search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1855780 - Generate INVALID_ENUM in ProvokingVertex for bad `mode`. r=gfx-reviewer...
[gecko.git] / caps / nsScriptSecurityManager.cpp
blobb245c3761c6428bfccc7494f8c95633ade799ec0
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/StaticPrefs_extensions.h"
11 #include "mozilla/StaticPrefs_security.h"
12 #include "mozilla/StoragePrincipalHelper.h"
13
14 #include "xpcpublic.h"
15 #include "XPCWrapper.h"
16 #include "nsILoadContext.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIScriptError.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "mozilla/BasePrincipal.h"
24 #include "mozilla/ContentPrincipal.h"
25 #include "ExpandedPrincipal.h"
26 #include "SystemPrincipal.h"
27 #include "DomainPolicy.h"
28 #include "nsString.h"
29 #include "nsCRT.h"
30 #include "nsCRTGlue.h"
31 #include "nsContentSecurityUtils.h"
32 #include "nsDocShell.h"
33 #include "nsError.h"
34 #include "nsGlobalWindowInner.h"
35 #include "nsDOMCID.h"
36 #include "nsTextFormatter.h"
37 #include "nsIStringBundle.h"
38 #include "nsNetUtil.h"
39 #include "nsIEffectiveTLDService.h"
40 #include "nsDirectoryServiceDefs.h"
41 #include "nsIScriptGlobalObject.h"
42 #include "nsPIDOMWindow.h"
43 #include "nsIDocShell.h"
44 #include "nsIConsoleService.h"
45 #include "nsIOService.h"
46 #include "nsIContent.h"
47 #include "nsDOMJSUtils.h"
48 #include "nsAboutProtocolUtils.h"
49 #include "nsIClassInfo.h"
50 #include "nsIURIFixup.h"
51 #include "nsIURIMutator.h"
52 #include "nsIChromeRegistry.h"
53 #include "nsIResProtocolHandler.h"
54 #include "nsIContentSecurityPolicy.h"
55 #include "mozilla/Components.h"
56 #include "mozilla/Preferences.h"
57 #include "mozilla/dom/BindingUtils.h"
58 #include "mozilla/NullPrincipal.h"
59 #include <stdint.h>
60 #include "mozilla/dom/ContentChild.h"
61 #include "mozilla/dom/ContentParent.h"
62 #include "mozilla/dom/Exceptions.h"
63 #include "mozilla/dom/nsCSPContext.h"
64 #include "mozilla/dom/ScriptSettings.h"
65 #include "mozilla/ClearOnShutdown.h"
66 #include "mozilla/ExtensionPolicyService.h"
67 #include "mozilla/ResultExtensions.h"
68 #include "mozilla/StaticPtr.h"
69 #include "mozilla/dom/WorkerCommon.h"
70 #include "mozilla/dom/WorkerPrivate.h"
71 #include "nsContentUtils.h"
72 #include "nsJSUtils.h"
73 #include "nsILoadInfo.h"
74 #include "js/ColumnNumber.h" // JS::ColumnNumberOneOrigin
75
76 // This should be probably defined on some other place... but I couldn't find it
77 #define WEBAPPS_PERM_NAME "webapps-manage"
78
79 using namespace mozilla;
80 using namespace mozilla::dom;
81
82 StaticRefPtr<nsIIOService> nsScriptSecurityManager::sIOService;
83 std::atomic<bool> nsScriptSecurityManager::sStrictFileOriginPolicy = true;
84
85 namespace {
86
87 class BundleHelper {
88 public:
89 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
90
91 static nsIStringBundle* GetOrCreate() {
92 MOZ_ASSERT(!sShutdown);
93
94 // Already shutting down. Nothing should require the use of the string
95 // bundle when shutting down.
96 if (sShutdown) {
97 return nullptr;
98 }
99
100 if (!sSelf) {
101 sSelf = new BundleHelper();
102 }
103
104 return sSelf->GetOrCreateInternal();
105 }
106
107 static void Shutdown() {
108 sSelf = nullptr;
109 sShutdown = true;
110 }
111
112 private:
113 ~BundleHelper() = default;
114
115 nsIStringBundle* GetOrCreateInternal() {
116 if (!mBundle) {
117 nsCOMPtr<nsIStringBundleService> bundleService =
118 mozilla::components::StringBundle::Service();
119 if (NS_WARN_IF(!bundleService)) {
120 return nullptr;
121 }
122
123 nsresult rv = bundleService->CreateBundle(
124 "chrome://global/locale/security/caps.properties",
125 getter_AddRefs(mBundle));
126 if (NS_WARN_IF(NS_FAILED(rv))) {
127 return nullptr;
128 }
129 }
130
131 return mBundle;
132 }
133
134 nsCOMPtr<nsIStringBundle> mBundle;
135
136 static StaticRefPtr<BundleHelper> sSelf;
137 static bool sShutdown;
138 };
139
140 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
141 bool BundleHelper::sShutdown = false;
142
143 } // namespace
144
145 ///////////////////////////
146 // Convenience Functions //
147 ///////////////////////////
148
149 class nsAutoInPrincipalDomainOriginSetter {
150 public:
151 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
152 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
153 static uint32_t sInPrincipalDomainOrigin;
154 };
155 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
156
157 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
158 if (!aURI) {
159 return NS_ERROR_NULL_POINTER;
160 }
161 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
162 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
163 // might be happening on a different principal from the first call. But
164 // after that, cut off the recursion; it just indicates that something
165 // we're doing in this method causes us to reenter a security check here.
166 return NS_ERROR_NOT_AVAILABLE;
167 }
168
169 nsAutoInPrincipalDomainOriginSetter autoSetter;
170
171 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
172 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
173
174 nsAutoCString hostPort;
175
176 nsresult rv = uri->GetHostPort(hostPort);
177 if (NS_SUCCEEDED(rv)) {
178 nsAutoCString scheme;
179 rv = uri->GetScheme(scheme);
180 NS_ENSURE_SUCCESS(rv, rv);
181 aOrigin = scheme + "://"_ns + hostPort;
182 } else {
183 // Some URIs (e.g., nsSimpleURI) don't support host. Just
184 // get the full spec.
185 rv = uri->GetSpec(aOrigin);
186 NS_ENSURE_SUCCESS(rv, rv);
187 }
188
189 return NS_OK;
190 }
191
192 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
193 nsACString& aOrigin) {
194 aOrigin.Truncate();
195 nsCOMPtr<nsIURI> uri;
196 aPrincipal->GetDomain(getter_AddRefs(uri));
197 nsresult rv = GetOriginFromURI(uri, aOrigin);
198 if (NS_SUCCEEDED(rv)) {
199 return rv;
200 }
201 // If there is no Domain fallback to the Principals Origin
202 return aPrincipal->GetOriginNoSuffix(aOrigin);
203 }
204
205 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
206 JS_ReportErrorASCII(cx, "%s", aMsg);
207 }
208
209 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
210 NS_ConvertUTF16toUTF8 msg(aMsg);
211 JS_ReportErrorUTF8(cx, "%s", msg.get());
212 }
213
214 /* static */
215 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
216 nsIURI* aTargetURI) {
217 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
218 sStrictFileOriginPolicy);
219 }
220
221 // SecurityHashURI is consistent with SecurityCompareURIs because
222 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
223 // nsNetUtil.h.
224 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
225 return NS_SecurityHashURI(aURI);
226 }
227
228 /*
229 * GetChannelResultPrincipal will return the principal that the resource
230 * returned by this channel will use. For example, if the resource is in
231 * a sandbox, it will return the nullprincipal. If the resource is forced
232 * to inherit principal, it will return the principal of its parent. If
233 * the load doesn't require sandboxing or inheriting, it will return the same
234 * principal as GetChannelURIPrincipal. Namely the principal of the URI
235 * that is being loaded.
