netwerk/cookie/CookieJarSettings.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef mozilla_net_CookieJarSettings_h
   8 #define mozilla_net_CookieJarSettings_h
   9
  10 #include "mozilla/Maybe.h"
  11
  12 #include "nsICookieJarSettings.h"
  13 #include "nsTArray.h"
  14
  15 #define COOKIEJARSETTINGS_CONTRACTID "@mozilla.org/cookieJarSettings;1"
  16 // 4ce234f1-52e8-47a9-8c8d-b02f815733c7
  17 #define COOKIEJARSETTINGS_CID                        \
  18   {                                                  \
  19     0x4ce234f1, 0x52e8, 0x47a9, {                    \
  20       0x8c, 0x8d, 0xb0, 0x2f, 0x81, 0x57, 0x33, 0xc7 \
  21     }                                                \
  22   }
  23
  24 class nsIPermission;
  25
  26 namespace mozilla {
  27 namespace net {
  28
  29 class CookieJarSettingsArgs;
  30
  31 /**
  32  * CookieJarSettings
  33  * ~~~~~~~~~~~~~~
  34  *
  35  * CookieJarSettings is a snapshot of the cookie jar's configurations in a
  36  * precise moment of time, such as the cookie policy and cookie permissions.
  37  * This object is used by top-level documents to have a consistent cookie jar
  38  * configuration also in case the user changes it. New configurations will apply
  39  * only to new top-level documents.
  40  *
  41  * CookieJarSettings creation
  42  * ~~~~~~~~~~~~~~~~~~~~~~~
  43  *
  44  * CookieJarSettings is created when the top-level document's nsIChannel's
  45  * nsILoadInfo is constructed. Any sub-resource and any sub-document inherits it
  46  * from that nsILoadInfo. Also dedicated workers and their resources inherit it
  47  * from the parent document.
  48  *
  49  * SharedWorkers and ServiceWorkers have their own CookieJarSettings because
  50  * they don't have a single parent document (SharedWorkers could have more than
  51  * one, ServiceWorkers have none).
  52  *
  53  * In Chrome code, we have a new CookieJarSettings when we download resources
  54  * via 'Save-as...' and we also have a new CookieJarSettings for favicon
  55  * downloading.
  56  *
  57  * Content-scripts WebExtensions also have their own CookieJarSettings because
  58  * they don't have a direct access to the document they are running into.
  59  *
  60  * Anything else will have a special CookieJarSettings which blocks everything
  61  * (CookieJarSettings::GetBlockingAll()) by forcing BEHAVIOR_REJECT as policy.
  62  * When this happens, that context will not have access to the cookie jar and no
  63  * cookies are sent or received.
  64  *
  65  * Propagation of CookieJarSettings
  66  * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  67  *
  68  * CookieJarSettings are shared inside the same top-level document via its
  69  * nsIChannel's nsILoadInfo.  This is done automatically if you pass a nsINode
  70  * to NS_NewChannel(), and it must be done manually if you use a different
  71  * channel constructor. For instance, this happens for any worker networking
  72  * operation.
  73  *
  74  * We use the same CookieJarSettings for any resource belonging to the top-level
  75  * document even if cross-origin. This makes the browser behave consistently a
  76  * scenario where A loads B which loads A again, and cookie policy/permission
  77  * changes in the meantime.
  78  *
  79  * Cookie Permissions propagation
  80  * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  81  *
  82  * CookieJarSettings populates the known cookie permissions only when required.
  83  * Initially the list is empty, but when CookieJarSettings::CookiePermission()
  84  * is called, the requested permission is stored in the internal list if it
  85  * doesn't exist yet.
  86  *
  87  * This is actually nice because it relies on the permission propagation from
  88  * parent to content process. No extra IPC is required.
  89  *
  90  * Note that we store permissions with UNKNOWN_ACTION values too because they
  91  * can be set after the loading of the top-level document and we don't want to
  92  * return a different value when this happens.
  93  *
  94  * Use of CookieJarSettings
  95  * ~~~~~~~~~~~~~~~~~~~~~
  96  *
  97  * In theory, there should not be direct access to cookie permissions or
  98  * cookieBehavior pref. Everything should pass through CookieJarSettings.
