search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bumping manifests a=b2g-bump
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob604670565d162e98f6c02e4e1a2b8127e55b443f
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=4 et sw=4 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10
11 #include "js/OldDebugAPI.h"
12 #include "xpcprivate.h"
13 #include "XPCWrapper.h"
14 #include "nsIAppsService.h"
15 #include "nsILoadContext.h"
16 #include "nsIServiceManager.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIURL.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "nsSystemPrincipal.h"
24 #include "nsPrincipal.h"
25 #include "nsNullPrincipal.h"
26 #include "DomainPolicy.h"
27 #include "nsXPIDLString.h"
28 #include "nsCRT.h"
29 #include "nsCRTGlue.h"
30 #include "nsError.h"
31 #include "nsDOMCID.h"
32 #include "nsIXPConnect.h"
33 #include "nsTextFormatter.h"
34 #include "nsIStringBundle.h"
35 #include "nsNetUtil.h"
36 #include "nsIEffectiveTLDService.h"
37 #include "nsIProperties.h"
38 #include "nsDirectoryServiceDefs.h"
39 #include "nsIFile.h"
40 #include "nsIFileURL.h"
41 #include "nsIZipReader.h"
42 #include "nsIXPConnect.h"
43 #include "nsIScriptGlobalObject.h"
44 #include "nsPIDOMWindow.h"
45 #include "nsIDocShell.h"
46 #include "nsIPrompt.h"
47 #include "nsIWindowWatcher.h"
48 #include "nsIConsoleService.h"
49 #include "nsIJSRuntimeService.h"
50 #include "nsIObserverService.h"
51 #include "nsIContent.h"
52 #include "nsAutoPtr.h"
53 #include "nsDOMJSUtils.h"
54 #include "nsAboutProtocolUtils.h"
55 #include "nsIClassInfo.h"
56 #include "nsIURIFixup.h"
57 #include "nsCDefaultURIFixup.h"
58 #include "nsIChromeRegistry.h"
59 #include "nsIContentSecurityPolicy.h"
60 #include "nsIAsyncVerifyRedirectCallback.h"
61 #include "mozIApplication.h"
62 #include "mozilla/Preferences.h"
63 #include "mozilla/dom/BindingUtils.h"
64 #include <stdint.h>
65 #include "mozilla/dom/ScriptSettings.h"
66 #include "mozilla/ClearOnShutdown.h"
67 #include "mozilla/StaticPtr.h"
68 #include "nsContentUtils.h"
69 #include "nsJSUtils.h"
70 #include "nsILoadInfo.h"
71
72 // This should be probably defined on some other place... but I couldn't find it
73 #define WEBAPPS_PERM_NAME "webapps-manage"
74
75 using namespace mozilla;
76 using namespace mozilla::dom;
77
78 nsIIOService *nsScriptSecurityManager::sIOService = nullptr;
79 nsIStringBundle *nsScriptSecurityManager::sStrBundle = nullptr;
80 JSRuntime *nsScriptSecurityManager::sRuntime = 0;
81 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
82
83 ///////////////////////////
84 // Convenience Functions //
85 ///////////////////////////
86
87 class nsAutoInPrincipalDomainOriginSetter {
88 public:
89 nsAutoInPrincipalDomainOriginSetter() {
90 ++sInPrincipalDomainOrigin;
91 }
92 ~nsAutoInPrincipalDomainOriginSetter() {
93 --sInPrincipalDomainOrigin;
94 }
95 static uint32_t sInPrincipalDomainOrigin;
96 };
97 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
98
99 static
100 nsresult
101 GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin)
102 {
103 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
104 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
105 // might be happening on a different principal from the first call. But
106 // after that, cut off the recursion; it just indicates that something
107 // we're doing in this method causes us to reenter a security check here.
108 return NS_ERROR_NOT_AVAILABLE;
109 }
110
111 nsAutoInPrincipalDomainOriginSetter autoSetter;
112
113 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
114 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
115
116 nsAutoCString hostPort;
117
118 nsresult rv = uri->GetHostPort(hostPort);
119 if (NS_SUCCEEDED(rv)) {
120 nsAutoCString scheme;
121 rv = uri->GetScheme(scheme);
122 NS_ENSURE_SUCCESS(rv, rv);
123 aOrigin = scheme + NS_LITERAL_CSTRING("://") + hostPort;
124 }
125 else {
126 // Some URIs (e.g., nsSimpleURI) don't support host. Just
127 // get the full spec.
128 rv = uri->GetSpec(aOrigin);
129 NS_ENSURE_SUCCESS(rv, rv);
130 }
131
132 return NS_OK;
133 }
134
135 static
136 nsresult
137 GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
138 nsACString& aOrigin)
139 {
140
141 nsCOMPtr<nsIURI> uri;
142 aPrincipal->GetDomain(getter_AddRefs(uri));
143 if (!uri) {
144 aPrincipal->GetURI(getter_AddRefs(uri));
145 }
146 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
147
148 return GetOriginFromURI(uri, aOrigin);
149 }
150
151 inline void SetPendingException(JSContext *cx, const char *aMsg)
152 {
153 JS_ReportError(cx, "%s", aMsg);
154 }
155
156 inline void SetPendingException(JSContext *cx, const char16_t *aMsg)
157 {
158 JS_ReportError(cx, "%hs", aMsg);
159 }
160
161 // Helper class to get stuff from the ClassInfo and not waste extra time with
162 // virtual method calls for things it has already gotten
163 class ClassInfoData
164 {
165 public:
166 ClassInfoData(nsIClassInfo *aClassInfo, const char *aName)
167 : mClassInfo(aClassInfo),
168 mName(const_cast<char *>(aName)),
169 mDidGetFlags(false),
170 mMustFreeName(false)
171 {
172 }
173
174 ~ClassInfoData()
175 {
176 if (mMustFreeName)
177 nsMemory::Free(mName);
178 }
179
180 uint32_t GetFlags()
181 {
182 if (!mDidGetFlags) {
183 if (mClassInfo) {
184 nsresult rv = mClassInfo->GetFlags(&mFlags);
185 if (NS_FAILED(rv)) {
186 mFlags = 0;
187 }
188 } else {
189 mFlags = 0;
190 }
191
192 mDidGetFlags = true;
193 }
194
195 return mFlags;
196 }
197
198 bool IsDOMClass()
199 {
200 return !!(GetFlags() & nsIClassInfo::DOM_OBJECT);
201 }
202
203 const char* GetName()
204 {
205 if (!mName) {
206 if (mClassInfo) {
207 mClassInfo->GetClassDescription(&mName);
208 }
209
210 if (mName) {
211 mMustFreeName = true;
212 } else {
213 mName = const_cast<char *>("UnnamedClass");
214 }
215 }
216
217 return mName;
218 }
219
220 private:
221 nsIClassInfo *mClassInfo; // WEAK
222 uint32_t mFlags;
223 char *mName;
224 bool mDidGetFlags;
225 bool mMustFreeName;
226 };
227
228 JSContext *
229 nsScriptSecurityManager::GetCurrentJSContext()
230 {
231 // Get JSContext from stack.
232 return nsXPConnect::XPConnect()->GetCurrentJSContext();
233 }
234
235 JSContext *
236 nsScriptSecurityManager::GetSafeJSContext()
237 {
238 // Get JSContext from stack.
