search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1685680 [wpt PR 27099] - Add missing jsapi tests for wasm reference-types proposa...
[gecko.git] / caps / nsScriptSecurityManager.cpp
bloba0a35f33cacc4144b2bcee9bf2974952919840c8
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/StaticPrefs_extensions.h"
11 #include "mozilla/StaticPrefs_security.h"
12 #include "mozilla/StoragePrincipalHelper.h"
13
14 #include "xpcpublic.h"
15 #include "XPCWrapper.h"
16 #include "nsILoadContext.h"
17 #include "nsIScriptObjectPrincipal.h"
18 #include "nsIScriptContext.h"
19 #include "nsIScriptError.h"
20 #include "nsINestedURI.h"
21 #include "nspr.h"
22 #include "nsJSPrincipals.h"
23 #include "mozilla/BasePrincipal.h"
24 #include "ExpandedPrincipal.h"
25 #include "SystemPrincipal.h"
26 #include "DomainPolicy.h"
27 #include "nsString.h"
28 #include "nsCRT.h"
29 #include "nsCRTGlue.h"
30 #include "nsContentSecurityUtils.h"
31 #include "nsDocShell.h"
32 #include "nsError.h"
33 #include "nsGlobalWindowInner.h"
34 #include "nsDOMCID.h"
35 #include "nsTextFormatter.h"
36 #include "nsIStringBundle.h"
37 #include "nsNetUtil.h"
38 #include "nsIEffectiveTLDService.h"
39 #include "nsDirectoryServiceDefs.h"
40 #include "nsIScriptGlobalObject.h"
41 #include "nsPIDOMWindow.h"
42 #include "nsIDocShell.h"
43 #include "nsIConsoleService.h"
44 #include "nsIOService.h"
45 #include "nsIContent.h"
46 #include "nsDOMJSUtils.h"
47 #include "nsAboutProtocolUtils.h"
48 #include "nsIClassInfo.h"
49 #include "nsIURIFixup.h"
50 #include "nsIChromeRegistry.h"
51 #include "nsIResProtocolHandler.h"
52 #include "nsIContentSecurityPolicy.h"
53 #include "mozilla/Components.h"
54 #include "mozilla/Preferences.h"
55 #include "mozilla/dom/BindingUtils.h"
56 #include "mozilla/NullPrincipal.h"
57 #include <stdint.h>
58 #include "mozilla/dom/ContentChild.h"
59 #include "mozilla/dom/ContentParent.h"
60 #include "mozilla/dom/nsCSPContext.h"
61 #include "mozilla/dom/ScriptSettings.h"
62 #include "mozilla/ClearOnShutdown.h"
63 #include "mozilla/StaticPtr.h"
64 #include "mozilla/dom/WorkerCommon.h"
65 #include "mozilla/dom/WorkerPrivate.h"
66 #include "nsContentUtils.h"
67 #include "nsJSUtils.h"
68 #include "nsILoadInfo.h"
69
70 // This should be probably defined on some other place... but I couldn't find it
71 #define WEBAPPS_PERM_NAME "webapps-manage"
72
73 using namespace mozilla;
74 using namespace mozilla::dom;
75
76 nsIIOService* nsScriptSecurityManager::sIOService = nullptr;
77 bool nsScriptSecurityManager::sStrictFileOriginPolicy = true;
78
79 namespace {
80
81 class BundleHelper {
82 public:
83 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
84
85 static nsIStringBundle* GetOrCreate() {
86 MOZ_ASSERT(!sShutdown);
87
88 // Already shutting down. Nothing should require the use of the string
89 // bundle when shutting down.
90 if (sShutdown) {
91 return nullptr;
92 }
93
94 if (!sSelf) {
95 sSelf = new BundleHelper();
96 }
97
98 return sSelf->GetOrCreateInternal();
99 }
100
101 static void Shutdown() {
102 sSelf = nullptr;
103 sShutdown = true;
104 }
105
106 private:
107 ~BundleHelper() = default;
108
109 nsIStringBundle* GetOrCreateInternal() {
110 if (!mBundle) {
111 nsCOMPtr<nsIStringBundleService> bundleService =
112 mozilla::services::GetStringBundleService();
113 if (NS_WARN_IF(!bundleService)) {
114 return nullptr;
115 }
116
117 nsresult rv = bundleService->CreateBundle(
118 "chrome://global/locale/security/caps.properties",
119 getter_AddRefs(mBundle));
120 if (NS_WARN_IF(NS_FAILED(rv))) {
121 return nullptr;
122 }
123 }
124
125 return mBundle;
126 }
127
128 nsCOMPtr<nsIStringBundle> mBundle;
129
130 static StaticRefPtr<BundleHelper> sSelf;
131 static bool sShutdown;
132 };
133
134 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
135 bool BundleHelper::sShutdown = false;
136
137 } // namespace
138
139 ///////////////////////////
140 // Convenience Functions //
141 ///////////////////////////
142
143 class nsAutoInPrincipalDomainOriginSetter {
144 public:
145 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
146 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
147 static uint32_t sInPrincipalDomainOrigin;
148 };
149 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
150
151 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
152 if (!aURI) {
153 return NS_ERROR_NULL_POINTER;
154 }
155 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
156 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
157 // might be happening on a different principal from the first call. But
158 // after that, cut off the recursion; it just indicates that something
159 // we're doing in this method causes us to reenter a security check here.
160 return NS_ERROR_NOT_AVAILABLE;
161 }
162
163 nsAutoInPrincipalDomainOriginSetter autoSetter;
164
165 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
166 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
167
168 nsAutoCString hostPort;
169
170 nsresult rv = uri->GetHostPort(hostPort);
171 if (NS_SUCCEEDED(rv)) {
172 nsAutoCString scheme;
173 rv = uri->GetScheme(scheme);
174 NS_ENSURE_SUCCESS(rv, rv);
175 aOrigin = scheme + "://"_ns + hostPort;
176 } else {
177 // Some URIs (e.g., nsSimpleURI) don't support host. Just
178 // get the full spec.
179 rv = uri->GetSpec(aOrigin);
180 NS_ENSURE_SUCCESS(rv, rv);
181 }
182
183 return NS_OK;
184 }
185
186 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
187 nsACString& aOrigin) {
188 aOrigin.Truncate();
189 nsCOMPtr<nsIURI> uri;
190 aPrincipal->GetDomain(getter_AddRefs(uri));
191 nsresult rv = GetOriginFromURI(uri, aOrigin);
192 if (NS_SUCCEEDED(rv)) {
193 return rv;
194 }
195 // If there is no Domain fallback to the Principals Origin
196 return aPrincipal->GetOriginNoSuffix(aOrigin);
197 }
198
199 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
200 JS_ReportErrorASCII(cx, "%s", aMsg);
201 }
202
203 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
204 NS_ConvertUTF16toUTF8 msg(aMsg);
205 JS_ReportErrorUTF8(cx, "%s", msg.get());
206 }
207
208 /* static */
209 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
210 nsIURI* aTargetURI) {
211 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
212 sStrictFileOriginPolicy);
213 }
214
215 // SecurityHashURI is consistent with SecurityCompareURIs because
216 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
217 // nsNetUtil.h.
