1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "nsMixedContentBlocker.h"
9 #include "nsContentPolicyUtils.h"
10 #include "nsCSPContext.h"
11 #include "nsThreadUtils.h"
14 #include "nsDocShell.h"
15 #include "nsIWebProgressListener.h"
16 #include "nsContentUtils.h"
17 #include "mozilla/dom/BrowsingContext.h"
18 #include "mozilla/dom/WindowContext.h"
19 #include "mozilla/dom/Document.h"
20 #include "nsIChannel.h"
21 #include "nsIParentChannel.h"
22 #include "mozilla/Preferences.h"
23 #include "nsIScriptObjectPrincipal.h"
24 #include "nsIProtocolHandler.h"
25 #include "nsCharSeparatedTokenizer.h"
26 #include "nsISecureBrowserUI.h"
27 #include "nsIWebNavigation.h"
28 #include "nsLoadGroup.h"
29 #include "nsIScriptError.h"
31 #include "nsIChannelEventSink.h"
32 #include "nsNetUtil.h"
33 #include "nsAsyncRedirectVerifyHelper.h"
34 #include "mozilla/LoadInfo.h"
35 #include "nsISiteSecurityService.h"
37 #include "nsQueryObject.h"
39 #include "mozilla/BasePrincipal.h"
40 #include "mozilla/Logging.h"
41 #include "mozilla/StaticPrefs_dom.h"
42 #include "mozilla/StaticPrefs_fission.h"
43 #include "mozilla/StaticPrefs_security.h"
44 #include "mozilla/Telemetry.h"
45 #include "mozilla/dom/ContentChild.h"
46 #include "mozilla/ipc/URIUtils.h"
47 #include "mozilla/net/DNS.h"
48 #include "mozilla/net/DocumentLoadListener.h"
49 #include "mozilla/net/DocumentChannel.h"
51 #include "mozilla/dom/nsHTTPSOnlyUtils.h"
53 using namespace mozilla
;
54 using namespace mozilla::dom
;
56 static mozilla::LazyLogModule
sMCBLog("MCBLog");
58 enum nsMixedContentBlockerMessageType
{ eBlocked
= 0x00, eUserOverride
= 0x01 };
60 // Allowlist of hostnames that should be considered secure contexts even when
61 // served over http:// or ws://
62 nsCString
* nsMixedContentBlocker::sSecurecontextAllowlist
= nullptr;
63 bool nsMixedContentBlocker::sSecurecontextAllowlistCached
= false;
65 enum MixedContentHSTSState
{
66 MCB_HSTS_PASSIVE_NO_HSTS
= 0,
67 MCB_HSTS_PASSIVE_WITH_HSTS
= 1,
68 MCB_HSTS_ACTIVE_NO_HSTS
= 2,
69 MCB_HSTS_ACTIVE_WITH_HSTS
= 3
72 nsMixedContentBlocker::~nsMixedContentBlocker() = default;
74 NS_IMPL_ISUPPORTS(nsMixedContentBlocker
, nsIContentPolicy
, nsIChannelEventSink
)
76 static void LogMixedContentMessage(
77 MixedContentTypes aClassification
, nsIURI
* aContentLocation
,
78 uint64_t aInnerWindowID
, nsMixedContentBlockerMessageType aMessageType
,
79 nsIURI
* aRequestingLocation
,
80 const nsACString
& aOverruleMessageLookUpKeyWithThis
= ""_ns
) {
81 nsAutoCString messageCategory
;
82 uint32_t severityFlag
;
83 nsAutoCString messageLookupKey
;
85 if (aMessageType
== eBlocked
) {
86 severityFlag
= nsIScriptError::errorFlag
;
87 messageCategory
.AssignLiteral("Mixed Content Blocker");
88 if (aClassification
== eMixedDisplay
) {
89 messageLookupKey
.AssignLiteral("BlockMixedDisplayContent");
91 messageLookupKey
.AssignLiteral("BlockMixedActiveContent");
94 severityFlag
= nsIScriptError::warningFlag
;
95 messageCategory
.AssignLiteral("Mixed Content Message");
96 if (aClassification
== eMixedDisplay
) {
97 messageLookupKey
.AssignLiteral("LoadingMixedDisplayContent2");
99 messageLookupKey
.AssignLiteral("LoadingMixedActiveContent2");
103 // if the callee explicitly wants to use a special message for this
104 // console report, then we allow to overrule the default with the
105 // explicitly provided one here.
106 if (!aOverruleMessageLookUpKeyWithThis
.IsEmpty()) {
107 messageLookupKey
= aOverruleMessageLookUpKeyWithThis
;
110 nsAutoString localizedMsg
;
111 AutoTArray
<nsString
, 1> params
;
112 CopyUTF8toUTF16(aContentLocation
->GetSpecOrDefault(),
113 *params
.AppendElement());
114 nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES
,
115 messageLookupKey
.get(), params
,
118 nsContentUtils::ReportToConsoleByWindowID(localizedMsg
, severityFlag
,
119 messageCategory
, aInnerWindowID
,
120 aRequestingLocation
);
123 /* nsIChannelEventSink implementation
124 * This code is called when a request is redirected.
