mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 14:30:27 +00:00
roytam1
1e24b22ef4
- Bug 1150366 - Remove duplicate d3.js. r=jsantell (71f991da6) - Bug 1175352 - Refactor LoadInfo arguments to be more self contained (r=bent) (3f7d08164) - Bug 1181533 - Add nsCRTGlue.h and prtime.h includes to nsDownloadManager.cpp to fix --disable-safe-browsing build bustage. r=froydnj (af338edf1) - Bug 905127 - Part 1 - Make some functions from nsNetUtil not inline. r=jduell Bug 905127 - Part 2 - remove unnecessary nsNetUtil.h includes r=jduell Bug 905127 - Make some functions from nsNetUtil not inline. r=jduell (bc47d5b3a) - Bug 1117650 - Part 1: Move all CORS tests into dom/security/test. r=sicking (6f727387c) - Bug 1117650 - Part 2: Move all MixedContent tests into dom/security/test. r=tanvi (73f273829) - Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specifed - tests (r=sstamm) (ebf411159) - Bug 921493 - CSP: test whitelisting of scheme-relative sources (r=dveditz) (f0618b189) - Bug 1139569 - Optimize update function for element editors in markup view;r=mratcliffe (c60d38dca) - Partil of Bug 1139644 - Make markupview use sdk timers instead of individual timers for each window;r=pbrosset (8bc1a4d66) - Bug 1146568 - Avoid unsafe CPOW usage warnings in browser_markupview_tag_edit_08.js; r=bgrins Making use of the devtools test frame-script to set the test node's attributes instead of using a CPOW. (61d7eed64) - Bug 1146568 - Avoid unsafe CPOW usage in markupview tests, in assertAttributes helper; r=bgrins (efc492d5d) - Bug 858038 - Allow moving elements in the markupview by drag/drop; r=pbrosset (51d79c15c) - Bug 1139644 - Flash only relevant attributes in markup view when changed;r=pbrosset (29807fa46) - Bug 1147128 - Make sure attribute shows up in markup view after removing and setting to the previous value;r=mratcliffe (1947f7417) - Bug 1147325 - Clear box model timer on markup view destroy. r=pbrosset Prevents 'this._inspector.toolbox is null' spam in mochitest-dt (1d6808b4a) - Bug 921102 - 1 - Linkify URIs in the inspector; r=tromey, miker This first part adds a parser for node attributes which, given some node information and an attribute name, generates a small AST-like array of objects that tells which parts of the attribute (if any) are links, and what they link to. Using this, the markup-view generates the right HTML structure to display these parts as links. This part 1 doesn't yet allow users to follow these links. (c500e270e) - Bug 1139667 - CSP tests for fetch(). r=ckirschb (df030457f) - Bug 1086999 - CSP: Asterisk (*) wildcard should not allow blob:, data:, or filesystem: when matching source expressions - tests (r=sstamm) (dee0f2239) - Bug 1117650 - Part 3: Move all CSP tests into dom/security/test. r=sstamm (29c95475c) - Bug 1146566 - 1 - Use devtools common frame-script in markupview tests and add helper; r=bgrins (b10e42468) - Bug 1146566 - 2 - Avoid using CPOWs in test browser_markupview_tag_edit_03.js; r=bgrins This change updates the browser_markupview_tag_edit_03.js test by making use of the getDomElementInfo message listener to retrieve information about the tested nodes without having to go through CPOWs. (07f0ee3ff) - Bug 1036324 - Adds option to walker.parents() to not traverse DocShellTreeItems of different types (24123a5d2) - Bug 921102 - 2 - Markup-view tests for attribute links; r=miker (f6da81799) - Bug 901250 - Add scroll into view menu item for the inspector. r=bgrins (bfc7518b1) - Bug 994055 - Part 1: Add a toggle sidebar panel button to the inspector. r=miker This adds a new icon, next to the searchbox (like in the debugger) to expand or collapse the sidebar panel in the inspector. The state is *not* persisted yet when the toolbox is closed. The button is hidden when the toolbox host switches to 'side'. (87730e20a) - Bug 994055 - Part 2: Add tests for the inspector sidebar toggle button. r=miker (2872c3fbd) - Bug 921102 - 3 - Open/copy markup-view attribute links; r=bgrins This part adds contextual menu items that become enabled when the user right clicks on an attribute that has a link. Depending on the nature of the link, a new tab will be opened or a node selected. The user can also choose to copy the link in the clipboard. (9b93485f6) - Bug 921102 - 4 - Tests for the open/copy links on markup-view attributes; r=bgrins (861ba51f6)
811 lines
33 KiB
C++
811 lines
33 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsMixedContentBlocker.h"
|
|
|
|
#include "nsContentPolicyUtils.h"
|
|
#include "nsThreadUtils.h"
|
|
#include "nsINode.h"
|
|
#include "nsCOMPtr.h"
|
|
#include "nsIDocShell.h"
|
|
#include "nsISecurityEventSink.h"
|
|
#include "nsIWebProgressListener.h"
|
|
#include "nsContentUtils.h"
|
|
#include "nsIRequest.h"
|
|
#include "nsIDocument.h"
|
|
#include "nsIContentViewer.h"
|
|
#include "nsIChannel.h"
|
|
#include "nsIHttpChannel.h"
|
|
#include "nsIParentChannel.h"
|
|
#include "mozilla/Preferences.h"
|
|
#include "nsIScriptObjectPrincipal.h"
|
|
#include "nsISecureBrowserUI.h"
|
|
#include "nsIDocumentLoader.h"
|
|
#include "nsIWebNavigation.h"
|
|
#include "nsLoadGroup.h"
|
|
#include "nsIScriptError.h"
|
|
#include "nsIURI.h"
|
|
#include "nsIChannelEventSink.h"
|
|
#include "nsAsyncRedirectVerifyHelper.h"
|
|
#include "mozilla/LoadInfo.h"
|
|
|
|
#include "mozilla/Logging.h"
|
|
|
|
using namespace mozilla;
|
|
|
|
enum nsMixedContentBlockerMessageType {
|
|
eBlocked = 0x00,
|
|
eUserOverride = 0x01
|
|
};
|
|
|
|
// Is mixed script blocking (fonts, plugin content, scripts, stylesheets,
|
|
// iframes, websockets, XHR) enabled?