236 */
237 NS_IMETHODIMP
238 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
239 nsIPrincipal** aPrincipal) {
240 return GetChannelResultPrincipal(aChannel, aPrincipal,
241 /*aIgnoreSandboxing*/ false);
242 }
243
244 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
245 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
246 return GetChannelResultPrincipal(aChannel, aPrincipal,
247 /*aIgnoreSandboxing*/ true);
248 }
249
250 NS_IMETHODIMP
251 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
252 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
253 nsCOMPtr<nsIPrincipal> principal;
254 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
255 /*aIgnoreSandboxing*/ false);
256 if (NS_WARN_IF(NS_FAILED(rv) || !principal)) {
257 return rv;
258 }
259
260 if (!(principal->GetIsContentPrincipal())) {
261 // If for some reason we don't have a content principal here, just reuse our
262 // principal for the storage principal too, since attempting to create a
263 // storage principal would fail anyway.
264 principal.forget(aPrincipal);
265 return NS_OK;
266 }
267
268 return StoragePrincipalHelper::Create(
269 aChannel, principal, /* aForceIsolation */ false, aPrincipal);
270 }
271
272 NS_IMETHODIMP
273 nsScriptSecurityManager::GetChannelResultPrincipals(
274 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
275 nsIPrincipal** aPartitionedPrincipal) {
276 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
277 /*aIgnoreSandboxing*/ false);
278 if (NS_WARN_IF(NS_FAILED(rv))) {
279 return rv;
280 }
281
282 if (!(*aPrincipal)->GetIsContentPrincipal()) {
283 // If for some reason we don't have a content principal here, just reuse our
284 // principal for the storage principal too, since attempting to create a
285 // storage principal would fail anyway.
286 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
287 copy.forget(aPartitionedPrincipal);
288 return NS_OK;
289 }
290
291 return StoragePrincipalHelper::Create(
292 aChannel, *aPrincipal, /* aForceIsolation */ true, aPartitionedPrincipal);
293 }
294
295 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
296 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
297 MOZ_ASSERT(aChannel, "Must have channel!");
298
299 // Check whether we have an nsILoadInfo that says what we should do.
300 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
301 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
302 nsCOMPtr<nsIPrincipal> principalToInherit =
303 loadInfo->FindPrincipalToInherit(aChannel);
304 principalToInherit.forget(aPrincipal);
305 return NS_OK;
306 }
307
308 nsCOMPtr<nsISupports> owner;
309 aChannel->GetOwner(getter_AddRefs(owner));
310 if (owner) {
311 CallQueryInterface(owner, aPrincipal);
312 if (*aPrincipal) {
313 return NS_OK;
314 }
315 }
316
317 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
318 // Determine the unsandboxed result principal to use as this null
319 // principal's precursor. Ignore errors here, as the precursor isn't
320 // required.
321 nsCOMPtr<nsIPrincipal> precursor;
322 GetChannelResultPrincipal(aChannel, getter_AddRefs(precursor),
323 /*aIgnoreSandboxing*/ true);
324
325 // Construct a deterministic null principal URI from the precursor and the
326 // loadinfo's nullPrincipalID.
327 nsCOMPtr<nsIURI> nullPrincipalURI = NullPrincipal::CreateURI(
328 precursor, &loadInfo->GetSandboxedNullPrincipalID());
329
330 // Use the URI to construct the sandboxed result principal.
331 OriginAttributes attrs;
332 loadInfo->GetOriginAttributes(&attrs);
333 nsCOMPtr<nsIPrincipal> sandboxedPrincipal =
334 NullPrincipal::Create(attrs, nullPrincipalURI);
335 sandboxedPrincipal.forget(aPrincipal);
336 return NS_OK;
337 }
338
339 bool forceInherit = loadInfo->GetForceInheritPrincipal();
340 if (aIgnoreSandboxing && !forceInherit) {
341 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
342 // sandboxing:
343 if (loadInfo->GetLoadingSandboxed() &&
344 loadInfo->GetForceInheritPrincipalDropped()) {
345 forceInherit = true;
346 }
347 }
348 if (forceInherit) {
349 nsCOMPtr<nsIPrincipal> principalToInherit =
350 loadInfo->FindPrincipalToInherit(aChannel);
351 principalToInherit.forget(aPrincipal);
352 return NS_OK;
353 }
354
355 auto securityMode = loadInfo->GetSecurityMode();
356 // The data: inheritance flags should only apply to the initial load,
357 // not to loads that it might have redirected to.
358 if (loadInfo->RedirectChain().IsEmpty() &&
359 (securityMode ==
360 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
361 securityMode ==
362 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
363 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT)) {
364 nsCOMPtr<nsIURI> uri;
365 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
366 NS_ENSURE_SUCCESS(rv, rv);
367
368 nsCOMPtr<nsIPrincipal> principalToInherit =
369 loadInfo->FindPrincipalToInherit(aChannel);
370 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
371
372 if (nsContentUtils::ChannelShouldInheritPrincipal(
373 principalToInherit, uri, inheritForAboutBlank, false)) {
374 principalToInherit.forget(aPrincipal);
375 return NS_OK;
376 }
377 }
378 return GetChannelURIPrincipal(aChannel, aPrincipal);
379 }
380
381 /* The principal of the URI that this channel is loading. This is never
382 * affected by things like sandboxed loads, or loads where we forcefully
383 * inherit the principal. Think of this as the principal of the server
384 * which this channel is loading from. Most callers should use
385 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
386 * call GetChannelURIPrincipal if you are sure that you want the
387 * principal that matches the uri, even in cases when the load is
388 * sandboxed or when the load could be a blob or data uri (i.e even when
389 * you encounter loads that may or may not be sandboxed and loads
390 * that may or may not inherit)."
391 */
392 NS_IMETHODIMP
393 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
394 nsIPrincipal** aPrincipal) {
395 MOZ_ASSERT(aChannel, "Must have channel!");
396
397 // Get the principal from the URI. Make sure this does the same thing
398 // as Document::Reset and PrototypeDocumentContentSink::Init.
399 nsCOMPtr<nsIURI> uri;
400 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
401 NS_ENSURE_SUCCESS(rv, rv);
402
403 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
404
405 // Inherit the origin attributes from loadInfo.
406 // If this is a top-level document load, the origin attributes of the
407 // loadInfo will be set from nsDocShell::DoURILoad.
408 // For subresource loading, the origin attributes of the loadInfo is from
409 // its loadingPrincipal.
410 OriginAttributes attrs = loadInfo->GetOriginAttributes();
411
412 // If the URI is supposed to inherit the security context of whoever loads it,
413 // we shouldn't make a content principal for it, so instead return a null
414 // principal.
415 bool inheritsPrincipal = false;
416 rv = NS_URIChainHasFlags(uri,
417 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
418 &inheritsPrincipal);
419 if (NS_FAILED(rv) || inheritsPrincipal) {
420 // Find a precursor principal to credit for the load. This won't impact
421 // security checks, but makes tracking the source of related loads easier.