125 * We check the channel associated with the new uri is allowed to load
126 * in the current context
129 nsMixedContentBlocker::AsyncOnChannelRedirect(
130 nsIChannel
* aOldChannel
, nsIChannel
* aNewChannel
, uint32_t aFlags
,
131 nsIAsyncVerifyRedirectCallback
* aCallback
) {
132 mozilla::net::nsAsyncRedirectAutoCallback
autoCallback(aCallback
);
135 NS_ERROR("No channel when evaluating mixed content!");
136 return NS_ERROR_FAILURE
;
139 // If we are in the parent process in e10s, we don't have access to the
140 // document node, and hence ShouldLoad will fail when we try to get
141 // the docShell. If that's the case, ignore mixed content checks
142 // on redirects in the parent. Let the child check for mixed content.
143 nsCOMPtr
<nsIParentChannel
> is_ipc_channel
;
144 NS_QueryNotificationCallbacks(aNewChannel
, is_ipc_channel
);
145 RefPtr
<net::DocumentLoadListener
> docListener
=
146 do_QueryObject(is_ipc_channel
);
147 if (is_ipc_channel
&& !docListener
) {
151 // Don't do these checks if we're switching from DocumentChannel
152 // to a real channel. In that case, we should already have done
153 // the checks in the parent process. AsyncOnChannelRedirect
154 // isn't called in the content process if we switch process,
155 // so checking here would just hide bugs in the process switch
157 if (RefPtr
<net::DocumentChannel
> docChannel
= do_QueryObject(aOldChannel
)) {
162 nsCOMPtr
<nsIURI
> oldUri
;
163 rv
= aOldChannel
->GetURI(getter_AddRefs(oldUri
));
164 NS_ENSURE_SUCCESS(rv
, rv
);
166 nsCOMPtr
<nsIURI
> newUri
;
167 rv
= aNewChannel
->GetURI(getter_AddRefs(newUri
));
168 NS_ENSURE_SUCCESS(rv
, rv
);
170 // Get the loading Info from the old channel
171 nsCOMPtr
<nsILoadInfo
> loadInfo
= aOldChannel
->LoadInfo();
172 nsCOMPtr
<nsIPrincipal
> requestingPrincipal
= loadInfo
->GetLoadingPrincipal();
174 // Since we are calling shouldLoad() directly on redirects, we don't go
175 // through the code in nsContentPolicyUtils::NS_CheckContentLoadPolicy().
176 // Hence, we have to duplicate parts of it here.
177 if (requestingPrincipal
) {
178 // We check to see if the loadingPrincipal is systemPrincipal and return
180 if (requestingPrincipal
->IsSystemPrincipal()) {
185 int16_t decision
= REJECT_REQUEST
;
186 rv
= ShouldLoad(newUri
, loadInfo
, &decision
);
188 autoCallback
.DontCallback();
189 aOldChannel
->Cancel(NS_ERROR_DOM_BAD_URI
);
190 return NS_BINDING_FAILED
;
193 // If the channel is about to load mixed content, abort the channel
194 if (!NS_CP_ACCEPTED(decision
)) {
195 autoCallback
.DontCallback();
196 aOldChannel
->Cancel(NS_ERROR_DOM_BAD_URI
);
197 return NS_BINDING_FAILED
;
203 /* This version of ShouldLoad() is non-static and called by the Content Policy
204 * API and AsyncOnChannelRedirect(). See nsIContentPolicy::ShouldLoad()
205 * for detailed description of the parameters.
208 nsMixedContentBlocker::ShouldLoad(nsIURI
* aContentLocation
,
209 nsILoadInfo
* aLoadInfo
, int16_t* aDecision
) {
210 // We pass in false as the first parameter to ShouldLoad(), because the
211 // callers of this method don't know whether the load went through cached
212 // image redirects. This is handled by direct callers of the static
214 nsresult rv
= ShouldLoad(false, // aHadInsecureImageRedirect
215 aContentLocation
, aLoadInfo
, true, aDecision
);
217 if (*aDecision
== nsIContentPolicy::REJECT_REQUEST
) {
218 NS_SetRequestBlockingReason(aLoadInfo
,
219 nsILoadInfo::BLOCKING_REASON_MIXED_BLOCKED
);
225 bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
226 const nsACString
& aAsciiHost
) {
227 if (mozilla::net::IsLoopbackHostname(aAsciiHost
)) {
231 using namespace mozilla::net
;
233 if (NS_FAILED(addr
.InitFromString(aAsciiHost
))) {
238 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy says
239 // we should only consider [::1]/128 as a potentially trustworthy IPv6
240 // address, whereas for IPv4 127.0.0.1/8 are considered as potentially
242 return addr
.IsLoopBackAddressWithoutIPv6Mapping();
245 bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI
* aURL
) {
249 nsAutoCString asciiHost
;
250 nsresult rv
= aURL
->GetAsciiHost(asciiHost
);
251 NS_ENSURE_SUCCESS(rv
, false);
252 return IsPotentiallyTrustworthyLoopbackHost(asciiHost
);
255 /* Maybe we have a .onion URL. Treat it as trustworthy as well if
256 * `dom.securecontext.allowlist_onions` is `true`.