239 return nsXPConnect::XPConnect()->GetSafeJSContext();
240 }
241
242 /* static */
243 bool
244 nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
245 nsIURI* aTargetURI)
246 {
247 return NS_SecurityCompareURIs(aSourceURI, aTargetURI, sStrictFileOriginPolicy);
248 }
249
250 // SecurityHashURI is consistent with SecurityCompareURIs because NS_SecurityHashURI
251 // is consistent with NS_SecurityCompareURIs. See nsNetUtil.h.
252 uint32_t
253 nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI)
254 {
255 return NS_SecurityHashURI(aURI);
256 }
257
258 uint16_t
259 nsScriptSecurityManager::AppStatusForPrincipal(nsIPrincipal *aPrin)
260 {
261 uint32_t appId = aPrin->GetAppId();
262 bool inMozBrowser = aPrin->GetIsInBrowserElement();
263 NS_WARN_IF_FALSE(appId != nsIScriptSecurityManager::UNKNOWN_APP_ID,
264 "Asking for app status on a principal with an unknown app id");
265 // Installed apps have a valid app id (not NO_APP_ID or UNKNOWN_APP_ID)
266 // and they are not inside a mozbrowser.
267 if (appId == nsIScriptSecurityManager::NO_APP_ID ||
268 appId == nsIScriptSecurityManager::UNKNOWN_APP_ID || inMozBrowser)
269 {
270 return nsIPrincipal::APP_STATUS_NOT_INSTALLED;
271 }
272
273 nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
274 NS_ENSURE_TRUE(appsService, nsIPrincipal::APP_STATUS_NOT_INSTALLED);
275
276 nsCOMPtr<mozIApplication> app;
277 appsService->GetAppByLocalId(appId, getter_AddRefs(app));
278 NS_ENSURE_TRUE(app, nsIPrincipal::APP_STATUS_NOT_INSTALLED);
279
280 uint16_t status = nsIPrincipal::APP_STATUS_INSTALLED;
281 NS_ENSURE_SUCCESS(app->GetAppStatus(&status),
282 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
283
284 nsAutoCString origin;
285 NS_ENSURE_SUCCESS(aPrin->GetOrigin(getter_Copies(origin)),
286 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
287 nsString appOrigin;
288 NS_ENSURE_SUCCESS(app->GetOrigin(appOrigin),
289 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
290
291 // We go from string -> nsIURI -> origin to be sure we
292 // compare two punny-encoded origins.
293 nsCOMPtr<nsIURI> appURI;
294 NS_ENSURE_SUCCESS(NS_NewURI(getter_AddRefs(appURI), appOrigin),
295 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
296
297 nsAutoCString appOriginPunned;
298 NS_ENSURE_SUCCESS(nsPrincipal::GetOriginForURI(appURI, getter_Copies(appOriginPunned)),
299 nsIPrincipal::APP_STATUS_NOT_INSTALLED);
300
301 if (!appOriginPunned.Equals(origin)) {
302 return nsIPrincipal::APP_STATUS_NOT_INSTALLED;
303 }
304
305 return status;
306
307 }
308
309 NS_IMETHODIMP
310 nsScriptSecurityManager::GetChannelPrincipal(nsIChannel* aChannel,
311 nsIPrincipal** aPrincipal)
312 {
313 NS_PRECONDITION(aChannel, "Must have channel!");
314 nsCOMPtr<nsISupports> owner;
315 aChannel->GetOwner(getter_AddRefs(owner));
316 if (owner) {
317 CallQueryInterface(owner, aPrincipal);
318 if (*aPrincipal) {
319 return NS_OK;
320 }
321 }
322
323 // Check whether we have an nsILoadInfo that says what we should do.
324 nsCOMPtr<nsILoadInfo> loadInfo;
325 aChannel->GetLoadInfo(getter_AddRefs(loadInfo));
326 if (loadInfo) {
327 if (loadInfo->GetLoadingSandboxed()) {
328 nsRefPtr<nsNullPrincipal> prin =
329 nsNullPrincipal::CreateWithInheritedAttributes(loadInfo->LoadingPrincipal());
330 NS_ENSURE_TRUE(prin, NS_ERROR_FAILURE);
331 prin.forget(aPrincipal);
332 return NS_OK;
333 }
334
335 if (loadInfo->GetForceInheritPrincipal()) {
336 NS_ADDREF(*aPrincipal = loadInfo->LoadingPrincipal());
337 return NS_OK;
338 }
339 }
340
341 // OK, get the principal from the URI. Make sure this does the same thing
342 // as nsDocument::Reset and XULDocument::StartDocumentLoad.
343 nsCOMPtr<nsIURI> uri;
344 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
345 NS_ENSURE_SUCCESS(rv, rv);
346
347
348 nsCOMPtr<nsILoadContext> loadContext;
349 NS_QueryNotificationCallbacks(aChannel, loadContext);
350
351 if (loadContext) {
352 return GetLoadContextCodebasePrincipal(uri, loadContext, aPrincipal);
353 }
354
355 return GetCodebasePrincipalInternal(uri, UNKNOWN_APP_ID,
356 /* isInBrowserElement */ false, aPrincipal);
357 }
358
359 NS_IMETHODIMP
360 nsScriptSecurityManager::IsSystemPrincipal(nsIPrincipal* aPrincipal,
361 bool* aIsSystem)
362 {
363 *aIsSystem = (aPrincipal == mSystemPrincipal);
364 return NS_OK;
365 }
366
367 /////////////////////////////
368 // nsScriptSecurityManager //
369 /////////////////////////////
370
371 ////////////////////////////////////
372 // Methods implementing ISupports //
373 ////////////////////////////////////
374 NS_IMPL_ISUPPORTS(nsScriptSecurityManager,
375 nsIScriptSecurityManager,
376 nsIChannelEventSink,
377 nsIObserver)
378
379 ///////////////////////////////////////////////////
380 // Methods implementing nsIScriptSecurityManager //
381 ///////////////////////////////////////////////////
382
383 ///////////////// Security Checks /////////////////
384
385 bool
386 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
387 {
388 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
389 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
390 nsCOMPtr<nsIContentSecurityPolicy> csp;
391 nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
392 NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get CSP from principal.");
393
394 // don't do anything unless there's a CSP
395 if (!csp)
396 return true;
397
398 bool evalOK = true;
399 bool reportViolation = false;
400 rv = csp->GetAllowsEval(&reportViolation, &evalOK);
401
402 if (NS_FAILED(rv))
403 {
404 NS_WARNING("CSP: failed to get allowsEval");
405 return true; // fail open to not break sites.