422 nsCOMPtr<nsIPrincipal> precursorPrincipal =
423 loadInfo->FindPrincipalToInherit(aChannel);
424 nsCOMPtr<nsIURI> nullPrincipalURI =
425 NullPrincipal::CreateURI(precursorPrincipal);
426 *aPrincipal = NullPrincipal::Create(attrs, nullPrincipalURI).take();
427 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
428 }
429
430 nsCOMPtr<nsIPrincipal> prin =
431 BasePrincipal::CreateContentPrincipal(uri, attrs);
432 prin.forget(aPrincipal);
433 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
434 }
435
436 /////////////////////////////
437 // nsScriptSecurityManager //
438 /////////////////////////////
439
440 ////////////////////////////////////
441 // Methods implementing ISupports //
442 ////////////////////////////////////
443 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
444
445 ///////////////////////////////////////////////////
446 // Methods implementing nsIScriptSecurityManager //
447 ///////////////////////////////////////////////////
448
449 ///////////////// Security Checks /////////////////
450
451 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
452 JSContext* cx, JS::RuntimeCode aKind, JS::Handle<JSString*> aCode) {
453 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
454
455 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
456
457 // Check if Eval is allowed per firefox hardening policy
458 bool contextForbidsEval =
459 (subjectPrincipal->IsSystemPrincipal() || XRE_IsE10sParentProcess());
460 #if defined(ANDROID)
461 contextForbidsEval = false;
462 #endif
463
464 if (contextForbidsEval) {
465 nsAutoJSString scriptSample;
466 if (aKind == JS::RuntimeCode::JS &&
467 NS_WARN_IF(!scriptSample.init(cx, aCode))) {
468 return false;
469 }
470
471 if (!nsContentSecurityUtils::IsEvalAllowed(
472 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
473 return false;
474 }
475 }
476
477 // Get the window, if any, corresponding to the current global
478 nsCOMPtr<nsIContentSecurityPolicy> csp;
479 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
480 csp = win->GetCsp();
481 }
482
483 if (!csp) {
484 // Get the CSP for addon sandboxes. If the principal is expanded and has a
485 // csp, we're probably in luck.
486 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
487 // ContentScriptAddonPolicy means it is also an expanded principal, thus
488 // this is in a sandbox used as a content script.
489 if (basePrin->ContentScriptAddonPolicy()) {
490 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
491 }
492 // don't do anything unless there's a CSP
493 if (!csp) {
494 return true;
495 }
496 }
497
498 nsCOMPtr<nsICSPEventListener> cspEventListener;
499 if (!NS_IsMainThread()) {
500 WorkerPrivate* workerPrivate =
501 mozilla::dom::GetWorkerPrivateFromContext(cx);
502 if (workerPrivate) {
503 cspEventListener = workerPrivate->CSPEventListener();
504 }
505 }
506
507 bool evalOK = true;
508 bool reportViolation = false;
509 if (aKind == JS::RuntimeCode::JS) {
510 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
511 if (NS_FAILED(rv)) {
512 NS_WARNING("CSP: failed to get allowsEval");
513 return true; // fail open to not break sites.
514 }
515 } else {
516 if (NS_FAILED(csp->GetAllowsWasmEval(&reportViolation, &evalOK))) {
517 return false;
518 }
519 if (!evalOK) {
520 // Historically, CSP did not block WebAssembly in Firefox, and some
521 // add-ons use wasm and a stricter CSP. To avoid breaking them, ignore
522 // 'wasm-unsafe-eval' violations for MV2 extensions.
523 // TODO bug 1770909: remove this exception.
524 auto* addonPolicy = BasePrincipal::Cast(subjectPrincipal)->AddonPolicy();
525 if (addonPolicy && addonPolicy->ManifestVersion() == 2) {
526 reportViolation = true;
527 evalOK = true;
528 }
529 }
530 }
531
532 if (reportViolation) {
533 JS::AutoFilename scriptFilename;
534 nsAutoString fileName;
535 uint32_t lineNum = 0;
536 JS::ColumnNumberOneOrigin columnNum;
537 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
538 if (const char* file = scriptFilename.get()) {
539 CopyUTF8toUTF16(nsDependentCString(file), fileName);
540 }
541 } else {
542 MOZ_ASSERT(!JS_IsExceptionPending(cx));
543 }
544
545 nsAutoJSString scriptSample;
546 if (aKind == JS::RuntimeCode::JS &&
547 NS_WARN_IF(!scriptSample.init(cx, aCode))) {
548 JS_ClearPendingException(cx);
549 return false;
550 }
551 uint16_t violationType =
552 aKind == JS::RuntimeCode::JS
553 ? nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
554 : nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL;
555 csp->LogViolationDetails(violationType,
556 nullptr, // triggering element
557 cspEventListener, fileName, scriptSample, lineNum,
558 columnNum.zeroOriginValue(), u""_ns, u""_ns);
559 }
560
561 return evalOK;
562 }
563
564 // static
565 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
566 JSPrincipals* second) {
567 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
568 }
569
570 NS_IMETHODIMP
571 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
572 nsIURI* aTargetURI,
573 bool reportError,
574 bool aFromPrivateWindow) {
575 // Please note that aFromPrivateWindow is only 100% accurate if
576 // reportError is true.
577 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
578 if (reportError) {
579 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
580 aFromPrivateWindow);
581 }
582 return NS_ERROR_DOM_BAD_URI;
583 }
584 return NS_OK;
585 }
586
587 NS_IMETHODIMP
588 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
589 // Get principal of currently executing script.
590 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
591 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
592 nsresult rv = CheckLoadURIWithPrincipal(
593 // Passing 0 for the window ID here is OK, because we will report a
594 // script-visible exception anyway.
595 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
596 if (NS_SUCCEEDED(rv)) {
597 // OK to load
598 return NS_OK;
599 }
600
601 // Report error.
602 nsAutoCString spec;
603 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
604 nsAutoCString msg("Access to '");
605 msg.Append(spec);
606 msg.AppendLiteral("' from script denied");
607 SetPendingExceptionASCII(cx, msg.get());
608 return NS_ERROR_DOM_BAD_URI;
609 }
610
611 /**
612 * Helper method to handle cases where a flag passed to
613 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
614 * nsIProtocolHandler flags set.
615 * @return if success, access is allowed. Otherwise, deny access
616 */
617 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
618 MOZ_ASSERT(aURI, "Must have URI!");
619
620 bool uriHasFlags;
621 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
622 NS_ENSURE_SUCCESS(rv, rv);
623
624 if (uriHasFlags) {
625 return NS_ERROR_DOM_BAD_URI;
626 }
627
628 return NS_OK;
629 }
630
631 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
632 nsresult rv;
633 nsCOMPtr<nsIURI> probe = aProbeArg;
634
635 nsCOMPtr<nsIEffectiveTLDService> tldService =
636 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
637 NS_ENSURE_TRUE(tldService, false);
638 while (true) {
639 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
640 return true;
641 }
642
643 nsAutoCString host, newHost;
644 rv = probe->GetHost(host);
645 NS_ENSURE_SUCCESS(rv, false);
646
647 rv = tldService->GetNextSubDomain(host, newHost);
648 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
649 return false;
650 }
651 NS_ENSURE_SUCCESS(rv, false);
652 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
653 NS_ENSURE_SUCCESS(rv, false);
654 }
655 }
656
657 NS_IMETHODIMP
658 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
659 nsIURI* aTargetURI,
660 uint32_t aFlags,
661 uint64_t aInnerWindowID) {
662 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
663
664 // If someone passes a flag that we don't understand, we should
665 // fail, because they may need a security check that we don't
666 // provide.
667 NS_ENSURE_FALSE(
668 aFlags &
669 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
670 nsIScriptSecurityManager::ALLOW_CHROME |
671 nsIScriptSecurityManager::DISALLOW_SCRIPT |
672 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
673 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
674 NS_ERROR_UNEXPECTED);
675 NS_ENSURE_ARG_POINTER(aPrincipal);
676 NS_ENSURE_ARG_POINTER(aTargetURI);
677
678 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
679 // would do such inheriting. That would be URIs that do not have their own
680 // security context. We do this even for the system principal.
