toolkit/modules/RemotePageAccessManager.sys.mjs

   1 /* This Source Code Form is subject to the terms of the Mozilla Public
   2  * License, v. 2.0. If a copy of the MPL was not distributed with this
   3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   4
   5 /*
   6  * RemotePageAccessManager determines which RPM functions a given
   7  * about page is allowed to access. It does this based on a map from about
   8  * page URLs to allowed functions for that page/URL.
   9  *
  10  * An RPM function will be exported into the page only if it appears
  11  * in the access managers's accessMap for that page's uri.
  12  *
  13  * This module may be used from both the child and parent process.
  14  *
  15  * Please note that prefs that one wants to update need to be
  16  * explicitly allowed within AsyncPrefs.sys.mjs.
  17  */
  18 export let RemotePageAccessManager = {
  19   /* The accessMap lists the permissions that are allowed per page.
  20    * The structure should be of the following form:
  21    *   <URL> : {
  22    *     <function name>: [<keys>],
  23    *     ...
  24    *   }
  25    * For the page with given URL, permission is allowed for each
  26    * listed function with a matching key. The first argument to the
  27    * function must match one of the keys. If keys is an array with a
  28    * single asterisk element ["*"], then all values are permitted.
  29    */
  30   accessMap: {
  31     "about:certerror": {
  32       RPMSendAsyncMessage: [
  33         "Browser:EnableOnlineMode",
  34         "Browser:ResetSSLPreferences",
  35         "GetChangedCertPrefs",
  36         "Browser:OpenCaptivePortalPage",
  37         "Browser:SSLErrorGoBack",
  38         "Browser:PrimeMitm",
  39         "Browser:ResetEnterpriseRootsPref",
  40         "DisplayOfflineSupportPage",
  41       ],
  42       RPMRecordTelemetryEvent: ["*"],
  43       RPMAddMessageListener: ["*"],
  44       RPMRemoveMessageListener: ["*"],
  45       RPMGetFormatURLPref: ["app.support.baseURL"],
  46       RPMGetBoolPref: [
  47         "security.certerrors.mitm.priming.enabled",
  48         "security.certerrors.permanentOverride",
  49         "security.enterprise_roots.auto-enabled",
  50         "security.certerror.hideAddException",
  51         "network.trr.display_fallback_warning",
  52       ],
  53       RPMGetIntPref: [
  54         "security.dialog_enable_delay",
  55         "services.settings.clock_skew_seconds",
  56         "services.settings.last_update_seconds",
  57       ],
  58       RPMGetAppBuildID: ["*"],
  59       RPMGetInnerMostURI: ["*"],
  60       RPMIsWindowPrivate: ["*"],
  61       RPMAddToHistogram: ["*"],
  62     },
  63     "about:home": {
  64       RPMSendAsyncMessage: ["ActivityStream:ContentToMain"],
  65       RPMAddMessageListener: ["ActivityStream:MainToContent"],
  66     },
  67     "about:httpsonlyerror": {
  68       RPMGetFormatURLPref: ["app.support.baseURL"],
  69       RPMGetIntPref: ["security.dialog_enable_delay"],
  70       RPMSendAsyncMessage: ["goBack", "openInsecure"],
  71       RPMAddMessageListener: ["WWWReachable"],
  72       RPMTryPingSecureWWWLink: ["*"],
  73       RPMOpenSecureWWWLink: ["*"],
  74     },
  75     "about:certificate": {
  76       RPMSendQuery: ["getCertificates"],
  77     },
  78     "about:neterror": {
  79       RPMSendAsyncMessage: [
  80         "Browser:EnableOnlineMode",
  81         "Browser:ResetSSLPreferences",
  82         "GetChangedCertPrefs",
  83         "Browser:OpenCaptivePortalPage",
  84         "Browser:SSLErrorGoBack",
  85         "Browser:PrimeMitm",
  86         "Browser:ResetEnterpriseRootsPref",
  87         "ReportBlockingError",
  88         "DisplayOfflineSupportPage",
  89         "OpenTRRPreferences",
