search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1933479 - Add tab close button on hover to vertical tabs when sidebar is collapse...
[gecko.git] / caps / nsScriptSecurityManager.cpp
blob9979b9dfbcf19cadb6e85bdf5457276378852810
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nsScriptSecurityManager.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/SourceLocation.h"
11 #include "mozilla/StaticPrefs_extensions.h"
12 #include "mozilla/StaticPrefs_security.h"
13 #include "mozilla/StoragePrincipalHelper.h"
14
15 #include "xpcpublic.h"
16 #include "XPCWrapper.h"
17 #include "nsILoadContext.h"
18 #include "nsIScriptObjectPrincipal.h"
19 #include "nsIScriptContext.h"
20 #include "nsIScriptError.h"
21 #include "nsINestedURI.h"
22 #include "nspr.h"
23 #include "nsJSPrincipals.h"
24 #include "mozilla/BasePrincipal.h"
25 #include "mozilla/ContentPrincipal.h"
26 #include "ExpandedPrincipal.h"
27 #include "SystemPrincipal.h"
28 #include "DomainPolicy.h"
29 #include "nsString.h"
30 #include "nsCRT.h"
31 #include "nsCRTGlue.h"
32 #include "nsContentSecurityUtils.h"
33 #include "nsDocShell.h"
34 #include "nsError.h"
35 #include "nsGlobalWindowInner.h"
36 #include "nsDOMCID.h"
37 #include "nsTextFormatter.h"
38 #include "nsIStringBundle.h"
39 #include "nsNetUtil.h"
40 #include "nsIEffectiveTLDService.h"
41 #include "nsDirectoryServiceDefs.h"
42 #include "nsIScriptGlobalObject.h"
43 #include "nsPIDOMWindow.h"
44 #include "nsIDocShell.h"
45 #include "nsIConsoleService.h"
46 #include "nsIOService.h"
47 #include "nsIContent.h"
48 #include "nsDOMJSUtils.h"
49 #include "nsAboutProtocolUtils.h"
50 #include "nsIClassInfo.h"
51 #include "nsIURIFixup.h"
52 #include "nsIURIMutator.h"
53 #include "nsIChromeRegistry.h"
54 #include "nsIResProtocolHandler.h"
55 #include "nsIContentSecurityPolicy.h"
56 #include "mozilla/Components.h"
57 #include "mozilla/Preferences.h"
58 #include "mozilla/dom/BindingUtils.h"
59 #include "mozilla/NullPrincipal.h"
60 #include <stdint.h>
61 #include "mozilla/dom/ContentChild.h"
62 #include "mozilla/dom/ContentParent.h"
63 #include "mozilla/dom/Exceptions.h"
64 #include "mozilla/dom/nsCSPContext.h"
65 #include "mozilla/dom/ScriptSettings.h"
66 #include "mozilla/ClearOnShutdown.h"
67 #include "mozilla/ExtensionPolicyService.h"
68 #include "mozilla/ResultExtensions.h"
69 #include "mozilla/StaticPtr.h"
70 #include "mozilla/dom/TrustedTypeUtils.h"
71 #include "mozilla/dom/WorkerCommon.h"
72 #include "mozilla/dom/WorkerPrivate.h"
73 #include "nsContentUtils.h"
74 #include "nsJSUtils.h"
75 #include "nsILoadInfo.h"
76 #include "js/ColumnNumber.h" // JS::ColumnNumberOneOrigin
77 #include "js/GCVector.h"
78 #include "js/Value.h"
79
80 // This should be probably defined on some other place... but I couldn't find it
81 #define WEBAPPS_PERM_NAME "webapps-manage"
82
83 using namespace mozilla;
84 using namespace mozilla::dom;
85
86 StaticRefPtr<nsIIOService> nsScriptSecurityManager::sIOService;
87 std::atomic<bool> nsScriptSecurityManager::sStrictFileOriginPolicy = true;
88
89 namespace {
90
91 class BundleHelper {
92 public:
93 NS_INLINE_DECL_REFCOUNTING(BundleHelper)
94
95 static nsIStringBundle* GetOrCreate() {
96 MOZ_ASSERT(!sShutdown);
97
98 // Already shutting down. Nothing should require the use of the string
99 // bundle when shutting down.
100 if (sShutdown) {
101 return nullptr;
102 }
103
104 if (!sSelf) {
105 sSelf = new BundleHelper();
106 }
107
108 return sSelf->GetOrCreateInternal();
109 }
110
111 static void Shutdown() {
112 sSelf = nullptr;
113 sShutdown = true;
114 }
115
116 private:
117 ~BundleHelper() = default;
118
119 nsIStringBundle* GetOrCreateInternal() {
120 if (!mBundle) {
121 nsCOMPtr<nsIStringBundleService> bundleService =
122 mozilla::components::StringBundle::Service();
123 if (NS_WARN_IF(!bundleService)) {
124 return nullptr;
125 }
126
127 nsresult rv = bundleService->CreateBundle(
128 "chrome://global/locale/security/caps.properties",
129 getter_AddRefs(mBundle));
130 if (NS_WARN_IF(NS_FAILED(rv))) {
131 return nullptr;
132 }
133 }
134
135 return mBundle;
136 }
137
138 nsCOMPtr<nsIStringBundle> mBundle;
139
140 static StaticRefPtr<BundleHelper> sSelf;
141 static bool sShutdown;
142 };
143
144 StaticRefPtr<BundleHelper> BundleHelper::sSelf;
145 bool BundleHelper::sShutdown = false;
146
147 } // namespace
148
149 ///////////////////////////
150 // Convenience Functions //
151 ///////////////////////////
152
153 class nsAutoInPrincipalDomainOriginSetter {
154 public:
155 nsAutoInPrincipalDomainOriginSetter() { ++sInPrincipalDomainOrigin; }
156 ~nsAutoInPrincipalDomainOriginSetter() { --sInPrincipalDomainOrigin; }
157 static uint32_t sInPrincipalDomainOrigin;
158 };
159 uint32_t nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin;
160
161 static nsresult GetOriginFromURI(nsIURI* aURI, nsACString& aOrigin) {
162 if (!aURI) {
163 return NS_ERROR_NULL_POINTER;
164 }
165 if (nsAutoInPrincipalDomainOriginSetter::sInPrincipalDomainOrigin > 1) {
166 // Allow a single recursive call to GetPrincipalDomainOrigin, since that
167 // might be happening on a different principal from the first call. But
168 // after that, cut off the recursion; it just indicates that something
169 // we're doing in this method causes us to reenter a security check here.
170 return NS_ERROR_NOT_AVAILABLE;
171 }
172
173 nsAutoInPrincipalDomainOriginSetter autoSetter;
174
175 nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
176 NS_ENSURE_TRUE(uri, NS_ERROR_UNEXPECTED);
177
178 nsAutoCString hostPort;
179
180 nsresult rv = uri->GetHostPort(hostPort);
181 if (NS_SUCCEEDED(rv)) {
182 nsAutoCString scheme;
183 rv = uri->GetScheme(scheme);
184 NS_ENSURE_SUCCESS(rv, rv);
185 aOrigin = scheme + "://"_ns + hostPort;
186 } else {
187 // Some URIs (e.g., nsSimpleURI) don't support host. Just
188 // get the full spec.
189 rv = uri->GetSpec(aOrigin);
190 NS_ENSURE_SUCCESS(rv, rv);
191 }
192
193 return NS_OK;
194 }
195
196 static nsresult GetPrincipalDomainOrigin(nsIPrincipal* aPrincipal,
197 nsACString& aOrigin) {
198 aOrigin.Truncate();
199 nsCOMPtr<nsIURI> uri;
200 aPrincipal->GetDomain(getter_AddRefs(uri));
201 nsresult rv = GetOriginFromURI(uri, aOrigin);
202 if (NS_SUCCEEDED(rv)) {
203 return rv;
204 }
205 // If there is no Domain fallback to the Principals Origin
206 return aPrincipal->GetOriginNoSuffix(aOrigin);
207 }
208
209 inline void SetPendingExceptionASCII(JSContext* cx, const char* aMsg) {
210 JS_ReportErrorASCII(cx, "%s", aMsg);
211 }
212
213 inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
214 NS_ConvertUTF16toUTF8 msg(aMsg);
215 JS_ReportErrorUTF8(cx, "%s", msg.get());
216 }
217
218 /* static */
219 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
220 nsIURI* aTargetURI) {
221 return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
222 sStrictFileOriginPolicy);
223 }
224
225 // SecurityHashURI is consistent with SecurityCompareURIs because
226 // NS_SecurityHashURI is consistent with NS_SecurityCompareURIs. See
227 // nsNetUtil.h.
228 uint32_t nsScriptSecurityManager::SecurityHashURI(nsIURI* aURI) {
229 return NS_SecurityHashURI(aURI);
230 }
231
232 bool nsScriptSecurityManager::IsHttpOrHttpsAndCrossOrigin(nsIURI* aUriA,
233 nsIURI* aUriB) {
234 if (!aUriA || (!net::SchemeIsHTTP(aUriA) && !net::SchemeIsHTTPS(aUriA)) ||
235 !aUriB || (!net::SchemeIsHTTP(aUriB) && !net::SchemeIsHTTPS(aUriB))) {
236 return false;
237 }
238 if (!SecurityCompareURIs(aUriA, aUriB)) {
239 return true;
240 }
241 return false;
242 }
243
244 /*
245 * GetChannelResultPrincipal will return the principal that the resource
246 * returned by this channel will use. For example, if the resource is in
247 * a sandbox, it will return the nullprincipal. If the resource is forced
248 * to inherit principal, it will return the principal of its parent. If
249 * the load doesn't require sandboxing or inheriting, it will return the same
250 * principal as GetChannelURIPrincipal. Namely the principal of the URI
251 * that is being loaded.