406 }
407
408 if (reportViolation) {
409 nsAutoString fileName;
410 unsigned lineNum = 0;
411 NS_NAMED_LITERAL_STRING(scriptSample, "call to eval() or related function blocked by CSP");
412
413 JS::AutoFilename scriptFilename;
414 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum)) {
415 if (const char *file = scriptFilename.get()) {
416 CopyUTF8toUTF16(nsDependentCString(file), fileName);
417 }
418 }
419 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
420 fileName,
421 scriptSample,
422 lineNum,
423 EmptyString(),
424 EmptyString());
425 }
426
427 return evalOK;
428 }
429
430 // static
431 bool
432 nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *first,
433 JSPrincipals *second)
434 {
435 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
436 }
437
438 NS_IMETHODIMP
439 nsScriptSecurityManager::CheckSameOrigin(JSContext* cx,
440 nsIURI* aTargetURI)
441 {
442 MOZ_ASSERT_IF(cx, cx == nsContentUtils::GetCurrentJSContext());
443
444 // Get a principal from the context
445 nsIPrincipal* sourcePrincipal = nsContentUtils::SubjectPrincipal();
446 if (sourcePrincipal == mSystemPrincipal)
447 {
448 // This is a system (chrome) script, so allow access
449 return NS_OK;
450 }
451
452 // Get the original URI from the source principal.
453 // This has the effect of ignoring any change to document.domain
454 // which must be done to avoid DNS spoofing (bug 154930)
455 nsCOMPtr<nsIURI> sourceURI;
456 sourcePrincipal->GetDomain(getter_AddRefs(sourceURI));
457 if (!sourceURI) {
458 sourcePrincipal->GetURI(getter_AddRefs(sourceURI));
459 NS_ENSURE_TRUE(sourceURI, NS_ERROR_FAILURE);
460 }
461
462 // Compare origins
463 if (!SecurityCompareURIs(sourceURI, aTargetURI))
464 {
465 ReportError(cx, NS_LITERAL_STRING("CheckSameOriginError"), sourceURI, aTargetURI);
466 return NS_ERROR_DOM_BAD_URI;
467 }
468 return NS_OK;
469 }
470
471 NS_IMETHODIMP
472 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
473 nsIURI* aTargetURI,
474 bool reportError)
475 {
476 if (!SecurityCompareURIs(aSourceURI, aTargetURI))
477 {
478 if (reportError) {
479 ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),
480 aSourceURI, aTargetURI);
481 }
482 return NS_ERROR_DOM_BAD_URI;
483 }
484 return NS_OK;
485 }
486
487 /*static*/ uint32_t
488 nsScriptSecurityManager::HashPrincipalByOrigin(nsIPrincipal* aPrincipal)
489 {
490 nsCOMPtr<nsIURI> uri;
491 aPrincipal->GetDomain(getter_AddRefs(uri));
492 if (!uri)
493 aPrincipal->GetURI(getter_AddRefs(uri));
494 return SecurityHashURI(uri);
495 }
496
497 /* static */ bool
498 nsScriptSecurityManager::AppAttributesEqual(nsIPrincipal* aFirst,
499 nsIPrincipal* aSecond)
500 {
501 MOZ_ASSERT(aFirst && aSecond, "Don't pass null pointers!");
502
503 uint32_t firstAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
504 if (!aFirst->GetUnknownAppId()) {
505 firstAppId = aFirst->GetAppId();
506 }
507
508 uint32_t secondAppId = nsIScriptSecurityManager::UNKNOWN_APP_ID;
509 if (!aSecond->GetUnknownAppId()) {
510 secondAppId = aSecond->GetAppId();
511 }
512
513 return ((firstAppId == secondAppId) &&
514 (aFirst->GetIsInBrowserElement() == aSecond->GetIsInBrowserElement()));
515 }
516
517 NS_IMETHODIMP
518 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
519 {
520 // Get principal of currently executing script.
521 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
522 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
523 nsresult rv = CheckLoadURIWithPrincipal(principal, aURI,
524 nsIScriptSecurityManager::STANDARD);
525 if (NS_SUCCEEDED(rv)) {
526 // OK to load
527 return NS_OK;
528 }
529
530 // See if we're attempting to load a file: URI. If so, let a
531 // UniversalXPConnect capability trump the above check.
532 bool isFile = false;
533 bool isRes = false;
534 if (NS_FAILED(aURI->SchemeIs("file", &isFile)) ||
535 NS_FAILED(aURI->SchemeIs("resource", &isRes)))
536 return NS_ERROR_FAILURE;
537 if (isFile || isRes)
538 {
539 if (nsContentUtils::IsCallerChrome())
540 return NS_OK;
541 }
542
543 // Report error.
544 nsAutoCString spec;
545 if (NS_FAILED(aURI->GetAsciiSpec(spec)))
546 return NS_ERROR_FAILURE;
547 nsAutoCString msg("Access to '");
548 msg.Append(spec);
549 msg.AppendLiteral("' from script denied");
550 SetPendingException(cx, msg.get());
551 return NS_ERROR_DOM_BAD_URI;
552 }
553
554 /**
555 * Helper method to handle cases where a flag passed to
556 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
557 * nsIProtocolHandler flags set.
558 * @return if success, access is allowed. Otherwise, deny access
559 */
560 static nsresult
561 DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags)
562 {
563 NS_PRECONDITION(aURI, "Must have URI!");
564
565 bool uriHasFlags;
566 nsresult rv =
567 NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
568 NS_ENSURE_SUCCESS(rv, rv);
569
570 if (uriHasFlags) {
571 return NS_ERROR_DOM_BAD_URI;
572 }
573
574 return NS_OK;
575 }
576
577 static bool
578 EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase)
579 {
580 // Make a clone of the incoming URI, because we're going to mutate it.
581 nsCOMPtr<nsIURI> probe;
582 nsresult rv = aProbeArg->Clone(getter_AddRefs(probe));
583 NS_ENSURE_SUCCESS(rv, false);
584
585 nsCOMPtr<nsIEffectiveTLDService> tldService = do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
586 NS_ENSURE_TRUE(tldService, false);
587 while (true) {
588 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
589 return true;
590 }
591
592 nsAutoCString host, newHost;
593 nsresult rv = probe->GetHost(host);
594 NS_ENSURE_SUCCESS(rv, false);
595
596 rv = tldService->GetNextSubDomain(host, newHost);
597 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
598 return false;
599 }
600 NS_ENSURE_SUCCESS(rv, false);
601 rv = probe->SetHost(newHost);
602 NS_ENSURE_SUCCESS(rv, false);
603 }
604 }
605
606 NS_IMETHODIMP
607 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
608 nsIURI *aTargetURI,
609 uint32_t aFlags)
610 {
611 NS_PRECONDITION(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
612 // If someone passes a flag that we don't understand, we should
613 // fail, because they may need a security check that we don't
614 // provide.
615 NS_ENSURE_FALSE(aFlags & ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
616 nsIScriptSecurityManager::ALLOW_CHROME |
617 nsIScriptSecurityManager::DISALLOW_SCRIPT |
618 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
619 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
620 NS_ERROR_UNEXPECTED);
621 NS_ENSURE_ARG_POINTER(aPrincipal);
622 NS_ENSURE_ARG_POINTER(aTargetURI);
623
624 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
625 // would do such inheriting. That would be URIs that do not have their own
626 // security context. We do this even for the system principal.