681 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
682 nsresult rv = DenyAccessIfURIHasFlags(
683 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
684 NS_ENSURE_SUCCESS(rv, rv);
685 }
686
687 if (aPrincipal == mSystemPrincipal) {
688 // Allow access
689 return NS_OK;
690 }
691
692 nsCOMPtr<nsIURI> sourceURI;
693 auto* basePrin = BasePrincipal::Cast(aPrincipal);
694 basePrin->GetURI(getter_AddRefs(sourceURI));
695 if (!sourceURI) {
696 if (basePrin->Is<ExpandedPrincipal>()) {
697 // If the target addon is MV3 or the pref is on we require extension
698 // resources loaded from content to be listed in web_accessible_resources.
699 auto* targetPolicy =
700 ExtensionPolicyService::GetSingleton().GetByURL(aTargetURI);
701 bool contentAccessRequired =
702 targetPolicy &&
703 (targetPolicy->ManifestVersion() > 2 ||
704 StaticPrefs::extensions_content_web_accessible_enabled());
705 auto expanded = basePrin->As<ExpandedPrincipal>();
706 const auto& allowList = expanded->AllowList();
707 // Only report errors when all principals fail.
708 // With expanded principals, which are used by extension content scripts,
709 // we check only against non-extension principals for access to extension
710 // resource to enforce making those resources explicitly web accessible.
711 uint32_t flags = aFlags | nsIScriptSecurityManager::DONT_REPORT_ERRORS;
712 for (size_t i = 0; i < allowList.Length() - 1; i++) {
713 if (contentAccessRequired &&
714 BasePrincipal::Cast(allowList[i])->AddonPolicy()) {
715 continue;
716 }
717 nsresult rv = CheckLoadURIWithPrincipal(allowList[i], aTargetURI, flags,
718 aInnerWindowID);
719 if (NS_SUCCEEDED(rv)) {
720 // Allow access if it succeeded with one of the allowlisted principals
721 return NS_OK;
722 }
723 }
724
725 if (contentAccessRequired &&
726 BasePrincipal::Cast(allowList.LastElement())->AddonPolicy()) {
727 bool reportErrors =
728 !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
729 if (reportErrors) {
730 ReportError("CheckLoadURI", sourceURI, aTargetURI,
731 allowList.LastElement()
732 ->OriginAttributesRef()
733 .mPrivateBrowsingId > 0,
734 aInnerWindowID);
735 }
736 return NS_ERROR_DOM_BAD_URI;
737 }
738 // Report errors (if requested) for the last principal.
739 return CheckLoadURIWithPrincipal(allowList.LastElement(), aTargetURI,
740 aFlags, aInnerWindowID);
741 }
742 NS_ERROR(
743 "Non-system principals or expanded principal passed to "
744 "CheckLoadURIWithPrincipal "
745 "must have a URI!");
746 return NS_ERROR_UNEXPECTED;
747 }
748
749 // Automatic loads are not allowed from certain protocols.
750 if (aFlags &
751 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
752 nsresult rv = DenyAccessIfURIHasFlags(
753 sourceURI,
754 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
755 NS_ENSURE_SUCCESS(rv, rv);
756 }
757
758 // If either URI is a nested URI, get the base URI
759 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
760 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
761
762 //-- get the target scheme
763 nsAutoCString targetScheme;
764 nsresult rv = targetBaseURI->GetScheme(targetScheme);
765 if (NS_FAILED(rv)) return rv;
766
767 //-- Some callers do not allow loading javascript:
768 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
769 targetScheme.EqualsLiteral("javascript")) {
770 return NS_ERROR_DOM_BAD_URI;
771 }
772
773 // Check for uris that are only loadable by principals that subsume them
774 bool targetURIIsLoadableBySubsumers = false;
775 rv = NS_URIChainHasFlags(targetBaseURI,
776 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
777 &targetURIIsLoadableBySubsumers);
778 NS_ENSURE_SUCCESS(rv, rv);
779
780 if (targetURIIsLoadableBySubsumers) {
781 // check nothing else in the URI chain has flags that prevent
782 // access:
783 rv = CheckLoadURIFlags(
784 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
785 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
786 aInnerWindowID);
787 NS_ENSURE_SUCCESS(rv, rv);
788 // Check the principal is allowed to load the target.
789 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
790 return aPrincipal->CheckMayLoad(targetBaseURI, false);
791 }
792 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
793 aInnerWindowID);
794 }
795
796 //-- get the source scheme
797 nsAutoCString sourceScheme;
798 rv = sourceBaseURI->GetScheme(sourceScheme);
799 if (NS_FAILED(rv)) return rv;
800
801 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
802 // A null principal can target its own URI.
803 if (sourceURI == aTargetURI) {
804 return NS_OK;
805 }
806 } else if (sourceScheme.EqualsIgnoreCase("file") &&
807 targetScheme.EqualsIgnoreCase("moz-icon")) {
808 // exception for file: linking to moz-icon://.ext?size=...
809 // Note that because targetScheme is the base (innermost) URI scheme,
810 // this does NOT allow file -> moz-icon:file:///... links.
811 // This is intentional.
812 return NS_OK;
813 }
814
815 // Check for webextension
816 bool targetURIIsLoadableByExtensions = false;
817 rv = NS_URIChainHasFlags(aTargetURI,
818 nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS,
819 &targetURIIsLoadableByExtensions);
820 NS_ENSURE_SUCCESS(rv, rv);
821
822 if (targetURIIsLoadableByExtensions &&
823 BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
824 return NS_OK;
825 }
826
827 // If we get here, check all the schemes can link to each other, from the top
828 // down:
829 nsCOMPtr<nsIURI> currentURI = sourceURI;
830 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
831
832 bool denySameSchemeLinks = false;
833 rv = NS_URIChainHasFlags(aTargetURI,
834 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
835 &denySameSchemeLinks);
836 if (NS_FAILED(rv)) return rv;
837
838 while (currentURI && currentOtherURI) {
839 nsAutoCString scheme, otherScheme;
840 currentURI->GetScheme(scheme);
841 currentOtherURI->GetScheme(otherScheme);
842
843 bool schemesMatch =
844 scheme.Equals(otherScheme, nsCaseInsensitiveCStringComparator);
845 bool isSamePage = false;
846 bool isExtensionMismatch = false;
847 // about: URIs are special snowflakes.
848 if (scheme.EqualsLiteral("about") && schemesMatch) {
849 nsAutoCString moduleName, otherModuleName;
850 // about: pages can always link to themselves:
851 isSamePage =
852 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
853 NS_SUCCEEDED(
854 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
855 moduleName.Equals(otherModuleName);
856 if (!isSamePage) {
857 // We will have allowed the load earlier if the source page has
858 // system principal. So we know the source has a content
859 // principal, and it's trying to link to something else.
860 // Linkable about: pages are always reachable, even if we hit
861 // the CheckLoadURIFlags call below.
862 // We punch only 1 other hole: iff the source is unlinkable,
863 // we let them link to other pages explicitly marked SAFE
864 // for content. This avoids world-linkable about: pages linking
865 // to non-world-linkable about: pages.