252 */
253 NS_IMETHODIMP
254 nsScriptSecurityManager::GetChannelResultPrincipal(nsIChannel* aChannel,
255 nsIPrincipal** aPrincipal) {
256 return GetChannelResultPrincipal(aChannel, aPrincipal,
257 /*aIgnoreSandboxing*/ false);
258 }
259
260 nsresult nsScriptSecurityManager::GetChannelResultPrincipalIfNotSandboxed(
261 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
262 return GetChannelResultPrincipal(aChannel, aPrincipal,
263 /*aIgnoreSandboxing*/ true);
264 }
265
266 NS_IMETHODIMP
267 nsScriptSecurityManager::GetChannelResultStoragePrincipal(
268 nsIChannel* aChannel, nsIPrincipal** aPrincipal) {
269 nsCOMPtr<nsIPrincipal> principal;
270 nsresult rv = GetChannelResultPrincipal(aChannel, getter_AddRefs(principal),
271 /*aIgnoreSandboxing*/ false);
272 if (NS_WARN_IF(NS_FAILED(rv) || !principal)) {
273 return rv;
274 }
275
276 if (!(principal->GetIsContentPrincipal())) {
277 // If for some reason we don't have a content principal here, just reuse our
278 // principal for the storage principal too, since attempting to create a
279 // storage principal would fail anyway.
280 principal.forget(aPrincipal);
281 return NS_OK;
282 }
283
284 return StoragePrincipalHelper::Create(
285 aChannel, principal, /* aForceIsolation */ false, aPrincipal);
286 }
287
288 NS_IMETHODIMP
289 nsScriptSecurityManager::GetChannelResultPrincipals(
290 nsIChannel* aChannel, nsIPrincipal** aPrincipal,
291 nsIPrincipal** aPartitionedPrincipal) {
292 nsresult rv = GetChannelResultPrincipal(aChannel, aPrincipal,
293 /*aIgnoreSandboxing*/ false);
294 if (NS_WARN_IF(NS_FAILED(rv))) {
295 return rv;
296 }
297
298 if (!(*aPrincipal)->GetIsContentPrincipal()) {
299 // If for some reason we don't have a content principal here, just reuse our
300 // principal for the storage principal too, since attempting to create a
301 // storage principal would fail anyway.
302 nsCOMPtr<nsIPrincipal> copy = *aPrincipal;
303 copy.forget(aPartitionedPrincipal);
304 return NS_OK;
305 }
306
307 return StoragePrincipalHelper::Create(
308 aChannel, *aPrincipal, /* aForceIsolation */ true, aPartitionedPrincipal);
309 }
310
311 nsresult nsScriptSecurityManager::GetChannelResultPrincipal(
312 nsIChannel* aChannel, nsIPrincipal** aPrincipal, bool aIgnoreSandboxing) {
313 MOZ_ASSERT(aChannel, "Must have channel!");
314
315 // Check whether we have an nsILoadInfo that says what we should do.
316 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
317 if (loadInfo->GetForceInheritPrincipalOverruleOwner()) {
318 nsCOMPtr<nsIPrincipal> principalToInherit =
319 loadInfo->FindPrincipalToInherit(aChannel);
320 principalToInherit.forget(aPrincipal);
321 return NS_OK;
322 }
323
324 nsCOMPtr<nsISupports> owner;
325 aChannel->GetOwner(getter_AddRefs(owner));
326 if (owner) {
327 CallQueryInterface(owner, aPrincipal);
328 if (*aPrincipal) {
329 return NS_OK;
330 }
331 }
332
333 if (!aIgnoreSandboxing && loadInfo->GetLoadingSandboxed()) {
334 // Determine the unsandboxed result principal to use as this null
335 // principal's precursor. Ignore errors here, as the precursor isn't
336 // required.
337 nsCOMPtr<nsIPrincipal> precursor;
338 GetChannelResultPrincipal(aChannel, getter_AddRefs(precursor),
339 /*aIgnoreSandboxing*/ true);
340
341 // Construct a deterministic null principal URI from the precursor and the
342 // loadinfo's nullPrincipalID.
343 nsCOMPtr<nsIURI> nullPrincipalURI = NullPrincipal::CreateURI(
344 precursor, &loadInfo->GetSandboxedNullPrincipalID());
345
346 // Use the URI to construct the sandboxed result principal.
347 OriginAttributes attrs;
348 loadInfo->GetOriginAttributes(&attrs);
349 nsCOMPtr<nsIPrincipal> sandboxedPrincipal =
350 NullPrincipal::Create(attrs, nullPrincipalURI);
351 sandboxedPrincipal.forget(aPrincipal);
352 return NS_OK;
353 }
354
355 bool forceInherit = loadInfo->GetForceInheritPrincipal();
356 if (aIgnoreSandboxing && !forceInherit) {
357 // Check if SEC_FORCE_INHERIT_PRINCIPAL was dropped because of
358 // sandboxing:
359 if (loadInfo->GetLoadingSandboxed() &&
360 loadInfo->GetForceInheritPrincipalDropped()) {
361 forceInherit = true;
362 }
363 }
364 if (forceInherit) {
365 nsCOMPtr<nsIPrincipal> principalToInherit =
366 loadInfo->FindPrincipalToInherit(aChannel);
367 principalToInherit.forget(aPrincipal);
368 return NS_OK;
369 }
370
371 auto securityMode = loadInfo->GetSecurityMode();
372 // The data: inheritance flags should only apply to the initial load,
373 // not to loads that it might have redirected to.
374 if (loadInfo->RedirectChain().IsEmpty() &&
375 (securityMode ==
376 nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT ||
377 securityMode ==
378 nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT ||
379 securityMode == nsILoadInfo::SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT)) {
380 nsCOMPtr<nsIURI> uri;
381 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
382 NS_ENSURE_SUCCESS(rv, rv);
383
384 nsCOMPtr<nsIPrincipal> principalToInherit =
385 loadInfo->FindPrincipalToInherit(aChannel);
386 bool inheritForAboutBlank = loadInfo->GetAboutBlankInherits();
387
388 if (nsContentUtils::ChannelShouldInheritPrincipal(
389 principalToInherit, uri, inheritForAboutBlank, false)) {
390 principalToInherit.forget(aPrincipal);
391 return NS_OK;
392 }
393 }
394 return GetChannelURIPrincipal(aChannel, aPrincipal);
395 }
396
397 /* The principal of the URI that this channel is loading. This is never
398 * affected by things like sandboxed loads, or loads where we forcefully
399 * inherit the principal. Think of this as the principal of the server
400 * which this channel is loading from. Most callers should use
401 * GetChannelResultPrincipal instead of GetChannelURIPrincipal. Only
402 * call GetChannelURIPrincipal if you are sure that you want the
403 * principal that matches the uri, even in cases when the load is
404 * sandboxed or when the load could be a blob or data uri (i.e even when
405 * you encounter loads that may or may not be sandboxed and loads
406 * that may or may not inherit)."
407 */
408 NS_IMETHODIMP
409 nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel* aChannel,
410 nsIPrincipal** aPrincipal) {
411 MOZ_ASSERT(aChannel, "Must have channel!");
412
413 // Get the principal from the URI. Make sure this does the same thing
414 // as Document::Reset and PrototypeDocumentContentSink::Init.
415 nsCOMPtr<nsIURI> uri;
416 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
417 NS_ENSURE_SUCCESS(rv, rv);
418
419 nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
420
421 // Inherit the origin attributes from loadInfo.
422 // If this is a top-level document load, the origin attributes of the
423 // loadInfo will be set from nsDocShell::DoURILoad.
424 // For subresource loading, the origin attributes of the loadInfo is from
425 // its loadingPrincipal.
426 OriginAttributes attrs = loadInfo->GetOriginAttributes();
427
428 // If the URI is supposed to inherit the security context of whoever loads it,
429 // we shouldn't make a content principal for it, so instead return a null
430 // principal.
431 bool inheritsPrincipal = false;
432 rv = NS_URIChainHasFlags(uri,
433 nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
434 &inheritsPrincipal);
435 if (NS_FAILED(rv) || inheritsPrincipal) {
436 // Find a precursor principal to credit for the load. This won't impact
437 // security checks, but makes tracking the source of related loads easier.