627 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
628 nsresult rv =
629 DenyAccessIfURIHasFlags(aTargetURI,
630 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
631 NS_ENSURE_SUCCESS(rv, rv);
632 }
633
634 if (aPrincipal == mSystemPrincipal) {
635 // Allow access
636 return NS_OK;
637 }
638
639 nsCOMPtr<nsIURI> sourceURI;
640 aPrincipal->GetURI(getter_AddRefs(sourceURI));
641 if (!sourceURI) {
642 nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aPrincipal);
643 if (expanded) {
644 nsTArray< nsCOMPtr<nsIPrincipal> > *whiteList;
645 expanded->GetWhiteList(&whiteList);
646 for (uint32_t i = 0; i < whiteList->Length(); ++i) {
647 nsresult rv = CheckLoadURIWithPrincipal((*whiteList)[i],
648 aTargetURI,
649 aFlags);
650 if (NS_SUCCEEDED(rv)) {
651 // Allow access if it succeeded with one of the white listed principals
652 return NS_OK;
653 }
654 }
655 // None of our whitelisted principals worked.
656 return NS_ERROR_DOM_BAD_URI;
657 }
658 NS_ERROR("Non-system principals or expanded principal passed to CheckLoadURIWithPrincipal "
659 "must have a URI!");
660 return NS_ERROR_UNEXPECTED;
661 }
662
663 // Automatic loads are not allowed from certain protocols.
664 if (aFlags & nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
665 nsresult rv =
666 DenyAccessIfURIHasFlags(sourceURI,
667 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
668 NS_ENSURE_SUCCESS(rv, rv);
669 }
670
671 // If either URI is a nested URI, get the base URI
672 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
673 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
674
675 //-- get the target scheme
676 nsAutoCString targetScheme;
677 nsresult rv = targetBaseURI->GetScheme(targetScheme);
678 if (NS_FAILED(rv)) return rv;
679
680 //-- Some callers do not allow loading javascript:
681 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
682 targetScheme.EqualsLiteral("javascript"))
683 {
684 return NS_ERROR_DOM_BAD_URI;
685 }
686
687 NS_NAMED_LITERAL_STRING(errorTag, "CheckLoadURIError");
688 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
689
690 // Check for uris that are only loadable by principals that subsume them
691 bool hasFlags;
692 rv = NS_URIChainHasFlags(targetBaseURI,
693 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
694 &hasFlags);
695 NS_ENSURE_SUCCESS(rv, rv);
696
697 if (hasFlags) {
698 return aPrincipal->CheckMayLoad(targetBaseURI, true, false);
699 }
700
701 //-- get the source scheme
702 nsAutoCString sourceScheme;
703 rv = sourceBaseURI->GetScheme(sourceScheme);
704 if (NS_FAILED(rv)) return rv;
705
706 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
707 // A null principal can target its own URI.
708 if (sourceURI == aTargetURI) {
709 return NS_OK;
710 }
711 }
712 else if (targetScheme.Equals(sourceScheme,
713 nsCaseInsensitiveCStringComparator()))
714 {
715 // every scheme can access another URI from the same scheme,
716 // as long as they don't represent null principals...
717 // Or they don't require an special permission to do so
718 // See bug#773886
719
720 bool hasFlags;
721 rv = NS_URIChainHasFlags(targetBaseURI,
722 nsIProtocolHandler::URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM,
723 &hasFlags);
724 NS_ENSURE_SUCCESS(rv, rv);
725
726 if (hasFlags) {
727 // Let apps load the whitelisted theme resources even if they don't
728 // have the webapps-manage permission but have the themeable one.
729 // Resources from the theme origin are also allowed to load from
730 // the theme origin (eg. stylesheets using images from the theme).
731 auto themeOrigin = Preferences::GetCString("b2g.theme.origin");
732 if (themeOrigin) {
733 nsAutoCString targetOrigin;
734 nsPrincipal::GetOriginForURI(targetBaseURI, getter_Copies(targetOrigin));
735 if (targetOrigin.Equals(themeOrigin)) {
736 nsAutoCString pOrigin;
737 aPrincipal->GetOrigin(getter_Copies(pOrigin));
738 return nsContentUtils::IsExactSitePermAllow(aPrincipal, "themeable") ||
739 pOrigin.Equals(themeOrigin)
740 ? NS_OK : NS_ERROR_DOM_BAD_URI;
741 }
742 }
743 // In this case, we allow opening only if the source and target URIS
744 // are on the same domain, or the opening URI has the webapps
745 // permision granted
746 if (!SecurityCompareURIs(sourceBaseURI, targetBaseURI) &&
747 !nsContentUtils::IsExactSitePermAllow(aPrincipal, WEBAPPS_PERM_NAME)) {
748 return NS_ERROR_DOM_BAD_URI;
749 }
750 }
751 return NS_OK;
752 }
753
754 // If the schemes don't match, the policy is specified by the protocol
755 // flags on the target URI. Note that the order of policy checks here is
756 // very important! We start from most restrictive and work our way down.
757 // Note that since we're working with the innermost URI, we can just use
758 // the methods that work on chains of nested URIs and they will only look
759 // at the flags for our one URI.
760
761 // Check for system target URI
762 rv = DenyAccessIfURIHasFlags(targetBaseURI,
763 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
764 if (NS_FAILED(rv)) {
765 // Deny access, since the origin principal is not system
766 if (reportErrors) {
767 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
768 }
769 return rv;
770 }
771
772 // Check for chrome target URI
773 rv = NS_URIChainHasFlags(targetBaseURI,
774 nsIProtocolHandler::URI_IS_UI_RESOURCE,
775 &hasFlags);
776 NS_ENSURE_SUCCESS(rv, rv);
777 if (hasFlags) {
778 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
779
780 // For now, don't change behavior for resource:// or moz-icon:// and
781 // just allow them.
782 if (!targetScheme.EqualsLiteral("chrome")) {
783 return NS_OK;
784 }
785
786 // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
787 // target if ALLOW_CHROME is set.
788 //
789 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
790 // loads (since docshell loads run the loaded content with its origin
791 // principal). So we're effectively allowing resource://, chrome://,
792 // and moz-icon:// source URIs to load resource://, chrome://, and
793 // moz-icon:// files, so long as they're not loading it as a document.
794 bool sourceIsUIResource;
795 rv = NS_URIChainHasFlags(sourceBaseURI,
796 nsIProtocolHandler::URI_IS_UI_RESOURCE,
797 &sourceIsUIResource);
798 NS_ENSURE_SUCCESS(rv, rv);
799 if (sourceIsUIResource) {
800 return NS_OK;
801 }
802
803 // Allow the load only if the chrome package is whitelisted.
804 nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
805 NS_CHROMEREGISTRY_CONTRACTID));
806 if (reg) {
807 bool accessAllowed = false;
808 reg->AllowContentToAccess(targetBaseURI, &accessAllowed);
809 if (accessAllowed) {
810 return NS_OK;
811 }
812 }
813 }
814
815 // Special-case the hidden window: it's allowed to load
816 // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
817 nsAutoCString sourceSpec;
818 if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
819 sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
820 return NS_OK;
821 }
822
823 if (reportErrors) {
824 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
825 }
826 return NS_ERROR_DOM_BAD_URI;
827 }
828
829 // Check for target URI pointing to a file
830 rv = NS_URIChainHasFlags(targetBaseURI,
831 nsIProtocolHandler::URI_IS_LOCAL_FILE,
832 &hasFlags);
833 NS_ENSURE_SUCCESS(rv, rv);
834 if (hasFlags) {
835 // Allow domains that were whitelisted in the prefs. In 99.9% of cases,
836 // this array is empty.