218 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
219 return NS_SecurityHashURI(aURI);
220 }
221
222 /*
223 * GetChannelResultPrincipal will return the principal that the resource
224 * returned by this channel will use. For example, if the resource is in
225 * a sandbox, it will return the nullprincipal. If the resource is forced
226 * to inherit principal, it will return the principal of its parent. If
227 * the load doesn't require sandboxing or inheriting, it will return the same
228 * principal as GetChannelURIPrincipal. Namely the principal of the URI
229 * that is being loaded.
230 */
231 NS_IMETHODIMP
232 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
233 nsIPrincipal** aPrincipal) {
234 return GetChannelResultPrincipal(aChannel, aPrincipal,
235 /*aIgnoreSandboxing*/ false);
236 }
237
238 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
239 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
240 return GetChannelResultPrincipal(aChannel, aPrincipal,
241 /*aIgnoreSandboxing*/ true);
242 }
243
244 NS_IMETHODIMP
245 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
246 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
247 nsCOMPtr<nsIPrincipal> principal;
248 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
249 /*aIgnoreSandboxing*/ false);
250 if (NS_WARN_IF(NS_FAILED(rv))) {
251 return rv;
252 }
253
254 return StoragePrincipalHelper::Create(
255 aChannel, principal, /* aForceIsolation */ false, aPrincipal);
256 }
257
258 NS_IMETHODIMP
259 nsScriptSecurityManager::GetChannelResultPrincipals(
260 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
261 nsIPrincipal** aPartitionedPrincipal) {
262 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
263 /*aIgnoreSandboxing*/ false);
264 if (NS_WARN_IF(NS_FAILED(rv))) {
265 return rv;
266 }
267
268 if (!(*aPrincipal)->GetIsContentPrincipal()) {
269 // If for some reason we don't have a content principal here, just reuse our
270 // principal for the storage principal too, since attempting to create a
271 // storage principal would fail anyway.
272 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
273 copy.forget(aPartitionedPrincipal);
274 return NS_OK;
275 }
276
277 return StoragePrincipalHelper::Create(
278 aChannel, *aPrincipal, /* aForceIsolation */ true, aPartitionedPrincipal);
279 }
280
281 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
282 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
283 MOZ_ASSERT(aChannel, "Must have channel!");
284
285 // Check whether we have an nsILoadInfo that says what we should do.
286 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
287 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
288 nsCOMPtr<nsIPrincipal> principalToInherit =
289 loadInfo->FindPrincipalToInherit(aChannel);
290 principalToInherit.forget(aPrincipal);
291 return NS_OK;
292 }
293
294 nsCOMPtr<nsISupports> owner;
295 aChannel->GetOwner(getter_AddRefs(owner));
296 if (owner) {
297 CallQueryInterface(owner, aPrincipal);
298 if (*aPrincipal) {
299 return NS_OK;
300 }
301 }
302
303 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
304 nsCOMPtr<nsIPrincipal> sandboxedLoadingPrincipal =
305 loadInfo->GetSandboxedLoadingPrincipal();
306 MOZ_ASSERT(sandboxedLoadingPrincipal);
307 sandboxedLoadingPrincipal.forget(aPrincipal);
308 return NS_OK;
309 }
310
311 bool forceInherit = loadInfo->GetForceInheritPrincipal();
312 if (aIgnoreSandboxing && !forceInherit) {
313 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
314 // sandboxing:
315 if (loadInfo->GetLoadingSandboxed() &&
316 loadInfo->GetForceInheritPrincipalDropped()) {
317 forceInherit = true;
318 }
319 }
320 if (forceInherit) {
321 nsCOMPtr<nsIPrincipal> principalToInherit =
322 loadInfo->FindPrincipalToInherit(aChannel);
323 principalToInherit.forget(aPrincipal);
324 return NS_OK;
325 }
326
327 auto securityMode = loadInfo->GetSecurityMode();
328 // The data: inheritance flags should only apply to the initial load,
329 // not to loads that it might have redirected to.
330 if (loadInfo->RedirectChain().IsEmpty() &&
331 (securityMode ==
332 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
333 securityMode ==
334 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
335 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT)) {
336 nsCOMPtr<nsIURI> uri;
337 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
338 NS_ENSURE_SUCCESS(rv, rv);
339
340 nsCOMPtr<nsIPrincipal> principalToInherit =
341 loadInfo->FindPrincipalToInherit(aChannel);
342 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
343
344 if (nsContentUtils::ChannelShouldInheritPrincipal(
345 principalToInherit, uri, inheritForAboutBlank, false)) {
346 principalToInherit.forget(aPrincipal);
347 return NS_OK;
348 }
349 }
350 return GetChannelURIPrincipal(aChannel, aPrincipal);
351 }
352
353 /* The principal of the URI that this channel is loading. This is never
354 * affected by things like sandboxed loads, or loads where we forcefully
355 * inherit the principal. Think of this as the principal of the server
356 * which this channel is loading from. Most callers should use
357 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
358 * call GetChannelURIPrincipal if you are sure that you want the
359 * principal that matches the uri, even in cases when the load is
360 * sandboxed or when the load could be a blob or data uri (i.e even when
361 * you encounter loads that may or may not be sandboxed and loads
362 * that may or may not inherit)."
363 */
364 NS_IMETHODIMP
365 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
366 nsIPrincipal** aPrincipal) {
367 MOZ_ASSERT(aChannel, "Must have channel!");
368
369 // Get the principal from the URI. Make sure this does the same thing
370 // as Document::Reset and PrototypeDocumentContentSink::Init.
371 nsCOMPtr<nsIURI> uri;
372 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
373 NS_ENSURE_SUCCESS(rv, rv);
374
375 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
376
377 // Inherit the origin attributes from loadInfo.
378 // If this is a top-level document load, the origin attributes of the
379 // loadInfo will be set from nsDocShell::DoURILoad.
380 // For subresource loading, the origin attributes of the loadInfo is from
381 // its loadingPrincipal.