258 bool nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(nsIURI
* aURL
) {
259 if (!StaticPrefs::dom_securecontext_allowlist_onions()) {
264 nsresult rv
= aURL
->GetHost(host
);
265 NS_ENSURE_SUCCESS(rv
, false);
266 return StringEndsWith(host
, ".onion"_ns
);
270 void nsMixedContentBlocker::OnPrefChange(const char* aPref
, void* aClosure
) {
271 MOZ_ASSERT(NS_IsMainThread());
272 MOZ_ASSERT(!strcmp(aPref
, "dom.securecontext.allowlist"));
273 Preferences::GetCString("dom.securecontext.allowlist",
274 *sSecurecontextAllowlist
);
278 void nsMixedContentBlocker::GetSecureContextAllowList(nsACString
& aList
) {
279 MOZ_ASSERT(NS_IsMainThread());
280 if (!sSecurecontextAllowlistCached
) {
281 MOZ_ASSERT(!sSecurecontextAllowlist
);
282 sSecurecontextAllowlistCached
= true;
283 sSecurecontextAllowlist
= new nsCString();
284 Preferences::RegisterCallbackAndCall(OnPrefChange
,
285 "dom.securecontext.allowlist");
287 aList
= *sSecurecontextAllowlist
;
291 void nsMixedContentBlocker::Shutdown() {
292 if (sSecurecontextAllowlist
) {
293 delete sSecurecontextAllowlist
;
294 sSecurecontextAllowlist
= nullptr;
298 bool nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI
* aURI
) {
299 // The following implements:
300 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
302 nsAutoCString scheme
;
303 nsresult rv
= aURI
->GetScheme(scheme
);
308 // Blobs are expected to inherit their principal so we don't expect to have
309 // a content principal with scheme 'blob' here. We can't assert that though
310 // since someone could mess with a non-blob URI to give it that scheme.
311 NS_WARNING_ASSERTION(!scheme
.EqualsLiteral("blob"),
312 "IsOriginPotentiallyTrustworthy ignoring blob scheme");
314 // According to the specification, the user agent may choose to extend the
315 // trust to other, vendor-specific URL schemes. We use this for "resource:",
316 // which is technically a substituting protocol handler that is not limited to
317 // local resource mapping, but in practice is never mapped remotely as this
318 // would violate assumptions a lot of code makes.
319 // We use nsIProtocolHandler flags to determine which protocols we consider a
320 // priori authenticated.
321 bool aPrioriAuthenticated
= false;
322 if (NS_FAILED(NS_URIChainHasFlags(
323 aURI
, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY
,
324 &aPrioriAuthenticated
))) {
328 if (aPrioriAuthenticated
) {
333 rv
= aURI
->GetHost(host
);
338 if (IsPotentiallyTrustworthyLoopbackURL(aURI
)) {
342 // If a host is not considered secure according to the default algorithm, then
343 // check to see if it has been allowlisted by the user. We only apply this
344 // allowlist for network resources, i.e., those with scheme "http" or "ws".
345 // The pref should contain a comma-separated list of hostnames.
347 if (!scheme
.EqualsLiteral("http") && !scheme
.EqualsLiteral("ws")) {
351 nsAutoCString allowlist
;
352 GetSecureContextAllowList(allowlist
);
353 for (const nsACString
& allowedHost
:
354 nsCCharSeparatedTokenizer(allowlist
, ',').ToRange()) {
355 if (host
.Equals(allowedHost
)) {
360 // Maybe we have a .onion URL. Treat it as trustworthy as well if
361 // `dom.securecontext.allowlist_onions` is `true`.
362 if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aURI
)) {
369 bool nsMixedContentBlocker::IsUpgradableContentType(nsContentPolicyType aType
,
370 bool aConsiderPrefs
) {
371 MOZ_ASSERT(NS_IsMainThread());
373 if (aConsiderPrefs
&&
374 !StaticPrefs::security_mixed_content_upgrade_display_content()) {
379 case nsIContentPolicy::TYPE_INTERNAL_IMAGE
:
380 case nsIContentPolicy::TYPE_INTERNAL_IMAGE_PRELOAD
:
381 return !aConsiderPrefs
||
383 security_mixed_content_upgrade_display_content_image();
384 case nsIContentPolicy::TYPE_INTERNAL_AUDIO
:
385 return !aConsiderPrefs
||
387 security_mixed_content_upgrade_display_content_audio();
388 case nsIContentPolicy::TYPE_INTERNAL_VIDEO
:
389 return !aConsiderPrefs
||
391 security_mixed_content_upgrade_display_content_video();
398 * Return the URI of the precusor principal or the URI of aPrincipal if there is
401 static already_AddRefed
<nsIURI
> GetPrincipalURIOrPrecursorPrincipalURI(
402 nsIPrincipal
* aPrincipal
) {
403 nsCOMPtr
<nsIPrincipal
> precursorPrincipal
=
404 aPrincipal
->GetPrecursorPrincipal();
407 if (precursorPrincipal
) {
408 MOZ_ASSERT(aPrincipal
->GetIsNullPrincipal(),
409 "Only Null Principals should have a Precursor Principal");
413 return precursorPrincipal
? precursorPrincipal
->GetURI()
414 : aPrincipal
->GetURI();
417 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
418 * logic. Called from non-static ShouldLoad().
