1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #include "nsScriptSecurityManager.h"
9 #include "mozilla/ArrayUtils.h"
11 #include "js/OldDebugAPI.h"
12 #include "xpcprivate.h"
13 #include "XPCWrapper.h"
14 #include "nsIAppsService.h"
15 #include "nsILoadContext.h"
16 #include "nsIServiceManager.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
20 #include "nsINestedURI.h"
22 #include "nsJSPrincipals.h"
23 #include "nsSystemPrincipal.h"
24 #include "nsPrincipal.h"
25 #include "nsNullPrincipal.h"
26 #include "DomainPolicy.h"
27 #include "nsXPIDLString.h"
29 #include "nsCRTGlue.h"
32 #include "nsIXPConnect.h"
33 #include "nsTextFormatter.h"
34 #include "nsIStringBundle.h"
35 #include "nsNetUtil.h"
36 #include "nsIEffectiveTLDService.h"
37 #include "nsIProperties.h"
38 #include "nsDirectoryServiceDefs.h"
40 #include "nsIFileURL.h"
41 #include "nsIZipReader.h"
42 #include "nsIXPConnect.h"
43 #include "nsIScriptGlobalObject.h"
44 #include "nsPIDOMWindow.h"
45 #include "nsIDocShell.h"
46 #include "nsIPrompt.h"
47 #include "nsIWindowWatcher.h"
48 #include "nsIConsoleService.h"
49 #include "nsIJSRuntimeService.h"
50 #include "nsIObserverService.h"
51 #include "nsIContent.h"
52 #include "nsAutoPtr.h"
53 #include "nsDOMJSUtils.h"
54 #include "nsAboutProtocolUtils.h"
55 #include "nsIClassInfo.h"
56 #include "nsIURIFixup.h"
57 #include "nsCDefaultURIFixup.h"
58 #include "nsIChromeRegistry.h"
59 #include "nsIContentSecurityPolicy.h"
60 #include "nsIAsyncVerifyRedirectCallback.h"
61 #include "mozIApplication.h"
62 #include "mozilla/Preferences.h"
63 #include "mozilla/dom/BindingUtils.h"
65 #include "mozilla/dom/ScriptSettings.h"
66 #include "mozilla/ClearOnShutdown.h"
67 #include "mozilla/StaticPtr.h"
68 #include "nsContentUtils.h"
69 #include "nsJSUtils.h"
70 #include "nsILoadInfo.h"
72 // This should be probably defined on some other place... but I couldn't find it
73 #define WEBAPPS_PERM_NAME "webapps-manage"
75 using namespace mozilla
;
76 using namespace mozilla::dom
;
78 nsIIOService
*nsScriptSecurityManager::sIOService
= nullptr;
79 nsIStringBundle
*nsScriptSecurityManager::sStrBundle
= nullptr;
80 JSRuntime
*nsScriptSecurityManager::sRuntime
= 0;
81 bool nsScriptSecurityManager::sStrictFileOriginPolicy
= true;
83 ///////////////////////////
84 // Convenience Functions //
85 ///////////////////////////
87 class nsAutoInPrincipalDomainOriginSetter
{
89 nsAutoInPrincipalDomainOriginSetter() {
90 ++sInPrincipalDomainOrigin
;
92 ~nsAutoInPrincipalDomainOriginSetter() {
93 --sInPrincipalDomainOrigin
;
95 static uint32_t sInPrincipalDomainOrigin
;
97 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
;
101 GetOriginFromURI(nsIURI
* aURI
, nsACString
& aOrigin
)
103 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin
> 1) {
104 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
105 // might be happening on a different principal from the first call. But
106 // after that, cut off the recursion; it just indicates that something
107 // we're doing in this method causes us to reenter a security check here.
108 return NS_ERROR_NOT_AVAILABLE
;
111 nsAutoInPrincipalDomainOriginSetter autoSetter
;
113 nsCOMPtr
<nsIURI
> uri
= NS_GetInnermostURI(aURI
);
114 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
116 nsAutoCString hostPort
;
118 nsresult rv
= uri
->GetHostPort(hostPort
);
119 if (NS_SUCCEEDED(rv
)) {
120 nsAutoCString scheme
;
121 rv
= uri
->GetScheme(scheme
);
122 NS_ENSURE_SUCCESS(rv
, rv
);
123 aOrigin
= scheme
+ NS_LITERAL_CSTRING("://") + hostPort
;
126 // Some URIs (e.g., nsSimpleURI) don't support host. Just
127 // get the full spec.
128 rv
= uri
->GetSpec(aOrigin
);
129 NS_ENSURE_SUCCESS(rv
, rv
);
137 GetPrincipalDomainOrigin(nsIPrincipal
* aPrincipal
,
141 nsCOMPtr
<nsIURI
> uri
;
142 aPrincipal
->GetDomain(getter_AddRefs(uri
));
144 aPrincipal
->GetURI(getter_AddRefs(uri
));
146 NS_ENSURE_TRUE(uri
, NS_ERROR_UNEXPECTED
);
148 return GetOriginFromURI(uri
, aOrigin
);
151 inline void SetPendingException(JSContext
*cx
, const char *aMsg
)
153 JS_ReportError(cx
, "%s", aMsg
);
156 inline void SetPendingException(JSContext
*cx
, const char16_t
*aMsg
)
158 JS_ReportError(cx
, "%hs", aMsg
);
161 // Helper class to get stuff from the ClassInfo and not waste extra time with
162 // virtual method calls for things it has already gotten
166 ClassInfoData(nsIClassInfo
*aClassInfo
, const char *aName
)
167 : mClassInfo(aClassInfo
),
168 mName(const_cast<char *>(aName
)),
177 nsMemory::Free(mName
);
184 nsresult rv
= mClassInfo
->GetFlags(&mFlags
);
200 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT
);
203 const char* GetName()
207 mClassInfo
->GetClassDescription(&mName
);
211 mMustFreeName
= true;
213 mName
= const_cast<char *>("UnnamedClass");
221 nsIClassInfo
*mClassInfo
; // WEAK
229 nsScriptSecurityManager::GetCurrentJSContext()
231 // Get JSContext from stack.
232 return nsXPConnect::XPConnect()->GetCurrentJSContext();
236 nsScriptSecurityManager::GetSafeJSContext()
238 // Get JSContext from stack.