382 OriginAttributes attrs = loadInfo->GetOriginAttributes();
383
384 nsCOMPtr<nsIPrincipal> prin =
385 BasePrincipal::CreateContentPrincipal(uri, attrs);
386 prin.forget(aPrincipal);
387 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
388 }
389
390 /////////////////////////////
391 // nsScriptSecurityManager //
392 /////////////////////////////
393
394 ////////////////////////////////////
395 // Methods implementing ISupports //
396 ////////////////////////////////////
397 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
398
399 ///////////////////////////////////////////////////
400 // Methods implementing nsIScriptSecurityManager //
401 ///////////////////////////////////////////////////
402
403 ///////////////// Security Checks /////////////////
404
405 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
406 JSContext* cx, JS::HandleString aCode) {
407 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
408
409 // Get the window, if any, corresponding to the current global
410 nsCOMPtr<nsIContentSecurityPolicy> csp;
411 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
412 csp = win->GetCsp();
413 }
414
415 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
416 if (!csp) {
417 if (!StaticPrefs::extensions_content_script_csp_enabled()) {
418 return true;
419 }
420 // Get the CSP for addon sandboxes. If the principal is expanded and has a
421 // csp, we're probably in luck.
422 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
423 // ContentScriptAddonPolicy means it is also an expanded principal, thus
424 // this is in a sandbox used as a content script.
425 if (basePrin->ContentScriptAddonPolicy()) {
426 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
427 }
428 // don't do anything unless there's a CSP
429 if (!csp) {
430 return true;
431 }
432 }
433
434 nsCOMPtr<nsICSPEventListener> cspEventListener;
435 if (!NS_IsMainThread()) {
436 WorkerPrivate* workerPrivate =
437 mozilla::dom::GetWorkerPrivateFromContext(cx);
438 if (workerPrivate) {
439 cspEventListener = workerPrivate->CSPEventListener();
440 }
441 }
442
443 bool evalOK = true;
444 bool reportViolation = false;
445 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
446
447 // A little convoluted. We want the scriptSample for a) reporting a violation
448 // or b) passing it to AssertEvalNotUsingSystemPrincipal or c) we're in the
449 // parent process. So do the work to get it if either of those cases is true.
450 nsAutoJSString scriptSample;
451 if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
452 XRE_IsE10sParentProcess()) {
453 if (NS_WARN_IF(!scriptSample.init(cx, aCode))) {
454 JS_ClearPendingException(cx);
455 return false;
456 }
457 }
458
459 #if !defined(ANDROID)
460 if (!nsContentSecurityUtils::IsEvalAllowed(
461 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
462 return false;
463 }
464 #endif
465
466 if (NS_FAILED(rv)) {
467 NS_WARNING("CSP: failed to get allowsEval");
468 return true; // fail open to not break sites.
469 }
470
471 if (reportViolation) {
472 JS::AutoFilename scriptFilename;
473 nsAutoString fileName;
474 unsigned lineNum = 0;
475 unsigned columnNum = 0;
476 if (JS::DescribeScriptedCaller(cx, &scriptFilename, &lineNum, &columnNum)) {
477 if (const char* file = scriptFilename.get()) {
478 CopyUTF8toUTF16(nsDependentCString(file), fileName);
479 }
480 } else {
481 MOZ_ASSERT(!JS_IsExceptionPending(cx));
482 }
483 csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
484 nullptr, // triggering element
485 cspEventListener, fileName, scriptSample, lineNum,
486 columnNum, u""_ns, u""_ns);
487 }
488
489 return evalOK;
490 }
491
492 // static
493 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
494 JSPrincipals* second) {
495 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
496 }
497
498 NS_IMETHODIMP
499 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
500 nsIURI* aTargetURI,
501 bool reportError,
502 bool aFromPrivateWindow) {
503 // Please note that aFromPrivateWindow is only 100% accurate if
504 // reportError is true.
505 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
506 if (reportError) {
507 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
508 aFromPrivateWindow);
509 }
510 return NS_ERROR_DOM_BAD_URI;
511 }
512 return NS_OK;
513 }
514
515 NS_IMETHODIMP
516 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
517 // Get principal of currently executing script.
518 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
519 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
520 nsresult rv = CheckLoadURIWithPrincipal(
521 // Passing 0 for the window ID here is OK, because we will report a
522 // script-visible exception anyway.
523 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
524 if (NS_SUCCEEDED(rv)) {
525 // OK to load
526 return NS_OK;
527 }
528
529 // Report error.
530 nsAutoCString spec;
531 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
532 nsAutoCString msg("Access to '");
533 msg.Append(spec);
534 msg.AppendLiteral("' from script denied");
535 SetPendingExceptionASCII(cx, msg.get());
536 return NS_ERROR_DOM_BAD_URI;
537 }
538
539 /**
540 * Helper method to handle cases where a flag passed to
541 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
542 * nsIProtocolHandler flags set.
543 * @return if success, access is allowed. Otherwise, deny access
544 */
545 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
546 MOZ_ASSERT(aURI, "Must have URI!");
547
548 bool uriHasFlags;
549 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
550 NS_ENSURE_SUCCESS(rv, rv);
551
552 if (uriHasFlags) {
553 return NS_ERROR_DOM_BAD_URI;
554 }
555
556 return NS_OK;
557 }
558
559 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
560 nsresult rv;
561 nsCOMPtr<nsIURI> probe = aProbeArg;
562
563 nsCOMPtr<nsIEffectiveTLDService> tldService =
564 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
565 NS_ENSURE_TRUE(tldService, false);
566 while (true) {
567 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
568 return true;
569 }
570
571 nsAutoCString host, newHost;
572 rv = probe->GetHost(host);
573 NS_ENSURE_SUCCESS(rv, false);
574
575 rv = tldService->GetNextSubDomain(host, newHost);
576 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
577 return false;
578 }
579 NS_ENSURE_SUCCESS(rv, false);
580 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
581 NS_ENSURE_SUCCESS(rv, false);
582 }
583 }
584
585 NS_IMETHODIMP
586 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
587 nsIURI* aTargetURI,
588 uint32_t aFlags,
589 uint64_t aInnerWindowID) {
590 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
591
592 // If someone passes a flag that we don't understand, we should
593 // fail, because they may need a security check that we don't
594 // provide.
595 NS_ENSURE_FALSE(
596 aFlags &
597 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
598 nsIScriptSecurityManager::ALLOW_CHROME |
599 nsIScriptSecurityManager::DISALLOW_SCRIPT |
600 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
601 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
602 NS_ERROR_UNEXPECTED);
603 NS_ENSURE_ARG_POINTER(aPrincipal);
604 NS_ENSURE_ARG_POINTER(aTargetURI);
605
606 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
607 // would do such inheriting. That would be URIs that do not have their own
608 // security context. We do this even for the system principal.
