dom/security/ReferrerInfo.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef mozilla_dom_ReferrerInfo_h
   8 #define mozilla_dom_ReferrerInfo_h
   9
  10 #include "nsCOMPtr.h"
  11 #include "nsIReferrerInfo.h"
  12 #include "nsReadableUtils.h"
  13 #include "mozilla/Maybe.h"
  14 #include "mozilla/HashFunctions.h"
  15 #include "mozilla/dom/ReferrerPolicyBinding.h"
  16
  17 #define REFERRERINFO_CONTRACTID "@mozilla.org/referrer-info;1"
  18 // 041a129f-10ce-4bda-a60d-e027a26d5ed0
  19 #define REFERRERINFO_CID                             \
  20   {                                                  \
  21     0x041a129f, 0x10ce, 0x4bda, {                    \
  22       0xa6, 0x0d, 0xe0, 0x27, 0xa2, 0x6d, 0x5e, 0xd0 \
  23     }                                                \
  24   }
  25
  26 class nsIHttpChannel;
  27 class nsIURI;
  28 class nsIChannel;
  29 class nsILoadInfo;
  30 class nsINode;
  31 class nsIPrincipal;
  32
  33 namespace mozilla {
  34 class StyleSheet;
  35 class URLAndReferrerInfo;
  36
  37 namespace net {
  38 class HttpBaseChannel;
  39 class nsHttpChannel;
  40 }  // namespace net
  41 }  // namespace mozilla
  42
  43 namespace mozilla::dom {
  44
  45 /**
  46  * The ReferrerInfo class holds the raw referrer and potentially a referrer
  47  * policy which allows to query the computed referrer which should be applied to
  48  * a channel as the actual referrer value.
  49  *
  50  * The ReferrerInfo class solely contains readonly fields and represents a 1:1
  51  * sync to the referrer header of the corresponding channel. In turn that means
  52  * the class is immutable - so any modifications require to clone the current
  53  * ReferrerInfo.
  54  *
  55  * For example if a request undergoes a redirect, the new channel
  56  * will need a new ReferrerInfo clone with members being updated accordingly.
  57  */
  58
  59 class ReferrerInfo : public nsIReferrerInfo {
  60  public:
  61   typedef enum ReferrerPolicy ReferrerPolicyEnum;
  62   ReferrerInfo();
  63
  64   explicit ReferrerInfo(
  65       nsIURI* aOriginalReferrer,
  66       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty,
  67       bool aSendReferrer = true,
  68       const Maybe<nsCString>& aComputedReferrer = Maybe<nsCString>());
  69
  70   // Creates already initialized ReferrerInfo from an element or a document.
  71   explicit ReferrerInfo(const Element&);
  72   explicit ReferrerInfo(const Document&, const bool = true);
  73
  74   // Creates already initialized ReferrerInfo from an element or a document with
  75   // a specific referrer policy.
  76   ReferrerInfo(const Element&, ReferrerPolicyEnum);
  77
  78   // create an exact copy of the ReferrerInfo
  79   already_AddRefed<ReferrerInfo> Clone() const;
  80
  81   // create an copy of the ReferrerInfo with new referrer policy
  82   already_AddRefed<ReferrerInfo> CloneWithNewPolicy(
  83       ReferrerPolicyEnum aPolicy) const;
  84
  85   // create an copy of the ReferrerInfo with new original referrer
  86   already_AddRefed<ReferrerInfo> CloneWithNewOriginalReferrer(
  87       nsIURI* aOriginalReferrer) const;
  88
  89   // Record the telemetry for the referrer policy.
  90   void RecordTelemetry(nsIHttpChannel* aChannel);
  91
  92   /*
  93    * Helper function to create a new ReferrerInfo object from a given document
  94    * and override referrer policy if needed (for example, when parsing link
  95    * header or speculative loading).
  96    *
  97    * @param aDocument the document to init referrerInfo object.
  98    * @param aPolicyOverride referrer policy to override if necessary.
  99    */
 100   static already_AddRefed<nsIReferrerInfo> CreateFromDocumentAndPolicyOverride(
 101       Document* aDoc, ReferrerPolicyEnum aPolicyOverride);
 102
 103   /*
 104    * Implements step 3.1 and 3.3 of the Determine request's Referrer algorithm
 105    * from the Referrer Policy specification.
 106    *
 107    * https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
 108    */
 109   static already_AddRefed<nsIReferrerInfo> CreateForFetch(
 110       nsIPrincipal* aPrincipal, Document* aDoc);
 111
 112   /**
 113    * Helper function to create new ReferrerInfo object from a given external
 114    * stylesheet. The returned nsIReferrerInfo object will be used for any
 115    * requests or resources referenced by the sheet.
 116    *
 117    * @param aSheet the stylesheet to init referrerInfo.