866 nsCOMPtr<nsIAboutModule> module, otherModule;
867 bool knowBothModules =
868 NS_SUCCEEDED(
869 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
870 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
871 getter_AddRefs(otherModule)));
872 uint32_t aboutModuleFlags = 0;
873 uint32_t otherAboutModuleFlags = 0;
874 knowBothModules =
875 knowBothModules &&
876 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
877 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
878 &otherAboutModuleFlags));
879 if (knowBothModules) {
880 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
881 (otherAboutModuleFlags &
882 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
883 if (isSamePage &&
884 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
885 // XXXgijs: this is a hack. The target will be nested
886 // (with innerURI of moz-safe-about:whatever), and
887 // the source isn't, so we won't pass if we finish
888 // the loop. We *should* pass, though, so return here.
889 // This hack can go away when bug 1228118 is fixed.
890 return NS_OK;
891 }
892 }
893 }
894 } else if (schemesMatch && scheme.EqualsLiteral("moz-extension")) {
895 // If it is not the same exension, we want to ensure we end up
896 // calling CheckLoadURIFlags
897 nsAutoCString host, otherHost;
898 currentURI->GetHost(host);
899 currentOtherURI->GetHost(otherHost);
900 isExtensionMismatch = !host.Equals(otherHost);
901 } else {
902 bool equalExceptRef = false;
903 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
904 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
905 }
906
907 // If schemes are not equal, or they're equal but the target URI
908 // is different from the source URI and doesn't always allow linking
909 // from the same scheme, or this is two different extensions, check
910 // if the URI flags of the current target URI allow the current
911 // source URI to link to it.
912 // The policy is specified by the protocol flags on both URIs.
913 if (!schemesMatch || (denySameSchemeLinks && !isSamePage) ||
914 isExtensionMismatch) {
915 return CheckLoadURIFlags(
916 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
917 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
918 aInnerWindowID);
919 }
920 // Otherwise... check if we can nest another level:
921 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
922 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
923
924 // If schemes match and neither URI is nested further, we're OK.
925 if (!nestedURI && !nestedOtherURI) {
926 return NS_OK;
927 }
928 // If one is nested and the other isn't, something is wrong.
929 if (!nestedURI != !nestedOtherURI) {
930 return NS_ERROR_DOM_BAD_URI;
931 }
932 // Otherwise, both should be nested and we'll go through the loop again.
933 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
934 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
935 }
936
937 // We should never get here. We should always return from inside the loop.
938 return NS_ERROR_DOM_BAD_URI;
939 }
940
941 /**
942 * Helper method to check whether the target URI and its innermost ("base") URI
943 * has protocol flags that should stop it from being loaded by the source URI
944 * (and/or the source URI's innermost ("base") URI), taking into account any
945 * nsIScriptSecurityManager flags originally passed to
946 * CheckLoadURIWithPrincipal and friends.
947 *
948 * @return if success, access is allowed. Otherwise, deny access
949 */
950 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
951 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
952 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
953 uint64_t aInnerWindowID) {
954 // Note that the order of policy checks here is very important!
955 // We start from most restrictive and work our way down.
956 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
957 const char* errorTag = "CheckLoadURIError";
958
959 nsAutoCString targetScheme;
960 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
961 if (NS_FAILED(rv)) return rv;
962
963 // Check for system target URI. Regular (non web accessible) extension
964 // URIs will also have URI_DANGEROUS_TO_LOAD.
965 rv = DenyAccessIfURIHasFlags(aTargetURI,
966 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
967 if (NS_FAILED(rv)) {
968 // Deny access, since the origin principal is not system
969 if (reportErrors) {
970 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
971 aInnerWindowID);
972 }
973 return rv;
974 }
975
976 // Used by ExtensionProtocolHandler to prevent loading extension resources
977 // in private contexts if the extension does not have permission.
978 if (aFromPrivateWindow) {
979 rv = DenyAccessIfURIHasFlags(
980 aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
981 if (NS_FAILED(rv)) {
982 if (reportErrors) {
983 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
984 aInnerWindowID);
985 }
986 return rv;
987 }
988 }
989
990 // If MV3 Extension uris are web accessible they have
991 // WEBEXT_URI_WEB_ACCESSIBLE.
992 bool maybeWebAccessible = false;
993 NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::WEBEXT_URI_WEB_ACCESSIBLE,
994 &maybeWebAccessible);
995 NS_ENSURE_SUCCESS(rv, rv);
996 if (maybeWebAccessible) {
997 bool isWebAccessible = false;
998 rv = ExtensionPolicyService::GetSingleton().SourceMayLoadExtensionURI(
999 aSourceURI, aTargetURI, &isWebAccessible);
1000 if (NS_SUCCEEDED(rv) && isWebAccessible) {
1001 return NS_OK;
1002 }
1003 if (reportErrors) {
1004 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1005 aInnerWindowID);
1006 }
1007 return NS_ERROR_DOM_BAD_URI;
1008 }
1009
1010 // Check for chrome target URI
1011 bool targetURIIsUIResource = false;
1012 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
1013 &targetURIIsUIResource);
1014 NS_ENSURE_SUCCESS(rv, rv);
1015 if (targetURIIsUIResource) {
1016 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
1017 // loads (since docshell loads run the loaded content with its origin
1018 // principal). We are effectively allowing resource:// and chrome://
1019 // URIs to load as long as they are content accessible and as long
1020 // they're not loading it as a document.
1021 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
1022 bool sourceIsUIResource = false;
1023 rv = NS_URIChainHasFlags(aSourceBaseURI,
1024 nsIProtocolHandler::URI_IS_UI_RESOURCE,
1025 &sourceIsUIResource);
1026 NS_ENSURE_SUCCESS(rv, rv);
1027 if (sourceIsUIResource) {
1028 // Special case for moz-icon URIs loaded by a local resources like
1029 // e.g. chrome: or resource:
1030 if (targetScheme.EqualsLiteral("moz-icon")) {
1031 return NS_OK;
1032 }
1033 }
1034
1035 if (targetScheme.EqualsLiteral("resource")) {
1036 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
1037 return NS_OK;
1038 }
1039
1040 nsCOMPtr<nsIProtocolHandler> ph;
1041 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
1042 NS_ENSURE_SUCCESS(rv, rv);
1043 if (!ph) {
1044 return NS_ERROR_DOM_BAD_URI;
1045 }
1046
1047 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
1048 if (!rph) {
1049 return NS_ERROR_DOM_BAD_URI;
1050 }
1051
1052 bool accessAllowed = false;
1053 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1054 if (accessAllowed) {
1055 return NS_OK;
1056 }
1057 } else if (targetScheme.EqualsLiteral("chrome")) {
1058 // Allow the load only if the chrome package is allowlisted.
1059 nsCOMPtr<nsIXULChromeRegistry> reg(
1060 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
1061 if (reg) {
1062 bool accessAllowed = false;
1063 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1064 if (accessAllowed) {
1065 return NS_OK;
1066 }
1067 }
1068 } else if (targetScheme.EqualsLiteral("moz-page-thumb") ||
1069 targetScheme.EqualsLiteral("page-icon")) {
1070 if (XRE_IsParentProcess()) {
1071 return NS_OK;
1072 }
1073
1074 auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
1075 if (remoteType == PRIVILEGEDABOUT_REMOTE_TYPE) {
1076 return NS_OK;
1077 }
1078 }
1079 }
1080
1081 if (reportErrors) {
1082 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1083 aInnerWindowID);
1084 }
1085 return NS_ERROR_DOM_BAD_URI;
1086 }
1087
1088 // Check for target URI pointing to a file
1089 bool targetURIIsLocalFile = false;
1090 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
1091 &targetURIIsLocalFile);
1092 NS_ENSURE_SUCCESS(rv, rv);
1093 if (targetURIIsLocalFile) {
1094 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
1095 // this array is empty.