  90       ],
  91       RPMCheckAlternateHostAvailable: ["*"],
  92       RPMRecordTelemetryEvent: [
  93         "security.doh.neterror",
  94         "security.ui.tlserror",
  95       ],
  96       RPMAddMessageListener: ["*"],
  97       RPMRemoveMessageListener: ["*"],
  98       RPMGetFormatURLPref: [
  99         "app.support.baseURL",
 100         "network.trr_ui.skip_reason_learn_more_url",
 101       ],
 102       RPMGetBoolPref: [
 103         "security.certerror.hideAddException",
 104         "security.xfocsp.errorReporting.automatic",
 105         "security.xfocsp.errorReporting.enabled",
 106         "network.trr.display_fallback_warning",
 107       ],
 108       RPMSetPref: [
 109         "security.xfocsp.errorReporting.automatic",
 110         "network.trr.display_fallback_warning",
 111       ],
 112       RPMAddToHistogram: ["*"],
 113       RPMGetInnerMostURI: ["*"],
 114       RPMGetHttpResponseHeader: ["*"],
 115       RPMIsTRROnlyFailure: ["*"],
 116       RPMIsFirefox: ["*"],
 117       RPMIsNativeFallbackFailure: ["*"],
 118       RPMGetTRRSkipReason: ["*"],
 119       RPMGetTRRDomain: ["*"],
 120       RPMIsSiteSpecificTRRError: ["*"],
 121       RPMSetTRRDisabledLoadFlags: ["*"],
 122       RPMSendQuery: ["Browser:AddTRRExcludedDomain"],
 123       RPMGetIntPref: ["network.trr.mode"],
 124     },
 125     "about:newtab": {
 126       RPMSendAsyncMessage: ["ActivityStream:ContentToMain"],
 127       RPMAddMessageListener: ["ActivityStream:MainToContent"],
 128     },
 129     "about:pocket-saved": {
 130       RPMSendAsyncMessage: ["*"],
 131       RPMAddMessageListener: ["*"],
 132       RPMRemoveMessageListener: ["*"],
 133       RPMGetStringPref: ["extensions.pocket.site"],
 134     },
 135     "about:pocket-signup": {
 136       RPMSendAsyncMessage: ["*"],
 137       RPMAddMessageListener: ["*"],
 138       RPMRemoveMessageListener: ["*"],
 139       RPMGetStringPref: ["extensions.pocket.site"],
 140     },
 141     "about:pocket-home": {
 142       RPMSendAsyncMessage: ["*"],
 143       RPMAddMessageListener: ["*"],
 144       RPMRemoveMessageListener: ["*"],
 145       RPMGetStringPref: ["extensions.pocket.site"],
 146     },
 147     "about:pocket-style-guide": {
 148       RPMSendAsyncMessage: ["*"],
 149       RPMAddMessageListener: ["*"],
 150       RPMRemoveMessageListener: ["*"],
 151     },
 152     "about:privatebrowsing": {
 153       RPMSendAsyncMessage: [
 154         "OpenPrivateWindow",
 155         "SearchBannerDismissed",
 156         "OpenSearchPreferences",
 157         "SearchHandoff",
 158       ],
 159       RPMSendQuery: [
 160         "IsPromoBlocked",
 161         "ShouldShowSearchBanner",
 162         "ShouldShowPromo",
 163         "SpecialMessageActionDispatch",
 164       ],
 165       RPMAddMessageListener: ["*"],
 166       RPMRemoveMessageListener: ["*"],
 167       RPMGetFormatURLPref: [
 168         "app.support.baseURL",
 169         "browser.privatebrowsing.vpnpromourl",
 170       ],
 171       RPMIsWindowPrivate: ["*"],
 172       RPMGetBoolPref: ["browser.privatebrowsing.felt-privacy-v1"],
 173     },
 174     "about:protections": {
 175       RPMSendAsyncMessage: [
 176         "OpenContentBlockingPreferences",
 177         "OpenAboutLogins",
 178         "OpenSyncPreferences",
 179         "ClearMonitorCache",
 180         "RecordEntryPoint",
 181       ],
 182       RPMSendQuery: [
 183         "FetchUserLoginsData",
 184         "FetchMonitorData",
 185         "FetchContentBlockingEvents",
 186         "FetchMobileDeviceConnected",
 187         "GetShowProxyCard",
 188         "FetchEntryPoint",
 189         "FetchVPNSubStatus",
 190         "FetchShowVPNCard",
 191       ],
 192       RPMAddMessageListener: ["*"],
 193       RPMRemoveMessageListener: ["*"],