438 nsCOMPtr<nsIPrincipal> precursorPrincipal =
439 loadInfo->FindPrincipalToInherit(aChannel);
440 nsCOMPtr<nsIURI> nullPrincipalURI =
441 NullPrincipal::CreateURI(precursorPrincipal);
442 *aPrincipal = NullPrincipal::Create(attrs, nullPrincipalURI).take();
443 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
444 }
445
446 nsCOMPtr<nsIPrincipal> prin =
447 BasePrincipal::CreateContentPrincipal(uri, attrs);
448 prin.forget(aPrincipal);
449 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
450 }
451
452 /////////////////////////////
453 // nsScriptSecurityManager //
454 /////////////////////////////
455
456 ////////////////////////////////////
457 // Methods implementing ISupports //
458 ////////////////////////////////////
459 NS_IMPL_ISUPPORTS(nsScriptSecurityManager, nsIScriptSecurityManager)
460
461 ///////////////////////////////////////////////////
462 // Methods implementing nsIScriptSecurityManager //
463 ///////////////////////////////////////////////////
464
465 ///////////////// Security Checks /////////////////
466
467 bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
468 JSContext* cx, JS::RuntimeCode aKind, JS::Handle<JSString*> aCodeString,
469 JS::CompilationType aCompilationType,
470 JS::Handle<JS::StackGCVector<JSString*>> aParameterStrings,
471 JS::Handle<JSString*> aBodyString,
472 JS::Handle<JS::StackGCVector<JS::Value>> aParameterArgs,
473 JS::Handle<JS::Value> aBodyArg, bool* aOutCanCompileStrings) {
474 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
475
476 nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
477
478 if (aKind == JS::RuntimeCode::JS) {
479 ErrorResult error;
480 bool areArgumentsTrusted = TrustedTypeUtils::
481 AreArgumentsTrustedForEnsureCSPDoesNotBlockStringCompilation(
482 cx, aCodeString, aCompilationType, aParameterStrings, aBodyString,
483 aParameterArgs, aBodyArg, error);
484 if (error.MaybeSetPendingException(cx)) {
485 return false;
486 }
487 if (!areArgumentsTrusted) {
488 *aOutCanCompileStrings = false;
489 return true;
490 }
491 }
492
493 // Check if Eval is allowed per firefox hardening policy
494 bool contextForbidsEval =
495 (subjectPrincipal->IsSystemPrincipal() || XRE_IsE10sParentProcess());
496 #if defined(ANDROID)
497 contextForbidsEval = false;
498 #endif
499
500 if (contextForbidsEval) {
501 nsAutoJSString scriptSample;
502 if (aKind == JS::RuntimeCode::JS &&
503 NS_WARN_IF(!scriptSample.init(cx, aCodeString))) {
504 return false;
505 }
506
507 if (!nsContentSecurityUtils::IsEvalAllowed(
508 cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
509 *aOutCanCompileStrings = false;
510 return true;
511 }
512 }
513
514 // Get the window, if any, corresponding to the current global
515 nsCOMPtr<nsIContentSecurityPolicy> csp;
516 if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
517 csp = win->GetCsp();
518 }
519
520 if (!csp) {
521 // Get the CSP for addon sandboxes. If the principal is expanded and has a
522 // csp, we're probably in luck.
523 auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
524 // TODO bug 1548468: Move CSP off ExpandedPrincipal.
525 if (basePrin->Is<ExpandedPrincipal>()) {
526 basePrin->As<ExpandedPrincipal>()->GetCsp(getter_AddRefs(csp));
527 }
528 // don't do anything unless there's a CSP
529 if (!csp) {
530 *aOutCanCompileStrings = true;
531 return true;
532 }
533 }
534
535 nsCOMPtr<nsICSPEventListener> cspEventListener;
536 if (!NS_IsMainThread()) {
537 WorkerPrivate* workerPrivate =
538 mozilla::dom::GetWorkerPrivateFromContext(cx);
539 if (workerPrivate) {
540 cspEventListener = workerPrivate->CSPEventListener();
541 }
542 }
543
544 bool evalOK = true;
545 bool reportViolation = false;
546 if (aKind == JS::RuntimeCode::JS) {
547 nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
548 if (NS_FAILED(rv)) {
549 NS_WARNING("CSP: failed to get allowsEval");
550 *aOutCanCompileStrings = true; // fail open to not break sites.
551 return true;
552 }
553 } else {
554 if (NS_FAILED(csp->GetAllowsWasmEval(&reportViolation, &evalOK))) {
555 return false;
556 }
557 if (!evalOK) {
558 // Historically, CSP did not block WebAssembly in Firefox, and some
559 // add-ons use wasm and a stricter CSP. To avoid breaking them, ignore
560 // 'wasm-unsafe-eval' violations for MV2 extensions.
561 // TODO bug 1770909: remove this exception.
562 auto* addonPolicy = BasePrincipal::Cast(subjectPrincipal)->AddonPolicy();
563 if (addonPolicy && addonPolicy->ManifestVersion() == 2) {
564 reportViolation = true;
565 evalOK = true;
566 }
567 }
568 }
569
570 if (reportViolation) {
571 auto caller = JSCallingLocation::Get(cx);
572 nsAutoJSString scriptSample;
573 if (aKind == JS::RuntimeCode::JS &&
574 NS_WARN_IF(!scriptSample.init(cx, aCodeString))) {
575 return false;
576 }
577 uint16_t violationType =
578 aKind == JS::RuntimeCode::JS
579 ? nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL
580 : nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL;
581 csp->LogViolationDetails(violationType,
582 nullptr, // triggering element
583 cspEventListener, caller.FileName(), scriptSample,
584 caller.mLine, caller.mColumn, u""_ns, u""_ns);
585 }
586
587 *aOutCanCompileStrings = evalOK;
588 return true;
589 }
590
591 // static
592 bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals* first,
593 JSPrincipals* second) {
594 return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second));
595 }
596
597 NS_IMETHODIMP
598 nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
599 nsIURI* aTargetURI,
600 bool reportError,
601 bool aFromPrivateWindow) {
602 // Please note that aFromPrivateWindow is only 100% accurate if
603 // reportError is true.
604 if (!SecurityCompareURIs(aSourceURI, aTargetURI)) {
605 if (reportError) {
606 ReportError("CheckSameOriginError", aSourceURI, aTargetURI,
607 aFromPrivateWindow);
608 }
609 return NS_ERROR_DOM_BAD_URI;
610 }
611 return NS_OK;
612 }
613
614 NS_IMETHODIMP
615 nsScriptSecurityManager::CheckLoadURIFromScript(JSContext* cx, nsIURI* aURI) {
616 // Get principal of currently executing script.
617 MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
618 nsIPrincipal* principal = nsContentUtils::SubjectPrincipal();
619 nsresult rv = CheckLoadURIWithPrincipal(
620 // Passing 0 for the window ID here is OK, because we will report a
621 // script-visible exception anyway.
622 principal, aURI, nsIScriptSecurityManager::STANDARD, 0);
623 if (NS_SUCCEEDED(rv)) {
624 // OK to load
625 return NS_OK;
626 }
627
628 // Report error.
629 nsAutoCString spec;
630 if (NS_FAILED(aURI->GetAsciiSpec(spec))) return NS_ERROR_FAILURE;
631 nsAutoCString msg("Access to '");
632 msg.Append(spec);
633 msg.AppendLiteral("' from script denied");
634 SetPendingExceptionASCII(cx, msg.get());
635 return NS_ERROR_DOM_BAD_URI;
636 }
637
638 /**
639 * Helper method to handle cases where a flag passed to
640 * CheckLoadURIWithPrincipal means denying loading if the given URI has certain
641 * nsIProtocolHandler flags set.
642 * @return if success, access is allowed. Otherwise, deny access
643 */
644 static nsresult DenyAccessIfURIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
645 MOZ_ASSERT(aURI, "Must have URI!");
646
647 bool uriHasFlags;
648 nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &uriHasFlags);
649 NS_ENSURE_SUCCESS(rv, rv);
650
651 if (uriHasFlags) {
652 return NS_ERROR_DOM_BAD_URI;
653 }
654
655 return NS_OK;
656 }
657
658 static bool EqualOrSubdomain(nsIURI* aProbeArg, nsIURI* aBase) {
659 nsresult rv;
660 nsCOMPtr<nsIURI> probe = aProbeArg;
661
662 nsCOMPtr<nsIEffectiveTLDService> tldService =
663 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
664 NS_ENSURE_TRUE(tldService, false);
665 while (true) {
666 if (nsScriptSecurityManager::SecurityCompareURIs(probe, aBase)) {
667 return true;
668 }
669
670 nsAutoCString host, newHost;
671 rv = probe->GetHost(host);
672 NS_ENSURE_SUCCESS(rv, false);
673
674 rv = tldService->GetNextSubDomain(host, newHost);
675 if (rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
676 return false;
677 }
678 NS_ENSURE_SUCCESS(rv, false);
679 rv = NS_MutateURI(probe).SetHost(newHost).Finalize(probe);
680 NS_ENSURE_SUCCESS(rv, false);
681 }
682 }
683
684 NS_IMETHODIMP
685 nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
686 nsIURI* aTargetURI,
687 uint32_t aFlags,
688 uint64_t aInnerWindowID) {
689 MOZ_ASSERT(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
690
691 // If someone passes a flag that we don't understand, we should
692 // fail, because they may need a security check that we don't
693 // provide.
694 NS_ENSURE_FALSE(
695 aFlags &
696 ~(nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
697 nsIScriptSecurityManager::ALLOW_CHROME |
698 nsIScriptSecurityManager::DISALLOW_SCRIPT |
699 nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL |
700 nsIScriptSecurityManager::DONT_REPORT_ERRORS),
701 NS_ERROR_UNEXPECTED);
702 NS_ENSURE_ARG_POINTER(aPrincipal);
703 NS_ENSURE_ARG_POINTER(aTargetURI);
704
705 // If DISALLOW_INHERIT_PRINCIPAL is set, we prevent loading of URIs which
706 // would do such inheriting. That would be URIs that do not have their own
707 // security context. We do this even for the system principal.
708 if (aFlags & nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL) {
709 nsresult rv = DenyAccessIfURIHasFlags(
710 aTargetURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT);
711 NS_ENSURE_SUCCESS(rv, rv);
712 }
713
714 if (aPrincipal == mSystemPrincipal) {
715 // Allow access
716 return NS_OK;
717 }
718
719 nsCOMPtr<nsIURI> sourceURI;
720 auto* basePrin = BasePrincipal::Cast(aPrincipal);
721 basePrin->GetURI(getter_AddRefs(sourceURI));
722 if (!sourceURI) {
723 if (basePrin->Is<ExpandedPrincipal>()) {
724 // If the target addon is MV3 or the pref is on we require extension
725 // resources loaded from content to be listed in web_accessible_resources.
726 auto* targetPolicy =
727 ExtensionPolicyService::GetSingleton().GetByURL(aTargetURI);
728 bool contentAccessRequired =
729 targetPolicy &&
730 (targetPolicy->ManifestVersion() > 2 ||
731 StaticPrefs::extensions_content_web_accessible_enabled());
732 auto expanded = basePrin->As<ExpandedPrincipal>();
733 const auto& allowList = expanded->AllowList();
734 // Only report errors when all principals fail.
