| blob | c7c58a37dc01fa5f90c01bb04761f18e280477a2 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
37 // Helper function to identify protocols and content types not subject to CSP.
39 ExtContentPolicyType contentType =
42 // These content types are not subject to CSP content policy checks:
43 // TYPE_CSP_REPORT -- csp can't block csp reports
44 // TYPE_DOCUMENT -- used for frame-ancestors
48 }
50 // The three protocols: data:, blob: and filesystem: share the same
51 // protocol flag (URI_IS_LOCAL_RESOURCE) with other protocols,
52 // but those three protocols get special attention in CSP and
53 // are subject to CSP, hence we have to make sure those
54 // protocols are subject to CSP, see:
55 // http://www.w3.org/TR/CSP2/#source-list-guid-matching
59 }
61 // Finally we have to allowlist "about:" which does not fall into
62 // the category underneath and also "javascript:" which is not
63 // subject to CSP content loading rules.
66 }
68 // Please note that it should be possible for websites to
69 // allowlist their own protocol handlers with respect to CSP,
70 // hence we use protocol flags to accomplish that, but we also
71 // want resource:, chrome: and moz-icon to be subject to CSP
72 // (which also use URI_IS_LOCAL_RESOURCE).
73 // Exception to the rule are images, styles, and localization
74 // DTDs using a scheme of resource: or chrome:
79 nsAutoCString uriSpec;
81 // Exempt pdf.js from being subject to a page's CSP.
84 }
87 }
88 }
91 }
94 }
100 }
101 // all other protocols are subject To CSP.
103 }
111 }
116 nsresult rv =
124 }
126 // default decision, CSP can revise it if there's a policy to enforce
129 // No need to continue processing if CSP is disabled or if the protocol
130 // or type is *not* subject to CSP.
131 // Please note, the correct way to opt-out of CSP using a custom
132 // protocolHandler is to set one of the nsIProtocolHandler flags
133 // that are allowlistet in subjectToCSP()
136 }
138 // 1) Apply speculate CSP for preloads
144 // obtain the enforcement decision
151 // if the preload policy already denied the load, then there
152 // is no point in checking the real policy
158 }
159 }
160 }
162 // 2) Apply actual CSP to all loads. Please note that in case
163 // the csp should be overruled (e.g. by an ExpandedPrincipal)
164 // then loadinfo->GetCsp() returns that CSP instead of the
165 // document's CSP.
169 // Generally aOriginalURI denotes the URI before a redirect and hence
170 // will always be a nullptr here. Only exception are frame navigations
171 // which we want to treat as a redirect for the purpose of CSP reporting
172 // and in particular the `blocked-uri` in the CSP report where we want
173 // to report the prePath information.
175 ExtContentPolicyType extType =
181 nsAutoCString prePathStr;
186 }
188 // obtain the enforcement decision
197 }
200 }
202 }
204 /* nsIContentPolicy implementation */
205 NS_IMETHODIMP
209 }
211 NS_IMETHODIMP
217 }
224 }
226 // ShouldProcess is only relevant to TYPE_OBJECT, so let's convert the
227 // internal contentPolicyType to the mapping external one.
228 // If it is not TYPE_OBJECT, we can return at this point.
229 // Note that we should still pass the internal contentPolicyType
230 // (contentType) to ShouldLoad().
231 ExtContentPolicyType policyType =
237 }
240 }
242 /* nsIChannelEventSink implementation */
243 NS_IMETHODIMP
254 // Since this is an IPC'd channel we do not have access to the request
255 // context. In turn, we do not have an event target for policy violations.
256 // Enforce the CSP check in the content process where we have that info.
257 // We allow redirect checks to run for document loads via
258 // DocumentLoadListener, since these are fully supported and we don't
259 // expose the redirects to the content process. We can't do this for all
260 // request types yet because we don't serialize nsICSPEventListener.
263 }
264 }
266 // Don't do these checks if we're switching from DocumentChannel
267 // to a real channel. In that case, we should already have done
268 // the checks in the parent process. AsyncOnChannelRedirect
269 // isn't called in the content process if we switch process,
270 // so checking here would just hide bugs in the process switch
271 // cases.
274 }
282 /* Since redirecting channels don't call into nsIContentPolicy, we call our
283 * Content Policy implementation directly when redirects occur using the
284 * information set in the LoadInfo when channels are created.
285 *
286 * We check if the CSP permits this host for this type of load, if not,
287 * we cancel the load now.
288 */
295 }
301 }
304 }
307 }
313 // Check CSP navigate-to
314 // We need to enforce the CSP of the document that initiated the load,
315 // which is the CSP to inherit.
329 }
330 }
332 // No need to continue processing if CSP is disabled or if the protocol
333 // is *not* subject to CSP.
334 // Please note, the correct way to opt-out of CSP using a custom
335 // protocolHandler is to set one of the nsIProtocolHandler flags
336 // that are allowlistet in subjectToCSP()
340 }
343 nsresult rv =
349 /* On redirect, if the content policy is a preload type, rejecting the
350 * preload results in the load silently failing, so we pass true to
351 * the aSendViolationReports parameter. See Bug 1219453.
352 */
356 // 1) Apply speculative CSP for preloads
360 // Pass originalURI to indicate the redirect
369 // if the preload policy already denied the load, then there
370 // is no point in checking the real policy
374 }
375 }
376 }
378 // 2) Apply actual CSP to all loads
381 // Pass originalURI to indicate the redirect
391 }
392 }
395 }