 194       RPMSetPref: [
 195         "browser.contentblocking.report.show_mobile_app",
 196         "browser.contentblocking.report.hide_vpn_banner",
 197       ],
 198       RPMGetBoolPref: [
 199         "browser.contentblocking.report.lockwise.enabled",
 200         "browser.contentblocking.report.monitor.enabled",
 201         "privacy.fingerprintingProtection",
 202         "privacy.socialtracking.block_cookies.enabled",
 203         "browser.contentblocking.report.proxy.enabled",
 204         "privacy.trackingprotection.cryptomining.enabled",
 205         "privacy.trackingprotection.fingerprinting.enabled",
 206         "privacy.trackingprotection.enabled",
 207         "privacy.trackingprotection.socialtracking.enabled",
 208         "browser.contentblocking.report.show_mobile_app",
 209         "browser.contentblocking.report.hide_vpn_banner",
 210         "browser.vpn_promo.enabled",
 211       ],
 212       RPMGetStringPref: [
 213         "browser.contentblocking.category",
 214         "browser.contentblocking.report.monitor.url",
 215         "browser.contentblocking.report.monitor.sign_in_url",
 216         "browser.contentblocking.report.manage_devices.url",
 217         "browser.contentblocking.report.proxy_extension.url",
 218         "browser.contentblocking.report.lockwise.mobile-android.url",
 219         "browser.contentblocking.report.lockwise.mobile-ios.url",
 220         "browser.contentblocking.report.mobile-ios.url",
 221         "browser.contentblocking.report.mobile-android.url",
 222         "browser.contentblocking.report.vpn.url",
 223         "browser.contentblocking.report.vpn-promo.url",
 224         "browser.contentblocking.report.vpn-android.url",
 225         "browser.contentblocking.report.vpn-ios.url",
 226       ],
 227       RPMGetIntPref: ["network.cookie.cookieBehavior"],
 228       RPMGetFormatURLPref: [
 229         "browser.contentblocking.report.monitor.how_it_works.url",
 230         "browser.contentblocking.report.lockwise.how_it_works.url",
 231         "browser.contentblocking.report.monitor.preferences_url",
 232         "browser.contentblocking.report.monitor.home_page_url",
 233         "browser.contentblocking.report.social.url",
 234         "browser.contentblocking.report.cookie.url",
 235         "browser.contentblocking.report.tracker.url",
 236         "browser.contentblocking.report.fingerprinter.url",
 237         "browser.contentblocking.report.cryptominer.url",
 238       ],
 239       RPMRecordTelemetryEvent: ["*"],
 240     },
 241     "about:shoppingsidebar": {
 242       RPMSetPref: [
 243         "browser.shopping.experience2023.optedIn",
 244         "browser.shopping.experience2023.active",
 245         "browser.shopping.experience2023.ads.userEnabled",
 246         "browser.shopping.experience2023.sidebarClosedCount",
 247         "browser.shopping.experience2023.showKeepSidebarClosedMessage",
 248         "browser.shopping.experience2023.autoOpen.userEnabled",
 249       ],
 250       RPMGetFormatURLPref: ["app.support.baseURL"],
 251       RPMGetIntPref: ["browser.shopping.experience2023.sidebarClosedCount"],
 252       RPMGetBoolPref: [
 253         "browser.shopping.experience2023.showKeepSidebarClosedMessage",
 254       ],
 255     },
 256     "about:tabcrashed": {
 257       RPMSendAsyncMessage: ["Load", "closeTab", "restoreTab", "restoreAll"],
 258       RPMAddMessageListener: ["*"],
 259       RPMRemoveMessageListener: ["*"],
 260     },
 261     "about:welcome": {
 262       RPMSendAsyncMessage: ["ActivityStream:ContentToMain"],
 263       RPMAddMessageListener: ["ActivityStream:MainToContent"],
 264     },
 265   },
 266
 267   /**
 268    * Check if access is allowed to the given feature for a given document.
