1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 * Content policy implementation that prevents all loads of images,
9 * subframes, etc from documents loaded as data (eg documents loaded
10 * via XMLHttpRequest).
13 #include "nsContentPolicyUtils.h"
14 #include "nsContentUtils.h"
15 #include "nsDataDocumentContentPolicy.h"
16 #include "nsNetUtil.h"
17 #include "nsIProtocolHandler.h"
18 #include "nsScriptSecurityManager.h"
19 #include "mozilla/dom/Document.h"
20 #include "mozilla/ScopeExit.h"
24 using namespace mozilla
;
26 NS_IMPL_ISUPPORTS(nsDataDocumentContentPolicy
, nsIContentPolicy
)
28 // Helper method for ShouldLoad()
29 // Checks a URI for the given flags. Returns true if the URI has the flags,
30 // and false if not (or if we weren't able to tell).
31 static bool HasFlags(nsIURI
* aURI
, uint32_t aURIFlags
) {
33 nsresult rv
= NS_URIChainHasFlags(aURI
, aURIFlags
, &hasFlags
);
34 return NS_SUCCEEDED(rv
) && hasFlags
;
37 // If you change DataDocumentContentPolicy, make sure to check that
38 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
39 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad.
41 nsDataDocumentContentPolicy::ShouldLoad(nsIURI
* aContentLocation
,
42 nsILoadInfo
* aLoadInfo
,
43 const nsACString
& aMimeGuess
,
45 auto setBlockingReason
= mozilla::MakeScopeExit([&]() {
46 if (NS_CP_REJECTED(*aDecision
)) {
47 NS_SetRequestBlockingReason(
48 aLoadInfo
, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_DATA_DOCUMENT
);
52 ExtContentPolicyType contentType
= aLoadInfo
->GetExternalContentPolicyType();
53 nsCOMPtr
<nsISupports
> requestingContext
= aLoadInfo
->GetLoadingContext();
55 *aDecision
= nsIContentPolicy::ACCEPT
;
56 // Look for the document. In most cases, requestingContext is a node.
57 nsCOMPtr
<mozilla::dom::Document
> doc
;
58 nsCOMPtr
<nsINode
> node
= do_QueryInterface(requestingContext
);
60 doc
= node
->OwnerDoc();
62 if (nsCOMPtr
<nsPIDOMWindowOuter
> window
=
63 do_QueryInterface(requestingContext
)) {
64 doc
= window
->GetDoc();
68 // DTDs are always OK to load
69 if (!doc
|| contentType
== ExtContentPolicy::TYPE_DTD
) {
73 if (doc
->IsLoadedAsData()) {
75 if (!doc
->IsStaticDocument()) {
76 // If not a print/print preview doc, then nothing else is allowed for
80 // Let static (print/print preview) documents to load fonts and
82 switch (contentType
) {
83 case ExtContentPolicy::TYPE_IMAGE
:
84 case ExtContentPolicy::TYPE_IMAGESET
:
85 case ExtContentPolicy::TYPE_FONT
:
86 case ExtContentPolicy::TYPE_UA_FONT
:
87 // This one is a bit sketchy, but nsObjectLoadingContent takes care of
88 // only getting here if it is an image.
89 case ExtContentPolicy::TYPE_OBJECT
:
97 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
102 mozilla::dom::Document
* docToCheckForImage
= doc
->GetDisplayDocument();
103 if (!docToCheckForImage
) {
104 docToCheckForImage
= doc
;
107 if (docToCheckForImage
->IsBeingUsedAsImage()) {
108 // We only allow SVG images to load content from URIs that are local and
109 // also satisfy one of the following conditions:
110 // - URI inherits security context, e.g. data URIs
112 // - URI loadable by subsumers, e.g. blob URIs
113 // Any URI that doesn't meet these requirements will be rejected below.
114 if (!(HasFlags(aContentLocation
,
115 nsIProtocolHandler::URI_IS_LOCAL_RESOURCE
) &&
116 (HasFlags(aContentLocation
,
117 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT
) ||
118 HasFlags(aContentLocation
,
119 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS
)))) {
120 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
122 // Report error, if we can.
124 nsIPrincipal
* requestingPrincipal
= node
->NodePrincipal();
125 nsAutoCString sourceSpec
;
126 requestingPrincipal
->GetAsciiSpec(sourceSpec
);
127 nsAutoCString targetSpec
;
128 aContentLocation
->GetAsciiSpec(targetSpec
);
129 nsScriptSecurityManager::ReportError(
130 "ExternalDataError", sourceSpec
, targetSpec
,
131 requestingPrincipal
->OriginAttributesRef().mPrivateBrowsingId
> 0);
133 } else if ((contentType
== ExtContentPolicy::TYPE_IMAGE
||
134 contentType
== ExtContentPolicy::TYPE_IMAGESET
) &&
135 doc
->GetDocumentURI()) {
136 // Check for (& disallow) recursive image-loads
137 bool isRecursiveLoad
;
138 nsresult rv
= aContentLocation
->EqualsExceptRef(doc
->GetDocumentURI(),
140 if (NS_FAILED(rv
) || isRecursiveLoad
) {
141 NS_WARNING("Refusing to recursively load image");
142 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
148 // Allow all loads for non-resource documents
149 if (!doc
->IsResourceDoc()) {
153 // For resource documents, blacklist some load types
154 if (contentType
== ExtContentPolicy::TYPE_OBJECT
||
155 contentType
== ExtContentPolicy::TYPE_DOCUMENT
||
156 contentType
== ExtContentPolicy::TYPE_SUBDOCUMENT
||
157 contentType
== ExtContentPolicy::TYPE_SCRIPT
||
158 contentType
== ExtContentPolicy::TYPE_XSLT
||
159 contentType
== ExtContentPolicy::TYPE_FETCH
||
160 contentType
== ExtContentPolicy::TYPE_WEB_MANIFEST
) {
161 *aDecision
= nsIContentPolicy::REJECT_TYPE
;
164 // If you add more restrictions here, make sure to check that
165 // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
166 // nsContentPolicyUtils may not pass all the parameters to ShouldLoad
172 nsDataDocumentContentPolicy::ShouldProcess(nsIURI
* aContentLocation
,
173 nsILoadInfo
* aLoadInfo
,
174 const nsACString
& aMimeGuess
,
175 int16_t* aDecision
) {
176 return ShouldLoad(aContentLocation
, aLoadInfo
, aMimeGuess
, aDecision
);