735 // With expanded principals, which are used by extension content scripts,
736 // we check only against non-extension principals for access to extension
737 // resource to enforce making those resources explicitly web accessible.
738 uint32_t flags = aFlags | nsIScriptSecurityManager::DONT_REPORT_ERRORS;
739 for (size_t i = 0; i < allowList.Length() - 1; i++) {
740 if (contentAccessRequired &&
741 BasePrincipal::Cast(allowList[i])->AddonPolicy()) {
742 continue;
743 }
744 nsresult rv = CheckLoadURIWithPrincipal(allowList[i], aTargetURI, flags,
745 aInnerWindowID);
746 if (NS_SUCCEEDED(rv)) {
747 // Allow access if it succeeded with one of the allowlisted principals
748 return NS_OK;
749 }
750 }
751
752 if (contentAccessRequired &&
753 BasePrincipal::Cast(allowList.LastElement())->AddonPolicy()) {
754 bool reportErrors =
755 !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
756 if (reportErrors) {
757 ReportError("CheckLoadURI", sourceURI, aTargetURI,
758 allowList.LastElement()
759 ->OriginAttributesRef()
760 .IsPrivateBrowsing(),
761 aInnerWindowID);
762 }
763 return NS_ERROR_DOM_BAD_URI;
764 }
765 // Report errors (if requested) for the last principal.
766 return CheckLoadURIWithPrincipal(allowList.LastElement(), aTargetURI,
767 aFlags, aInnerWindowID);
768 }
769 NS_ERROR(
770 "Non-system principals or expanded principal passed to "
771 "CheckLoadURIWithPrincipal "
772 "must have a URI!");
773 return NS_ERROR_UNEXPECTED;
774 }
775
776 // Automatic loads are not allowed from certain protocols.
777 if (aFlags &
778 nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT) {
779 nsresult rv = DenyAccessIfURIHasFlags(
780 sourceURI,
781 nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT);
782 NS_ENSURE_SUCCESS(rv, rv);
783 }
784
785 // If either URI is a nested URI, get the base URI
786 nsCOMPtr<nsIURI> sourceBaseURI = NS_GetInnermostURI(sourceURI);
787 nsCOMPtr<nsIURI> targetBaseURI = NS_GetInnermostURI(aTargetURI);
788
789 //-- get the target scheme
790 nsAutoCString targetScheme;
791 nsresult rv = targetBaseURI->GetScheme(targetScheme);
792 if (NS_FAILED(rv)) return rv;
793
794 //-- Some callers do not allow loading javascript:
795 if ((aFlags & nsIScriptSecurityManager::DISALLOW_SCRIPT) &&
796 targetScheme.EqualsLiteral("javascript")) {
797 return NS_ERROR_DOM_BAD_URI;
798 }
799
800 // Check for uris that are only loadable by principals that subsume them
801 bool targetURIIsLoadableBySubsumers = false;
802 rv = NS_URIChainHasFlags(targetBaseURI,
803 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
804 &targetURIIsLoadableBySubsumers);
805 NS_ENSURE_SUCCESS(rv, rv);
806
807 if (targetURIIsLoadableBySubsumers) {
808 // check nothing else in the URI chain has flags that prevent
809 // access:
810 rv = CheckLoadURIFlags(
811 sourceURI, aTargetURI, sourceBaseURI, targetBaseURI, aFlags,
812 aPrincipal->OriginAttributesRef().IsPrivateBrowsing(), aInnerWindowID);
813 NS_ENSURE_SUCCESS(rv, rv);
814 // Check the principal is allowed to load the target.
815 if (aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS) {
816 return aPrincipal->CheckMayLoad(targetBaseURI, false);
817 }
818 return aPrincipal->CheckMayLoadWithReporting(targetBaseURI, false,
819 aInnerWindowID);
820 }
821
822 //-- get the source scheme
823 nsAutoCString sourceScheme;
824 rv = sourceBaseURI->GetScheme(sourceScheme);
825 if (NS_FAILED(rv)) return rv;
826
827 if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
828 // A null principal can target its own URI.
829 if (sourceURI == aTargetURI) {
830 return NS_OK;
831 }
832 } else if (sourceScheme.EqualsIgnoreCase("file") &&
833 targetScheme.EqualsIgnoreCase("moz-icon")) {
834 // exception for file: linking to moz-icon://.ext?size=...
835 // Note that because targetScheme is the base (innermost) URI scheme,
836 // this does NOT allow file -> moz-icon:file:///... links.
837 // This is intentional.
838 return NS_OK;
839 }
840
841 // Check for webextension
842 bool targetURIIsLoadableByExtensions = false;
843 rv = NS_URIChainHasFlags(aTargetURI,
844 nsIProtocolHandler::URI_LOADABLE_BY_EXTENSIONS,
845 &targetURIIsLoadableByExtensions);
846 NS_ENSURE_SUCCESS(rv, rv);
847
848 if (targetURIIsLoadableByExtensions &&
849 BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
850 return NS_OK;
851 }
852
853 // If we get here, check all the schemes can link to each other, from the top
854 // down:
855 nsCOMPtr<nsIURI> currentURI = sourceURI;
856 nsCOMPtr<nsIURI> currentOtherURI = aTargetURI;
857
858 bool denySameSchemeLinks = false;
859 rv = NS_URIChainHasFlags(aTargetURI,
860 nsIProtocolHandler::URI_SCHEME_NOT_SELF_LINKABLE,
861 &denySameSchemeLinks);
862 if (NS_FAILED(rv)) return rv;
863
864 while (currentURI && currentOtherURI) {
865 nsAutoCString scheme, otherScheme;
866 currentURI->GetScheme(scheme);
867 currentOtherURI->GetScheme(otherScheme);
868
869 bool schemesMatch =
870 scheme.Equals(otherScheme, nsCaseInsensitiveCStringComparator);
871 bool isSamePage = false;
872 bool isExtensionMismatch = false;
873 // about: URIs are special snowflakes.
874 if (scheme.EqualsLiteral("about") && schemesMatch) {
875 nsAutoCString moduleName, otherModuleName;
876 // about: pages can always link to themselves:
877 isSamePage =
878 NS_SUCCEEDED(NS_GetAboutModuleName(currentURI, moduleName)) &&
879 NS_SUCCEEDED(
880 NS_GetAboutModuleName(currentOtherURI, otherModuleName)) &&
881 moduleName.Equals(otherModuleName);
882 if (!isSamePage) {
883 // We will have allowed the load earlier if the source page has
884 // system principal. So we know the source has a content
885 // principal, and it's trying to link to something else.
886 // Linkable about: pages are always reachable, even if we hit
887 // the CheckLoadURIFlags call below.
888 // We punch only 1 other hole: iff the source is unlinkable,
889 // we let them link to other pages explicitly marked SAFE
890 // for content. This avoids world-linkable about: pages linking
891 // to non-world-linkable about: pages.
892 nsCOMPtr<nsIAboutModule> module, otherModule;
893 bool knowBothModules =
894 NS_SUCCEEDED(
895 NS_GetAboutModule(currentURI, getter_AddRefs(module))) &&
896 NS_SUCCEEDED(NS_GetAboutModule(currentOtherURI,
897 getter_AddRefs(otherModule)));
898 uint32_t aboutModuleFlags = 0;
899 uint32_t otherAboutModuleFlags = 0;
900 knowBothModules =
901 knowBothModules &&
902 NS_SUCCEEDED(module->GetURIFlags(currentURI, &aboutModuleFlags)) &&
903 NS_SUCCEEDED(otherModule->GetURIFlags(currentOtherURI,
904 &otherAboutModuleFlags));
905 if (knowBothModules) {
906 isSamePage = !(aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) &&
907 (otherAboutModuleFlags &
908 nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT);
909 if (isSamePage &&
910 otherAboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
911 // XXXgijs: this is a hack. The target will be nested
912 // (with innerURI of moz-safe-about:whatever), and
913 // the source isn't, so we won't pass if we finish
914 // the loop. We *should* pass, though, so return here.
915 // This hack can go away when bug 1228118 is fixed.
916 return NS_OK;
917 }
918 }
919 }
920 } else if (schemesMatch && scheme.EqualsLiteral("moz-extension")) {
921 // If it is not the same exension, we want to ensure we end up
922 // calling CheckLoadURIFlags
923 nsAutoCString host, otherHost;
924 currentURI->GetHost(host);
925 currentOtherURI->GetHost(otherHost);
926 isExtensionMismatch = !host.Equals(otherHost);
927 } else {
928 bool equalExceptRef = false;
929 rv = currentURI->EqualsExceptRef(currentOtherURI, &equalExceptRef);
930 isSamePage = NS_SUCCEEDED(rv) && equalExceptRef;
931 }
932
933 // If schemes are not equal, or they're equal but the target URI
934 // is different from the source URI and doesn't always allow linking
935 // from the same scheme, or this is two different extensions, check
936 // if the URI flags of the current target URI allow the current
937 // source URI to link to it.
938 // The policy is specified by the protocol flags on both URIs.
939 if (!schemesMatch || (denySameSchemeLinks && !isSamePage) ||
940 isExtensionMismatch) {
941 return CheckLoadURIFlags(
942 currentURI, currentOtherURI, sourceBaseURI, targetBaseURI, aFlags,
943 aPrincipal->OriginAttributesRef().IsPrivateBrowsing(),
944 aInnerWindowID);
945 }
946 // Otherwise... check if we can nest another level:
947 nsCOMPtr<nsINestedURI> nestedURI = do_QueryInterface(currentURI);
948 nsCOMPtr<nsINestedURI> nestedOtherURI = do_QueryInterface(currentOtherURI);
949
950 // If schemes match and neither URI is nested further, we're OK.