  99  *
 100  * A reference to CookieJarSettings can be obtained from
 101  * nsILoadInfo::GetCookieJarSettings(), from Document::CookieJarSettings() and
 102  * from the WorkerPrivate::CookieJarSettings().
 103  *
 104  * CookieJarSettings is thread-safe, but the permission list must be touched
 105  * only on the main-thread.
 106  *
 107  * Testing
 108  * ~~~~~~~
 109  *
 110  * If you need to test the changing of cookie policy or a cookie permission, you
 111  * need to workaround CookieJarSettings. This can be done opening a new window
 112  * and running the test into that new global.
 113  */
 114
 115 /**
 116  * Class that provides an nsICookieJarSettings implementation.
 117  */
 118 class CookieJarSettings final : public nsICookieJarSettings {
 119  public:
 120   typedef nsTArray<RefPtr<nsIPermission>> CookiePermissionList;
 121
 122   NS_DECL_THREADSAFE_ISUPPORTS
 123   NS_DECL_NSICOOKIEJARSETTINGS
 124   NS_DECL_NSISERIALIZABLE
 125
 126   static already_AddRefed<nsICookieJarSettings> GetBlockingAll(
 127       bool aShouldResistFingerprinting);
 128
 129   enum CreateMode { eRegular, ePrivate };
 130
 131   static already_AddRefed<nsICookieJarSettings> Create(
 132       CreateMode aMode, bool aShouldResistFingerprinting);
 133
 134   static already_AddRefed<nsICookieJarSettings> Create(
 135       nsIPrincipal* aPrincipal);
 136
 137   // This function should be only called for XPCOM. You should never use this
 138   // for other purposes.
 139   static already_AddRefed<nsICookieJarSettings> CreateForXPCOM();
 140
 141   static already_AddRefed<nsICookieJarSettings> Create(
 142       uint32_t aCookieBehavior, const nsAString& aPartitionKey,
 143       bool aIsFirstPartyIsolated, bool aIsOnContentBlockingAllowList,
 144       bool aShouldResistFingerprinting);
 145
 146   static CookieJarSettings* Cast(nsICookieJarSettings* aCS) {
 147     return static_cast<CookieJarSettings*>(aCS);
 148   }
 149
 150   void Serialize(CookieJarSettingsArgs& aData);
 151
 152   static void Deserialize(const CookieJarSettingsArgs& aData,
 153                           nsICookieJarSettings** aCookieJarSettings);
 154
 155   void Merge(const CookieJarSettingsArgs& aData);
 156
 157   // We don't want to send this object from parent to child process if there are
 158   // no reasons. HasBeenChanged() returns true if the object has changed its
 159   // internal state and it must be sent beck to the content process.
 160   bool HasBeenChanged() const { return mToBeMerged; }
 161
 162   void UpdateIsOnContentBlockingAllowList(nsIChannel* aChannel);
 163
 164   void SetPartitionKey(nsIURI* aURI, bool aForeignByAncestorContext);
 165   void SetPartitionKey(const nsAString& aPartitionKey) {
 166     mPartitionKey = aPartitionKey;
 167   }
 168   const nsAString& GetPartitionKey() { return mPartitionKey; };
 169
 170   void UpdatePartitionKeyForDocumentLoadedByChannel(nsIChannel* aChannel);
 171
 172   void SetFingerprintingRandomizationKey(const nsTArray<uint8_t>& aKey) {
 173     mFingerprintingRandomKey.reset();
 174
 175     mFingerprintingRandomKey.emplace(aKey.Clone());
 176   }
 177
 178   // Utility function to test if the passed cookiebahvior is
 179   // BEHAVIOR_REJECT_TRACKER, BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN or
 180   // BEHAVIOR_REJECT_FOREIGN when
 181   // network.cookie.rejectForeignWithExceptions.enabled pref is set to true.
 182   static bool IsRejectThirdPartyContexts(uint32_t aCookieBehavior);
 183
 184   void SetTopLevelWindowContextId(uint64_t aId) {
 185     mTopLevelWindowContextId = aId;
 186   }
 187   uint64_t GetTopLevelWindowContextId() { return mTopLevelWindowContextId; }
 188
 189  private:
 190   enum State {
 191     // No cookie permissions are allowed to be stored in this object.