 118    * @param aPolicy referrer policy from header if there's any.
 119    */
 120   static already_AddRefed<nsIReferrerInfo> CreateForExternalCSSResources(
 121       StyleSheet* aExternalSheet,
 122       ReferrerPolicyEnum aPolicy = ReferrerPolicy::_empty);
 123
 124   /**
 125    * Helper function to create new ReferrerInfo object from a given document.
 126    * The returned nsIReferrerInfo object will be used for any requests or
 127    * resources referenced by internal stylesheet (for example style="" or
 128    * wrapped by <style> tag), as well as SVG resources.
 129    *
 130    * @param aDocument the document to init referrerInfo object.
 131    */
 132   static already_AddRefed<nsIReferrerInfo> CreateForInternalCSSAndSVGResources(
 133       Document* aDocument);
 134
 135   /**
 136    * Check whether the given referrer's scheme is allowed to be computed and
 137    * sent. The allowlist schemes are: http, https.
 138    */
 139   static bool IsReferrerSchemeAllowed(nsIURI* aReferrer);
 140
 141   /*
 142    * The Referrer Policy should be inherited for nested browsing contexts that
 143    * are not created from responses. Such as: srcdoc, data, blob.
 144    */
 145   static bool ShouldResponseInheritReferrerInfo(nsIChannel* aChannel);
 146
 147   /*
 148    * Check whether referrer is allowed to send in secure to insecure scenario.
 149    */
 150   static nsresult HandleSecureToInsecureReferral(nsIURI* aOriginalURI,
 151                                                  nsIURI* aURI,
 152                                                  ReferrerPolicyEnum aPolicy,
 153                                                  bool& aAllowed);
 154
 155   /**
 156    * Returns true if the given channel is cross-origin request
 157    *
 158    * Computing whether the request is cross-origin may be expensive, so please
 159    * do that in cases where we're going to use this information later on.
 160    */
 161   static bool IsCrossOriginRequest(nsIHttpChannel* aChannel);
 162
 163   /**
 164    * Returns true if aReferrer's origin and aChannel's URI are cross-origin.
 165    */
 166   static bool IsReferrerCrossOrigin(nsIHttpChannel* aChannel,
 167                                     nsIURI* aReferrer);
 168
 169   /**
 170    * Returns true if the given channel is cross-site request.
 171    */
 172   static bool IsCrossSiteRequest(nsIHttpChannel* aChannel);
 173
 174   /**
 175    * Returns true if the given channel is suppressed by Referrer-Policy header
 176    * and should set "null" to Origin header.
 177    */
 178   static bool ShouldSetNullOriginHeader(net::HttpBaseChannel* aChannel,
 179                                         nsIURI* aOriginURI);
 180
 181   /**
 182    * Getter for network.http.sendRefererHeader.
 183    */
 184   static uint32_t GetUserReferrerSendingPolicy();
 185
 186   /**
 187    * Getter for network.http.referer.XOriginPolicy.
 188    */
 189   static uint32_t GetUserXOriginSendingPolicy();
 190
 191   /**
 192    * Getter for network.http.referer.trimmingPolicy.
 193    */
 194   static uint32_t GetUserTrimmingPolicy();
 195
 196   /**
 197    * Getter for network.http.referer.XOriginTrimmingPolicy.
 198    */
 199   static uint32_t GetUserXOriginTrimmingPolicy();
 200
 201   /**
 202    * Return default referrer policy which is controlled by user
 203    * prefs:
 204    * network.http.referer.defaultPolicy for regular mode
 205    * network.http.referer.defaultPolicy.trackers for third-party trackers
 206    * in regular mode
 207    * network.http.referer.defaultPolicy.pbmode for private mode
 208    * network.http.referer.defaultPolicy.trackers.pbmode for third-party trackers
 209    * in private mode
 210    */
 211   static ReferrerPolicyEnum GetDefaultReferrerPolicy(
 212       nsIHttpChannel* aChannel = nullptr, nsIURI* aURI = nullptr,
 213       bool aPrivateBrowsing = false);
 214
 215   /**
 216    * Return default referrer policy for third party which is controlled by user
 217    * prefs:
 218    * network.http.referer.defaultPolicy.trackers for regular mode
 219    * network.http.referer.defaultPolicy.trackers.pbmode for private mode
 220    */
 221   static ReferrerPolicyEnum GetDefaultThirdPartyReferrerPolicy(
 222       bool aPrivateBrowsing = false);
 223
 224   /*
 225    * Helper function to parse ReferrerPolicy from meta tag referrer content.
 226    * For example: <meta name="referrer" content="origin">
 227    *
 228    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 229    *                 e.g. "origin".