609 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
610 nsresult rv = DenyAccessIfURIHasFlags(
611 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
612 NS_ENSURE_SUCCESS(rv, rv);
613 }
614
615 if (aPrincipal == mSystemPrincipal) {
616 // Allow access
617 return NS_OK;
618 }
619
620 nsCOMPtr<nsIURI> sourceURI;
621 auto* basePrin = BasePrincipal::Cast(aPrincipal);
622 basePrin->GetURI(getter_AddRefs(sourceURI));
623 if (!sourceURI) {
624 if (basePrin->Is<ExpandedPrincipal>()) {
625 auto expanded = basePrin->As<ExpandedPrincipal>();
626 for (auto& prin : expanded->AllowList()) {
627 nsresult rv =
628 CheckLoadURIWithPrincipal(prin, aTargetURI, aFlags, aInnerWindowID);
629 if (NS_SUCCEEDED(rv)) {
630 // Allow access if it succeeded with one of the allowlisted principals
631 return NS_OK;
632 }
633 }
634 // None of our allowlisted principals worked.
635 return NS_ERROR_DOM_BAD_URI;
636 }
637 NS_ERROR(
638 "Non-system principals or expanded principal passed to "
639 "CheckLoadURIWithPrincipal "
640 "must have a URI!");
641 return NS_ERROR_UNEXPECTED;
642 }
643
644 // Automatic loads are not allowed from certain protocols.
645 if (aFlags &
646 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
647 nsresult rv = DenyAccessIfURIHasFlags(
648 sourceURI,
649 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
650 NS_ENSURE_SUCCESS(rv, rv);
651 }
652
653 // If either URI is a nested URI, get the base URI
654 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
655 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
656
657 //-- get the target scheme
658 nsAutoCString targetScheme;
659 nsresult rv = targetBaseURI->GetScheme(targetScheme);
660 if (NS_FAILED(rv)) return rv;
661
662 //-- Some callers do not allow loading javascript:
663 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
664 targetScheme.EqualsLiteral("javascript")) {
665 return NS_ERROR_DOM_BAD_URI;
666 }
667
668 // Check for uris that are only loadable by principals that subsume them
669 bool targetURIIsLoadableBySubsumers = false;
670 rv = NS_URIChainHasFlags(targetBaseURI,
671 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
672 &targetURIIsLoadableBySubsumers);
673 NS_ENSURE_SUCCESS(rv, rv);
674
675 if (targetURIIsLoadableBySubsumers) {
676 // check nothing else in the URI chain has flags that prevent
677 // access:
678 rv = CheckLoadURIFlags(
679 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
680 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
681 aInnerWindowID);
682 NS_ENSURE_SUCCESS(rv, rv);
683 // Check the principal is allowed to load the target.
684 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
685 return aPrincipal->CheckMayLoad(targetBaseURI, false);
686 }
687 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
688 aInnerWindowID);
689 }
690
691 //-- get the source scheme
692 nsAutoCString sourceScheme;
693 rv = sourceBaseURI->GetScheme(sourceScheme);
694 if (NS_FAILED(rv)) return rv;
695
696 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
697 // A null principal can target its own URI.
698 if (sourceURI == aTargetURI) {
699 return NS_OK;
700 }
701 } else if (sourceScheme.EqualsIgnoreCase("file") &&
702 targetScheme.EqualsIgnoreCase("moz-icon")) {
703 // exception for file: linking to moz-icon://.ext?size=...
704 // Note that because targetScheme is the base (innermost) URI scheme,
705 // this does NOT allow file -> moz-icon:file:///... links.
706 // This is intentional.
707 return NS_OK;
708 }
709
710 // Check for webextension
711 bool targetURIIsLoadableByExtensions = false;
712 rv = NS_URIChainHasFlags(aTargetURI,
713 nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS,
714 &targetURIIsLoadableByExtensions);
715 NS_ENSURE_SUCCESS(rv, rv);
716
717 if (targetURIIsLoadableByExtensions &&
718 BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
719 return NS_OK;
720 }
721
722 // If we get here, check all the schemes can link to each other, from the top
723 // down:
724 nsCOMPtr<nsIURI> currentURI = sourceURI;
725 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
726
727 bool denySameSchemeLinks = false;
728 rv = NS_URIChainHasFlags(aTargetURI,
729 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
730 &denySameSchemeLinks);
731 if (NS_FAILED(rv)) return rv;
732
733 while (currentURI && currentOtherURI) {
734 nsAutoCString scheme, otherScheme;
735 currentURI->GetScheme(scheme);
736 currentOtherURI->GetScheme(otherScheme);
737
738 bool schemesMatch =
739 scheme.Equals(otherScheme, nsCaseInsensitiveCStringComparator);
740 bool isSamePage = false;
741 // about: URIs are special snowflakes.
742 if (scheme.EqualsLiteral("about") && schemesMatch) {
743 nsAutoCString moduleName, otherModuleName;
744 // about: pages can always link to themselves:
745 isSamePage =
746 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
747 NS_SUCCEEDED(
748 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
749 moduleName.Equals(otherModuleName);
750 if (!isSamePage) {
751 // We will have allowed the load earlier if the source page has
752 // system principal. So we know the source has a content
753 // principal, and it's trying to link to something else.
754 // Linkable about: pages are always reachable, even if we hit
755 // the CheckLoadURIFlags call below.
756 // We punch only 1 other hole: iff the source is unlinkable,
757 // we let them link to other pages explicitly marked SAFE
758 // for content. This avoids world-linkable about: pages linking
759 // to non-world-linkable about: pages.
760 nsCOMPtr<nsIAboutModule> module, otherModule;
761 bool knowBothModules =
762 NS_SUCCEEDED(
763 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
764 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
765 getter_AddRefs(otherModule)));
766 uint32_t aboutModuleFlags = 0;
767 uint32_t otherAboutModuleFlags = 0;
768 knowBothModules =
769 knowBothModules &&
770 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
771 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
772 &otherAboutModuleFlags));
773 if (knowBothModules) {
774 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
775 (otherAboutModuleFlags &
776 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
777 if (isSamePage &&
778 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
779 // XXXgijs: this is a hack. The target will be nested
780 // (with innerURI of moz-safe-about:whatever), and
781 // the source isn't, so we won't pass if we finish
782 // the loop. We *should* pass, though, so return here.
783 // This hack can go away when bug 1228118 is fixed.
784 return NS_OK;
785 }
786 }
787 }
788 } else {
789 bool equalExceptRef = false;
790 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
791 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
792 }
793
794 // If schemes are not equal, or they're equal but the target URI
795 // is different from the source URI and doesn't always allow linking
796 // from the same scheme, check if the URI flags of the current target
797 // URI allow the current source URI to link to it.