239 return nsXPConnect::XPConnect()->GetSafeJSContext();
244 nsScriptSecurityManager::SecurityCompareURIs(nsIURI
* aSourceURI
,
247 return NS_SecurityCompareURIs(aSourceURI
, aTargetURI
, sStrictFileOriginPolicy
);
250 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
251 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
253 nsScriptSecurityManager::SecurityHashURI(nsIURI
* aURI
)
255 return NS_SecurityHashURI(aURI
);
259 nsScriptSecurityManager::AppStatusForPrincipal(nsIPrincipal
*aPrin
)
261 uint32_t appId
= aPrin
->GetAppId();
262 bool inMozBrowser
= aPrin
->GetIsInBrowserElement();
263 NS_WARN_IF_FALSE(appId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
,
264 "Asking for app status on a principal with an unknown app id");
265 // Installed apps have a valid app id (not NO_APP_ID or UNKNOWN_APP_ID)
266 // and they are not inside a mozbrowser.
267 if (appId
== nsIScriptSecurityManager::NO_APP_ID
||
268 appId
== nsIScriptSecurityManager::UNKNOWN_APP_ID
|| inMozBrowser
)
270 return nsIPrincipal::APP_STATUS_NOT_INSTALLED
;
273 nsCOMPtr
<nsIAppsService
> appsService
= do_GetService(APPS_SERVICE_CONTRACTID
);
274 NS_ENSURE_TRUE(appsService
, nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
276 nsCOMPtr
<mozIApplication
> app
;
277 appsService
->GetAppByLocalId(appId
, getter_AddRefs(app
));
278 NS_ENSURE_TRUE(app
, nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
280 uint16_t status
= nsIPrincipal::APP_STATUS_INSTALLED
;
281 NS_ENSURE_SUCCESS(app
->GetAppStatus(&status
),
282 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
284 nsAutoCString origin
;
285 NS_ENSURE_SUCCESS(aPrin
->GetOrigin(getter_Copies(origin
)),
286 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
288 NS_ENSURE_SUCCESS(app
->GetOrigin(appOrigin
),
289 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
291 // We go from string -> nsIURI -> origin to be sure we
292 // compare two punny-encoded origins.
293 nsCOMPtr
<nsIURI
> appURI
;
294 NS_ENSURE_SUCCESS(NS_NewURI(getter_AddRefs(appURI
), appOrigin
),
295 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
297 nsAutoCString appOriginPunned
;
298 NS_ENSURE_SUCCESS(nsPrincipal::GetOriginForURI(appURI
, getter_Copies(appOriginPunned
)),
299 nsIPrincipal::APP_STATUS_NOT_INSTALLED
);
301 if (!appOriginPunned
.Equals(origin
)) {
302 return nsIPrincipal::APP_STATUS_NOT_INSTALLED
;
310 nsScriptSecurityManager::GetChannelPrincipal(nsIChannel
* aChannel
,
311 nsIPrincipal
** aPrincipal
)
313 NS_PRECONDITION(aChannel
, "Must have channel!");
314 nsCOMPtr
<nsISupports
> owner
;
315 aChannel
->GetOwner(getter_AddRefs(owner
));
317 CallQueryInterface(owner
, aPrincipal
);
323 // Check whether we have an nsILoadInfo that says what we should do.
324 nsCOMPtr
<nsILoadInfo
> loadInfo
;
325 aChannel
->GetLoadInfo(getter_AddRefs(loadInfo
));
327 if (loadInfo
->GetLoadingSandboxed()) {
328 nsRefPtr
<nsNullPrincipal
> prin
=
329 nsNullPrincipal::CreateWithInheritedAttributes(loadInfo
->LoadingPrincipal());
330 NS_ENSURE_TRUE(prin
, NS_ERROR_FAILURE
);
331 prin
.forget(aPrincipal
);
335 if (loadInfo
->GetForceInheritPrincipal()) {
336 NS_ADDREF(*aPrincipal
= loadInfo
->LoadingPrincipal());
341 // OK, get the principal from the URI. Make sure this does the same thing
342 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
343 nsCOMPtr
<nsIURI
> uri
;
344 nsresult rv
= NS_GetFinalChannelURI(aChannel
, getter_AddRefs(uri
));
345 NS_ENSURE_SUCCESS(rv
, rv
);
348 nsCOMPtr
<nsILoadContext
> loadContext
;
349 NS_QueryNotificationCallbacks(aChannel
, loadContext
);
352 return GetLoadContextCodebasePrincipal(uri
, loadContext
, aPrincipal
);
355 return GetCodebasePrincipalInternal(uri
, UNKNOWN_APP_ID
,
356 /* isInBrowserElement */ false, aPrincipal
);
360 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal
* aPrincipal
,
363 *aIsSystem
= (aPrincipal
== mSystemPrincipal
);
367 /////////////////////////////
368 // nsScriptSecurityManager //
369 /////////////////////////////
371 ////////////////////////////////////
372 // Methods implementing ISupports //
373 ////////////////////////////////////
374 NS_IMPL_ISUPPORTS(nsScriptSecurityManager
,
375 nsIScriptSecurityManager
,
379 ///////////////////////////////////////////////////
380 // Methods implementing nsIScriptSecurityManager //
381 ///////////////////////////////////////////////////
383 ///////////////// Security Checks /////////////////
386 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext
*cx
)
388 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
389 nsCOMPtr
<nsIPrincipal
> subjectPrincipal
= nsContentUtils::SubjectPrincipal();
390 nsCOMPtr
<nsIContentSecurityPolicy
> csp
;
391 nsresult rv
= subjectPrincipal
->GetCsp(getter_AddRefs(csp
));
392 NS_ASSERTION(NS_SUCCEEDED(rv
), "CSP: Failed to get CSP from principal.");
394 // don't do anything unless there's a CSP
399 bool reportViolation
= false;
400 rv
= csp
->GetAllowsEval(&reportViolation
, &evalOK
);
404 NS_WARNING("CSP: failed to get allowsEval");
405 return true; // fail open to not break sites.
