'block-all-mixed-content' which
790 // should block not only active mixed content loads but in fact all mixed
791 // content loads, see https://www.w3.org/TR/mixed-content/#strict-checking
792 // Block all non secure loads in case the CSP directive is present. Please
793 // note that at this point we already know, based on |schemeSecure| that the
794 // load is not secure, so we can bail out early at this point.
796 // log a message to the console before returning.
797 nsAutoCString spec;
816 "'block-all-mixed-content' was set while trying to load data from "
819 }
821 // Determine if the rootDoc is https and if the user decided to allow Mixed
822 // Content
827 // When navigating an iframe, the iframe may be https but its parents may not
828 // be. Check the parents to see if any of them are https. If none of the
829 // parents are https, allow the load.
838 }
843 }
844 }
846 OriginAttributes originAttributes;
851 }
853 // At this point we know that the request is mixed content, and the only
854 // question is whether we block it. Record telemetry at this point as to
855 // whether HSTS would have fixed things by making the content location
856 // into an HTTPS URL.
857 //
858 // Note that we count this for redirects as well as primary requests. This
859 // will cause some degree of double-counting, especially when mixed content
860 // is not blocked (e.g., for images). For more detail, see:
861 // https://bugzilla.mozilla.org/show_bug.cgi?id=1198572#c19
862 //
863 // We do not count requests aHadInsecureImageRedirect=true, since these are
864 // just an artifact of the image caching system.
869 originAttributes);
871 // Ask the parent process to do the same call
876 originAttributes);
877 }
878 }
879 }
881 // set hasMixedContentObjectSubrequest on this object if necessary
883 aReportError) {
890 messageLookUpKey);
891 }
892 }
895 // If the content is display content, and the pref says display content should
896 // be blocked, block it.
899 allowMixedContent) {
901 // User has overriden the pref and the root is not https;
902 // mixed display content was allowed on an https subframe.
908 "display "
909 "content (blocked by pref "
912 }
915 // If the content is active content, and the pref says active content should
916 // be blocked, block it unless the user has choosen to override the pref
918 allowMixedContent) {
920 // User has already overriden the pref and the root is not https;
921 // mixed active content was allowed on an https subframe.
924 // User has not overriden the pref by Disabling protection. Reject the
925 // request and update the security state.
929 "active "
930 "content (blocked by pref "
932 // The user has not overriden the pref, so make sure they still have an
933 // option by calling nativeDocShell which will invoke the doorhanger
935 }
936 }
938 // To avoid duplicate errors on the console, we do not report blocked
939 // preloads to the console.
943 ? eBlocked
945 requestingLocation);
946 }
948 // Notify the top WindowContext of the flags we've computed, and it
949 // will handle updating any relevant security UI.
952 }
955 /* Returns a bool if the URI can be loaded as a sub resource safely.
956 *
957 * Check Protocol Flags to determine if scheme is safe to load:
958 * URI_DOES_NOT_RETURN_DATA - e.g.
959 * "mailto"
960 * URI_IS_LOCAL_RESOURCE - e.g.
961 * "data",
962 * "resource",
963 * "moz-icon"
964 * URI_INHERITS_SECURITY_CONTEXT - e.g.
965 * "javascript"
966 * URI_IS_POTENTIALLY_TRUSTWORTHY - e.g.
967 * "https",
968 * "moz-safe-about"
969 *
970 */
987 }
998 }
1000 NS_IMETHODIMP
1005 // aContentLocation may be null when a plugin is loading without an
1006 // associated URI resource
1011 }
1017 }
1020 }
1022 // Record information on when HSTS would have made mixed content not mixed
1023 // content (regardless of whether it was actually blocked)
1026 // This method must only be called in the parent, because
1027 // nsSiteSecurityService is only available in the parent
1031 }
1034 nsresult rv;
1039 }
1043 }
1045 // states: would upgrade, would prime, hsts info cached
1046 // active, passive
1047 //
1051 MCB_HSTS_PASSIVE_NO_HSTS);
1054 MCB_HSTS_PASSIVE_WITH_HSTS);
1055 }
1059 MCB_HSTS_ACTIVE_NO_HSTS);
1062 MCB_HSTS_ACTIVE_WITH_HSTS);
1063 }
1064 }
1065 }