420 nsresult
nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect
,
421 nsIURI
* aContentLocation
,
422 nsILoadInfo
* aLoadInfo
,
424 int16_t* aDecision
) {
425 // Asserting that we are on the main thread here and hence do not have to lock
426 // and unlock security.mixed_content.block_active_content and
427 // security.mixed_content.block_display_content before reading/writing to
429 MOZ_ASSERT(NS_IsMainThread());
431 if (MOZ_UNLIKELY(MOZ_LOG_TEST(sMCBLog
, LogLevel::Verbose
))) {
432 nsAutoCString asciiUrl
;
433 aContentLocation
->GetAsciiSpec(asciiUrl
);
434 MOZ_LOG(sMCBLog
, LogLevel::Verbose
, ("shouldLoad:"));
435 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
436 (" - contentLocation: %s", asciiUrl
.get()));
439 nsContentPolicyType internalContentType
=
440 aLoadInfo
->InternalContentPolicyType();
441 nsCOMPtr
<nsIPrincipal
> loadingPrincipal
= aLoadInfo
->GetLoadingPrincipal();
442 nsCOMPtr
<nsIPrincipal
> triggeringPrincipal
= aLoadInfo
->TriggeringPrincipal();
444 if (MOZ_UNLIKELY(MOZ_LOG_TEST(sMCBLog
, LogLevel::Verbose
))) {
445 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
446 (" - internalContentPolicyType: %s",
447 NS_CP_ContentTypeName(internalContentType
)));
449 if (loadingPrincipal
!= nullptr) {
450 nsAutoCString loadingPrincipalAsciiUrl
;
451 loadingPrincipal
->GetAsciiSpec(loadingPrincipalAsciiUrl
);
452 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
453 (" - loadingPrincipal: %s", loadingPrincipalAsciiUrl
.get()));
455 MOZ_LOG(sMCBLog
, LogLevel::Verbose
, (" - loadingPrincipal: (nullptr)"));
458 nsAutoCString triggeringPrincipalAsciiUrl
;
459 triggeringPrincipal
->GetAsciiSpec(triggeringPrincipalAsciiUrl
);
460 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
461 (" - triggeringPrincipal: %s", triggeringPrincipalAsciiUrl
.get()));
464 RefPtr
<WindowContext
> requestingWindow
=
465 WindowContext::GetById(aLoadInfo
->GetInnerWindowID());
467 bool isPreload
= nsContentUtils::IsPreloadType(internalContentType
);
469 // The content policy type that we receive may be an internal type for
470 // scripts. Let's remember if we have seen a worker type, and reset it to the
471 // external type in all cases right now.
473 internalContentType
== nsIContentPolicy::TYPE_INTERNAL_WORKER
||
474 internalContentType
==
475 nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE
||
476 internalContentType
== nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER
||
477 internalContentType
== nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER
;
478 ExtContentPolicyType contentType
=
479 nsContentUtils::InternalContentPolicyTypeToExternal(internalContentType
);
481 // Assume active (high risk) content and blocked by default
482 MixedContentTypes classification
= eMixedScript
;
483 // Make decision to block/reject by default
484 *aDecision
= REJECT_REQUEST
;
486 // Notes on non-obvious decisions:
488 // TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
490 // TYPE_FONT: The TrueType hinting mechanism is basically a scripting
491 // language that gets interpreted by the operating system's font rasterizer.
492 // Mixed content web fonts are relatively uncommon, and we can can fall back
493 // to built-in fonts with minimal disruption in almost all cases.
495 // TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
496 // script that a plugin will execute) or display content (e.g. Flash video
497 // content). Until we have a way to determine active vs passive content
498 // from plugin requests (bug 836352), we will treat this as passive content.
499 // This is to prevent false positives from causing users to become
500 // desensitized to the mixed content blocker.
502 // TYPE_CSP_REPORT: High-risk because they directly leak information about
503 // the content of the page, and because blocking them does not have any
504 // negative effect on the page loading.
506 // TYPE_PING: Ping requests are POSTS, not GETs like images and media.
507 // Also, PING requests have no bearing on the rendering or operation of
508 // the page when used as designed, so even though they are lower risk than
509 // scripts, blocking them is basically risk-free as far as compatibility is
512 // TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
513 // and other advanced CSS features can possibly be exploited to cause
514 // spoofing attacks (e.g. make a "grant permission" button look like a
515 // "refuse permission" button).