408 if (reportViolation
) {
409 nsAutoString fileName
;
410 unsigned lineNum
= 0;
411 NS_NAMED_LITERAL_STRING(scriptSample
, "call to eval() or related function blocked by CSP");
413 JS::AutoFilename scriptFilename
;
414 if (JS::DescribeScriptedCaller(cx
, &scriptFilename
, &lineNum
)) {
415 if (const char *file
= scriptFilename
.get()) {
416 CopyUTF8toUTF16(nsDependentCString(file
), fileName
);
419 csp
->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
,
432 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals
*first
,
433 JSPrincipals
*second
)
435 return nsJSPrincipals::get(first
)->Subsumes(nsJSPrincipals::get(second
));
439 nsScriptSecurityManager::CheckSameOrigin(JSContext
* cx
,
442 MOZ_ASSERT_IF(cx
, cx
== nsContentUtils::GetCurrentJSContext());
444 // Get a principal from the context
445 nsIPrincipal
* sourcePrincipal
= nsContentUtils::SubjectPrincipal();
446 if (sourcePrincipal
== mSystemPrincipal
)
448 // This is a system (chrome) script, so allow access
452 // Get the original URI from the source principal.
453 // This has the effect of ignoring any change to document.domain
454 // which must be done to avoid DNS spoofing (bug 154930)
455 nsCOMPtr
<nsIURI
> sourceURI
;
456 sourcePrincipal
->GetDomain(getter_AddRefs(sourceURI
));
458 sourcePrincipal
->GetURI(getter_AddRefs(sourceURI
));
459 NS_ENSURE_TRUE(sourceURI
, NS_ERROR_FAILURE
);
463 if (!SecurityCompareURIs(sourceURI
, aTargetURI
))
465 ReportError(cx
, NS_LITERAL_STRING("CheckSameOriginError"), sourceURI
, aTargetURI
);
466 return NS_ERROR_DOM_BAD_URI
;
472 nsScriptSecurityManager::CheckSameOriginURI(nsIURI
* aSourceURI
,
476 if (!SecurityCompareURIs(aSourceURI
, aTargetURI
))
479 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
480 aSourceURI
, aTargetURI
);
482 return NS_ERROR_DOM_BAD_URI
;
488 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal
* aPrincipal
)
490 nsCOMPtr
<nsIURI
> uri
;
491 aPrincipal
->GetDomain(getter_AddRefs(uri
));
493 aPrincipal
->GetURI(getter_AddRefs(uri
));
494 return SecurityHashURI(uri
);
498 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal
* aFirst
,
499 nsIPrincipal
* aSecond
)
501 MOZ_ASSERT(aFirst
&& aSecond
, "Don't pass null pointers!");
503 uint32_t firstAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
504 if (!aFirst
->GetUnknownAppId()) {
505 firstAppId
= aFirst
->GetAppId();
508 uint32_t secondAppId
= nsIScriptSecurityManager::UNKNOWN_APP_ID
;
509 if (!aSecond
->GetUnknownAppId()) {
510 secondAppId
= aSecond
->GetAppId();
513 return ((firstAppId
== secondAppId
) &&
514 (aFirst
->GetIsInBrowserElement() == aSecond
->GetIsInBrowserElement()));
518 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext
*cx
, nsIURI
*aURI
)
520 // Get principal of currently executing script.
521 MOZ_ASSERT(cx
== nsContentUtils::GetCurrentJSContext());
522 nsIPrincipal
* principal
= nsContentUtils::SubjectPrincipal();
523 nsresult rv
= CheckLoadURIWithPrincipal(principal
, aURI
,
524 nsIScriptSecurityManager::STANDARD
);
525 if (NS_SUCCEEDED(rv
)) {
530 // See if we're attempting to load a file: URI. If so, let a
531 // UniversalXPConnect capability trump the above check.
534 if (NS_FAILED(aURI
->SchemeIs("file", &isFile
)) ||
535 NS_FAILED(aURI
->SchemeIs("resource", &isRes
)))
536 return NS_ERROR_FAILURE
;
539 if (nsContentUtils::IsCallerChrome())
545 if (NS_FAILED(aURI
->GetAsciiSpec(spec
)))
546 return NS_ERROR_FAILURE
;
547 nsAutoCString
msg("Access to '");
549 msg
.AppendLiteral("' from script denied");
550 SetPendingException(cx
, msg
.get());
551 return NS_ERROR_DOM_BAD_URI
;
555 * Helper method to handle cases where a flag passed to
556 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
557 * nsIProtocolHandler flags set.
558 * @return if success, access is allowed. Otherwise, deny access
561 DenyAccessIfURIHasFlags(nsIURI
* aURI
, uint32_t aURIFlags
)
563 NS_PRECONDITION(aURI
, "Must have URI!");
567 NS_URIChainHasFlags(aURI
, aURIFlags
, &uriHasFlags
);
568 NS_ENSURE_SUCCESS(rv
, rv
);
571 return NS_ERROR_DOM_BAD_URI
;
578 EqualOrSubdomain(nsIURI
* aProbeArg
, nsIURI
* aBase
)
580 // Make a clone of the incoming URI, because we're going to mutate it.
581 nsCOMPtr
<nsIURI
> probe
;
582 nsresult rv
= aProbeArg
->Clone(getter_AddRefs(probe
));
583 NS_ENSURE_SUCCESS(rv
, false);
585 nsCOMPtr
<nsIEffectiveTLDService
> tldService
= do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID
);
586 NS_ENSURE_TRUE(tldService
, false);
588 if (nsScriptSecurityManager::SecurityCompareURIs(probe
, aBase
)) {
592 nsAutoCString host
, newHost
;
593 nsresult rv
= probe
->GetHost(host
);
594 NS_ENSURE_SUCCESS(rv
, false);
596 rv
= tldService
->GetNextSubDomain(host
, newHost
);
597 if (rv
== NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS
) {
600 NS_ENSURE_SUCCESS(rv
, false);
601 rv
= probe
->SetHost(newHost
);
602 NS_ENSURE_SUCCESS(rv
, false);
607 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal
* aPrincipal
,
611 NS_PRECONDITION(aPrincipal
, "CheckLoadURIWithPrincipal must have a principal");
612 // If someone passes a flag that we don't understand, we should
613 // fail, because they may need a security check that we don't
615 NS_ENSURE_FALSE(aFlags
& ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
616 nsIScriptSecurityManager::ALLOW_CHROME
|
617 nsIScriptSecurityManager::DISALLOW_SCRIPT
|
618 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
|
619 nsIScriptSecurityManager::DONT_REPORT_ERRORS
),
620 NS_ERROR_UNEXPECTED
);
621 NS_ENSURE_ARG_POINTER(aPrincipal
);
622 NS_ENSURE_ARG_POINTER(aTargetURI
);
624 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
625 // would do such inheriting. That would be URIs that do not have their own
626 // security context. We do this even for the system principal.