951 if (!nestedURI && !nestedOtherURI) {
952 return NS_OK;
953 }
954 // If one is nested and the other isn't, something is wrong.
955 if (!nestedURI != !nestedOtherURI) {
956 return NS_ERROR_DOM_BAD_URI;
957 }
958 // Otherwise, both should be nested and we'll go through the loop again.
959 nestedURI->GetInnerURI(getter_AddRefs(currentURI));
960 nestedOtherURI->GetInnerURI(getter_AddRefs(currentOtherURI));
961 }
962
963 // We should never get here. We should always return from inside the loop.
964 return NS_ERROR_DOM_BAD_URI;
965 }
966
967 /**
968 * Helper method to check whether the target URI and its innermost ("base") URI
969 * has protocol flags that should stop it from being loaded by the source URI
970 * (and/or the source URI's innermost ("base") URI), taking into account any
971 * nsIScriptSecurityManager flags originally passed to
972 * CheckLoadURIWithPrincipal and friends.
973 *
974 * @return if success, access is allowed. Otherwise, deny access
975 */
976 nsresult nsScriptSecurityManager::CheckLoadURIFlags(
977 nsIURI* aSourceURI, nsIURI* aTargetURI, nsIURI* aSourceBaseURI,
978 nsIURI* aTargetBaseURI, uint32_t aFlags, bool aFromPrivateWindow,
979 uint64_t aInnerWindowID) {
980 // Note that the order of policy checks here is very important!
981 // We start from most restrictive and work our way down.
982 bool reportErrors = !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
983 const char* errorTag = "CheckLoadURIError";
984
985 nsAutoCString targetScheme;
986 nsresult rv = aTargetBaseURI->GetScheme(targetScheme);
987 if (NS_FAILED(rv)) return rv;
988
989 // Check for system target URI.
990 rv = DenyAccessIfURIHasFlags(aTargetURI,
991 nsIProtocolHandler::URI_DANGEROUS_TO_LOAD);
992 if (NS_FAILED(rv)) {
993 // Deny access, since the origin principal is not system
994 if (reportErrors) {
995 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
996 aInnerWindowID);
997 }
998 return rv;
999 }
1000
1001 // WebExtension URIs are only accessible if the ExtensionPolicyService allows
1002 // the source URI to load them.
1003 bool targetURIIsWebExtensionResource = false;
1004 rv = NS_URIChainHasFlags(aTargetURI,
1005 nsIProtocolHandler::URI_IS_WEBEXTENSION_RESOURCE,
1006 &targetURIIsWebExtensionResource);
1007 NS_ENSURE_SUCCESS(rv, rv);
1008 if (targetURIIsWebExtensionResource) {
1009 bool isAccessible = false;
1010 rv = ExtensionPolicyService::GetSingleton().SourceMayLoadExtensionURI(
1011 aSourceURI, aTargetURI, aFromPrivateWindow, &isAccessible);
1012 if (NS_SUCCEEDED(rv) && isAccessible) {
1013 return NS_OK;
1014 }
1015 if (reportErrors) {
1016 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1017 aInnerWindowID);
1018 }
1019 return NS_ERROR_DOM_BAD_URI;
1020 }
1021
1022 // Check for chrome target URI
1023 bool targetURIIsUIResource = false;
1024 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_UI_RESOURCE,
1025 &targetURIIsUIResource);
1026 NS_ENSURE_SUCCESS(rv, rv);
1027 if (targetURIIsUIResource) {
1028 // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
1029 // loads (since docshell loads run the loaded content with its origin
1030 // principal). We are effectively allowing resource:// and chrome://
1031 // URIs to load as long as they are content accessible and as long
1032 // they're not loading it as a document.
1033 if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
1034 bool sourceIsUIResource = false;
1035 rv = NS_URIChainHasFlags(aSourceBaseURI,
1036 nsIProtocolHandler::URI_IS_UI_RESOURCE,
1037 &sourceIsUIResource);
1038 NS_ENSURE_SUCCESS(rv, rv);
1039 if (sourceIsUIResource) {
1040 // Special case for moz-icon URIs loaded by a local resources like
1041 // e.g. chrome: or resource:
1042 if (targetScheme.EqualsLiteral("moz-icon")) {
1043 return NS_OK;
1044 }
1045 }
1046
1047 if (targetScheme.EqualsLiteral("resource")) {
1048 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
1049 return NS_OK;
1050 }
1051
1052 nsCOMPtr<nsIProtocolHandler> ph;
1053 rv = sIOService->GetProtocolHandler("resource", getter_AddRefs(ph));
1054 NS_ENSURE_SUCCESS(rv, rv);
1055 if (!ph) {
1056 return NS_ERROR_DOM_BAD_URI;
1057 }
1058
1059 nsCOMPtr<nsIResProtocolHandler> rph = do_QueryInterface(ph);
1060 if (!rph) {
1061 return NS_ERROR_DOM_BAD_URI;
1062 }
1063
1064 bool accessAllowed = false;
1065 rph->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1066 if (accessAllowed) {
1067 return NS_OK;
1068 }
1069 } else if (targetScheme.EqualsLiteral("chrome")) {
1070 // Allow the load only if the chrome package is allowlisted.
1071 nsCOMPtr<nsIXULChromeRegistry> reg(
1072 do_GetService(NS_CHROMEREGISTRY_CONTRACTID));
1073 if (reg) {
1074 bool accessAllowed = false;
1075 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
1076 if (accessAllowed) {
1077 return NS_OK;
1078 }
1079 }
1080 } else if (targetScheme.EqualsLiteral("moz-page-thumb") ||
1081 targetScheme.EqualsLiteral("page-icon")) {
1082 if (XRE_IsParentProcess()) {
1083 return NS_OK;
1084 }
1085
1086 auto& remoteType = dom::ContentChild::GetSingleton()->GetRemoteType();
1087 if (remoteType == PRIVILEGEDABOUT_REMOTE_TYPE) {
1088 return NS_OK;
1089 }
1090 }
1091 }
1092
1093 if (reportErrors) {
1094 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1095 aInnerWindowID);
1096 }
1097 return NS_ERROR_DOM_BAD_URI;
1098 }
1099
1100 // Check for target URI pointing to a file
1101 bool targetURIIsLocalFile = false;
1102 rv = NS_URIChainHasFlags(aTargetURI, nsIProtocolHandler::URI_IS_LOCAL_FILE,
1103 &targetURIIsLocalFile);
1104 NS_ENSURE_SUCCESS(rv, rv);
1105 if (targetURIIsLocalFile) {
1106 // Allow domains that were allowlisted in the prefs. In 99.9% of cases,
1107 // this array is empty.
1108 bool isAllowlisted;
1109 MOZ_ALWAYS_SUCCEEDS(InFileURIAllowlist(aSourceURI, &isAllowlisted));
1110 if (isAllowlisted) {
1111 return NS_OK;
1112 }
1113
1114 // Allow chrome://
1115 if (aSourceBaseURI->SchemeIs("chrome")) {
1116 return NS_OK;
1117 }
1118
1119 // Nothing else.
1120 if (reportErrors) {
1121 ReportError(errorTag, aSourceURI, aTargetURI, aFromPrivateWindow,
1122 aInnerWindowID);
1123 }
1124 return NS_ERROR_DOM_BAD_URI;
1125 }
1126
1127 #ifdef DEBUG
1128 {
1129 // Everyone is allowed to load this. The case URI_LOADABLE_BY_SUBSUMERS
1130 // is handled by the caller which is just delegating to us as a helper.
1131 bool hasSubsumersFlag = false;
1132 NS_URIChainHasFlags(aTargetBaseURI,
1133 nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS,
1134 &hasSubsumersFlag);
1135 bool hasLoadableByAnyone = false;
1136 NS_URIChainHasFlags(aTargetBaseURI,
1137 nsIProtocolHandler::URI_LOADABLE_BY_ANYONE,
1138 &hasLoadableByAnyone);
1139 MOZ_ASSERT(hasLoadableByAnyone || hasSubsumersFlag,
1140 "why do we get here and do not have any of the two flags set?");
1141 }
1142 #endif
1143
1144 return NS_OK;
1145 }
1146
1147 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1148 const nsACString& aSourceSpec,
1149 const nsACString& aTargetSpec,
1150 bool aFromPrivateWindow,
1151 uint64_t aInnerWindowID) {
1152 if (aSourceSpec.IsEmpty() || aTargetSpec.IsEmpty()) {
1153 return NS_OK;
1154 }
1155
1156 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1157 if (NS_WARN_IF(!bundle)) {
1158 return NS_OK;
1159 }
1160
1161 // Localize the error message
1162 nsAutoString message;
1163 AutoTArray<nsString, 2> formatStrings;
1164 CopyASCIItoUTF16(aSourceSpec, *formatStrings.AppendElement());
1165 CopyASCIItoUTF16(aTargetSpec, *formatStrings.AppendElement());
1166 nsresult rv =
1167 bundle->FormatStringFromName(aMessageTag, formatStrings, message);
1168 NS_ENSURE_SUCCESS(rv, rv);
1169
1170 nsCOMPtr<nsIConsoleService> console(
1171 do_GetService(NS_CONSOLESERVICE_CONTRACTID));
1172 NS_ENSURE_TRUE(console, NS_ERROR_FAILURE);
1173 nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
1174 NS_ENSURE_TRUE(error, NS_ERROR_FAILURE);
1175
1176 // using category of "SOP" so we can link to MDN
1177 if (aInnerWindowID != 0) {
1178 rv = error->InitWithWindowID(
1179 message, ""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1180 aInnerWindowID, true /* From chrome context */);
1181 } else {
1182 rv = error->Init(message, ""_ns, 0, 0, nsIScriptError::errorFlag, "SOP"_ns,
1183 aFromPrivateWindow, true /* From chrome context */);
1184 }
1185 NS_ENSURE_SUCCESS(rv, rv);
1186 console->LogMessage(error);
1187 return NS_OK;
1188 }
1189
1190 nsresult nsScriptSecurityManager::ReportError(const char* aMessageTag,
1191 nsIURI* aSource, nsIURI* aTarget,
1192 bool aFromPrivateWindow,
1193 uint64_t aInnerWindowID) {
1194 NS_ENSURE_TRUE(aSource && aTarget, NS_ERROR_NULL_POINTER);
1195
1196 // Get the source URL spec
1197 nsAutoCString sourceSpec;
1198 nsresult rv = aSource->GetAsciiSpec(sourceSpec);
1199 NS_ENSURE_SUCCESS(rv, rv);
1200
1201 // Get the target URL spec
1202 nsAutoCString targetSpec;
1203 rv = aTarget->GetAsciiSpec(targetSpec);
1204 NS_ENSURE_SUCCESS(rv, rv);
1205
1206 return ReportError(aMessageTag, sourceSpec, targetSpec, aFromPrivateWindow,
1207 aInnerWindowID);
1208 }
1209
1210 NS_IMETHODIMP
1211 nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(
1212 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr,
1213 uint32_t aFlags) {
1214 nsresult rv;
1215 nsCOMPtr<nsIURI> target;
1216 rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr);
1217 NS_ENSURE_SUCCESS(rv, rv);
1218
1219 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1220 if (rv == NS_ERROR_DOM_BAD_URI) {
1221 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1222 // return values.