517 // TYPE_BEACON: Beacon requests are similar to TYPE_PING, and are blocked by
520 // TYPE_WEBSOCKET: The Websockets API requires browsers to
521 // reject mixed-content websockets: "If secure is false but the origin of
522 // the entry script has a scheme component that is itself a secure protocol,
523 // e.g. HTTPS, then throw a SecurityError exception." We already block mixed
524 // content websockets within the websockets implementation, so we don't need
525 // to do any blocking here, nor do we need to provide a way to undo or
526 // override the blocking. Websockets without TLS are very flaky anyway in the
527 // face of many HTTP-aware proxies. Compared to passive content, there is
528 // additional risk that the script using WebSockets will disclose sensitive
529 // information from the HTTPS page and/or eval (directly or indirectly)
532 // TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
533 // mixed-content XHR will already be blocked by that check. This will also
534 // block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
535 // above for WebSockets apply to XHR, and XHR should have the same security
536 // properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
537 // amplifies these concerns.
539 // TYPE_PROXIED_WEBRTC_MEDIA: Ordinarily, webrtc uses low-level sockets for
540 // peer-to-peer media, which bypasses this code entirely. However, when a
541 // web proxy is being used, the TCP and TLS webrtc connections are routed
542 // through the web proxy (using HTTP CONNECT), which causes these connections
543 // to be checked. We just skip mixed content blocking in that case.
545 switch (contentType
) {
546 // The top-level document cannot be mixed content by definition
547 case ExtContentPolicy::TYPE_DOCUMENT
:
550 // Creating insecure websocket connections in a secure page is blocked
551 // already in the websocket constructor. We don't need to check the blocking
552 // here and we don't want to un-block
553 case ExtContentPolicy::TYPE_WEBSOCKET
:
557 // TYPE_SAVEAS_DOWNLOAD: Save-link-as feature is used to download a
559 // without involving a docShell. This kind of loading must be
560 // allowed, if not disabled in the preferences.
561 // Creating insecure connections for a save-as link download is
562 // acceptable. This download is completely disconnected from the docShell,
563 // but still using the same loading principal.
565 case ExtContentPolicy::TYPE_SAVEAS_DOWNLOAD
:
570 // It does not make sense to subject webrtc media connections to mixed
571 // content blocking, since those connections are peer-to-peer and will
572 // therefore almost never match the origin.
573 case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA
:
577 // Static display content is considered moderate risk for mixed content so
578 // these will be blocked according to the mixed display preference
579 case ExtContentPolicy::TYPE_IMAGE
:
580 case ExtContentPolicy::TYPE_MEDIA
:
581 classification
= eMixedDisplay
;
583 case ExtContentPolicy::TYPE_OBJECT_SUBREQUEST
:
584 if (StaticPrefs::security_mixed_content_block_object_subrequest()) {
585 classification
= eMixedScript
;
587 classification
= eMixedDisplay
;
591 // Active content (or content with a low value/risk-of-blocking ratio)
592 // that has been explicitly evaluated; listed here for documentation
593 // purposes and to avoid the assertion and warning for the default case.
594 case ExtContentPolicy::TYPE_BEACON
:
595 case ExtContentPolicy::TYPE_CSP_REPORT
:
596 case ExtContentPolicy::TYPE_DTD
:
597 case ExtContentPolicy::TYPE_FETCH
:
598 case ExtContentPolicy::TYPE_FONT
:
599 case ExtContentPolicy::TYPE_UA_FONT
:
600 case ExtContentPolicy::TYPE_IMAGESET
:
601 case ExtContentPolicy::TYPE_OBJECT
:
602 case ExtContentPolicy::TYPE_SCRIPT
:
603 case ExtContentPolicy::TYPE_STYLESHEET
:
604 case ExtContentPolicy::TYPE_SUBDOCUMENT
:
605 case ExtContentPolicy::TYPE_PING
:
606 case ExtContentPolicy::TYPE_WEB_MANIFEST
:
607 case ExtContentPolicy::TYPE_XMLHTTPREQUEST
:
608 case ExtContentPolicy::TYPE_XSLT
:
609 case ExtContentPolicy::TYPE_OTHER
:
610 case ExtContentPolicy::TYPE_SPECULATIVE
:
611 case ExtContentPolicy::TYPE_WEB_TRANSPORT
:
612 case ExtContentPolicy::TYPE_WEB_IDENTITY
:
615 case ExtContentPolicy::TYPE_INVALID
:
616 MOZ_ASSERT(false, "Mixed content of unknown type");
617 // Do not add default: so that compilers can catch the missing case.
620 // Make sure to get the URI the load started with. No need to check
621 // outer schemes because all the wrapping pseudo protocols inherit the
622 // security properties of the actual network request represented
623 // by the innerMost URL.
624 nsCOMPtr
<nsIURI
> innerContentLocation
= NS_GetInnermostURI(aContentLocation
);
625 if (!innerContentLocation
) {
626 NS_ERROR("Can't get innerURI from aContentLocation");
627 *aDecision
= REJECT_REQUEST
;
628 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
629 (" -> decision: Request will be rejected because the innermost "
635 // TYPE_IMAGE redirects are cached based on the original URI, not the final
636 // destination and hence cache hits for images may not have the correct
637 // innerContentLocation. Check if the cached hit went through an http
638 // redirect, and if it did, we can't treat this as a secure subresource.
639 if (!aHadInsecureImageRedirect
&&
640 URISafeToBeLoadedInSecureContext(innerContentLocation
)) {
646 * Most likely aLoadingPrincipal reflects the security context of the owning
647 * document for this mixed content check. There are cases where that is not
648 * true, hence we have to we process requests in the following order:
649 * 1) If the load is triggered by the SystemPrincipal, we allow the load.