837 for (size_t i = 0; i < mFileURIWhitelist.Length(); ++i) {
838 if (EqualOrSubdomain(sourceURI, mFileURIWhitelist[i])) {
839 return NS_OK;
840 }
841 }
842
843 // resource: and chrome: are equivalent, securitywise
844 // That's bogus!! Fix this. But watch out for
845 // the view-source stylesheet?
846 bool sourceIsChrome;
847 rv = NS_URIChainHasFlags(sourceURI,
848 nsIProtocolHandler::URI_IS_UI_RESOURCE,
849 &sourceIsChrome);
850 NS_ENSURE_SUCCESS(rv, rv);
851 if (sourceIsChrome) {
852 return NS_OK;
853 }
854
855 if (reportErrors) {
856 ReportError(nullptr, errorTag, sourceURI, aTargetURI);
857 }
858 return NS_ERROR_DOM_BAD_URI;
859 }
860
861 // OK, everyone is allowed to load this, since unflagged handlers are
862 // deprecated but treated as URI_LOADABLE_BY_ANYONE. But check whether we
863 // need to warn. At some point we'll want to make this warning into an
864 // error and treat unflagged handlers as URI_DANGEROUS_TO_LOAD.
865 rv = NS_URIChainHasFlags(targetBaseURI,
866 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
867 &hasFlags);
868 NS_ENSURE_SUCCESS(rv, rv);
869 if (!hasFlags) {
870 nsXPIDLString message;
871 NS_ConvertASCIItoUTF16 ucsTargetScheme(targetScheme);
872 const char16_t* formatStrings[] = { ucsTargetScheme.get() };
873 rv = sStrBundle->
874 FormatStringFromName(MOZ_UTF16("ProtocolFlagError"),
875 formatStrings,
876 ArrayLength(formatStrings),
877 getter_Copies(message));
878 if (NS_SUCCEEDED(rv)) {
879 nsCOMPtr<nsIConsoleService> console(
880 do_GetService("@mozilla.org/consoleservice;1"));
881 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
882
883 console->LogStringMessage(message.get());
884 }
885 }
886
887 return NS_OK;
888 }
889
890 nsresult
891 nsScriptSecurityManager::ReportError(JSContext* cx, const nsAString& messageTag,
892 nsIURI* aSource, nsIURI* aTarget)
893 {
894 nsresult rv;
895 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
896
897 // Get the source URL spec
898 nsAutoCString sourceSpec;
899 rv = aSource->GetAsciiSpec(sourceSpec);
900 NS_ENSURE_SUCCESS(rv, rv);
901
902 // Get the target URL spec
903 nsAutoCString targetSpec;
904 rv = aTarget->GetAsciiSpec(targetSpec);
905 NS_ENSURE_SUCCESS(rv, rv);
906
907 // Localize the error message
908 nsXPIDLString message;
909 NS_ConvertASCIItoUTF16 ucsSourceSpec(sourceSpec);
910 NS_ConvertASCIItoUTF16 ucsTargetSpec(targetSpec);
911 const char16_t *formatStrings[] = { ucsSourceSpec.get(), ucsTargetSpec.get() };
912 rv = sStrBundle->FormatStringFromName(PromiseFlatString(messageTag).get(),
913 formatStrings,
914 ArrayLength(formatStrings),
915 getter_Copies(message));
916 NS_ENSURE_SUCCESS(rv, rv);
917
918 // If a JS context was passed in, set a JS exception.
919 // Otherwise, print the error message directly to the JS console
920 // and to standard output
921 if (cx)
922 {
923 SetPendingException(cx, message.get());
924 }
925 else // Print directly to the console
926 {
927 nsCOMPtr<nsIConsoleService> console(
928 do_GetService("@mozilla.org/consoleservice;1"));
929 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
930
931 console->LogStringMessage(message.get());
932 }
933 return NS_OK;
934 }
935
936 NS_IMETHODIMP
937 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal* aPrincipal,
938 const nsACString& aTargetURIStr,
939 uint32_t aFlags)
940 {
941 nsresult rv;
942 nsCOMPtr<nsIURI> target;
943 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr,
944 nullptr, nullptr, sIOService);
945 NS_ENSURE_SUCCESS(rv, rv);
946
947 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
948 if (rv == NS_ERROR_DOM_BAD_URI) {
949 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
950 // return values.
951 return rv;
952 }
953 NS_ENSURE_SUCCESS(rv, rv);
954
955 // Now start testing fixup -- since aTargetURIStr is a string, not
956 // an nsIURI, we may well end up fixing it up before loading.
957 // Note: This needs to stay in sync with the nsIURIFixup api.
958 nsCOMPtr<nsIURIFixup> fixup = do_GetService(NS_URIFIXUP_CONTRACTID);
959 if (!fixup) {
960 return rv;
961 }
962
963 uint32_t flags[] = {
964 nsIURIFixup::FIXUP_FLAG_NONE,
965 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS,
966 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
967 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
968 nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
969 nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
970 };
971
972 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
973 rv = fixup->CreateFixupURI(aTargetURIStr, flags[i], nullptr,
974 getter_AddRefs(target));
975 NS_ENSURE_SUCCESS(rv, rv);
976
977 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags);
978 if (rv == NS_ERROR_DOM_BAD_URI) {
979 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
980 // return values.
981 return rv;
982 }
983 NS_ENSURE_SUCCESS(rv, rv);
984 }
985
986 return rv;
987 }
988
989 bool
990 nsScriptSecurityManager::ScriptAllowed(JSObject *aGlobal)
991 {
992 MOZ_ASSERT(aGlobal);
993 MOZ_ASSERT(JS_IsGlobalObject(aGlobal) || js::IsOuterObject(aGlobal));
994
995 // Check the bits on the compartment private.
996 return xpc::Scriptability::Get(aGlobal).Allowed();
997 }
998
999 ///////////////// Principals ///////////////////////
1000
1001 NS_IMETHODIMP
1002 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal **result)
1003 {
1004 NS_ADDREF(*result = mSystemPrincipal);
1005
1006 return NS_OK;
1007 }
1008
1009 nsresult
1010 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId,
1011 bool aInMozBrowser,
1012 nsIPrincipal **result)
1013 {
1014 // I _think_ it's safe to not create null principals here based on aURI.