1096 bool isAllowlisted;
1097 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
1098 if (isAllowlisted) {
1099 return NS_OK;
1100 }
1101
1102 // Allow chrome://
1103 if (aSourceBaseURI->SchemeIs("chrome")) {
1104 return NS_OK;
1105 }
1106
1107 // Nothing else.
1108 if (reportErrors) {
1109 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1110 aInnerWindowID);
1111 }
1112 return NS_ERROR_DOM_BAD_URI;
1113 }
1114
1115 #ifdef DEBUG
1116 {
1117 // Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
1118 // is handled by the caller which is just delegating to us as a helper.
1119 bool hasSubsumersFlag = false;
1120 NS_URIChainHasFlags(aTargetBaseURI,
1121 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
1122 &hasSubsumersFlag);
1123 bool hasLoadableByAnyone = false;
1124 NS_URIChainHasFlags(aTargetBaseURI,
1125 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
1126 &hasLoadableByAnyone);
1127 MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
1128 "why do we get here and do not have any of the two flags set?");
1129 }
1130 #endif
1131
1132 return NS_OK;
1133 }
1134
1135 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1136 const nsACString& aSourceSpec,
1137 const nsACString& aTargetSpec,
1138 bool aFromPrivateWindow,
1139 uint64_t aInnerWindowID) {
1140 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1141 return NS_OK;
1142 }
1143
1144 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1145 if (NS_WARN_IF(!bundle)) {
1146 return NS_OK;
1147 }
1148
1149 // Localize the error message
1150 nsAutoString message;
1151 AutoTArray<nsString, 2> formatStrings;
1152 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1153 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1154 nsresult rv =
1155 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1156 NS_ENSURE_SUCCESS(rv, rv);
1157
1158 nsCOMPtr<nsIConsoleService> console(
1159 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1160 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1161 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1162 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1163
1164 // using category of "SOP" so we can link to MDN
1165 if (aInnerWindowID != 0) {
1166 rv = error->InitWithWindowID(
1167 message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1168 aInnerWindowID, true /* From chrome context */);
1169 } else {
1170 rv = error->Init(message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag,
1171 "SOP"_ns, aFromPrivateWindow,
1172 true /* From chrome context */);
1173 }
1174 NS_ENSURE_SUCCESS(rv, rv);
1175 console->LogMessage(error);
1176 return NS_OK;
1177 }
1178
1179 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1180 nsIURI* aSource, nsIURI* aTarget,
1181 bool aFromPrivateWindow,
1182 uint64_t aInnerWindowID) {
1183 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1184
1185 // Get the source URL spec
1186 nsAutoCString sourceSpec;
1187 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1188 NS_ENSURE_SUCCESS(rv, rv);
1189
1190 // Get the target URL spec
1191 nsAutoCString targetSpec;
1192 rv = aTarget->GetAsciiSpec(targetSpec);
1193 NS_ENSURE_SUCCESS(rv, rv);
1194
1195 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1196 aInnerWindowID);
1197 }
1198
1199 NS_IMETHODIMP
1200 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1201 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1202 uint32_t aFlags) {
1203 nsresult rv;
1204 nsCOMPtr<nsIURI> target;
1205 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1206 NS_ENSURE_SUCCESS(rv, rv);
1207
1208 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1209 if (rv == NS_ERROR_DOM_BAD_URI) {
1210 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1211 // return values.
1212 return rv;
1213 }
1214 NS_ENSURE_SUCCESS(rv, rv);
1215
1216 // Now start testing fixup -- since aTargetURIStr is a string, not
1217 // an nsIURI, we may well end up fixing it up before loading.
1218 // Note: This needs to stay in sync with the nsIURIFixup api.
1219 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1220 if (!fixup) {
1221 return rv;
1222 }
1223
1224 // URIFixup's keyword and alternate flags can only fixup to http/https, so we
1225 // can skip testing them. This simplifies our life because this code can be
1226 // invoked from the content process where the search service would not be
1227 // available.
1228 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1229 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS};
1230 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1231 uint32_t fixupFlags = flags[i];
1232 if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1233 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1234 }
1235 nsCOMPtr<nsIURIFixupInfo> fixupInfo;
1236 rv = fixup->GetFixupURIInfo(aTargetURIStr, fixupFlags,
1237 getter_AddRefs(fixupInfo));
1238 NS_ENSURE_SUCCESS(rv, rv);
1239 rv = fixupInfo->GetPreferredURI(getter_AddRefs(target));
1240 NS_ENSURE_SUCCESS(rv, rv);
1241
1242 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1243 if (rv == NS_ERROR_DOM_BAD_URI) {
1244 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1245 // return values.
1246 return rv;
1247 }
1248 NS_ENSURE_SUCCESS(rv, rv);
1249 }
1250
1251 return rv;
1252 }
1253
1254 NS_IMETHODIMP
1255 nsScriptSecurityManager::CheckLoadURIWithPrincipalFromJS(
1256 nsIPrincipal* aPrincipal, nsIURI* aTargetURI, uint32_t aFlags,
1257 uint64_t aInnerWindowID, JSContext* aCx) {
1258 MOZ_ASSERT(aPrincipal,
1259 "CheckLoadURIWithPrincipalFromJS must have a principal");
1260 NS_ENSURE_ARG_POINTER(aPrincipal);
1261 NS_ENSURE_ARG_POINTER(aTargetURI);
1262
1263 nsresult rv =
1264 CheckLoadURIWithPrincipal(aPrincipal, aTargetURI, aFlags, aInnerWindowID);
1265 if (NS_FAILED(rv)) {
1266 nsAutoCString uriStr;
1267 Unused << aTargetURI->GetSpec(uriStr);
1268
1269 nsAutoCString message("Load of ");
1270 message.Append(uriStr);
1271
1272 nsAutoCString principalStr;
1273 Unused << aPrincipal->GetSpec(principalStr);
1274 if (!principalStr.IsEmpty()) {
1275 message.AppendPrintf(" from %s", principalStr.get());
1276 }
1277
1278 message.Append(" denied");
1279
1280 dom::Throw(aCx, rv, message);
1281 }
1282
1283 return rv;
1284 }
1285
1286 NS_IMETHODIMP
1287 nsScriptSecurityManager::CheckLoadURIStrWithPrincipalFromJS(
1288 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr, uint32_t aFlags,
1289 JSContext* aCx) {
1290 nsCOMPtr<nsIURI> targetURI;
1291 MOZ_TRY(NS_NewURI(getter_AddRefs(targetURI), aTargetURIStr));
1292
1293 return CheckLoadURIWithPrincipalFromJS(aPrincipal, targetURI, aFlags, 0, aCx);
1294 }
1295
1296 NS_IMETHODIMP
1297 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1298 MOZ_ASSERT(aUri);
1299 MOZ_ASSERT(aResult);
1300
1301 *aResult = false;
1302 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1303 if (EqualOrSubdomain(aUri, uri)) {
1304 *aResult = true;
1305 return NS_OK;
1306 }
1307 }
1308
1309 return NS_OK;
1310 }
1311
1312 ///////////////// Principals ///////////////////////
1313
1314 NS_IMETHODIMP
1315 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1316 NS_ADDREF(*result = mSystemPrincipal);
1317
1318 return NS_OK;
1319 }
1320
1321 NS_IMETHODIMP
1322 nsScriptSecurityManager::CreateContentPrincipal(
1323 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1324 nsIPrincipal** aPrincipal) {
1325 OriginAttributes attrs;
1326 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1327 return NS_ERROR_INVALID_ARG;
1328 }
1329 nsCOMPtr<nsIPrincipal> prin =
1330 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1331 prin.forget(aPrincipal);
1332 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1333 }
1334
1335 NS_IMETHODIMP
1336 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1337 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1338 if (StringBeginsWith(aOrigin, "["_ns)) {
1339 return NS_ERROR_INVALID_ARG;
1340 }
1341
1342 if (StringBeginsWith(aOrigin,
1343 nsLiteralCString(NS_NULLPRINCIPAL_SCHEME ":"))) {
1344 return NS_ERROR_INVALID_ARG;
1345 }
1346
1347 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1348 prin.forget(aPrincipal);