650 * Content scripts from addon code do provide aTriggeringPrincipal, which
651 * is an ExpandedPrincipal. If encountered, we allow the load.
652 * 2) If aLoadingPrincipal does not yield to a requestingLocation, then we
653 * fall back to querying the requestingLocation from aTriggeringPrincipal.
654 * 3) If we still end up not having a requestingLocation, we reject the load.
657 // 1) Check if the load was triggered by the system (SystemPrincipal) or
658 // a content script from addons code (ExpandedPrincipal) in which case the
659 // load is not subject to mixed content blocking.
660 if (triggeringPrincipal
) {
661 if (triggeringPrincipal
->IsSystemPrincipal()) {
665 nsCOMPtr
<nsIExpandedPrincipal
> expanded
=
666 do_QueryInterface(triggeringPrincipal
);
673 // 2) If aLoadingPrincipal does not provide a requestingLocation, then
674 // we fall back to to querying the requestingLocation from
675 // aTriggeringPrincipal.
676 nsCOMPtr
<nsIURI
> requestingLocation
=
677 GetPrincipalURIOrPrecursorPrincipalURI(loadingPrincipal
);
678 if (!requestingLocation
) {
680 GetPrincipalURIOrPrecursorPrincipalURI(triggeringPrincipal
);
683 // 3) Giving up. We still don't have a requesting location, therefore we can't
684 // tell if this is a mixed content load. Deny to be safe.
685 if (!requestingLocation
) {
686 *aDecision
= REJECT_REQUEST
;
687 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
688 (" -> decision: Request will be rejected because no requesting "
694 // Check the parent scheme. If it is not an HTTPS page then mixed content
695 // restrictions do not apply.
696 nsCOMPtr
<nsIURI
> innerRequestingLocation
=
697 NS_GetInnermostURI(requestingLocation
);
698 if (!innerRequestingLocation
) {
699 NS_ERROR("Can't get innerURI from requestingLocation");
700 *aDecision
= REJECT_REQUEST
;
701 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
702 (" -> decision: Request will be rejected because the innermost "
704 "requesting location could be gathered."));
708 bool parentIsHttps
= innerRequestingLocation
->SchemeIs("https");
709 if (!parentIsHttps
) {
711 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
712 (" -> decision: Request will be allowed because the requesting "
713 "location is not using "
718 // Disallow mixed content loads for workers, shared workers and service
721 // For workers, we can assume that we're mixed content at this point, since
722 // the parent is https, and the protocol associated with
723 // innerContentLocation doesn't map to the secure URI flags checked above.
724 // Assert this for sanity's sake
726 bool isHttpsScheme
= innerContentLocation
->SchemeIs("https");
727 MOZ_ASSERT(!isHttpsScheme
);
729 *aDecision
= REJECT_REQUEST
;
730 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
731 (" -> decision: Request will be rejected, trying to load a worker "
732 "from an insecure origin."));
736 bool isHttpScheme
= innerContentLocation
->SchemeIs("http");
737 if (isHttpScheme
&& IsPotentiallyTrustworthyOrigin(innerContentLocation
)) {
742 // Check if https-only mode upgrades this later anyway
743 if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo
)) {
748 // The page might have set the CSP directive 'upgrade-insecure-requests'. In
749 // such a case allow the http: load to succeed with the promise that the
750 // channel will get upgraded to https before fetching any data from the
751 // netwerk. Please see: nsHttpChannel::Connect()
753 // Please note that the CSP directive 'upgrade-insecure-requests' only applies
754 // to http: and ws: (for websockets). Websockets are not subject to mixed
755 // content blocking since insecure websockets are not allowed within secure
756 // pages. Hence, we only have to check against http: here. Skip mixed content
757 // blocking if the subresource load uses http: and the CSP directive
758 // 'upgrade-insecure-requests' is present on the page.
760 // Carve-out: if we're in the parent and we're loading media, e.g. through
761 // webbrowserpersist, don't reject it if we can't find a docshell.
762 if (XRE_IsParentProcess() && !requestingWindow
&&
763 (contentType
== ExtContentPolicy::TYPE_IMAGE
||
764 contentType
== ExtContentPolicy::TYPE_MEDIA
)) {
768 // Otherwise, we must have a window
769 NS_ENSURE_TRUE(requestingWindow
, NS_OK
);
771 if (isHttpScheme
&& aLoadInfo
->GetUpgradeInsecureRequests()) {
776 // Allow http: mixed content if we are choosing to upgrade them when the
777 // pref "security.mixed_content.upgrade_display_content" is true.
778 // This behaves like GetUpgradeInsecureRequests above in that the channel will
779 // be upgraded to https before fetching any data from the netwerk.
781 bool isUpgradableContentType
=
782 IsUpgradableContentType(internalContentType
, /* aConsiderPrefs */ true);
783 if (isUpgradableContentType
) {
789 // The page might have set the CSP directive 'block-all-mixed-content' which
790 // should block not only active mixed content loads but in fact all mixed
791 // content loads, see https://www.w3.org/TR/mixed-content/#strict-checking
792 // Block all non secure loads in case the CSP directive is present. Please
793 // note that at this point we already know, based on |schemeSecure| that the
794 // load is not secure, so we can bail out early at this point.