798 // The policy is specified by the protocol flags on both URIs.
799 if (!schemesMatch || (denySameSchemeLinks && !isSamePage)) {
800 return CheckLoadURIFlags(
801 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
802 aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0,
803 aInnerWindowID);
804 }
805 // Otherwise... check if we can nest another level:
806 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
807 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
808
809 // If schemes match and neither URI is nested further, we're OK.
810 if (!nestedURI && !nestedOtherURI) {
811 return NS_OK;
812 }
813 // If one is nested and the other isn't, something is wrong.
814 if (!nestedURI != !nestedOtherURI) {
815 return NS_ERROR_DOM_BAD_URI;
816 }
817 // Otherwise, both should be nested and we'll go through the loop again.
818 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
819 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
820 }
821
822 // We should never get here. We should always return from inside the loop.
823 return NS_ERROR_DOM_BAD_URI;
824 }
825
826 /**
827 * Helper method to check whether the target URI and its innermost ("base") URI
828 * has protocol flags that should stop it from being loaded by the source URI
829 * (and/or the source URI's innermost ("base") URI), taking into account any
830 * nsIScriptSecurityManager flags originally passed to
831 * CheckLoadURIWithPrincipal and friends.
832 *
833 * @return if success, access is allowed. Otherwise, deny access
834 */
835 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
836 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
837 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
838 uint64_t aInnerWindowID) {
839 // Note that the order of policy checks here is very important!
840 // We start from most restrictive and work our way down.
841 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
842 const char* errorTag = "CheckLoadURIError";
843
844 nsAutoCString targetScheme;
845 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
846 if (NS_FAILED(rv)) return rv;
847
848 // Check for system target URI
849 rv = DenyAccessIfURIHasFlags(aTargetURI,
850 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
851 if (NS_FAILED(rv)) {
852 // Deny access, since the origin principal is not system
853 if (reportErrors) {
854 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
855 aInnerWindowID);
856 }
857 return rv;
858 }
859
860 // Used by ExtensionProtocolHandler to prevent loading extension resources
861 // in private contexts if the extension does not have permission.
862 if (aFromPrivateWindow) {
863 rv = DenyAccessIfURIHasFlags(
864 aTargetURI, nsIProtocolHandler::URI_DISALLOW_IN_PRIVATE_CONTEXT);
865 if (NS_FAILED(rv)) {
866 if (reportErrors) {
867 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
868 aInnerWindowID);
869 }
870 return rv;
871 }
872 }
873
874 // Check for chrome target URI
875 bool targetURIIsUIResource = false;
876 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
877 &targetURIIsUIResource);
878 NS_ENSURE_SUCCESS(rv, rv);
879 if (targetURIIsUIResource) {
880 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
881 // loads (since docshell loads run the loaded content with its origin
882 // principal). We are effectively allowing resource:// and chrome://
883 // URIs to load as long as they are content accessible and as long
884 // they're not loading it as a document.
885 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
886 bool sourceIsUIResource = false;
887 rv = NS_URIChainHasFlags(aSourceBaseURI,
888 nsIProtocolHandler::URI_IS_UI_RESOURCE,
889 &sourceIsUIResource);
890 NS_ENSURE_SUCCESS(rv, rv);
891 if (sourceIsUIResource) {
892 // TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
893 // allows all UI resources to load
894 if (StaticPrefs::
895 security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
896 return NS_OK;
897 }
898 // Special case for moz-icon URIs loaded by a local resources like
899 // e.g. chrome: or resource:
900 if (targetScheme.EqualsLiteral("moz-icon")) {
901 return NS_OK;
902 }
903 }
904
905 if (targetScheme.EqualsLiteral("resource")) {
906 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
907 return NS_OK;
908 }
909
910 nsCOMPtr<nsIProtocolHandler> ph;
911 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
912 NS_ENSURE_SUCCESS(rv, rv);
913 if (!ph) {
914 return NS_ERROR_DOM_BAD_URI;
915 }
916
917 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
918 if (!rph) {
919 return NS_ERROR_DOM_BAD_URI;
920 }
921
922 bool accessAllowed = false;
923 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
924 if (accessAllowed) {
925 return NS_OK;
926 }
927 } else if (targetScheme.EqualsLiteral("chrome")) {
928 // Allow the load only if the chrome package is allowlisted.
929 nsCOMPtr<nsIXULChromeRegistry> reg(
930 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
931 if (reg) {
932 bool accessAllowed = false;
933 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
934 if (accessAllowed) {
935 return NS_OK;
936 }
937 }
938 } else if (targetScheme.EqualsLiteral("moz-page-thumb")) {
939 if (XRE_IsParentProcess()) {
940 return NS_OK;
941 }
942
943 auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
944 if (remoteType == PRIVILEGEDABOUT_REMOTE_TYPE) {
945 return NS_OK;
946 }
947 }
948 }
949
950 if (reportErrors) {
951 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
952 aInnerWindowID);
953 }
954 return NS_ERROR_DOM_BAD_URI;
955 }
956
957 // Check for target URI pointing to a file
958 bool targetURIIsLocalFile = false;
959 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
960 &targetURIIsLocalFile);
961 NS_ENSURE_SUCCESS(rv, rv);
962 if (targetURIIsLocalFile) {
963 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
964 // this array is empty.
965 bool isAllowlisted;
966 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
967 if (isAllowlisted) {
968 return NS_OK;
969 }
970
971 // Allow chrome://
972 if (aSourceBaseURI->SchemeIs("chrome")) {
973 return NS_OK;
974 }
975
976 // Nothing else.
977 if (reportErrors) {
978 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
979 aInnerWindowID);
980 }
981 return NS_ERROR_DOM_BAD_URI;
982 }
983
984 #ifdef DEBUG
985 {
986 // Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
987 // is handled by the caller which is just delegating to us as a helper.