1015 // At least all the callers would do the right thing in those cases, as far
1016 // as I can tell. --bz
1017
1018 nsCOMPtr<nsIURIWithPrincipal> uriPrinc = do_QueryInterface(aURI);
1019 if (uriPrinc) {
1020 nsCOMPtr<nsIPrincipal> principal;
1021 uriPrinc->GetPrincipal(getter_AddRefs(principal));
1022 if (!principal || principal == mSystemPrincipal) {
1023 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
1024 }
1025
1026 principal.forget(result);
1027
1028 return NS_OK;
1029 }
1030
1031 nsRefPtr<nsPrincipal> codebase = new nsPrincipal();
1032 if (!codebase)
1033 return NS_ERROR_OUT_OF_MEMORY;
1034
1035 nsresult rv = codebase->Init(aURI, aAppId, aInMozBrowser);
1036 if (NS_FAILED(rv))
1037 return rv;
1038
1039 NS_ADDREF(*result = codebase);
1040
1041 return NS_OK;
1042 }
1043
1044 NS_IMETHODIMP
1045 nsScriptSecurityManager::GetSimpleCodebasePrincipal(nsIURI* aURI,
1046 nsIPrincipal** aPrincipal)
1047 {
1048 return GetCodebasePrincipalInternal(aURI,
1049 nsIScriptSecurityManager::UNKNOWN_APP_ID,
1050 false, aPrincipal);
1051 }
1052
1053 NS_IMETHODIMP
1054 nsScriptSecurityManager::GetNoAppCodebasePrincipal(nsIURI* aURI,
1055 nsIPrincipal** aPrincipal)
1056 {
1057 return GetCodebasePrincipalInternal(aURI, nsIScriptSecurityManager::NO_APP_ID,
1058 false, aPrincipal);
1059 }
1060
1061 NS_IMETHODIMP
1062 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI* aURI,
1063 nsIPrincipal** aPrincipal)
1064 {
1065 return GetNoAppCodebasePrincipal(aURI, aPrincipal);
1066 }
1067
1068 NS_IMETHODIMP
1069 nsScriptSecurityManager::GetAppCodebasePrincipal(nsIURI* aURI,
1070 uint32_t aAppId,
1071 bool aInMozBrowser,
1072 nsIPrincipal** aPrincipal)
1073 {
1074 NS_ENSURE_TRUE(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID,
1075 NS_ERROR_INVALID_ARG);
1076
1077 return GetCodebasePrincipalInternal(aURI, aAppId, aInMozBrowser, aPrincipal);
1078 }
1079
1080 NS_IMETHODIMP
1081 nsScriptSecurityManager::
1082 GetLoadContextCodebasePrincipal(nsIURI* aURI,
1083 nsILoadContext* aLoadContext,
1084 nsIPrincipal** aPrincipal)
1085 {
1086 uint32_t appId;
1087 aLoadContext->GetAppId(&appId);
1088 bool isInBrowserElement;
1089 aLoadContext->GetIsInBrowserElement(&isInBrowserElement);
1090 return GetCodebasePrincipalInternal(aURI,
1091 appId,
1092 isInBrowserElement,
1093 aPrincipal);
1094 }
1095
1096 NS_IMETHODIMP
1097 nsScriptSecurityManager::GetDocShellCodebasePrincipal(nsIURI* aURI,
1098 nsIDocShell* aDocShell,
1099 nsIPrincipal** aPrincipal)
1100 {
1101 return GetCodebasePrincipalInternal(aURI,
1102 aDocShell->GetAppId(),
1103 aDocShell->GetIsInBrowserElement(),
1104 aPrincipal);
1105 }
1106
1107 nsresult
1108 nsScriptSecurityManager::GetCodebasePrincipalInternal(nsIURI *aURI,
1109 uint32_t aAppId,
1110 bool aInMozBrowser,
1111 nsIPrincipal **result)
1112 {
1113 NS_ENSURE_ARG(aURI);
1114
1115 bool inheritsPrincipal;
1116 nsresult rv =
1117 NS_URIChainHasFlags(aURI,
1118 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
1119 &inheritsPrincipal);
1120 if (NS_FAILED(rv) || inheritsPrincipal) {
1121 return CallCreateInstance(NS_NULLPRINCIPAL_CONTRACTID, result);
1122 }
1123
1124 nsCOMPtr<nsIPrincipal> principal;
1125 rv = CreateCodebasePrincipal(aURI, aAppId, aInMozBrowser,
1126 getter_AddRefs(principal));
1127 NS_ENSURE_SUCCESS(rv, rv);
1128 NS_IF_ADDREF(*result = principal);
1129
1130 return NS_OK;
1131 }
1132
1133 // static
1134 nsIPrincipal*
1135 nsScriptSecurityManager::doGetObjectPrincipal(JSObject *aObj)
1136 {
1137 JSCompartment *compartment = js::GetObjectCompartment(aObj);
1138 JSPrincipals *principals = JS_GetCompartmentPrincipals(compartment);
1139 return nsJSPrincipals::get(principals);
1140 }
1141
1142 NS_IMETHODIMP
1143 nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
1144 const nsIID &aIID,
1145 nsISupports *aObj,
1146 nsIClassInfo *aClassInfo)
1147 {
1148 // XXX Special case for nsIXPCException ?
1149 ClassInfoData objClassInfo = ClassInfoData(aClassInfo, nullptr);
1150 if (objClassInfo.IsDOMClass())
1151 {
1152 return NS_OK;
1153 }
1154
1155 // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
1156 if (!xpc::AllowContentXBLScope(js::GetContextCompartment(cx)))
1157 {
1158 return NS_OK;
1159 }
1160
1161 if (nsContentUtils::IsCallerChrome())
1162 {
1163 return NS_OK;
1164 }
1165
1166 //-- Access denied, report an error
1167 NS_ConvertUTF8toUTF16 strName("CreateWrapperDenied");
1168 nsAutoCString origin;
1169 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1170 GetPrincipalDomainOrigin(subjectPrincipal, origin);
1171 NS_ConvertUTF8toUTF16 originUnicode(origin);
1172 NS_ConvertUTF8toUTF16 classInfoName(objClassInfo.GetName());
1173 const char16_t* formatStrings[] = {
1174 classInfoName.get(),
1175 originUnicode.get()
1176 };
1177 uint32_t length = ArrayLength(formatStrings);
1178 if (originUnicode.IsEmpty()) {
1179 --length;
1180 } else {
1181 strName.AppendLiteral("ForOrigin");
1182 }
1183 nsXPIDLString errorMsg;
1184 nsresult rv = sStrBundle->FormatStringFromName(strName.get(),
1185 formatStrings,
1186 length,
1187 getter_Copies(errorMsg));
1188 NS_ENSURE_SUCCESS(rv, rv);
1189
1190 SetPendingException(cx, errorMsg.get());
1191 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1192 }
1193
1194 NS_IMETHODIMP
1195 nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
1196 const nsCID &aCID)
1197 {
1198 if (nsContentUtils::IsCallerChrome()) {
1199 return NS_OK;
1200 }
1201
1202 //-- Access denied, report an error
1203 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1204 char cidStr[NSID_LENGTH];
1205 aCID.ToProvidedString(cidStr);
1206 errorMsg.Append(cidStr);
1207 SetPendingException(cx, errorMsg.get());
1208 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1209 }
1210
1211 NS_IMETHODIMP
1212 nsScriptSecurityManager::CanGetService(JSContext *cx,
1213 const nsCID &aCID)
1214 {
1215 if (nsContentUtils::IsCallerChrome()) {
1216 return NS_OK;
1217 }
1218
1219 //-- Access denied, report an error
1220 nsAutoCString errorMsg("Permission denied to get service. CID=");
1221 char cidStr[NSID_LENGTH];
1222 aCID.ToProvidedString(cidStr);
1223 errorMsg.Append(cidStr);
1224 SetPendingException(cx, errorMsg.get());
1225 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1226 }
1227
1228 /////////////////////////////////////////////