1223 return rv;
1224 }
1225 NS_ENSURE_SUCCESS(rv, rv);
1226
1227 // Now start testing fixup -- since aTargetURIStr is a string, not
1228 // an nsIURI, we may well end up fixing it up before loading.
1229 // Note: This needs to stay in sync with the nsIURIFixup api.
1230 nsCOMPtr<nsIURIFixup> fixup = components::URIFixup::Service();
1231 if (!fixup) {
1232 return rv;
1233 }
1234
1235 // URIFixup's keyword and alternate flags can only fixup to http/https, so we
1236 // can skip testing them. This simplifies our life because this code can be
1237 // invoked from the content process where the search service would not be
1238 // available.
1239 uint32_t flags[] = {nsIURIFixup::FIXUP_FLAG_NONE,
1240 nsIURIFixup::FIXUP_FLAG_FIX_SCHEME_TYPOS};
1241 for (uint32_t i = 0; i < std::size(flags); ++i) {
1242 uint32_t fixupFlags = flags[i];
1243 if (aPrincipal->OriginAttributesRef().IsPrivateBrowsing()) {
1244 fixupFlags |= nsIURIFixup::FIXUP_FLAG_PRIVATE_CONTEXT;
1245 }
1246 nsCOMPtr<nsIURIFixupInfo> fixupInfo;
1247 rv = fixup->GetFixupURIInfo(aTargetURIStr, fixupFlags,
1248 getter_AddRefs(fixupInfo));
1249 NS_ENSURE_SUCCESS(rv, rv);
1250 rv = fixupInfo->GetPreferredURI(getter_AddRefs(target));
1251 NS_ENSURE_SUCCESS(rv, rv);
1252
1253 rv = CheckLoadURIWithPrincipal(aPrincipal, target, aFlags, 0);
1254 if (rv == NS_ERROR_DOM_BAD_URI) {
1255 // Don't warn because NS_ERROR_DOM_BAD_URI is one of the expected
1256 // return values.
1257 return rv;
1258 }
1259 NS_ENSURE_SUCCESS(rv, rv);
1260 }
1261
1262 return rv;
1263 }
1264
1265 NS_IMETHODIMP
1266 nsScriptSecurityManager::CheckLoadURIWithPrincipalFromJS(
1267 nsIPrincipal* aPrincipal, nsIURI* aTargetURI, uint32_t aFlags,
1268 uint64_t aInnerWindowID, JSContext* aCx) {
1269 MOZ_ASSERT(aPrincipal,
1270 "CheckLoadURIWithPrincipalFromJS must have a principal");
1271 NS_ENSURE_ARG_POINTER(aPrincipal);
1272 NS_ENSURE_ARG_POINTER(aTargetURI);
1273
1274 nsresult rv =
1275 CheckLoadURIWithPrincipal(aPrincipal, aTargetURI, aFlags, aInnerWindowID);
1276 if (NS_FAILED(rv)) {
1277 nsAutoCString uriStr;
1278 Unused << aTargetURI->GetSpec(uriStr);
1279
1280 nsAutoCString message("Load of ");
1281 message.Append(uriStr);
1282
1283 nsAutoCString principalStr;
1284 Unused << aPrincipal->GetSpec(principalStr);
1285 if (!principalStr.IsEmpty()) {
1286 message.AppendPrintf(" from %s", principalStr.get());
1287 }
1288
1289 message.Append(" denied");
1290
1291 dom::Throw(aCx, rv, message);
1292 }
1293
1294 return rv;
1295 }
1296
1297 NS_IMETHODIMP
1298 nsScriptSecurityManager::CheckLoadURIStrWithPrincipalFromJS(
1299 nsIPrincipal* aPrincipal, const nsACString& aTargetURIStr, uint32_t aFlags,
1300 JSContext* aCx) {
1301 nsCOMPtr<nsIURI> targetURI;
1302 MOZ_TRY(NS_NewURI(getter_AddRefs(targetURI), aTargetURIStr));
1303
1304 return CheckLoadURIWithPrincipalFromJS(aPrincipal, targetURI, aFlags, 0, aCx);
1305 }
1306
1307 NS_IMETHODIMP
1308 nsScriptSecurityManager::InFileURIAllowlist(nsIURI* aUri, bool* aResult) {
1309 MOZ_ASSERT(aUri);
1310 MOZ_ASSERT(aResult);
1311
1312 *aResult = false;
1313 for (nsIURI* uri : EnsureFileURIAllowlist()) {
1314 if (EqualOrSubdomain(aUri, uri)) {
1315 *aResult = true;
1316 return NS_OK;
1317 }
1318 }
1319
1320 return NS_OK;
1321 }
1322
1323 ///////////////// Principals ///////////////////////
1324
1325 NS_IMETHODIMP
1326 nsScriptSecurityManager::GetSystemPrincipal(nsIPrincipal** result) {
1327 NS_ADDREF(*result = mSystemPrincipal);
1328
1329 return NS_OK;
1330 }
1331
1332 NS_IMETHODIMP
1333 nsScriptSecurityManager::CreateContentPrincipal(
1334 nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1335 nsIPrincipal** aPrincipal) {
1336 OriginAttributes attrs;
1337 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1338 return NS_ERROR_INVALID_ARG;
1339 }
1340 nsCOMPtr<nsIPrincipal> prin =
1341 BasePrincipal::CreateContentPrincipal(aURI, attrs);
1342 prin.forget(aPrincipal);
1343 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1344 }
1345
1346 NS_IMETHODIMP
1347 nsScriptSecurityManager::CreateContentPrincipalFromOrigin(
1348 const nsACString& aOrigin, nsIPrincipal** aPrincipal) {
1349 if (StringBeginsWith(aOrigin, "["_ns)) {
1350 return NS_ERROR_INVALID_ARG;
1351 }
1352
1353 if (StringBeginsWith(aOrigin,
1354 nsLiteralCString(NS_NULLPRINCIPAL_SCHEME ":"))) {
1355 return NS_ERROR_INVALID_ARG;
1356 }
1357
1358 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(aOrigin);
1359 prin.forget(aPrincipal);
1360 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1361 }
1362
1363 NS_IMETHODIMP
1364 nsScriptSecurityManager::PrincipalToJSON(nsIPrincipal* aPrincipal,
1365 nsACString& aJSON) {
1366 aJSON.Truncate();
1367 if (!aPrincipal) {
1368 return NS_ERROR_FAILURE;
1369 }
1370
1371 BasePrincipal::Cast(aPrincipal)->ToJSON(aJSON);
1372
1373 if (aJSON.IsEmpty()) {
1374 return NS_ERROR_FAILURE;
1375 }
1376
1377 return NS_OK;
1378 }
1379
1380 NS_IMETHODIMP
1381 nsScriptSecurityManager::JSONToPrincipal(const nsACString& aJSON,
1382 nsIPrincipal** aPrincipal) {
1383 if (aJSON.IsEmpty()) {
1384 return NS_ERROR_FAILURE;
1385 }
1386
1387 nsCOMPtr<nsIPrincipal> principal = BasePrincipal::FromJSON(aJSON);
1388
1389 if (!principal) {
1390 return NS_ERROR_FAILURE;
1391 }
1392
1393 principal.forget(aPrincipal);
1394 return NS_OK;
1395 }
1396
1397 NS_IMETHODIMP
1398 nsScriptSecurityManager::CreateNullPrincipal(
1399 JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx,
1400 nsIPrincipal** aPrincipal) {
1401 OriginAttributes attrs;
1402 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1403 return NS_ERROR_INVALID_ARG;
1404 }
1405 nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create(attrs);
1406 prin.forget(aPrincipal);
1407 return NS_OK;
1408 }
1409
1410 NS_IMETHODIMP
1411 nsScriptSecurityManager::GetLoadContextContentPrincipal(
1412 nsIURI* aURI, nsILoadContext* aLoadContext, nsIPrincipal** aPrincipal) {
1413 NS_ENSURE_STATE(aLoadContext);
1414 OriginAttributes docShellAttrs;
1415 aLoadContext->GetOriginAttributes(docShellAttrs);
1416
1417 nsCOMPtr<nsIPrincipal> prin =
1418 BasePrincipal::CreateContentPrincipal(aURI, docShellAttrs);
1419 prin.forget(aPrincipal);
1420 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1421 }
1422
1423 NS_IMETHODIMP
1424 nsScriptSecurityManager::GetDocShellContentPrincipal(
1425 nsIURI* aURI, nsIDocShell* aDocShell, nsIPrincipal** aPrincipal) {
1426 nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(
1427 aURI, nsDocShell::Cast(aDocShell)->GetOriginAttributes());
1428 prin.forget(aPrincipal);
1429 return *aPrincipal ? NS_OK : NS_ERROR_FAILURE;
1430 }
1431
1432 NS_IMETHODIMP
1433 nsScriptSecurityManager::PrincipalWithOA(
1434 nsIPrincipal* aPrincipal, JS::Handle<JS::Value> aOriginAttributes,
1435 JSContext* aCx, nsIPrincipal** aReturnPrincipal) {
1436 if (!aPrincipal) {
1437 return NS_OK;
1438 }
1439 if (aPrincipal->GetIsContentPrincipal()) {
1440 OriginAttributes attrs;
1441 if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) {
1442 return NS_ERROR_INVALID_ARG;
1443 }
1444 auto* contentPrincipal = static_cast<ContentPrincipal*>(aPrincipal);
1445 RefPtr<ContentPrincipal> copy =
1446 new ContentPrincipal(contentPrincipal, attrs);
1447 NS_ENSURE_TRUE(copy, NS_ERROR_FAILURE);
1448 copy.forget(aReturnPrincipal);
1449 } else {
1450 // We do this for null principals, system principals (both fine)
1451 // ... and expanded principals, where we should probably do something
1452 // cleverer, but I also don't think we care too much.