627 if (aFlags
& nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL
) {
629 DenyAccessIfURIHasFlags(aTargetURI
,
630 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
);
631 NS_ENSURE_SUCCESS(rv
, rv
);
634 if (aPrincipal
== mSystemPrincipal
) {
639 nsCOMPtr
<nsIURI
> sourceURI
;
640 aPrincipal
->GetURI(getter_AddRefs(sourceURI
));
642 nsCOMPtr
<nsIExpandedPrincipal
> expanded
= do_QueryInterface(aPrincipal
);
644 nsTArray
< nsCOMPtr
<nsIPrincipal
> > *whiteList
;
645 expanded
->GetWhiteList(&whiteList
);
646 for (uint32_t i
= 0; i
< whiteList
->Length(); ++i
) {
647 nsresult rv
= CheckLoadURIWithPrincipal((*whiteList
)[i
],
650 if (NS_SUCCEEDED(rv
)) {
651 // Allow access if it succeeded with one of the white listed principals
655 // None of our whitelisted principals worked.
656 return NS_ERROR_DOM_BAD_URI
;
658 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
660 return NS_ERROR_UNEXPECTED
;
663 // Automatic loads are not allowed from certain protocols.
664 if (aFlags
& nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
) {
666 DenyAccessIfURIHasFlags(sourceURI
,
667 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT
);
668 NS_ENSURE_SUCCESS(rv
, rv
);
671 // If either URI is a nested URI, get the base URI
672 nsCOMPtr
<nsIURI
> sourceBaseURI
= NS_GetInnermostURI(sourceURI
);
673 nsCOMPtr
<nsIURI
> targetBaseURI
= NS_GetInnermostURI(aTargetURI
);
675 //-- get the target scheme
676 nsAutoCString targetScheme
;
677 nsresult rv
= targetBaseURI
->GetScheme(targetScheme
);
678 if (NS_FAILED(rv
)) return rv
;
680 //-- Some callers do not allow loading javascript:
681 if ((aFlags
& nsIScriptSecurityManager::DISALLOW_SCRIPT
) &&
682 targetScheme
.EqualsLiteral("javascript"))
684 return NS_ERROR_DOM_BAD_URI
;
687 NS_NAMED_LITERAL_STRING(errorTag
, "CheckLoadURIError");
688 bool reportErrors
= !(aFlags
& nsIScriptSecurityManager::DONT_REPORT_ERRORS
);
690 // Check for uris that are only loadable by principals that subsume them
692 rv
= NS_URIChainHasFlags(targetBaseURI
,
693 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS
,
695 NS_ENSURE_SUCCESS(rv
, rv
);
698 return aPrincipal
->CheckMayLoad(targetBaseURI
, true, false);
701 //-- get the source scheme
702 nsAutoCString sourceScheme
;
703 rv
= sourceBaseURI
->GetScheme(sourceScheme
);
704 if (NS_FAILED(rv
)) return rv
;
706 if (sourceScheme
.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME
)) {
707 // A null principal can target its own URI.
708 if (sourceURI
== aTargetURI
) {
712 else if (targetScheme
.Equals(sourceScheme
,
713 nsCaseInsensitiveCStringComparator()))
715 // every scheme can access another URI from the same scheme,
716 // as long as they don't represent null principals...
717 // Or they don't require an special permission to do so
721 rv
= NS_URIChainHasFlags(targetBaseURI
,
722 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM
,
724 NS_ENSURE_SUCCESS(rv
, rv
);
727 // Let apps load the whitelisted theme resources even if they don't
728 // have the webapps-manage permission but have the themeable one.
729 // Resources from the theme origin are also allowed to load from
730 // the theme origin (eg. stylesheets using images from the theme).
731 auto themeOrigin
= Preferences::GetCString("b2g.theme.origin");
733 nsAutoCString targetOrigin
;
734 nsPrincipal::GetOriginForURI(targetBaseURI
, getter_Copies(targetOrigin
));
735 if (targetOrigin
.Equals(themeOrigin
)) {
736 nsAutoCString pOrigin
;
737 aPrincipal
->GetOrigin(getter_Copies(pOrigin
));
738 return nsContentUtils::IsExactSitePermAllow(aPrincipal
, "themeable") ||
739 pOrigin
.Equals(themeOrigin
)
740 ? NS_OK
: NS_ERROR_DOM_BAD_URI
;
743 // In this case, we allow opening only if the source and target URIS
744 // are on the same domain, or the opening URI has the webapps
746 if (!SecurityCompareURIs(sourceBaseURI
, targetBaseURI
) &&
747 !nsContentUtils::IsExactSitePermAllow(aPrincipal
, WEBAPPS_PERM_NAME
)) {
748 return NS_ERROR_DOM_BAD_URI
;
754 // If the schemes don't match, the policy is specified by the protocol
755 // flags on the target URI. Note that the order of policy checks here is
756 // very important! We start from most restrictive and work our way down.
757 // Note that since we're working with the innermost URI, we can just use
758 // the methods that work on chains of nested URIs and they will only look
759 // at the flags for our one URI.
761 // Check for system target URI
762 rv
= DenyAccessIfURIHasFlags(targetBaseURI
,
763 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD
);
765 // Deny access, since the origin principal is not system
767 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
772 // Check for chrome target URI
773 rv
= NS_URIChainHasFlags(targetBaseURI
,
774 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
776 NS_ENSURE_SUCCESS(rv
, rv
);
778 if (aFlags
& nsIScriptSecurityManager::ALLOW_CHROME
) {
780 // For now, don't change behavior for resource:// or moz-icon:// and
782 if (!targetScheme
.EqualsLiteral("chrome")) {
786 // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
787 // target if ALLOW_CHROME is set.
789 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
790 // loads (since docshell loads run the loaded content with its origin
791 // principal). So we're effectively allowing resource://, chrome://,
792 // and moz-icon:// source URIs to load resource://, chrome://, and
793 // moz-icon:// files, so long as they're not loading it as a document.
794 bool sourceIsUIResource
;
795 rv
= NS_URIChainHasFlags(sourceBaseURI
,
796 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
797 &sourceIsUIResource
);
798 NS_ENSURE_SUCCESS(rv
, rv
);
799 if (sourceIsUIResource
) {
803 // Allow the load only if the chrome package is whitelisted.