1229 // Method implementing nsIChannelEventSink //
1230 /////////////////////////////////////////////
1231 NS_IMETHODIMP
1232 nsScriptSecurityManager::AsyncOnChannelRedirect(nsIChannel* oldChannel,
1233 nsIChannel* newChannel,
1234 uint32_t redirFlags,
1235 nsIAsyncVerifyRedirectCallback *cb)
1236 {
1237 nsCOMPtr<nsIPrincipal> oldPrincipal;
1238 GetChannelPrincipal(oldChannel, getter_AddRefs(oldPrincipal));
1239
1240 nsCOMPtr<nsIURI> newURI;
1241 newChannel->GetURI(getter_AddRefs(newURI));
1242 nsCOMPtr<nsIURI> newOriginalURI;
1243 newChannel->GetOriginalURI(getter_AddRefs(newOriginalURI));
1244
1245 NS_ENSURE_STATE(oldPrincipal && newURI && newOriginalURI);
1246
1247 const uint32_t flags =
1248 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
1249 nsIScriptSecurityManager::DISALLOW_SCRIPT;
1250 nsresult rv = CheckLoadURIWithPrincipal(oldPrincipal, newURI, flags);
1251 if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
1252 rv = CheckLoadURIWithPrincipal(oldPrincipal, newOriginalURI, flags);
1253 }
1254
1255 if (NS_FAILED(rv))
1256 return rv;
1257
1258 cb->OnRedirectVerifyCallback(NS_OK);
1259 return NS_OK;
1260 }
1261
1262
1263 /////////////////////////////////////
1264 // Method implementing nsIObserver //
1265 /////////////////////////////////////
1266 const char sJSEnabledPrefName[] = "javascript.enabled";
1267 const char sFileOriginPolicyPrefName[] =
1268 "security.fileuri.strict_origin_policy";
1269
1270 static const char* kObservedPrefs[] = {
1271 sJSEnabledPrefName,
1272 sFileOriginPolicyPrefName,
1273 "capability.policy.",
1274 nullptr
1275 };
1276
1277
1278 NS_IMETHODIMP
1279 nsScriptSecurityManager::Observe(nsISupports* aObject, const char* aTopic,
1280 const char16_t* aMessage)
1281 {
1282 ScriptSecurityPrefChanged();
1283 return NS_OK;
1284 }
1285
1286 /////////////////////////////////////////////
1287 // Constructor, Destructor, Initialization //
1288 /////////////////////////////////////////////
1289 nsScriptSecurityManager::nsScriptSecurityManager(void)
1290 : mPrefInitialized(false)
1291 , mIsJavaScriptEnabled(false)
1292 {
1293 static_assert(sizeof(intptr_t) == sizeof(void*),
1294 "intptr_t and void* have different lengths on this platform. "
1295 "This may cause a security failure with the SecurityLevel union.");
1296 }
1297
1298 nsresult nsScriptSecurityManager::Init()
1299 {
1300 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1301 NS_ENSURE_SUCCESS(rv, rv);
1302
1303 InitPrefs();
1304
1305 nsCOMPtr<nsIStringBundleService> bundleService =
1306 mozilla::services::GetStringBundleService();
1307 if (!bundleService)
1308 return NS_ERROR_FAILURE;
1309
1310 rv = bundleService->CreateBundle("chrome://global/locale/security/caps.properties", &sStrBundle);
1311 NS_ENSURE_SUCCESS(rv, rv);
1312
1313 // Create our system principal singleton
1314 nsRefPtr<nsSystemPrincipal> system = new nsSystemPrincipal();
1315 NS_ENSURE_TRUE(system, NS_ERROR_OUT_OF_MEMORY);
1316
1317 mSystemPrincipal = system;
1318
1319 //-- Register security check callback in the JS engine
1320 // Currently this is used to control access to function.caller
1321 rv = nsXPConnect::XPConnect()->GetRuntime(&sRuntime);
1322 NS_ENSURE_SUCCESS(rv, rv);
1323
1324 static const JSSecurityCallbacks securityCallbacks = {
1325 ContentSecurityPolicyPermitsJSAction,
1326 JSPrincipalsSubsume,
1327 };
1328
1329 MOZ_ASSERT(!JS_GetSecurityCallbacks(sRuntime));
1330 JS_SetSecurityCallbacks(sRuntime, &securityCallbacks);
1331 JS_InitDestroyPrincipalsCallback(sRuntime, nsJSPrincipals::Destroy);
1332
1333 JS_SetTrustedPrincipals(sRuntime, system);
1334
1335 return NS_OK;
1336 }
1337
1338 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1339
1340 nsScriptSecurityManager::~nsScriptSecurityManager(void)
1341 {
1342 Preferences::RemoveObservers(this, kObservedPrefs);
1343 if (mDomainPolicy)
1344 mDomainPolicy->Deactivate();
1345 MOZ_ASSERT(!mDomainPolicy);
1346 }
1347
1348 void
1349 nsScriptSecurityManager::Shutdown()
1350 {
1351 if (sRuntime) {
1352 JS_SetSecurityCallbacks(sRuntime, nullptr);
1353 JS_SetTrustedPrincipals(sRuntime, nullptr);
1354 sRuntime = nullptr;
1355 }
1356
1357 NS_IF_RELEASE(sIOService);
1358 NS_IF_RELEASE(sStrBundle);
1359 }
1360
1361 nsScriptSecurityManager *
1362 nsScriptSecurityManager::GetScriptSecurityManager()
1363 {
1364 return gScriptSecMan;
1365 }
1366
1367 /* static */ void
1368 nsScriptSecurityManager::InitStatics()
1369 {
1370 nsRefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1371 nsresult rv = ssManager->Init();
1372 if (NS_FAILED(rv)) {
1373 MOZ_CRASH();
1374 }
1375
1376 ClearOnShutdown(&gScriptSecMan);
1377 gScriptSecMan = ssManager;
1378 }
1379
1380 // Currently this nsGenericFactory constructor is used only from FastLoad
1381 // (XPCOM object deserialization) code, when "creating" the system principal
1382 // singleton.
1383 nsSystemPrincipal *
1384 nsScriptSecurityManager::SystemPrincipalSingletonConstructor()
1385 {
1386 nsIPrincipal *sysprin = nullptr;
1387 if (gScriptSecMan)
1388 NS_ADDREF(sysprin = gScriptSecMan->mSystemPrincipal);
1389 return static_cast<nsSystemPrincipal*>(sysprin);
1390 }
1391
1392 struct IsWhitespace {
1393 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1394 };
1395 struct IsWhitespaceOrComma {
1396 static bool Test(char aChar) { return aChar == ',' || NS_IsAsciiWhitespace(aChar); };
1397 };
1398
1399 template <typename Predicate>
1400 uint32_t SkipPast(const nsCString& str, uint32_t base)
1401 {
1402 while (base < str.Length() && Predicate::Test(str[base])) {
1403 ++base;
1404 }
1405 return base;
1406 }
1407
1408 template <typename Predicate>
1409 uint32_t SkipUntil(const nsCString& str, uint32_t base)
1410 {
1411 while (base < str.Length() && !Predicate::Test(str[base])) {
1412 ++base;
1413 }
1414 return base;
1415 }
1416
1417 inline void
1418 nsScriptSecurityManager::ScriptSecurityPrefChanged()
1419 {
1420 MOZ_ASSERT(mPrefInitialized);
1421 mIsJavaScriptEnabled =
1422 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1423 sStrictFileOriginPolicy =
1424 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1425
1426 //
1427 // Rebuild the set of principals for which we allow file:// URI loads. This
1428 // implements a small subset of an old pref-based CAPS people that people
1429 // have come to depend on. See bug 995943.