988 bool hasSubsumersFlag = false;
989 NS_URIChainHasFlags(aTargetBaseURI,
990 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
991 &hasSubsumersFlag);
992 bool hasLoadableByAnyone = false;
993 NS_URIChainHasFlags(aTargetBaseURI,
994 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
995 &hasLoadableByAnyone);
996 MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
997 "why do we get here and do not have any of the two flags set?");
998 }
999 #endif
1000
1001 return NS_OK;
1002 }
1003
1004 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1005 const nsACString& aSourceSpec,
1006 const nsACString& aTargetSpec,
1007 bool aFromPrivateWindow,
1008 uint64_t aInnerWindowID) {
1009 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1010 return NS_OK;
1011 }
1012
1013 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1014 if (NS_WARN_IF(!bundle)) {
1015 return NS_OK;
1016 }
1017
1018 // Localize the error message
1019 nsAutoString message;
1020 AutoTArray<nsString, 2> formatStrings;
1021 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1022 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1023 nsresult rv =
1024 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1025 NS_ENSURE_SUCCESS(rv, rv);
1026
1027 nsCOMPtr<nsIConsoleService> console(
1028 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1029 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1030 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1031 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1032
1033 // using category of "SOP" so we can link to MDN
1034 if (aInnerWindowID != 0) {
1035 rv = error->InitWithWindowID(
1036 message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1037 aInnerWindowID, true /* From chrome context */);
1038 } else {
1039 rv = error->Init(message, u""_ns, u""_ns, 0, 0, nsIScriptError::errorFlag,
1040 "SOP", aFromPrivateWindow, true /* From chrome context */);
1041 }
1042 NS_ENSURE_SUCCESS(rv, rv);
1043 console->LogMessage(error);
1044 return NS_OK;
1045 }
1046
1047 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1048 nsIURI* aSource, nsIURI* aTarget,
1049 bool aFromPrivateWindow,
1050 uint64_t aInnerWindowID) {
1051 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1052
1053 // Get the source URL spec
1054 nsAutoCString sourceSpec;
1055 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1056 NS_ENSURE_SUCCESS(rv, rv);
1057
1058 // Get the target URL spec
1059 nsAutoCString targetSpec;
1060 rv = aTarget->GetAsciiSpec(targetSpec);
1061 NS_ENSURE_SUCCESS(rv, rv);
1062
1063 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1064 aInnerWindowID);
1065 }
1066
1067 NS_IMETHODIMP
1068 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1069 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1070 uint32_t aFlags) {
1071 nsresult rv;
1072 nsCOMPtr<nsIURI> target;
1073 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1074 NS_ENSURE_SUCCESS(rv, rv);
1075
1076 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1077 if (rv == NS_ERROR_DOM_BAD_URI) {
1078 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1079 // return values.
1080 return rv;
1081 }
1082 NS_ENSURE_SUCCESS(rv, rv);
1083
1084 // Now start testing fixup -- since aTargetURIStr is a string, not
1085 // an nsIURI, we may well end up fixing it up before loading.
1086 // Note: This needs to stay in sync with the nsIURIFixup api.
1087 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1088 if (!fixup) {
1089 return rv;
1090 }
1091
1092 // URIFixup's keyword and alternate flags can only fixup to http/https, so we
1093 // can skip testing them. This simplifies our life because this code can be
1094 // invoked from the content process where the search service would not be
1095 // available.
1096 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1097 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS};
1098 for (uint32_t i = 0; i < ArrayLength(flags); ++i) {
1099 uint32_t fixupFlags = flags[i];
1100 if (aPrincipal->OriginAttributesRef().mPrivateBrowsingId > 0) {
1101 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1102 }
1103 nsCOMPtr<nsIURIFixupInfo> fixupInfo;
1104 rv = fixup->GetFixupURIInfo(aTargetURIStr, fixupFlags,
1105 getter_AddRefs(fixupInfo));
1106 NS_ENSURE_SUCCESS(rv, rv);
1107 rv = fixupInfo->GetPreferredURI(getter_AddRefs(target));
1108 NS_ENSURE_SUCCESS(rv, rv);
1109
1110 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1111 if (rv == NS_ERROR_DOM_BAD_URI) {
1112 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1113 // return values.
1114 return rv;
1115 }
1116 NS_ENSURE_SUCCESS(rv, rv);
1117 }
1118
1119 return rv;
1120 }
1121
1122 NS_IMETHODIMP
1123 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1124 MOZ_ASSERT(aUri);
1125 MOZ_ASSERT(aResult);
1126
1127 *aResult = false;
1128 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1129 if (EqualOrSubdomain(aUri, uri)) {
1130 *aResult = true;
1131 return NS_OK;
1132 }
1133 }
1134
1135 return NS_OK;
1136 }
1137
1138 ///////////////// Principals ///////////////////////
1139
1140 NS_IMETHODIMP
1141 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1142 NS_ADDREF(*result = mSystemPrincipal);
1143
1144 return NS_OK;
1145 }
1146
1147 NS_IMETHODIMP
1148 nsScriptSecurityManager::CreateContentPrincipal(
1149 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1150 nsIPrincipal** aPrincipal) {
1151 OriginAttributes attrs;
1152 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1153 return NS_ERROR_INVALID_ARG;
1154 }
1155 nsCOMPtr<nsIPrincipal> prin =
1156 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1157 prin.forget(aPrincipal);
1158 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1159 }
1160
1161 NS_IMETHODIMP
1162 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1163 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1164 if (StringBeginsWith(aOrigin, "["_ns)) {
1165 return NS_ERROR_INVALID_ARG;
1166 }
1167
1168 if (StringBeginsWith(aOrigin,
1169 nsLiteralCString(NS_NULLPRINCIPAL_SCHEME ":"))) {
1170 return NS_ERROR_INVALID_ARG;
1171 }
1172
1173 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1174 prin.forget(aPrincipal);
1175 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1176 }
1177
1178 NS_IMETHODIMP
1179 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1180 nsACString& aJSON) {
1181 aJSON.Truncate();
1182 if (!aPrincipal) {
1183 return NS_ERROR_FAILURE;
1184 }
1185
1186 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1187
1188 if (aJSON.IsEmpty()) {
1189 return NS_ERROR_FAILURE;
1190 }
1191
1192 return NS_OK;
1193 }
1194
1195 NS_IMETHODIMP
1196 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1197 nsIPrincipal** aPrincipal) {
1198 if (aJSON.IsEmpty()) {
1199 return NS_ERROR_FAILURE;
1200 }
1201
1202 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1203
1204 if (!principal) {
1205 return NS_ERROR_FAILURE;
1206 }
1207
1208 principal.forget(aPrincipal);
1209 return NS_OK;
1210 }
1211
1212 NS_IMETHODIMP
1213 nsScriptSecurityManager::CreateNullPrincipal(
1214 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1215 nsIPrincipal** aPrincipal) {
1216 OriginAttributes attrs;
1217 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1218 return NS_ERROR_INVALID_ARG;
1219 }
1220 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1221 prin.forget(aPrincipal);
1222 return NS_OK;
1223 }
1224
1225 NS_IMETHODIMP
1226 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1227 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1228 NS_ENSURE_STATE(aLoadContext);
1229 OriginAttributes docShellAttrs;
1230 aLoadContext->GetOriginAttributes(docShellAttrs);
1231
1232 nsCOMPtr<nsIPrincipal> prin =
1233 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1234 prin.forget(aPrincipal);
1235 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1236 }
1237
1238 NS_IMETHODIMP
1239 nsScriptSecurityManager::GetDocShellContentPrincipal(
1240 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1241 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1242 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1243 prin.forget(aPrincipal);
1244 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1245 }
1246
1247 NS_IMETHODIMP
1248 nsScriptSecurityManager::PrincipalWithOA(
1249 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1250 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1251 if (!aPrincipal) {
1252 return NS_OK;
1253 }
1254 if (aPrincipal->GetIsContentPrincipal()) {
1255 OriginAttributes attrs;
1256 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1257 return NS_ERROR_INVALID_ARG;
1258 }
1259 RefPtr<ContentPrincipal> copy = new ContentPrincipal();
1260 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1261 nsresult rv = copy->Init(contentPrincipal, attrs);
1262 NS_ENSURE_SUCCESS(rv, rv);
1263 copy.forget(aReturnPrincipal);
1264 } else {
1265 // We do this for null principals, system principals (both fine)
1266 // ... and expanded principals, where we should probably do something
1267 // cleverer, but I also don't think we care too much.