804 nsCOMPtr
<nsIXULChromeRegistry
> reg(do_GetService(
805 NS_CHROMEREGISTRY_CONTRACTID
));
807 bool accessAllowed
= false;
808 reg
->AllowContentToAccess(targetBaseURI
, &accessAllowed
);
815 // Special-case the hidden window: it's allowed to load
816 // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
817 nsAutoCString sourceSpec
;
818 if (NS_SUCCEEDED(sourceBaseURI
->GetSpec(sourceSpec
)) &&
819 sourceSpec
.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
824 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
826 return NS_ERROR_DOM_BAD_URI
;
829 // Check for target URI pointing to a file
830 rv
= NS_URIChainHasFlags(targetBaseURI
,
831 nsIProtocolHandler::URI_IS_LOCAL_FILE
,
833 NS_ENSURE_SUCCESS(rv
, rv
);
835 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
836 // this array is empty.
837 for (size_t i
= 0; i
< mFileURIWhitelist
.Length(); ++i
) {
838 if (EqualOrSubdomain(sourceURI
, mFileURIWhitelist
[i
])) {
843 // resource: and chrome: are equivalent, securitywise
844 // That's bogus!! Fix this. But watch out for
845 // the view-source stylesheet?
847 rv
= NS_URIChainHasFlags(sourceURI
,
848 nsIProtocolHandler::URI_IS_UI_RESOURCE
,
850 NS_ENSURE_SUCCESS(rv
, rv
);
851 if (sourceIsChrome
) {
856 ReportError(nullptr, errorTag
, sourceURI
, aTargetURI
);
858 return NS_ERROR_DOM_BAD_URI
;
861 // OK, everyone is allowed to load this, since unflagged handlers are
862 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
863 // need to warn. At some point we'll want to make this warning into an
864 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
865 rv
= NS_URIChainHasFlags(targetBaseURI
,
866 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE
,
868 NS_ENSURE_SUCCESS(rv
, rv
);
870 nsXPIDLString message
;
871 NS_ConvertASCIItoUTF16
ucsTargetScheme(targetScheme
);
872 const char16_t
* formatStrings
[] = { ucsTargetScheme
.get() };
874 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
876 ArrayLength(formatStrings
),
877 getter_Copies(message
));
878 if (NS_SUCCEEDED(rv
)) {
879 nsCOMPtr
<nsIConsoleService
> console(
880 do_GetService("@mozilla.org/consoleservice;1"));
881 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
883 console
->LogStringMessage(message
.get());
891 nsScriptSecurityManager::ReportError(JSContext
* cx
, const nsAString
& messageTag
,
892 nsIURI
* aSource
, nsIURI
* aTarget
)
895 NS_ENSURE_TRUE(aSource
&& aTarget
, NS_ERROR_NULL_POINTER
);
897 // Get the source URL spec
898 nsAutoCString sourceSpec
;
899 rv
= aSource
->GetAsciiSpec(sourceSpec
);
900 NS_ENSURE_SUCCESS(rv
, rv
);
902 // Get the target URL spec
903 nsAutoCString targetSpec
;
904 rv
= aTarget
->GetAsciiSpec(targetSpec
);
905 NS_ENSURE_SUCCESS(rv
, rv
);
907 // Localize the error message
908 nsXPIDLString message
;
909 NS_ConvertASCIItoUTF16
ucsSourceSpec(sourceSpec
);
910 NS_ConvertASCIItoUTF16
ucsTargetSpec(targetSpec
);
911 const char16_t
*formatStrings
[] = { ucsSourceSpec
.get(), ucsTargetSpec
.get() };
912 rv
= sStrBundle
->FormatStringFromName(PromiseFlatString(messageTag
).get(),
914 ArrayLength(formatStrings
),
915 getter_Copies(message
));
916 NS_ENSURE_SUCCESS(rv
, rv
);
918 // If a JS context was passed in, set a JS exception.
919 // Otherwise, print the error message directly to the JS console
920 // and to standard output
923 SetPendingException(cx
, message
.get());
925 else // Print directly to the console
927 nsCOMPtr
<nsIConsoleService
> console(
928 do_GetService("@mozilla.org/consoleservice;1"));
929 NS_ENSURE_TRUE(console
, NS_ERROR_FAILURE
);
931 console
->LogStringMessage(message
.get());
937 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal
* aPrincipal
,
938 const nsACString
& aTargetURIStr
,
942 nsCOMPtr
<nsIURI
> target
;
943 rv
= NS_NewURI(getter_AddRefs(target
), aTargetURIStr
,
944 nullptr, nullptr, sIOService
);
945 NS_ENSURE_SUCCESS(rv
, rv
);
947 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
948 if (rv
== NS_ERROR_DOM_BAD_URI
) {
949 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
953 NS_ENSURE_SUCCESS(rv
, rv
);
955 // Now start testing fixup -- since aTargetURIStr is a string, not
956 // an nsIURI, we may well end up fixing it up before loading.
957 // Note: This needs to stay in sync with the nsIURIFixup api.
958 nsCOMPtr
<nsIURIFixup
> fixup
= do_GetService(NS_URIFIXUP_CONTRACTID
);
964 nsIURIFixup::FIXUP_FLAG_NONE
,
965 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS
,
966 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
,
967 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
,
968 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP
|
969 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
972 for (uint32_t i
= 0; i
< ArrayLength(flags
); ++i
) {
973 rv
= fixup
->CreateFixupURI(aTargetURIStr
, flags
[i
], nullptr,
974 getter_AddRefs(target
));
975 NS_ENSURE_SUCCESS(rv
, rv
);
977 rv
= CheckLoadURIWithPrincipal(aPrincipal
, target
, aFlags
);
978 if (rv
== NS_ERROR_DOM_BAD_URI
) {
979 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
983 NS_ENSURE_SUCCESS(rv
, rv
);
990 nsScriptSecurityManager::ScriptAllowed(JSObject
*aGlobal
)
993 MOZ_ASSERT(JS_IsGlobalObject(aGlobal
) || js::IsOuterObject(aGlobal
));
995 // Check the bits on the compartment private.
996 return xpc::Scriptability::Get(aGlobal
).Allowed();
999 ///////////////// Principals ///////////////////////
1002 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal
**result
)
1004 NS_ADDREF(*result
= mSystemPrincipal
);
1010 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI
* aURI
, uint32_t aAppId
,
1012 nsIPrincipal
**result
)
1014 // I _think_ it's safe to not create null principals here based on aURI.