1453 nsCOMPtr<nsIPrincipal> prin = aPrincipal;
1454 prin.forget(aReturnPrincipal);
1455 }
1456
1457 return *aReturnPrincipal ? NS_OK : NS_ERROR_FAILURE;
1458 }
1459
1460 NS_IMETHODIMP
1461 nsScriptSecurityManager::CanCreateWrapper(JSContext* cx, const nsIID& aIID,
1462 nsISupports* aObj,
1463 nsIClassInfo* aClassInfo) {
1464 // XXX Special case for Exception ?
1465
1466 // We give remote-XUL allowlisted domains a free pass here. See bug 932906.
1467 JS::Rooted<JS::Realm*> contextRealm(cx, JS::GetCurrentRealmOrNull(cx));
1468 MOZ_RELEASE_ASSERT(contextRealm);
1469 if (!xpc::AllowContentXBLScope(contextRealm)) {
1470 return NS_OK;
1471 }
1472
1473 if (nsContentUtils::IsCallerChrome()) {
1474 return NS_OK;
1475 }
1476
1477 //-- Access denied, report an error
1478 nsAutoCString originUTF8;
1479 nsIPrincipal* subjectPrincipal = nsContentUtils::SubjectPrincipal();
1480 GetPrincipalDomainOrigin(subjectPrincipal, originUTF8);
1481 NS_ConvertUTF8toUTF16 originUTF16(originUTF8);
1482 nsAutoCString classInfoNameUTF8;
1483 if (aClassInfo) {
1484 aClassInfo->GetClassDescription(classInfoNameUTF8);
1485 }
1486 if (classInfoNameUTF8.IsEmpty()) {
1487 classInfoNameUTF8.AssignLiteral("UnnamedClass");
1488 }
1489
1490 nsCOMPtr<nsIStringBundle> bundle = BundleHelper::GetOrCreate();
1491 if (NS_WARN_IF(!bundle)) {
1492 return NS_OK;
1493 }
1494
1495 NS_ConvertUTF8toUTF16 classInfoUTF16(classInfoNameUTF8);
1496 nsresult rv;
1497 nsAutoString errorMsg;
1498 if (originUTF16.IsEmpty()) {
1499 AutoTArray<nsString, 1> formatStrings = {classInfoUTF16};
1500 rv = bundle->FormatStringFromName("CreateWrapperDenied", formatStrings,
1501 errorMsg);
1502 } else {
1503 AutoTArray<nsString, 2> formatStrings = {classInfoUTF16, originUTF16};
1504 rv = bundle->FormatStringFromName("CreateWrapperDeniedForOrigin",
1505 formatStrings, errorMsg);
1506 }
1507 NS_ENSURE_SUCCESS(rv, rv);
1508
1509 SetPendingException(cx, errorMsg.get());
1510 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1511 }
1512
1513 NS_IMETHODIMP
1514 nsScriptSecurityManager::CanCreateInstance(JSContext* cx, const nsCID& aCID) {
1515 if (nsContentUtils::IsCallerChrome()) {
1516 return NS_OK;
1517 }
1518
1519 //-- Access denied, report an error
1520 nsAutoCString errorMsg("Permission denied to create instance of class. CID=");
1521 char cidStr[NSID_LENGTH];
1522 aCID.ToProvidedString(cidStr);
1523 errorMsg.Append(cidStr);
1524 SetPendingExceptionASCII(cx, errorMsg.get());
1525 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1526 }
1527
1528 NS_IMETHODIMP
1529 nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
1530 if (nsContentUtils::IsCallerChrome()) {
1531 return NS_OK;
1532 }
1533
1534 //-- Access denied, report an error
1535 nsAutoCString errorMsg("Permission denied to get service. CID=");
1536 char cidStr[NSID_LENGTH];
1537 aCID.ToProvidedString(cidStr);
1538 errorMsg.Append(cidStr);
1539 SetPendingExceptionASCII(cx, errorMsg.get());
1540 return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
1541 }
1542
1543 const char sJSEnabledPrefName[] = "javascript.enabled";
1544 const char sFileOriginPolicyPrefName[] =
1545 "security.fileuri.strict_origin_policy";
1546
1547 static const char* kObservedPrefs[] = {sJSEnabledPrefName,
1548 sFileOriginPolicyPrefName,
1549 "capability.policy.", nullptr};
1550
1551 /////////////////////////////////////////////
1552 // Constructor, Destructor, Initialization //
1553 /////////////////////////////////////////////
1554 nsScriptSecurityManager::nsScriptSecurityManager(void)
1555 : mPrefInitialized(false), mIsJavaScriptEnabled(false) {
1556 static_assert(
1557 sizeof(intptr_t) == sizeof(void*),
1558 "intptr_t and void* have different lengths on this platform. "
1559 "This may cause a security failure with the SecurityLevel union.");
1560 }
1561
1562 nsresult nsScriptSecurityManager::Init() {
1563 nsresult rv;
1564 RefPtr<nsIIOService> io = mozilla::components::IO::Service(&rv);
1565 if (NS_FAILED(rv)) {
1566 return rv;
1567 }
1568 sIOService = std::move(io);
1569 InitPrefs();
1570
1571 // Create our system principal singleton
1572 mSystemPrincipal = SystemPrincipal::Init();
1573
1574 return NS_OK;
1575 }
1576
1577 void nsScriptSecurityManager::InitJSCallbacks(JSContext* aCx) {
1578 //-- Register security check callback in the JS engine
1579 // Currently this is used to control access to function.caller
1580
1581 static const JSSecurityCallbacks securityCallbacks = {
1582 ContentSecurityPolicyPermitsJSAction,
1583 TrustedTypeUtils::HostGetCodeForEval,
1584 JSPrincipalsSubsume,
1585 };
1586
1587 MOZ_ASSERT(!JS_GetSecurityCallbacks(aCx));
1588 JS_SetSecurityCallbacks(aCx, &securityCallbacks);
1589 JS_InitDestroyPrincipalsCallback(aCx, nsJSPrincipals::Destroy);
1590
1591 JS_SetTrustedPrincipals(aCx, BasePrincipal::Cast(mSystemPrincipal));
1592 }
1593
1594 /* static */
1595 void nsScriptSecurityManager::ClearJSCallbacks(JSContext* aCx) {
1596 JS_SetSecurityCallbacks(aCx, nullptr);
1597 JS_SetTrustedPrincipals(aCx, nullptr);
1598 }
1599
1600 static StaticRefPtr<nsScriptSecurityManager> gScriptSecMan;
1601
1602 nsScriptSecurityManager::~nsScriptSecurityManager(void) {
1603 Preferences::UnregisterPrefixCallbacks(
1604 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1605 if (mDomainPolicy) {
1606 mDomainPolicy->Deactivate();
1607 }
1608 // ContentChild might hold a reference to the domain policy,
1609 // and it might release it only after the security manager is
1610 // gone. But we can still assert this for the main process.
1611 MOZ_ASSERT_IF(XRE_IsParentProcess(), !mDomainPolicy);
1612 }
1613
1614 void nsScriptSecurityManager::Shutdown() {
1615 sIOService = nullptr;
1616 BundleHelper::Shutdown();
1617 SystemPrincipal::Shutdown();
1618 }
1619
1620 nsScriptSecurityManager* nsScriptSecurityManager::GetScriptSecurityManager() {
1621 return gScriptSecMan;
1622 }
1623
1624 /* static */
1625 void nsScriptSecurityManager::InitStatics() {
1626 RefPtr<nsScriptSecurityManager> ssManager = new nsScriptSecurityManager();
1627 nsresult rv = ssManager->Init();
1628 if (NS_FAILED(rv)) {
1629 MOZ_CRASH("ssManager->Init() failed");
1630 }
1631
1632 ClearOnShutdown(&gScriptSecMan);
1633 gScriptSecMan = ssManager;
1634 }
1635
1636 // Currently this nsGenericFactory constructor is used only from FastLoad
1637 // (XPCOM object deserialization) code, when "creating" the system principal
1638 // singleton.