1268 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1269 prin.forget(aReturnPrincipal);
1270 }
1271
1272 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1273 }
1274
1275 NS_IMETHODIMP
1276 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1277 nsISupports* aObj,
1278 nsIClassInfo* aClassInfo) {
1279 // XXX Special case for Exception ?
1280
1281 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1282 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1283 MOZ_RELEASE_ASSERT(contextRealm);
1284 if (!xpc::AllowContentXBLScope(contextRealm)) {
1285 return NS_OK;
1286 }
1287
1288 if (nsContentUtils::IsCallerChrome()) {
1289 return NS_OK;
1290 }
1291
1292 //-- Access denied, report an error
1293 nsAutoCString originUTF8;
1294 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1295 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1296 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1297 nsAutoCString classInfoNameUTF8;
1298 if (aClassInfo) {
1299 aClassInfo->GetClassDescription(classInfoNameUTF8);
1300 }
1301 if (classInfoNameUTF8.IsEmpty()) {
1302 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1303 }
1304
1305 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1306 if (NS_WARN_IF(!bundle)) {
1307 return NS_OK;
1308 }
1309
1310 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1311 nsresult rv;
1312 nsAutoString errorMsg;
1313 if (originUTF16.IsEmpty()) {
1314 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1315 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1316 errorMsg);
1317 } else {
1318 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1319 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1320 formatStrings, errorMsg);
1321 }
1322 NS_ENSURE_SUCCESS(rv, rv);
1323
1324 SetPendingException(cx, errorMsg.get());
1325 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1326 }
1327
1328 NS_IMETHODIMP
1329 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1330 if (nsContentUtils::IsCallerChrome()) {
1331 return NS_OK;
1332 }
1333
1334 //-- Access denied, report an error
1335 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1336 char cidStr[NSID_LENGTH];
1337 aCID.ToProvidedString(cidStr);
1338 errorMsg.Append(cidStr);
1339 SetPendingExceptionASCII(cx, errorMsg.get());
1340 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1341 }
1342
1343 NS_IMETHODIMP
1344 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1345 if (nsContentUtils::IsCallerChrome()) {
1346 return NS_OK;
1347 }
1348
1349 //-- Access denied, report an error
1350 nsAutoCString errorMsg("Permission denied to get service. CID=");
1351 char cidStr[NSID_LENGTH];
1352 aCID.ToProvidedString(cidStr);
1353 errorMsg.Append(cidStr);
1354 SetPendingExceptionASCII(cx, errorMsg.get());
1355 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1356 }
1357
1358 const char sJSEnabledPrefName[] = "javascript.enabled";
1359 const char sFileOriginPolicyPrefName[] =
1360 "security.fileuri.strict_origin_policy";
1361
1362 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1363 sFileOriginPolicyPrefName,
1364 "capability.policy.", nullptr};
1365
1366 /////////////////////////////////////////////
1367 // Constructor, Destructor, Initialization //
1368 /////////////////////////////////////////////
1369 nsScriptSecurityManager::nsScriptSecurityManager(void)
1370 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1371 static_assert(
1372 sizeof(intptr_t) == sizeof(void*),
1373 "intptr_t and void* have different lengths on this platform. "
1374 "This may cause a security failure with the SecurityLevel union.");
1375 }
1376
1377 nsresult nsScriptSecurityManager::Init() {
1378 nsresult rv = CallGetService(NS_IOSERVICE_CONTRACTID, &sIOService);
1379 NS_ENSURE_SUCCESS(rv, rv);
1380
1381 InitPrefs();
1382
1383 // Create our system principal singleton
1384 RefPtr<SystemPrincipal> system = SystemPrincipal::Create();
1385
1386 mSystemPrincipal = system;
1387
1388 return NS_OK;
1389 }
1390
1391 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1392 //-- Register security check callback in the JS engine
1393 // Currently this is used to control access to function.caller
1394
1395 static const JSSecurityCallbacks securityCallbacks = {
1396 ContentSecurityPolicyPermitsJSAction,
1397 JSPrincipalsSubsume,
1398 };
1399
1400 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1401 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1402 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1403
1404 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1405 }
1406
1407 /* static */
1408 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1409 JS_SetSecurityCallbacks(aCx, nullptr);
1410 JS_SetTrustedPrincipals(aCx, nullptr);
1411 }
1412
1413 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1414
1415 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1416 Preferences::UnregisterPrefixCallbacks(
1417 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1418 if (mDomainPolicy) {
1419 mDomainPolicy->Deactivate();
1420 }
1421 // ContentChild might hold a reference to the domain policy,
1422 // and it might release it only after the security manager is
1423 // gone. But we can still assert this for the main process.
1424 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1425 }
1426
1427 void nsScriptSecurityManager::Shutdown() {
1428 NS_IF_RELEASE(sIOService);
1429 BundleHelper::Shutdown();
1430 }
1431
1432 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1433 return gScriptSecMan;
1434 }
1435
1436 /* static */
1437 void nsScriptSecurityManager::InitStatics() {
1438 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1439 nsresult rv = ssManager->Init();
1440 if (NS_FAILED(rv)) {
1441 MOZ_CRASH("ssManager->Init() failed");
1442 }
1443
1444 ClearOnShutdown(&gScriptSecMan);
1445 gScriptSecMan = ssManager;
1446 }
1447
1448 // Currently this nsGenericFactory constructor is used only from FastLoad
1449 // (XPCOM object deserialization) code, when "creating" the system principal
1450 // singleton.