1349 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1350 }
1351
1352 NS_IMETHODIMP
1353 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1354 nsACString& aJSON) {
1355 aJSON.Truncate();
1356 if (!aPrincipal) {
1357 return NS_ERROR_FAILURE;
1358 }
1359
1360 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1361
1362 if (aJSON.IsEmpty()) {
1363 return NS_ERROR_FAILURE;
1364 }
1365
1366 return NS_OK;
1367 }
1368
1369 NS_IMETHODIMP
1370 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1371 nsIPrincipal** aPrincipal) {
1372 if (aJSON.IsEmpty()) {
1373 return NS_ERROR_FAILURE;
1374 }
1375
1376 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1377
1378 if (!principal) {
1379 return NS_ERROR_FAILURE;
1380 }
1381
1382 principal.forget(aPrincipal);
1383 return NS_OK;
1384 }
1385
1386 NS_IMETHODIMP
1387 nsScriptSecurityManager::CreateNullPrincipal(
1388 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1389 nsIPrincipal** aPrincipal) {
1390 OriginAttributes attrs;
1391 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1392 return NS_ERROR_INVALID_ARG;
1393 }
1394 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1395 prin.forget(aPrincipal);
1396 return NS_OK;
1397 }
1398
1399 NS_IMETHODIMP
1400 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1401 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1402 NS_ENSURE_STATE(aLoadContext);
1403 OriginAttributes docShellAttrs;
1404 aLoadContext->GetOriginAttributes(docShellAttrs);
1405
1406 nsCOMPtr<nsIPrincipal> prin =
1407 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1408 prin.forget(aPrincipal);
1409 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1410 }
1411
1412 NS_IMETHODIMP
1413 nsScriptSecurityManager::GetDocShellContentPrincipal(
1414 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1415 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1416 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1417 prin.forget(aPrincipal);
1418 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1419 }
1420
1421 NS_IMETHODIMP
1422 nsScriptSecurityManager::PrincipalWithOA(
1423 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1424 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1425 if (!aPrincipal) {
1426 return NS_OK;
1427 }
1428 if (aPrincipal->GetIsContentPrincipal()) {
1429 OriginAttributes attrs;
1430 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1431 return NS_ERROR_INVALID_ARG;
1432 }
1433 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1434 RefPtr<ContentPrincipal> copy =
1435 new ContentPrincipal(contentPrincipal, attrs);
1436 NS_ENSURE_TRUE(copy, NS_ERROR_FAILURE);
1437 copy.forget(aReturnPrincipal);
1438 } else {
1439 // We do this for null principals, system principals (both fine)
1440 // ... and expanded principals, where we should probably do something
1441 // cleverer, but I also don't think we care too much.
1442 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1443 prin.forget(aReturnPrincipal);
1444 }
1445
1446 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1447 }
1448
1449 NS_IMETHODIMP
1450 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1451 nsISupports* aObj,
1452 nsIClassInfo* aClassInfo) {
1453 // XXX Special case for Exception ?
1454
1455 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1456 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1457 MOZ_RELEASE_ASSERT(contextRealm);
1458 if (!xpc::AllowContentXBLScope(contextRealm)) {
1459 return NS_OK;
1460 }
1461
1462 if (nsContentUtils::IsCallerChrome()) {
1463 return NS_OK;
1464 }
1465
1466 //-- Access denied, report an error
1467 nsAutoCString originUTF8;
1468 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1469 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1470 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1471 nsAutoCString classInfoNameUTF8;
1472 if (aClassInfo) {
1473 aClassInfo->GetClassDescription(classInfoNameUTF8);
1474 }
1475 if (classInfoNameUTF8.IsEmpty()) {
1476 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1477 }
1478
1479 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1480 if (NS_WARN_IF(!bundle)) {
1481 return NS_OK;
1482 }
1483
1484 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1485 nsresult rv;
1486 nsAutoString errorMsg;
1487 if (originUTF16.IsEmpty()) {
1488 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1489 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1490 errorMsg);
1491 } else {
1492 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1493 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1494 formatStrings, errorMsg);
1495 }
1496 NS_ENSURE_SUCCESS(rv, rv);
1497
1498 SetPendingException(cx, errorMsg.get());
1499 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1500 }
1501
1502 NS_IMETHODIMP
1503 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1504 if (nsContentUtils::IsCallerChrome()) {
1505 return NS_OK;
1506 }
1507
1508 //-- Access denied, report an error
1509 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1510 char cidStr[NSID_LENGTH];
1511 aCID.ToProvidedString(cidStr);
1512 errorMsg.Append(cidStr);
1513 SetPendingExceptionASCII(cx, errorMsg.get());
1514 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1515 }
1516
1517 NS_IMETHODIMP
1518 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1519 if (nsContentUtils::IsCallerChrome()) {
1520 return NS_OK;
1521 }
1522
1523 //-- Access denied, report an error
1524 nsAutoCString errorMsg("Permission denied to get service. CID=");
1525 char cidStr[NSID_LENGTH];
1526 aCID.ToProvidedString(cidStr);
1527 errorMsg.Append(cidStr);
1528 SetPendingExceptionASCII(cx, errorMsg.get());
1529 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1530 }
1531
1532 const char sJSEnabledPrefName[] = "javascript.enabled";
1533 const char sFileOriginPolicyPrefName[] =
1534 "security.fileuri.strict_origin_policy";
1535
1536 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1537 sFileOriginPolicyPrefName,
1538 "capability.policy.", nullptr};
1539
1540 /////////////////////////////////////////////
1541 // Constructor, Destructor, Initialization //
1542 /////////////////////////////////////////////
1543 nsScriptSecurityManager::nsScriptSecurityManager(void)
1544 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1545 static_assert(
1546 sizeof(intptr_t) == sizeof(void*),
1547 "intptr_t and void* have different lengths on this platform. "
1548 "This may cause a security failure with the SecurityLevel union.");
1549 }
1550
1551 nsresult nsScriptSecurityManager::Init() {
1552 nsresult rv;
1553 RefPtr<nsIIOService> io = mozilla::components::IO::Service(&rv);
1554 if (NS_FAILED(rv)) {
1555 return rv;
1556 }
1557 sIOService = std::move(io);
1558 InitPrefs();
1559
1560 // Create our system principal singleton
1561 mSystemPrincipal = SystemPrincipal::Init();
1562
1563 return NS_OK;
1564 }
1565
1566 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1567 //-- Register security check callback in the JS engine
1568 // Currently this is used to control access to function.caller
1569
1570 static const JSSecurityCallbacks securityCallbacks = {
1571 ContentSecurityPolicyPermitsJSAction,
1572 JSPrincipalsSubsume,
1573 };
1574
1575 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1576 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1577 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1578
1579 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1580 }
1581
1582 /* static */
1583 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1584 JS_SetSecurityCallbacks(aCx, nullptr);
1585 JS_SetTrustedPrincipals(aCx, nullptr);
1586 }
1587
1588 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1589
1590 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1591 Preferences::UnregisterPrefixCallbacks(
1592 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1593 if (mDomainPolicy) {
1594 mDomainPolicy->Deactivate();
1595 }
1596 // ContentChild might hold a reference to the domain policy,
1597 // and it might release it only after the security manager is
1598 // gone. But we can still assert this for the main process.