1639 already_AddRefed<SystemPrincipal>
1640 nsScriptSecurityManager::SystemPrincipalSingletonConstructor() {
1641 if (gScriptSecMan)
1642 return do_AddRef(gScriptSecMan->mSystemPrincipal)
1643 .downcast<SystemPrincipal>();
1644 return nullptr;
1645 }
1646
1647 struct IsWhitespace {
1648 static bool Test(char aChar) { return NS_IsAsciiWhitespace(aChar); };
1649 };
1650 struct IsWhitespaceOrComma {
1651 static bool Test(char aChar) {
1652 return aChar == ',' || NS_IsAsciiWhitespace(aChar);
1653 };
1654 };
1655
1656 template <typename Predicate>
1657 uint32_t SkipPast(const nsCString& str, uint32_t base) {
1658 while (base < str.Length() && Predicate::Test(str[base])) {
1659 ++base;
1660 }
1661 return base;
1662 }
1663
1664 template <typename Predicate>
1665 uint32_t SkipUntil(const nsCString& str, uint32_t base) {
1666 while (base < str.Length() && !Predicate::Test(str[base])) {
1667 ++base;
1668 }
1669 return base;
1670 }
1671
1672 // static
1673 void nsScriptSecurityManager::ScriptSecurityPrefChanged(const char* aPref,
1674 void* aSelf) {
1675 static_cast<nsScriptSecurityManager*>(aSelf)->ScriptSecurityPrefChanged(
1676 aPref);
1677 }
1678
1679 inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
1680 const char* aPref) {
1681 MOZ_ASSERT(mPrefInitialized);
1682 mIsJavaScriptEnabled =
1683 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
1684 sStrictFileOriginPolicy =
1685 Preferences::GetBool(sFileOriginPolicyPrefName, false);
1686 mFileURIAllowlist.reset();
1687 }
1688
1689 void nsScriptSecurityManager::AddSitesToFileURIAllowlist(
1690 const nsCString& aSiteList) {
1691 for (uint32_t base = SkipPast<IsWhitespace>(aSiteList, 0), bound = 0;
1692 base < aSiteList.Length();
1693 base = SkipPast<IsWhitespace>(aSiteList, bound)) {
1694 // Grab the current site.
1695 bound = SkipUntil<IsWhitespace>(aSiteList, base);
1696 nsAutoCString site(Substring(aSiteList, base, bound - base));
1697
1698 // Check if the URI is schemeless. If so, add both http and https.
1699 nsAutoCString unused;
1700 if (NS_FAILED(sIOService->ExtractScheme(site, unused))) {
1701 AddSitesToFileURIAllowlist("http://"_ns + site);
1702 AddSitesToFileURIAllowlist("https://"_ns + site);
1703 continue;
1704 }
1705
1706 // Convert it to a URI and add it to our list.
1707 nsCOMPtr<nsIURI> uri;
1708 nsresult rv = NS_NewURI(getter_AddRefs(uri), site);
1709 if (NS_SUCCEEDED(rv)) {
1710 mFileURIAllowlist.ref().AppendElement(uri);
1711 } else {
1712 nsCOMPtr<nsIConsoleService> console(
1713 do_GetService("@mozilla.org/consoleservice;1"));
1714 if (console) {
1715 nsAutoString msg =
1716 u"Unable to to add site to file:// URI allowlist: "_ns +
1717 NS_ConvertASCIItoUTF16(site);
1718 console->LogStringMessage(msg.get());
1719 }
1720 }
1721 }
1722 }
1723
1724 nsresult nsScriptSecurityManager::InitPrefs() {
1725 nsIPrefBranch* branch = Preferences::GetRootBranch();
1726 NS_ENSURE_TRUE(branch, NS_ERROR_FAILURE);
1727
1728 mPrefInitialized = true;
1729
1730 // Set the initial value of the "javascript.enabled" prefs
1731 ScriptSecurityPrefChanged();
1732
1733 // set observer callbacks in case the value of the prefs change
1734 Preferences::RegisterPrefixCallbacks(
1735 nsScriptSecurityManager::ScriptSecurityPrefChanged, kObservedPrefs, this);
1736
1737 return NS_OK;
1738 }
1739
1740 NS_IMETHODIMP
1741 nsScriptSecurityManager::GetDomainPolicyActive(bool* aRv) {
1742 *aRv = !!mDomainPolicy;
1743 return NS_OK;
1744 }
1745
1746 NS_IMETHODIMP
1747 nsScriptSecurityManager::ActivateDomainPolicy(nsIDomainPolicy** aRv) {
1748 if (!XRE_IsParentProcess()) {
1749 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1750 }
1751
1752 return ActivateDomainPolicyInternal(aRv);
1753 }
1754
1755 NS_IMETHODIMP
1756 nsScriptSecurityManager::ActivateDomainPolicyInternal(nsIDomainPolicy** aRv) {
1757 // We only allow one domain policy at a time. The holder of the previous
1758 // policy must explicitly deactivate it first.
1759 if (mDomainPolicy) {
1760 return NS_ERROR_SERVICE_NOT_AVAILABLE;
1761 }
1762
1763 mDomainPolicy = new DomainPolicy();
1764 nsCOMPtr<nsIDomainPolicy> ptr = mDomainPolicy;
1765 ptr.forget(aRv);
1766 return NS_OK;
1767 }
1768
1769 // Intentionally non-scriptable. Script must have a reference to the
1770 // nsIDomainPolicy to deactivate it.
1771 void nsScriptSecurityManager::DeactivateDomainPolicy() {
1772 mDomainPolicy = nullptr;
1773 }
1774
1775 void nsScriptSecurityManager::CloneDomainPolicy(DomainPolicyClone* aClone) {
1776 MOZ_ASSERT(aClone);
1777 if (mDomainPolicy) {
1778 mDomainPolicy->CloneDomainPolicy(aClone);
1779 } else {
1780 aClone->active() = false;
1781 }
1782 }
1783
1784 NS_IMETHODIMP
1785 nsScriptSecurityManager::PolicyAllowsScript(nsIURI* aURI, bool* aRv) {
1786 nsresult rv;
1787
1788 // Compute our rule. If we don't have any domain policy set up that might
1789 // provide exceptions to this rule, we're done.
1790 *aRv = mIsJavaScriptEnabled;
1791 if (!mDomainPolicy) {
1792 return NS_OK;
1793 }
1794
1795 // We have a domain policy. Grab the appropriate set of exceptions to the
1796 // rule (either the blocklist or the allowlist, depending on whether script
1797 // is enabled or disabled by default).
1798 nsCOMPtr<nsIDomainSet> exceptions;
1799 nsCOMPtr<nsIDomainSet> superExceptions;
1800 if (*aRv) {
1801 mDomainPolicy->GetBlocklist(getter_AddRefs(exceptions));
1802 mDomainPolicy->GetSuperBlocklist(getter_AddRefs(superExceptions));
1803 } else {
1804 mDomainPolicy->GetAllowlist(getter_AddRefs(exceptions));
1805 mDomainPolicy->GetSuperAllowlist(getter_AddRefs(superExceptions));
1806 }
1807
1808 bool contains;
1809 rv = exceptions->Contains(aURI, &contains);
1810 NS_ENSURE_SUCCESS(rv, rv);
1811 if (contains) {
1812 *aRv = !*aRv;
1813 return NS_OK;
1814 }
1815 rv = superExceptions->ContainsSuperDomain(aURI, &contains);
1816 NS_ENSURE_SUCCESS(rv, rv);
1817 if (contains) {
1818 *aRv = !*aRv;
1819 }
1820
1821 return NS_OK;
1822 }
1823
1824 const nsTArray<nsCOMPtr<nsIURI>>&
1825 nsScriptSecurityManager::EnsureFileURIAllowlist() {
1826 if (mFileURIAllowlist.isSome()) {
1827 return mFileURIAllowlist.ref();
1828 }
1829
1830 //
1831 // Rebuild the set of principals for which we allow file:// URI loads. This
1832 // implements a small subset of an old pref-based CAPS people that people
1833 // have come to depend on. See bug 995943.
1834 //
1835
1836 mFileURIAllowlist.emplace();
1837 nsAutoCString policies;
1838 mozilla::Preferences::GetCString("capability.policy.policynames", policies);
1839 for (uint32_t base = SkipPast<IsWhitespaceOrComma>(policies, 0), bound = 0;
1840 base < policies.Length();
1841 base = SkipPast<IsWhitespaceOrComma>(policies, bound)) {
1842 // Grab the current policy name.
1843 bound = SkipUntil<IsWhitespaceOrComma>(policies, base);
1844 auto policyName = Substring(policies, base, bound - base);
1845
1846 // Figure out if this policy allows loading file:// URIs. If not, we can
1847 // skip it.
1848 nsCString checkLoadURIPrefName =
1849 "capability.policy."_ns + policyName + ".checkloaduri.enabled"_ns;
1850 nsAutoString value;
1851 nsresult rv = Preferences::GetString(checkLoadURIPrefName.get(), value);
1852 if (NS_FAILED(rv) || !value.LowerCaseEqualsLiteral("allaccess")) {
1853 continue;
1854 }
1855
1856 // Grab the list of domains associated with this policy.
1857 nsCString domainPrefName =
1858 "capability.policy."_ns + policyName + ".sites"_ns;
1859 nsAutoCString siteList;
1860 Preferences::GetCString(domainPrefName.get(), siteList);
1861 AddSitesToFileURIAllowlist(siteList);
1862 }
1863
1864 return mFileURIAllowlist.ref();
1865 }