 269    * This should be called from within the child process.
 270    *
 271    * The feature within the accessMap must list the given aValue, for access to
 272    * be granted.
 273    *
 274    * @param aDocument child process document to call from
 275    * @param aFeature to feature to check access to
 276    * @param aValue value that must be included with that feature's allow list
 277    * @returns true if access is allowed or false otherwise
 278    */
 279   checkAllowAccess(aDocument, aFeature, aValue) {
 280     let principal = aDocument.nodePrincipal;
 281     // if there is no content principal; deny access
 282     if (!principal) {
 283       return false;
 284     }
 285
 286     return this.checkAllowAccessWithPrincipal(
 287       principal,
 288       aFeature,
 289       aValue,
 290       aDocument
 291     );
 292   },
 293
 294   /**
 295    * Check if access is allowed to the given feature for a given principal.
 296    * This may be called from within the child or parent process.
 297    *
 298    * The feature within the accessMap must list the given aValue, for access to
 299    * be granted.
 300    *
 301    * In the parent process, the passed-in document is expected to be null.
 302    *
 303    * @param aPrincipal principal being called from
 304    * @param aFeature to feature to check access to
 305    * @param aValue value that must be included with that feature's allow list
 306    * @param aDocument optional child process document to call from
 307    * @returns true if access is allowed or false otherwise
 308    */
 309   checkAllowAccessWithPrincipal(aPrincipal, aFeature, aValue, aDocument) {
 310     let accessMapForFeature = this.checkAllowAccessToFeature(
 311       aPrincipal,
 312       aFeature,
 313       aDocument
 314     );
 315     if (!accessMapForFeature) {
 316       console.error(
 317         "RemotePageAccessManager does not allow access to Feature: ",
 318         aFeature,
 319         " for: ",
 320         aDocument.location
 321       );
 322
 323       return false;
 324     }
 325
 326     // If the actual value is in the allow list for that feature;
 327     // allow access
 328     if (accessMapForFeature.includes(aValue) || accessMapForFeature[0] == "*") {
 329       return true;
 330     }
 331
 332     return false;
 333   },
 334
 335   /**
 336    * Check if a particular feature can be accessed without checking for a
 337    * specific feature value.
 338    *
 339    * @param aPrincipal principal being called from
 340    * @param aFeature to feature to check access to
 341    * @param aDocument optional child process document to call from
 342    * @returns non-null allow list if access is allowed or null otherwise
 343    */
 344   checkAllowAccessToFeature(aPrincipal, aFeature, aDocument) {
 345     let spec;
 346     if (!aPrincipal.isContentPrincipal) {
 347       // For the sake of remote pages, when the principal has no uri,
 348       // we want to access the "real" document URI directly, e.g. if the
 349       // about: page is sandboxed.
 350       if (!aDocument) {
 351         return null;
 352       }
 353       if (!aDocument.documentURIObject.schemeIs("about")) {
 354         return null;
 355       }
 356       spec =
 357         aDocument.documentURIObject.prePath +
 358         aDocument.documentURIObject.filePath;
 359     } else {
 360       if (!aPrincipal.schemeIs("about")) {
 361         return null;
 362       }
 363       spec = aPrincipal.prePath + aPrincipal.filePath;
 364     }
 365
 366     // Check if there is an entry for that requestying URI in the accessMap;
 367     // if not, deny access.
 368     let accessMapForURI = this.accessMap[spec];
 369     if (!accessMapForURI) {
 370       return null;
 371     }
 372
 373     // Check if the feature is allowed to be accessed for that URI;
 374     // if not, deny access.
 375     return accessMapForURI[aFeature];
 376   },
 377
 378   /**
 379    * This function adds a new page to the access map, but can only
 380    * be used in a test environment.
 381    */
 382   addPage(aUrl, aFunctionMap) {
 383     if (!Cu.isInAutomation) {
 384       throw new Error("Cannot only modify privileges during testing");
 385     }
 386
 387     if (aUrl in this.accessMap) {
 388       throw new Error("Cannot modify privileges of existing page");
 389     }
 390
 391     this.accessMap[aUrl] = aFunctionMap;
 392   },
 393 };