 192     eFixed,
 193
 194     // Cookie permissions can be stored in case they are unknown when they are
 195     // asked or when they are sent from the parent process.
 196     eProgressive,
 197   };
 198
 199   CookieJarSettings(uint32_t aCookieBehavior, bool aIsFirstPartyIsolated,
 200                     bool aShouldResistFingerprinting, State aState);
 201   ~CookieJarSettings();
 202
 203   uint32_t mCookieBehavior;
 204   bool mIsFirstPartyIsolated;
 205   CookiePermissionList mCookiePermissions;
 206   bool mIsOnContentBlockingAllowList;
 207   bool mIsOnContentBlockingAllowListUpdated;
 208   nsString mPartitionKey;
 209
 210   State mState;
 211
 212   bool mToBeMerged;
 213
 214   // DO NOT USE THIS MEMBER TO CHECK IF YOU SHOULD RESIST FINGERPRINTING.
 215   // USE THE nsContentUtils::ShouldResistFingerprinting() METHODS ONLY.
 216   //
 217   // As we move to fine-grained RFP control, we want to support per-domain
 218   // exemptions from ResistFingerprinting. Specifically the behavior should be
 219   // as such:
 220   //
 221   // Top-Level Document is on an Exempted Domain
 222   //    - RFP is disabled.
 223   //
 224   // Top-Level Document on an Exempted Domain embedding a non-exempted
 225   // cross-origin iframe
 226   //    - RFP in the iframe is enabled (NOT exempted). (**)
 227   //
 228   // Top-Level Document on an Exempted Domain embedding an exempted cross-origin
 229   // iframe
 230   //    - RFP in the iframe is disabled (exempted).
 231   //
 232   // Top-Level Document on a Non-Exempted Domain
 233   //    - RFP is enabled (NOT exempted).
 234   //
 235   // Top-Level Document on a Non-Exempted Domain embeds an exempted cross-origin
 236   // iframe
 237   //    - RFP in the iframe is enabled (NOT exempted). (*)
 238   //
 239   // Exempted Document (top-level or iframe) contacts any cross-origin domain
 240   //   (exempted or non-exempted)
 241   //    - RFP is disabled (exempted) for the request
 242   //
 243   // Non-Exempted Document (top-level or iframe) contacts any cross-origin
 244   // domain
 245   //   (exempted or non-exempted)
 246   //    - RFP is enabled (NOT exempted) for the request
 247   //
 248   // This boolean on CookieJarSettings will enable us to apply the most
 249   //   difficult rule, marked in (*). (It is difficult because the
 250   //   subdocument's loadinfo will look like it should be exempted.)
 251   // However if we trusted this member blindly, it would not correctly apply
 252   //   the one marked with (**). (Because it would inherit an exemption into
 253   //   a subdocument that should not be exempted.)
 254   // To handle this case, we only trust a CookieJar's ShouldRFP value if it
 255   //   says we should resist fingerprinting. If it says that we  _should not_,
 256   //   we continue and check the channel's URI or LoadInfo and if
 257   //   the domain specified there is not an exempted domain, enforce RFP anyway.
 258   //   This all occurrs in the nscontentUtils::ShouldResistFingerprinting
 259   //   functions which you should be using.
 260   bool mShouldResistFingerprinting;
 261
 262   // The key used to generate the random noise for randomizing the browser
 263   // fingerprint. The key is decided by the session key and the top-level site.
 264   // So, the browse fingerprint will look different to the same tracker
 265   // under different top-level sites. Also, the fingerprint will change as
 266   // browsing session changes. This can prevent trackers to identify individuals
 267   // by using browser fingerprints.
 268   Maybe<nsTArray<uint8_t>> mFingerprintingRandomKey;
 269
 270   // This field caches the top level window context id when loading the top
 271   // level document.
 272   uint64_t mTopLevelWindowContextId;
 273 };
 274
 275 }  // namespace net
 276 }  // namespace mozilla
 277
 278 #endif  // mozilla_net_CookieJarSettings_h