1015 // At least all the callers would do the right thing in those cases, as far
1016 // as I can tell. --bz
1018 nsCOMPtr
<nsIURIWithPrincipal
> uriPrinc
= do_QueryInterface(aURI
);
1020 nsCOMPtr
<nsIPrincipal
> principal
;
1021 uriPrinc
->GetPrincipal(getter_AddRefs(principal
));
1022 if (!principal
|| principal
== mSystemPrincipal
) {
1023 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
1026 principal
.forget(result
);
1031 nsRefPtr
<nsPrincipal
> codebase
= new nsPrincipal();
1033 return NS_ERROR_OUT_OF_MEMORY
;
1035 nsresult rv
= codebase
->Init(aURI
, aAppId
, aInMozBrowser
);
1039 NS_ADDREF(*result
= codebase
);
1045 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI
* aURI
,
1046 nsIPrincipal
** aPrincipal
)
1048 return GetCodebasePrincipalInternal(aURI
,
1049 nsIScriptSecurityManager::UNKNOWN_APP_ID
,
1054 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI
* aURI
,
1055 nsIPrincipal
** aPrincipal
)
1057 return GetCodebasePrincipalInternal(aURI
, nsIScriptSecurityManager::NO_APP_ID
,
1062 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI
* aURI
,
1063 nsIPrincipal
** aPrincipal
)
1065 return GetNoAppCodebasePrincipal(aURI
, aPrincipal
);
1069 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI
* aURI
,
1072 nsIPrincipal
** aPrincipal
)
1074 NS_ENSURE_TRUE(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
,
1075 NS_ERROR_INVALID_ARG
);
1077 return GetCodebasePrincipalInternal(aURI
, aAppId
, aInMozBrowser
, aPrincipal
);
1081 nsScriptSecurityManager::
1082 GetLoadContextCodebasePrincipal(nsIURI
* aURI
,
1083 nsILoadContext
* aLoadContext
,
1084 nsIPrincipal
** aPrincipal
)
1087 aLoadContext
->GetAppId(&appId
);
1088 bool isInBrowserElement
;
1089 aLoadContext
->GetIsInBrowserElement(&isInBrowserElement
);
1090 return GetCodebasePrincipalInternal(aURI
,
1097 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI
* aURI
,
1098 nsIDocShell
* aDocShell
,
1099 nsIPrincipal
** aPrincipal
)
1101 return GetCodebasePrincipalInternal(aURI
,
1102 aDocShell
->GetAppId(),
1103 aDocShell
->GetIsInBrowserElement(),
1108 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI
*aURI
,
1111 nsIPrincipal
**result
)
1113 NS_ENSURE_ARG(aURI
);
1115 bool inheritsPrincipal
;
1117 NS_URIChainHasFlags(aURI
,
1118 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
,
1119 &inheritsPrincipal
);
1120 if (NS_FAILED(rv
) || inheritsPrincipal
) {
1121 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID
, result
);
1124 nsCOMPtr
<nsIPrincipal
> principal
;
1125 rv
= CreateCodebasePrincipal(aURI
, aAppId
, aInMozBrowser
,
1126 getter_AddRefs(principal
));
1127 NS_ENSURE_SUCCESS(rv
, rv
);
1128 NS_IF_ADDREF(*result
= principal
);
1135 nsScriptSecurityManager::doGetObjectPrincipal(JSObject
*aObj
)
1137 JSCompartment
*compartment
= js::GetObjectCompartment(aObj
);
1138 JSPrincipals
*principals
= JS_GetCompartmentPrincipals(compartment
);
1139 return nsJSPrincipals::get(principals
);
1143 nsScriptSecurityManager::CanCreateWrapper(JSContext
*cx
,
1146 nsIClassInfo
*aClassInfo
)
1148 // XXX Special case for nsIXPCException ?
1149 ClassInfoData objClassInfo
= ClassInfoData(aClassInfo
, nullptr);
1150 if (objClassInfo
.IsDOMClass())
1155 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1156 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx
)))
1161 if (nsContentUtils::IsCallerChrome())
1166 //-- Access denied, report an error
1167 NS_ConvertUTF8toUTF16
strName("CreateWrapperDenied");
1168 nsAutoCString origin
;
1169 nsIPrincipal
* subjectPrincipal
= nsContentUtils::SubjectPrincipal();
1170 GetPrincipalDomainOrigin(subjectPrincipal
, origin
);
1171 NS_ConvertUTF8toUTF16
originUnicode(origin
);
1172 NS_ConvertUTF8toUTF16
classInfoName(objClassInfo
.GetName());
1173 const char16_t
* formatStrings
[] = {
1174 classInfoName
.get(),
1177 uint32_t length
= ArrayLength(formatStrings
);
1178 if (originUnicode
.IsEmpty()) {
1181 strName
.AppendLiteral("ForOrigin");
1183 nsXPIDLString errorMsg
;
1184 nsresult rv
= sStrBundle
->FormatStringFromName(strName
.get(),
1187 getter_Copies(errorMsg
));
1188 NS_ENSURE_SUCCESS(rv
, rv
);
1190 SetPendingException(cx
, errorMsg
.get());
1191 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1195 nsScriptSecurityManager::CanCreateInstance(JSContext
*cx
,
1198 if (nsContentUtils::IsCallerChrome()) {
1202 //-- Access denied, report an error
1203 nsAutoCString
errorMsg("Permission denied to create instance of class. CID=");
1204 char cidStr
[NSID_LENGTH
];
1205 aCID
.ToProvidedString(cidStr
);
1206 errorMsg
.Append(cidStr
);
1207 SetPendingException(cx
, errorMsg
.get());
1208 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1212 nsScriptSecurityManager::CanGetService(JSContext
*cx
,
1215 if (nsContentUtils::IsCallerChrome()) {
1219 //-- Access denied, report an error
1220 nsAutoCString
errorMsg("Permission denied to get service. CID=");
1221 char cidStr
[NSID_LENGTH
];
1222 aCID
.ToProvidedString(cidStr
);
1223 errorMsg
.Append(cidStr
);
1224 SetPendingException(cx
, errorMsg
.get());
1225 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED
;
1228 /////////////////////////////////////////////
1229 // Method implementing nsIChannelEventSink //
1230 /////////////////////////////////////////////
1232 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel
* oldChannel
,
1233 nsIChannel
* newChannel
,