1451 already_AddRefed<SystemPrincipal>
1452 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1453 if (gScriptSecMan)
1454 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1455 .downcast<SystemPrincipal>();
1456 return nullptr;
1457 }
1458
1459 struct IsWhitespace {
1460 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1461 };
1462 struct IsWhitespaceOrComma {
1463 static bool Test(char aChar) {
1464 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1465 };
1466 };
1467
1468 template <typename Predicate>
1469 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1470 while (base < str.Length() && Predicate::Test(str[base])) {
1471 ++base;
1472 }
1473 return base;
1474 }
1475
1476 template <typename Predicate>
1477 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1478 while (base < str.Length() && !Predicate::Test(str[base])) {
1479 ++base;
1480 }
1481 return base;
1482 }
1483
1484 // static
1485 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1486 void* aSelf) {
1487 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1488 aPref);
1489 }
1490
1491 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1492 const char* aPref) {
1493 MOZ_ASSERT(mPrefInitialized);
1494 mIsJavaScriptEnabled =
1495 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1496 sStrictFileOriginPolicy =
1497 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1498 mFileURIAllowlist.reset();
1499 }
1500
1501 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1502 const nsCString& aSiteList) {
1503 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1504 base < aSiteList.Length();
1505 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1506 // Grab the current site.
1507 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1508 nsAutoCString site(Substring(aSiteList, base, bound - base));
1509
1510 // Check if the URI is schemeless. If so, add both http and https.
1511 nsAutoCString unused;
1512 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1513 AddSitesToFileURIAllowlist("http://"_ns + site);
1514 AddSitesToFileURIAllowlist("https://"_ns + site);
1515 continue;
1516 }
1517
1518 // Convert it to a URI and add it to our list.
1519 nsCOMPtr<nsIURI> uri;
1520 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1521 if (NS_SUCCEEDED(rv)) {
1522 mFileURIAllowlist.ref().AppendElement(uri);
1523 } else {
1524 nsCOMPtr<nsIConsoleService> console(
1525 do_GetService("@mozilla.org/consoleservice;1"));
1526 if (console) {
1527 nsAutoString msg =
1528 u"Unable to to add site to file:// URI allowlist: "_ns +
1529 NS_ConvertASCIItoUTF16(site);
1530 console->LogStringMessage(msg.get());
1531 }
1532 }
1533 }
1534 }
1535
1536 nsresult nsScriptSecurityManager::InitPrefs() {
1537 nsIPrefBranch* branch = Preferences::GetRootBranch();
1538 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1539
1540 mPrefInitialized = true;
1541
1542 // Set the initial value of the "javascript.enabled" prefs
1543 ScriptSecurityPrefChanged();
1544
1545 // set observer callbacks in case the value of the prefs change
1546 Preferences::RegisterPrefixCallbacks(
1547 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1548
1549 return NS_OK;
1550 }
1551
1552 NS_IMETHODIMP
1553 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1554 *aRv = !!mDomainPolicy;
1555 return NS_OK;
1556 }
1557
1558 NS_IMETHODIMP
1559 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1560 if (!XRE_IsParentProcess()) {
1561 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1562 }
1563
1564 return ActivateDomainPolicyInternal(aRv);
1565 }
1566
1567 NS_IMETHODIMP
1568 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1569 // We only allow one domain policy at a time. The holder of the previous
1570 // policy must explicitly deactivate it first.
1571 if (mDomainPolicy) {
1572 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1573 }
1574
1575 mDomainPolicy = new DomainPolicy();
1576 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1577 ptr.forget(aRv);
1578 return NS_OK;
1579 }
1580
1581 // Intentionally non-scriptable. Script must have a reference to the
1582 // nsIDomainPolicy to deactivate it.
1583 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1584 mDomainPolicy = nullptr;
1585 }
1586
1587 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1588 MOZ_ASSERT(aClone);
1589 if (mDomainPolicy) {
1590 mDomainPolicy->CloneDomainPolicy(aClone);
1591 } else {
1592 aClone->active() = false;
1593 }
1594 }
1595
1596 NS_IMETHODIMP
1597 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1598 nsresult rv;
1599
1600 // Compute our rule. If we don't have any domain policy set up that might
1601 // provide exceptions to this rule, we're done.
1602 *aRv = mIsJavaScriptEnabled;
1603 if (!mDomainPolicy) {
1604 return NS_OK;
1605 }
1606
1607 // We have a domain policy. Grab the appropriate set of exceptions to the
1608 // rule (either the blocklist or the allowlist, depending on whether script
1609 // is enabled or disabled by default).
1610 nsCOMPtr<nsIDomainSet> exceptions;
1611 nsCOMPtr<nsIDomainSet> superExceptions;
1612 if (*aRv) {
1613 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1614 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1615 } else {
1616 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1617 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1618 }
1619
1620 bool contains;
1621 rv = exceptions->Contains(aURI, &contains);
1622 NS_ENSURE_SUCCESS(rv, rv);
1623 if (contains) {
1624 *aRv = !*aRv;
1625 return NS_OK;
1626 }
1627 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1628 NS_ENSURE_SUCCESS(rv, rv);
1629 if (contains) {
1630 *aRv = !*aRv;
1631 }
1632
1633 return NS_OK;
1634 }
1635
1636 const nsTArray<nsCOMPtr<nsIURI>>&
1637 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1638 if (mFileURIAllowlist.isSome()) {
1639 return mFileURIAllowlist.ref();
1640 }
1641
1642 //
1643 // Rebuild the set of principals for which we allow file:// URI loads. This
1644 // implements a small subset of an old pref-based CAPS people that people
1645 // have come to depend on. See bug 995943.
1646 //
1647
1648 mFileURIAllowlist.emplace();
1649 nsAutoCString policies;
1650 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1651 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1652 base < policies.Length();
1653 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1654 // Grab the current policy name.
1655 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1656 auto policyName = Substring(policies, base, bound - base);
1657
1658 // Figure out if this policy allows loading file:// URIs. If not, we can
1659 // skip it.
1660 nsCString checkLoadURIPrefName =
1661 "capability.policy."_ns + policyName + ".checkloaduri.enabled"_ns;
1662 nsAutoString value;
1663 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1664 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1665 continue;
1666 }
1667
1668 // Grab the list of domains associated with this policy.
1669 nsCString domainPrefName =
1670 "capability.policy."_ns + policyName + ".sites"_ns;
1671 nsAutoCString siteList;
1672 Preferences::GetCString(domainPrefName.get(), siteList);
1673 AddSitesToFileURIAllowlist(siteList);
1674 }
1675
1676 return mFileURIAllowlist.ref();
1677 }