 230    */
 231   static ReferrerPolicyEnum ReferrerPolicyFromMetaString(
 232       const nsAString& aContent);
 233
 234   /*
 235    * Helper function to parse ReferrerPolicy from string content of
 236    * referrerpolicy attribute.
 237    * For example: <a href="http://example.com" referrerpolicy="no-referrer">
 238    *
 239    * @param aContent content string to be transformed into ReferrerPolicyEnum,
 240    *                 e.g. "no-referrer".
 241    */
 242   static ReferrerPolicyEnum ReferrerPolicyAttributeFromString(
 243       const nsAString& aContent);
 244
 245   /*
 246    * Helper function to parse ReferrerPolicy from string content of
 247    * Referrer-Policy header.
 248    * For example: Referrer-Policy: origin no-referrer
 249    * https://www.w3.org/tr/referrer-policy/#parse-referrer-policy-from-header
 250    *
 251    * @param aContent content string to be transformed into ReferrerPolicyEnum.
 252    *                e.g. "origin no-referrer"
 253    */
 254   static ReferrerPolicyEnum ReferrerPolicyFromHeaderString(
 255       const nsAString& aContent);
 256
 257   /**
 258    * Hash function for this object
 259    */
 260   HashNumber Hash() const;
 261
 262   NS_DECL_THREADSAFE_ISUPPORTS
 263   NS_DECL_NSIREFERRERINFO
 264   NS_DECL_NSISERIALIZABLE
 265
 266  private:
 267   virtual ~ReferrerInfo() = default;
 268
 269   ReferrerInfo(const ReferrerInfo& rhs);
 270
 271   /*
 272    * Trimming policy when compute referrer, indicate how much information in the
 273    * referrer will be sent. Order matters here.
 274    */
 275   enum TrimmingPolicy : uint32_t {
 276     ePolicyFullURI = 0,
 277     ePolicySchemeHostPortPath = 1,
 278     ePolicySchemeHostPort = 2,
 279   };
 280
 281   /*
 282    * Referrer sending policy, indicates type of action could trigger to send
 283    * referrer header, not send at all, send only with user's action (click on a
 284    * link) or send even with inline content request (image request).
 285    * Order matters here.
 286    */
 287   enum ReferrerSendingPolicy : uint32_t {
 288     ePolicyNotSend = 0,
 289     ePolicySendWhenUserTrigger = 1,
 290     ePolicySendInlineContent = 2,
 291   };
 292
 293   /*
 294    * Sending referrer when cross origin policy, indicates when referrer should
 295    * be send when compare 2 origins. Order matters here.
 296    */
 297   enum XOriginSendingPolicy : uint32_t {
 298     ePolicyAlwaysSend = 0,
 299     ePolicySendWhenSameDomain = 1,
 300     ePolicySendWhenSameHost = 2,
 301   };
 302
 303   /*
 304    * Handle user controlled pref network.http.referer.XOriginPolicy
 305    */
 306   nsresult HandleUserXOriginSendingPolicy(nsIURI* aURI, nsIURI* aReferrer,
 307                                           bool& aAllowed) const;
 308
 309   /*
 310    * Handle user controlled pref network.http.sendRefererHeader
 311    */
 312   nsresult HandleUserReferrerSendingPolicy(nsIHttpChannel* aChannel,
 313                                            bool& aAllowed) const;
 314
 315   /*
 316    * Compute trimming policy from user controlled prefs.
 317    * This function is called when we already made sure a nonempty referrer is
 318    * allowed to send.
 319    */
 320   TrimmingPolicy ComputeTrimmingPolicy(nsIHttpChannel* aChannel,
 321                                        nsIURI* aReferrer) const;
 322
 323   // HttpBaseChannel could access IsInitialized() and ComputeReferrer();
 324   friend class mozilla::net::HttpBaseChannel;
 325
 326   /*
 327    * Compute referrer for a given channel. The computation result then will be
 328    * stored in this class and then used to set the actual referrer header of
 329    * the channel. The computation could be controlled by several user prefs
 330    * which are defined in StaticPrefList.yaml (see StaticPrefList.yaml for more
 331    * details):
 332    *  network.http.sendRefererHeader
 333    *  network.http.referer.spoofSource
 334    *  network.http.referer.hideOnionSource
 335    *  network.http.referer.XOriginPolicy
 336    *  network.http.referer.trimmingPolicy
 337    *  network.http.referer.XOriginTrimmingPolicy
 338    */
 339   nsresult ComputeReferrer(nsIHttpChannel* aChannel);
 340
 341   /*
 342    * Check whether the ReferrerInfo has been initialized or not.