1430 //
1431
1432 mFileURIWhitelist.Clear();
1433 auto policies = mozilla::Preferences::GetCString("capability.policy.policynames");
1434 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1435 base < policies.Length();
1436 base = SkipPast<IsWhitespaceOrComma>(policies, bound))
1437 {
1438 // Grab the current policy name.
1439 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1440 auto policyName = Substring(policies, base, bound - base);
1441
1442 // Figure out if this policy allows loading file:// URIs. If not, we can skip it.
1443 nsCString checkLoadURIPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1444 policyName +
1445 NS_LITERAL_CSTRING(".checkloaduri.enabled");
1446 if (!Preferences::GetString(checkLoadURIPrefName.get()).LowerCaseEqualsLiteral("allaccess")) {
1447 continue;
1448 }
1449
1450 // Grab the list of domains associated with this policy.
1451 nsCString domainPrefName = NS_LITERAL_CSTRING("capability.policy.") +
1452 policyName +
1453 NS_LITERAL_CSTRING(".sites");
1454 auto siteList = Preferences::GetCString(domainPrefName.get());
1455 AddSitesToFileURIWhitelist(siteList);
1456 }
1457 }
1458
1459 void
1460 nsScriptSecurityManager::AddSitesToFileURIWhitelist(const nsCString& aSiteList)
1461 {
1462 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1463 base < aSiteList.Length();
1464 base = SkipPast<IsWhitespace>(aSiteList, bound))
1465 {
1466 // Grab the current site.
1467 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1468 nsAutoCString site(Substring(aSiteList, base, bound - base));
1469
1470 // Check if the URI is schemeless. If so, add both http and https.
1471 nsAutoCString unused;
1472 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1473 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("http://") + site);
1474 AddSitesToFileURIWhitelist(NS_LITERAL_CSTRING("https://") + site);
1475 continue;
1476 }
1477
1478 // Convert it to a URI and add it to our list.
1479 nsCOMPtr<nsIURI> uri;
1480 nsresult rv = NS_NewURI(getter_AddRefs(uri), site, nullptr, nullptr, sIOService);
1481 if (NS_SUCCEEDED(rv)) {
1482 mFileURIWhitelist.AppendElement(uri);
1483 } else {
1484 nsCOMPtr<nsIConsoleService> console(do_GetService("@mozilla.org/consoleservice;1"));
1485 if (console) {
1486 nsAutoString msg = NS_LITERAL_STRING("Unable to to add site to file:// URI whitelist: ") +
1487 NS_ConvertASCIItoUTF16(site);
1488 console->LogStringMessage(msg.get());
1489 }
1490 }
1491 }
1492 }
1493
1494 nsresult
1495 nsScriptSecurityManager::InitPrefs()
1496 {
1497 nsIPrefBranch* branch = Preferences::GetRootBranch();
1498 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1499
1500 mPrefInitialized = true;
1501
1502 // Set the initial value of the "javascript.enabled" prefs
1503 ScriptSecurityPrefChanged();
1504
1505 // set observer callbacks in case the value of the prefs change
1506 Preferences::AddStrongObservers(this, kObservedPrefs);
1507
1508 return NS_OK;
1509 }
1510
1511 namespace mozilla {
1512
1513 void
1514 GetJarPrefix(uint32_t aAppId, bool aInMozBrowser, nsACString& aJarPrefix)
1515 {
1516 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1517
1518 if (aAppId == nsIScriptSecurityManager::UNKNOWN_APP_ID) {
1519 aAppId = nsIScriptSecurityManager::NO_APP_ID;
1520 }
1521
1522 aJarPrefix.Truncate();
1523
1524 // Fallback.
1525 if (aAppId == nsIScriptSecurityManager::NO_APP_ID && !aInMozBrowser) {
1526 return;
1527 }
1528
1529 // aJarPrefix = appId + "+" + { 't', 'f' } + "+";
1530 aJarPrefix.AppendInt(aAppId);
1531 aJarPrefix.Append('+');
1532 aJarPrefix.Append(aInMozBrowser ? 't' : 'f');
1533 aJarPrefix.Append('+');
1534
1535 return;
1536 }
1537
1538 } // namespace mozilla
1539
1540 NS_IMETHODIMP
1541 nsScriptSecurityManager::GetJarPrefix(uint32_t aAppId,
1542 bool aInMozBrowser,
1543 nsACString& aJarPrefix)
1544 {
1545 MOZ_ASSERT(aAppId != nsIScriptSecurityManager::UNKNOWN_APP_ID);
1546
1547 mozilla::GetJarPrefix(aAppId, aInMozBrowser, aJarPrefix);
1548 return NS_OK;
1549 }
1550
1551 NS_IMETHODIMP
1552 nsScriptSecurityManager::GetDomainPolicyActive(bool *aRv)
1553 {
1554 *aRv = !!mDomainPolicy;
1555 return NS_OK;
1556 }
1557
1558 NS_IMETHODIMP
1559 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv)
1560 {
1561 // We only allow one domain policy at a time. The holder of the previous
1562 // policy must explicitly deactivate it first.
1563 if (mDomainPolicy) {
1564 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1565 }
1566
1567 mDomainPolicy = new DomainPolicy();
1568 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1569 ptr.forget(aRv);
1570 return NS_OK;
1571 }
1572
1573 // Intentionally non-scriptable. Script must have a reference to the
1574 // nsIDomainPolicy to deactivate it.
1575 void
1576 nsScriptSecurityManager::DeactivateDomainPolicy()
1577 {
1578 mDomainPolicy = nullptr;
1579 }
1580
1581 NS_IMETHODIMP
1582 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool *aRv)
1583 {
1584 nsresult rv;
1585
1586 // Compute our rule. If we don't have any domain policy set up that might
1587 // provide exceptions to this rule, we're done.
1588 *aRv = mIsJavaScriptEnabled;
1589 if (!mDomainPolicy) {
1590 return NS_OK;
1591 }
1592
1593 // We have a domain policy. Grab the appropriate set of exceptions to the
1594 // rule (either the blacklist or the whitelist, depending on whether script
1595 // is enabled or disabled by default).
1596 nsCOMPtr<nsIDomainSet> exceptions;
1597 nsCOMPtr<nsIDomainSet> superExceptions;
1598 if (*aRv) {
1599 mDomainPolicy->GetBlacklist(getter_AddRefs(exceptions));
1600 mDomainPolicy->GetSuperBlacklist(getter_AddRefs(superExceptions));
1601 } else {
1602 mDomainPolicy->GetWhitelist(getter_AddRefs(exceptions));
1603 mDomainPolicy->GetSuperWhitelist(getter_AddRefs(superExceptions));
1604 }
1605
1606 bool contains;
1607 rv = exceptions->Contains(aURI, &contains);
1608 NS_ENSURE_SUCCESS(rv, rv);
1609 if (contains) {
1610 *aRv = !*aRv;
1611 return NS_OK;
1612 }
1613 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1614 NS_ENSURE_SUCCESS(rv, rv);
1615 if (contains) {
1616 *aRv = !*aRv;
1617 }
1618
1619 return NS_OK;
1620 }