1234 uint32_t redirFlags
,
1235 nsIAsyncVerifyRedirectCallback
*cb
)
1237 nsCOMPtr
<nsIPrincipal
> oldPrincipal
;
1238 GetChannelPrincipal(oldChannel
, getter_AddRefs(oldPrincipal
));
1240 nsCOMPtr
<nsIURI
> newURI
;
1241 newChannel
->GetURI(getter_AddRefs(newURI
));
1242 nsCOMPtr
<nsIURI
> newOriginalURI
;
1243 newChannel
->GetOriginalURI(getter_AddRefs(newOriginalURI
));
1245 NS_ENSURE_STATE(oldPrincipal
&& newURI
&& newOriginalURI
);
1247 const uint32_t flags
=
1248 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT
|
1249 nsIScriptSecurityManager::DISALLOW_SCRIPT
;
1250 nsresult rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newURI
, flags
);
1251 if (NS_SUCCEEDED(rv
) && newOriginalURI
!= newURI
) {
1252 rv
= CheckLoadURIWithPrincipal(oldPrincipal
, newOriginalURI
, flags
);
1258 cb
->OnRedirectVerifyCallback(NS_OK
);
1263 /////////////////////////////////////
1264 // Method implementing nsIObserver //
1265 /////////////////////////////////////
1266 const char sJSEnabledPrefName
[] = "javascript.enabled";
1267 const char sFileOriginPolicyPrefName
[] =
1268 "security.fileuri.strict_origin_policy";
1270 static const char* kObservedPrefs
[] = {
1272 sFileOriginPolicyPrefName
,
1273 "capability.policy.",
1279 nsScriptSecurityManager::Observe(nsISupports
* aObject
, const char* aTopic
,
1280 const char16_t
* aMessage
)
1282 ScriptSecurityPrefChanged();
1286 /////////////////////////////////////////////
1287 // Constructor, Destructor, Initialization //
1288 /////////////////////////////////////////////
1289 nsScriptSecurityManager::nsScriptSecurityManager(void)
1290 : mPrefInitialized(false)
1291 , mIsJavaScriptEnabled(false)
1293 static_assert(sizeof(intptr_t) == sizeof(void*),
1294 "intptr_t and void* have different lengths on this platform. "
1295 "This may cause a security failure with the SecurityLevel union.");
1298 nsresult
nsScriptSecurityManager::Init()
1300 nsresult rv
= CallGetService(NS_IOSERVICE_CONTRACTID
, &sIOService
);
1301 NS_ENSURE_SUCCESS(rv
, rv
);
1305 nsCOMPtr
<nsIStringBundleService
> bundleService
=
1306 mozilla::services::GetStringBundleService();
1308 return NS_ERROR_FAILURE
;
1310 rv
= bundleService
->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle
);
1311 NS_ENSURE_SUCCESS(rv
, rv
);
1313 // Create our system principal singleton
1314 nsRefPtr
<nsSystemPrincipal
> system
= new nsSystemPrincipal();
1315 NS_ENSURE_TRUE(system
, NS_ERROR_OUT_OF_MEMORY
);
1317 mSystemPrincipal
= system
;
1319 //-- Register security check callback in the JS engine
1320 // Currently this is used to control access to function.caller
1321 rv
= nsXPConnect::XPConnect()->GetRuntime(&sRuntime
);
1322 NS_ENSURE_SUCCESS(rv
, rv
);
1324 static const JSSecurityCallbacks securityCallbacks
= {
1325 ContentSecurityPolicyPermitsJSAction
,
1326 JSPrincipalsSubsume
,
1329 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime
));
1330 JS_SetSecurityCallbacks(sRuntime
, &securityCallbacks
);
1331 JS_InitDestroyPrincipalsCallback(sRuntime
, nsJSPrincipals::Destroy
);
1333 JS_SetTrustedPrincipals(sRuntime
, system
);
1338 static StaticRefPtr
<nsScriptSecurityManager
> gScriptSecMan
;
1340 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1342 Preferences::RemoveObservers(this, kObservedPrefs
);
1344 mDomainPolicy
->Deactivate();
1345 MOZ_ASSERT(!mDomainPolicy
);
1349 nsScriptSecurityManager::Shutdown()
1352 JS_SetSecurityCallbacks(sRuntime
, nullptr);
1353 JS_SetTrustedPrincipals(sRuntime
, nullptr);
1357 NS_IF_RELEASE(sIOService
);
1358 NS_IF_RELEASE(sStrBundle
);
1361 nsScriptSecurityManager
*
1362 nsScriptSecurityManager::GetScriptSecurityManager()
1364 return gScriptSecMan
;
1368 nsScriptSecurityManager::InitStatics()
1370 nsRefPtr
<nsScriptSecurityManager
> ssManager
= new nsScriptSecurityManager();
1371 nsresult rv
= ssManager
->Init();
1372 if (NS_FAILED(rv
)) {
1376 ClearOnShutdown(&gScriptSecMan
);
1377 gScriptSecMan
= ssManager
;
1380 // Currently this nsGenericFactory constructor is used only from FastLoad
1381 // (XPCOM object deserialization) code, when "creating" the system principal
1384 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1386 nsIPrincipal
*sysprin
= nullptr;
1388 NS_ADDREF(sysprin
= gScriptSecMan
->mSystemPrincipal
);
1389 return static_cast<nsSystemPrincipal
*>(sysprin
);
1392 struct IsWhitespace
{
1393 static bool Test(char aChar
) { return NS_IsAsciiWhitespace(aChar
); };
1395 struct IsWhitespaceOrComma
{
1396 static bool Test(char aChar
) { return aChar
== ',' || NS_IsAsciiWhitespace(aChar
); };
1399 template <typename Predicate
>
1400 uint32_t SkipPast(const nsCString
& str
, uint32_t base
)
1402 while (base
< str
.Length() && Predicate::Test(str
[base
])) {
1408 template <typename Predicate
>
1409 uint32_t SkipUntil(const nsCString
& str
, uint32_t base
)
1411 while (base
< str
.Length() && !Predicate::Test(str
[base
])) {
1418 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1420 MOZ_ASSERT(mPrefInitialized
);
1421 mIsJavaScriptEnabled
=
1422 Preferences::GetBool(sJSEnabledPrefName
, mIsJavaScriptEnabled
);
1423 sStrictFileOriginPolicy
=
1424 Preferences::GetBool(sFileOriginPolicyPrefName
, false);
1427 // Rebuild the set of principals for which we allow file:// URI loads. This
1428 // implements a small subset of an old pref-based CAPS people that people
1429 // have come to depend on. See bug 995943.