 343    */
 344   bool IsInitialized() { return mInitialized; }
 345
 346   // nsHttpChannel, Document could access IsPolicyOverrided();
 347   friend class mozilla::net::nsHttpChannel;
 348   friend class mozilla::dom::Document;
 349   /*
 350    * Check whether if unset referrer policy is overrided by default or not
 351    */
 352   bool IsPolicyOverrided() { return mOverridePolicyByDefault; }
 353
 354   /*
 355    *  Get origin string from a given valid referrer URI (http, https)
 356    *
 357    *  @aReferrer - the full referrer URI
 358    *  @aResult - the resulting aReferrer in string format.
 359    */
 360   nsresult GetOriginFromReferrerURI(nsIURI* aReferrer,
 361                                     nsACString& aResult) const;
 362
 363   /*
 364    * Trim a given referrer with a given a trimming policy,
 365    */
 366   nsresult TrimReferrerWithPolicy(nsIURI* aReferrer,
 367                                   TrimmingPolicy aTrimmingPolicy,
 368                                   nsACString& aResult) const;
 369
 370   /**
 371    * Returns true if we should ignore less restricted referrer policies,
 372    * including 'unsafe_url', 'no_referrer_when_downgrade' and
 373    * 'origin_when_cross_origin', for the given channel. We only apply this
 374    * restriction for cross-site requests. For the same-site request, we will
 375    * still allow overriding the default referrer policy with less restricted
 376    * one.
 377    *
 378    * Note that the channel triggered by the system and the extension will be
 379    * exempt from this restriction.
 380    */
 381   bool ShouldIgnoreLessRestrictedPolicies(
 382       nsIHttpChannel* aChannel, const ReferrerPolicyEnum aPolicy) const;
 383
 384   /*
 385    *  Limit referrer length using the following ruleset:
 386    *   - If the length of referrer URL is over max length, strip down to origin.
 387    *   - If the origin is still over max length, remove the referrer entirely.
 388    *
 389    *  This function comlements TrimReferrerPolicy and needs to be called right
 390    *  after TrimReferrerPolicy.
 391    *
 392    *  @aChannel - used to query information needed for logging to the console.
 393    *  @aReferrer - the full referrer URI; needs to be identical to aReferrer
 394    *               passed to TrimReferrerPolicy.
 395    *  @aTrimmingPolicy - represents the trimming policy which was applied to the
 396    *                     referrer; needs to be identical to aTrimmingPolicy
 397    *                     passed to TrimReferrerPolicy.
 398    *  @aInAndOutTrimmedReferrer -  an in and outgoing argument representing the
 399    *                               referrer value. Please pass the result of
 400    *                               TrimReferrerWithPolicy as
 401    *                               aInAndOutTrimmedReferrer which will then be
 402    *                               reduced to the origin or completely truncated
 403    *                               in case the referrer value exceeds the length
 404    *                               limitation.
 405    */
 406   nsresult LimitReferrerLength(nsIHttpChannel* aChannel, nsIURI* aReferrer,
 407                                TrimmingPolicy aTrimmingPolicy,
 408                                nsACString& aInAndOutTrimmedReferrer) const;
 409
 410   /**
 411    * The helper function to read the old data format before gecko 100 for
 412    * deserialization.
 413    */
 414   nsresult ReadTailDataBeforeGecko100(const uint32_t& aData,
 415                                       nsIObjectInputStream* aInputStream);
 416
 417   /*
 418    * Write message to the error console
 419    */
 420   void LogMessageToConsole(nsIHttpChannel* aChannel, const char* aMsg,
 421                            const nsTArray<nsString>& aParams) const;
 422
 423   friend class mozilla::URLAndReferrerInfo;
 424
 425   nsCOMPtr<nsIURI> mOriginalReferrer;
 426
 427   ReferrerPolicyEnum mPolicy;
 428
 429   // The referrer policy that has been set originally for the channel. Note that
 430   // the policy may have been overridden by the default referrer policy, so we
 431   // need to keep track of this if we need to recover the original referrer
 432   // policy.
 433   ReferrerPolicyEnum mOriginalPolicy;
 434
 435   // Indicates if the referrer should be sent or not even when it's available
 436   // (default is true).
 437   bool mSendReferrer;
 438
 439   // Since the ReferrerInfo is immutable, we use this member as a helper to
 440   // ensure no one can call e.g. init() twice to modify state of the
 441   // ReferrerInfo.
 442   bool mInitialized;
 443
 444   // Indicates if unset referrer policy is overrided by default
 445   bool mOverridePolicyByDefault;
 446
 447   // Store a computed referrer for a given channel
 448   Maybe<nsCString> mComputedReferrer;
 449
 450 #ifdef DEBUG
 451   // Indicates if the telemetry has been recorded. This is used to make sure the
 452   // telemetry will be only recored once.
 453   bool mTelemetryRecorded = false;
 454 #endif  // DEBUG
 455 };
 456
 457 }  // namespace mozilla::dom
 458
 459 #endif  // mozilla_dom_ReferrerInfo_h