795 if (aLoadInfo
->GetBlockAllMixedContent()) {
796 // log a message to the console before returning.
798 nsresult rv
= aContentLocation
->GetSpec(spec
);
799 NS_ENSURE_SUCCESS(rv
, rv
);
801 AutoTArray
<nsString
, 1> params
;
802 CopyUTF8toUTF16(spec
, *params
.AppendElement());
804 CSP_LogLocalizedStr("blockAllMixedContent", params
,
805 u
""_ns
, // aSourceFile
806 u
""_ns
, // aScriptSample
809 nsIScriptError::errorFlag
, "blockAllMixedContent"_ns
,
810 requestingWindow
->Id(),
811 !!aLoadInfo
->GetOriginAttributes().mPrivateBrowsingId
);
812 *aDecision
= REJECT_REQUEST
;
814 sMCBLog
, LogLevel::Verbose
,
815 (" -> decision: Request will be rejected because the CSP directive "
816 "'block-all-mixed-content' was set while trying to load data from "
817 "a non-secure origin."));
821 // Determine if the rootDoc is https and if the user decided to allow Mixed
823 WindowContext
* topWC
= requestingWindow
->TopWindowContext();
824 bool rootHasSecureConnection
= topWC
->GetIsSecure();
825 bool allowMixedContent
= topWC
->GetAllowMixedContent();
827 // When navigating an iframe, the iframe may be https but its parents may not
828 // be. Check the parents to see if any of them are https. If none of the
829 // parents are https, allow the load.
830 if (contentType
== ExtContentPolicyType::TYPE_SUBDOCUMENT
&&
831 !rootHasSecureConnection
&& !parentIsHttps
) {
832 bool httpsParentExists
= false;
834 RefPtr
<WindowContext
> curWindow
= requestingWindow
;
835 while (!httpsParentExists
&& curWindow
) {
836 httpsParentExists
= curWindow
->GetIsSecure();
837 curWindow
= curWindow
->GetParentWindowContext();
840 if (!httpsParentExists
) {
841 *aDecision
= nsIContentPolicy::ACCEPT
;
846 OriginAttributes originAttributes
;
847 if (loadingPrincipal
) {
848 originAttributes
= loadingPrincipal
->OriginAttributesRef();
849 } else if (triggeringPrincipal
) {
850 originAttributes
= triggeringPrincipal
->OriginAttributesRef();
853 // At this point we know that the request is mixed content, and the only
854 // question is whether we block it. Record telemetry at this point as to
855 // whether HSTS would have fixed things by making the content location
856 // into an HTTPS URL.
858 // Note that we count this for redirects as well as primary requests. This
859 // will cause some degree of double-counting, especially when mixed content
860 // is not blocked (e.g., for images). For more detail, see:
861 // https://bugzilla.mozilla.org/show_bug.cgi?id=1198572#c19
863 // We do not count requests aHadInsecureImageRedirect=true, since these are
864 // just an artifact of the image caching system.
865 bool active
= (classification
== eMixedScript
);
866 if (!aHadInsecureImageRedirect
) {
867 if (XRE_IsParentProcess()) {
868 AccumulateMixedContentHSTS(innerContentLocation
, active
,
871 // Ask the parent process to do the same call
872 mozilla::dom::ContentChild
* cc
=
873 mozilla::dom::ContentChild::GetSingleton();
875 cc
->SendAccumulateMixedContentHSTS(innerContentLocation
, active
,
881 // set hasMixedContentObjectSubrequest on this object if necessary
882 if (contentType
== ExtContentPolicyType::TYPE_OBJECT_SUBREQUEST
&&
884 if (!StaticPrefs::security_mixed_content_block_object_subrequest()) {
885 nsAutoCString
messageLookUpKey(
886 "LoadingMixedDisplayObjectSubrequestDeprecation");
888 LogMixedContentMessage(classification
, aContentLocation
, topWC
->Id(),
889 eUserOverride
, requestingLocation
,
894 uint32_t newState
= 0;
895 // If the content is display content, and the pref says display content should
896 // be blocked, block it.
897 if (classification
== eMixedDisplay
) {
898 if (!StaticPrefs::security_mixed_content_block_display_content() ||
900 *aDecision
= nsIContentPolicy::ACCEPT
;
901 // User has overriden the pref and the root is not https;
902 // mixed display content was allowed on an https subframe.
903 newState
|= nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT
;
905 *aDecision
= nsIContentPolicy::REJECT_REQUEST
;
906 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
907 (" -> decision: Request will be rejected because the content is "
909 "content (blocked by pref "
910 "security.mixed_content.block_display_content)."));
911 newState
|= nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT
;
914 MOZ_ASSERT(classification
== eMixedScript
);
915 // If the content is active content, and the pref says active content should
916 // be blocked, block it unless the user has choosen to override the pref
917 if (!StaticPrefs::security_mixed_content_block_active_content() ||
919 *aDecision
= nsIContentPolicy::ACCEPT
;
920 // User has already overriden the pref and the root is not https;
921 // mixed active content was allowed on an https subframe.