1432 mFileURIWhitelist
.Clear();
1433 auto policies
= mozilla::Preferences::GetCString("capability.policy.policynames");
1434 for (uint32_t base
= SkipPast
<IsWhitespaceOrComma
>(policies
, 0), bound
= 0;
1435 base
< policies
.Length();
1436 base
= SkipPast
<IsWhitespaceOrComma
>(policies
, bound
))
1438 // Grab the current policy name.
1439 bound
= SkipUntil
<IsWhitespaceOrComma
>(policies
, base
);
1440 auto policyName
= Substring(policies
, base
, bound
- base
);
1442 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1443 nsCString checkLoadURIPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1445 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1446 if (!Preferences::GetString(checkLoadURIPrefName
.get()).LowerCaseEqualsLiteral("allaccess")) {
1450 // Grab the list of domains associated with this policy.
1451 nsCString domainPrefName
= NS_LITERAL_CSTRING("capability.policy.") +
1453 NS_LITERAL_CSTRING(".sites");
1454 auto siteList
= Preferences::GetCString(domainPrefName
.get());
1455 AddSitesToFileURIWhitelist(siteList
);
1460 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString
& aSiteList
)
1462 for (uint32_t base
= SkipPast
<IsWhitespace
>(aSiteList
, 0), bound
= 0;
1463 base
< aSiteList
.Length();
1464 base
= SkipPast
<IsWhitespace
>(aSiteList
, bound
))
1466 // Grab the current site.
1467 bound
= SkipUntil
<IsWhitespace
>(aSiteList
, base
);
1468 nsAutoCString
site(Substring(aSiteList
, base
, bound
- base
));
1470 // Check if the URI is schemeless. If so, add both http and https.
1471 nsAutoCString unused
;
1472 if (NS_FAILED(sIOService
->ExtractScheme(site
, unused
))) {
1473 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("http://") + site
);
1474 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("https://") + site
);
1478 // Convert it to a URI and add it to our list.
1479 nsCOMPtr
<nsIURI
> uri
;
1480 nsresult rv
= NS_NewURI(getter_AddRefs(uri
), site
, nullptr, nullptr, sIOService
);
1481 if (NS_SUCCEEDED(rv
)) {
1482 mFileURIWhitelist
.AppendElement(uri
);
1484 nsCOMPtr
<nsIConsoleService
> console(do_GetService("@mozilla.org/consoleservice;1"));
1486 nsAutoString msg
= NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1487 NS_ConvertASCIItoUTF16(site
);
1488 console
->LogStringMessage(msg
.get());
1495 nsScriptSecurityManager::InitPrefs()
1497 nsIPrefBranch
* branch
= Preferences::GetRootBranch();
1498 NS_ENSURE_TRUE(branch
, NS_ERROR_FAILURE
);
1500 mPrefInitialized
= true;
1502 // Set the initial value of the "javascript.enabled" prefs
1503 ScriptSecurityPrefChanged();
1505 // set observer callbacks in case the value of the prefs change
1506 Preferences::AddStrongObservers(this, kObservedPrefs
);
1514 GetJarPrefix(uint32_t aAppId
, bool aInMozBrowser
, nsACString
& aJarPrefix
)
1516 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1518 if (aAppId
== nsIScriptSecurityManager::UNKNOWN_APP_ID
) {
1519 aAppId
= nsIScriptSecurityManager::NO_APP_ID
;
1522 aJarPrefix
.Truncate();
1525 if (aAppId
== nsIScriptSecurityManager::NO_APP_ID
&& !aInMozBrowser
) {
1529 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1530 aJarPrefix
.AppendInt(aAppId
);
1531 aJarPrefix
.Append('+');
1532 aJarPrefix
.Append(aInMozBrowser
? 't' : 'f');
1533 aJarPrefix
.Append('+');
1538 } // namespace mozilla
1541 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId
,
1543 nsACString
& aJarPrefix
)
1545 MOZ_ASSERT(aAppId
!= nsIScriptSecurityManager::UNKNOWN_APP_ID
);
1547 mozilla::GetJarPrefix(aAppId
, aInMozBrowser
, aJarPrefix
);
1552 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv
)
1554 *aRv
= !!mDomainPolicy
;
1559 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy
** aRv
)
1561 // We only allow one domain policy at a time. The holder of the previous
1562 // policy must explicitly deactivate it first.
1563 if (mDomainPolicy
) {
1564 return NS_ERROR_SERVICE_NOT_AVAILABLE
;
1567 mDomainPolicy
= new DomainPolicy();
1568 nsCOMPtr
<nsIDomainPolicy
> ptr
= mDomainPolicy
;
1573 // Intentionally non-scriptable. Script must have a reference to the
1574 // nsIDomainPolicy to deactivate it.
1576 nsScriptSecurityManager::DeactivateDomainPolicy()
1578 mDomainPolicy
= nullptr;
1582 nsScriptSecurityManager::PolicyAllowsScript(nsIURI
* aURI
, bool *aRv
)
1586 // Compute our rule. If we don't have any domain policy set up that might
1587 // provide exceptions to this rule, we're done.
1588 *aRv
= mIsJavaScriptEnabled
;
1589 if (!mDomainPolicy
) {
1593 // We have a domain policy. Grab the appropriate set of exceptions to the
1594 // rule (either the blacklist or the whitelist, depending on whether script
1595 // is enabled or disabled by default).
1596 nsCOMPtr
<nsIDomainSet
> exceptions
;
1597 nsCOMPtr
<nsIDomainSet
> superExceptions
;
1599 mDomainPolicy
->GetBlacklist(getter_AddRefs(exceptions
));
1600 mDomainPolicy
->GetSuperBlacklist(getter_AddRefs(superExceptions
));
1602 mDomainPolicy
->GetWhitelist(getter_AddRefs(exceptions
));
1603 mDomainPolicy
->GetSuperWhitelist(getter_AddRefs(superExceptions
));
1607 rv
= exceptions
->Contains(aURI
, &contains
);
1608 NS_ENSURE_SUCCESS(rv
, rv
);
1613 rv
= superExceptions
->ContainsSuperDomain(aURI
, &contains
);
1614 NS_ENSURE_SUCCESS(rv
, rv
);