1599 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1600 }
1601
1602 void nsScriptSecurityManager::Shutdown() {
1603 sIOService = nullptr;
1604 BundleHelper::Shutdown();
1605 SystemPrincipal::Shutdown();
1606 }
1607
1608 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1609 return gScriptSecMan;
1610 }
1611
1612 /* static */
1613 void nsScriptSecurityManager::InitStatics() {
1614 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1615 nsresult rv = ssManager->Init();
1616 if (NS_FAILED(rv)) {
1617 MOZ_CRASH("ssManager->Init() failed");
1618 }
1619
1620 ClearOnShutdown(&gScriptSecMan);
1621 gScriptSecMan = ssManager;
1622 }
1623
1624 // Currently this nsGenericFactory constructor is used only from FastLoad
1625 // (XPCOM object deserialization) code, when "creating" the system principal
1626 // singleton.
1627 already_AddRefed<SystemPrincipal>
1628 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1629 if (gScriptSecMan)
1630 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1631 .downcast<SystemPrincipal>();
1632 return nullptr;
1633 }
1634
1635 struct IsWhitespace {
1636 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1637 };
1638 struct IsWhitespaceOrComma {
1639 static bool Test(char aChar) {
1640 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1641 };
1642 };
1643
1644 template <typename Predicate>
1645 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1646 while (base < str.Length() && Predicate::Test(str[base])) {
1647 ++base;
1648 }
1649 return base;
1650 }
1651
1652 template <typename Predicate>
1653 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1654 while (base < str.Length() && !Predicate::Test(str[base])) {
1655 ++base;
1656 }
1657 return base;
1658 }
1659
1660 // static
1661 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1662 void* aSelf) {
1663 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1664 aPref);
1665 }
1666
1667 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1668 const char* aPref) {
1669 MOZ_ASSERT(mPrefInitialized);
1670 mIsJavaScriptEnabled =
1671 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1672 sStrictFileOriginPolicy =
1673 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1674 mFileURIAllowlist.reset();
1675 }
1676
1677 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1678 const nsCString& aSiteList) {
1679 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1680 base < aSiteList.Length();
1681 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1682 // Grab the current site.
1683 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1684 nsAutoCString site(Substring(aSiteList, base, bound - base));
1685
1686 // Check if the URI is schemeless. If so, add both http and https.
1687 nsAutoCString unused;
1688 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1689 AddSitesToFileURIAllowlist("http://"_ns + site);
1690 AddSitesToFileURIAllowlist("https://"_ns + site);
1691 continue;
1692 }
1693
1694 // Convert it to a URI and add it to our list.
1695 nsCOMPtr<nsIURI> uri;
1696 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1697 if (NS_SUCCEEDED(rv)) {
1698 mFileURIAllowlist.ref().AppendElement(uri);
1699 } else {
1700 nsCOMPtr<nsIConsoleService> console(
1701 do_GetService("@mozilla.org/consoleservice;1"));
1702 if (console) {
1703 nsAutoString msg =
1704 u"Unable to to add site to file:// URI allowlist: "_ns +
1705 NS_ConvertASCIItoUTF16(site);
1706 console->LogStringMessage(msg.get());
1707 }
1708 }
1709 }
1710 }
1711
1712 nsresult nsScriptSecurityManager::InitPrefs() {
1713 nsIPrefBranch* branch = Preferences::GetRootBranch();
1714 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1715
1716 mPrefInitialized = true;
1717
1718 // Set the initial value of the "javascript.enabled" prefs
1719 ScriptSecurityPrefChanged();
1720
1721 // set observer callbacks in case the value of the prefs change
1722 Preferences::RegisterPrefixCallbacks(
1723 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1724
1725 return NS_OK;
1726 }
1727
1728 NS_IMETHODIMP
1729 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1730 *aRv = !!mDomainPolicy;
1731 return NS_OK;
1732 }
1733
1734 NS_IMETHODIMP
1735 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1736 if (!XRE_IsParentProcess()) {
1737 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1738 }
1739
1740 return ActivateDomainPolicyInternal(aRv);
1741 }
1742
1743 NS_IMETHODIMP
1744 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1745 // We only allow one domain policy at a time. The holder of the previous
1746 // policy must explicitly deactivate it first.
1747 if (mDomainPolicy) {
1748 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1749 }
1750
1751 mDomainPolicy = new DomainPolicy();
1752 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1753 ptr.forget(aRv);
1754 return NS_OK;
1755 }
1756
1757 // Intentionally non-scriptable. Script must have a reference to the
1758 // nsIDomainPolicy to deactivate it.
1759 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1760 mDomainPolicy = nullptr;
1761 }
1762
1763 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1764 MOZ_ASSERT(aClone);
1765 if (mDomainPolicy) {
1766 mDomainPolicy->CloneDomainPolicy(aClone);
1767 } else {
1768 aClone->active() = false;
1769 }
1770 }
1771
1772 NS_IMETHODIMP
1773 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1774 nsresult rv;
1775
1776 // Compute our rule. If we don't have any domain policy set up that might
1777 // provide exceptions to this rule, we're done.
1778 *aRv = mIsJavaScriptEnabled;
1779 if (!mDomainPolicy) {
1780 return NS_OK;
1781 }
1782
1783 // We have a domain policy. Grab the appropriate set of exceptions to the
1784 // rule (either the blocklist or the allowlist, depending on whether script
1785 // is enabled or disabled by default).
1786 nsCOMPtr<nsIDomainSet> exceptions;
1787 nsCOMPtr<nsIDomainSet> superExceptions;
1788 if (*aRv) {
1789 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1790 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1791 } else {
1792 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1793 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1794 }
1795
1796 bool contains;
1797 rv = exceptions->Contains(aURI, &contains);
1798 NS_ENSURE_SUCCESS(rv, rv);
1799 if (contains) {
1800 *aRv = !*aRv;
1801 return NS_OK;
1802 }
1803 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1804 NS_ENSURE_SUCCESS(rv, rv);
1805 if (contains) {
1806 *aRv = !*aRv;
1807 }
1808
1809 return NS_OK;
1810 }
1811
1812 const nsTArray<nsCOMPtr<nsIURI>>&
1813 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1814 if (mFileURIAllowlist.isSome()) {
1815 return mFileURIAllowlist.ref();
1816 }
1817
1818 //
1819 // Rebuild the set of principals for which we allow file:// URI loads. This
1820 // implements a small subset of an old pref-based CAPS people that people
1821 // have come to depend on. See bug 995943.
1822 //
1823
1824 mFileURIAllowlist.emplace();
1825 nsAutoCString policies;
1826 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1827 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1828 base < policies.Length();
1829 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1830 // Grab the current policy name.
1831 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1832 auto policyName = Substring(policies, base, bound - base);
1833
1834 // Figure out if this policy allows loading file:// URIs. If not, we can
1835 // skip it.
1836 nsCString checkLoadURIPrefName =
1837 "capability.policy."_ns + policyName + ".checkloaduri.enabled"_ns;
1838 nsAutoString value;
1839 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1840 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1841 continue;
1842 }
1843
1844 // Grab the list of domains associated with this policy.
1845 nsCString domainPrefName =
1846 "capability.policy."_ns + policyName + ".sites"_ns;
1847 nsAutoCString siteList;
1848 Preferences::GetCString(domainPrefName.get(), siteList);
1849 AddSitesToFileURIAllowlist(siteList);
1850 }
1851
1852 return mFileURIAllowlist.ref();
1853 }