922 newState
|= nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT
;
924 // User has not overriden the pref by Disabling protection. Reject the
925 // request and update the security state.
926 *aDecision
= nsIContentPolicy::REJECT_REQUEST
;
927 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
928 (" -> decision: Request will be rejected because the content is "
930 "content (blocked by pref "
931 "security.mixed_content.block_active_content)."));
932 // The user has not overriden the pref, so make sure they still have an
933 // option by calling nativeDocShell which will invoke the doorhanger
934 newState
|= nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT
;
938 // To avoid duplicate errors on the console, we do not report blocked
939 // preloads to the console.
940 if (!isPreload
&& aReportError
) {
941 LogMixedContentMessage(classification
, aContentLocation
, topWC
->Id(),
942 (*aDecision
== nsIContentPolicy::REJECT_REQUEST
)
948 // Notify the top WindowContext of the flags we've computed, and it
949 // will handle updating any relevant security UI.
950 topWC
->AddSecurityState(newState
);
954 bool nsMixedContentBlocker::URISafeToBeLoadedInSecureContext(nsIURI
* aURI
) {
955 /* Returns a bool if the URI can be loaded as a sub resource safely.
957 * Check Protocol Flags to determine if scheme is safe to load:
958 * URI_DOES_NOT_RETURN_DATA - e.g.
960 * URI_IS_LOCAL_RESOURCE - e.g.
964 * URI_INHERITS_SECURITY_CONTEXT - e.g.
966 * URI_IS_POTENTIALLY_TRUSTWORTHY - e.g.
971 bool schemeLocal
= false;
972 bool schemeNoReturnData
= false;
973 bool schemeInherits
= false;
974 bool schemeSecure
= false;
975 if (NS_FAILED(NS_URIChainHasFlags(
976 aURI
, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE
, &schemeLocal
)) ||
977 NS_FAILED(NS_URIChainHasFlags(
978 aURI
, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA
,
979 &schemeNoReturnData
)) ||
980 NS_FAILED(NS_URIChainHasFlags(
981 aURI
, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
,
983 NS_FAILED(NS_URIChainHasFlags(
984 aURI
, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY
,
989 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
990 (" - URISafeToBeLoadedInSecureContext:"));
991 MOZ_LOG(sMCBLog
, LogLevel::Verbose
, (" - schemeLocal: %i", schemeLocal
));
992 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
993 (" - schemeNoReturnData: %i", schemeNoReturnData
));
994 MOZ_LOG(sMCBLog
, LogLevel::Verbose
,
995 (" - schemeInherits: %i", schemeInherits
));
996 MOZ_LOG(sMCBLog
, LogLevel::Verbose
, (" - schemeSecure: %i", schemeSecure
));
997 return (schemeLocal
|| schemeNoReturnData
|| schemeInherits
|| schemeSecure
);
1001 nsMixedContentBlocker::ShouldProcess(nsIURI
* aContentLocation
,
1002 nsILoadInfo
* aLoadInfo
,
1003 int16_t* aDecision
) {
1004 if (!aContentLocation
) {
1005 // aContentLocation may be null when a plugin is loading without an
1006 // associated URI resource
1007 if (aLoadInfo
->GetExternalContentPolicyType() ==
1008 ExtContentPolicyType::TYPE_OBJECT
) {
1009 *aDecision
= ACCEPT
;
1013 NS_SetRequestBlockingReason(aLoadInfo
,
1014 nsILoadInfo::BLOCKING_REASON_MIXED_BLOCKED
);
1015 *aDecision
= REJECT_REQUEST
;
1016 return NS_ERROR_FAILURE
;
1019 return ShouldLoad(aContentLocation
, aLoadInfo
, aDecision
);
1022 // Record information on when HSTS would have made mixed content not mixed
1023 // content (regardless of whether it was actually blocked)
1024 void nsMixedContentBlocker::AccumulateMixedContentHSTS(
1025 nsIURI
* aURI
, bool aActive
, const OriginAttributes
& aOriginAttributes
) {
1026 // This method must only be called in the parent, because
1027 // nsSiteSecurityService is only available in the parent
1028 if (!XRE_IsParentProcess()) {
1035 nsCOMPtr
<nsISiteSecurityService
> sss
=
1036 do_GetService(NS_SSSERVICE_CONTRACTID
, &rv
);
1037 if (NS_FAILED(rv
)) {
1040 rv
= sss
->IsSecureURI(aURI
, aOriginAttributes
, &hsts
);
1041 if (NS_FAILED(rv
)) {
1045 // states: would upgrade, would prime, hsts info cached
1050 Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS
,
1051 MCB_HSTS_PASSIVE_NO_HSTS
);
1053 Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS
,
1054 MCB_HSTS_PASSIVE_WITH_HSTS
);
1058 Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS
,
1059 MCB_HSTS_ACTIVE_NO_HSTS
);
1061 Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS
,
1062 MCB_HSTS_ACTIVE_WITH_HSTS
);