|
|
bool nsMixedContentBlocker::sBlockMixedScript = false;
|
|
|
|
// Is mixed display content blocking (images, audio, video, <a ping>) enabled?
|
|
bool nsMixedContentBlocker::sBlockMixedDisplay = false;
|
|
|
|
// Fired at the document that attempted to load mixed content. The UI could
|
|
// handle this event, for example, by displaying an info bar that offers the
|
|
// choice to reload the page with mixed content permitted.
|
|
class nsMixedContentEvent : public nsRunnable
|
|
{
|
|
public:
|
|
nsMixedContentEvent(nsISupports *aContext, MixedContentTypes aType)
|
|
: mContext(aContext), mType(aType)
|
|
{}
|
|
|
|
NS_IMETHOD Run()
|
|
{
|
|
NS_ASSERTION(mContext,
|
|
"You can't call this runnable without a requesting context");
|
|
|
|
// To update the security UI in the tab with the blocked mixed content, call
|
|
// nsISecurityEventSink::OnSecurityChange. You can get to the event sink by
|
|
// calling NS_CP_GetDocShellFromContext on the context, and QI'ing to
|
|
// nsISecurityEventSink.
|
|
|
|
|
|
// Mixed content was allowed and is about to load; get the document and
|
|
// set the approriate flag to true if we are about to load Mixed Active
|
|
// Content.
|
|
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(mContext);
|
|
if (!docShell) {
|
|
return NS_OK;
|
|
}
|
|
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
|
|
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
|
|
NS_ASSERTION(sameTypeRoot, "No document shell root tree item from document shell tree item!");
|
|
|
|
// now get the document from sameTypeRoot
|
|
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
|
|
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
|
|
|
|
|
|
if (mType == eMixedScript) {
|
|
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
|
|
if (rootDoc->GetHasMixedActiveContentLoaded()) {
|
|
return NS_OK;
|
|
}
|
|
rootDoc->SetHasMixedActiveContentLoaded(true);
|
|
|
|
// Update the security UI in the tab with the allowed mixed active content
|
|
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
|
|
if (eventSink) {
|
|
// If mixed display content is loaded, make sure to include that in the state.
|
|
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
|
|
eventSink->OnSecurityChange(mContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
|
|
} else {
|
|
eventSink->OnSecurityChange(mContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
|
|
}
|
|
}
|
|
|
|
} else if (mType == eMixedDisplay) {
|
|
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
|
|
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
|
|
return NS_OK;
|
|
}
|
|
rootDoc->SetHasMixedDisplayContentLoaded(true);
|
|
|
|
// Update the security UI in the tab with the allowed mixed display content.
|
|
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
|
|
if (eventSink) {
|
|
// If mixed active content is loaded, make sure to include that in the state.
|
|
if (rootDoc->GetHasMixedActiveContentLoaded()) {
|
|
eventSink->OnSecurityChange(mContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
|
|
} else {
|
|
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
|
|
}
|
|
}
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
private:
|
|
// The requesting context for the content load. Generally, a DOM node from
|
|
// the document that caused the load.
|
|
nsCOMPtr<nsISupports> mContext;
|
|
|
|
// The type of mixed content detected, e.g. active or display
|
|
const MixedContentTypes mType;
|
|
};
|
|
|
|
|
|
nsMixedContentBlocker::nsMixedContentBlocker()
|
|
{
|
|
// Cache the pref for mixed script blocking
|
|
Preferences::AddBoolVarCache(&sBlockMixedScript,
|
|
"security.mixed_content.block_active_content");
|
|
|
|
// Cache the pref for mixed display blocking
|
|
Preferences::AddBoolVarCache(&sBlockMixedDisplay,
|
|
"security.mixed_content.block_display_content");
|
|
}
|
|
|
|
nsMixedContentBlocker::~nsMixedContentBlocker()
|
|
{
|
|
}
|
|
|
|
NS_IMPL_ISUPPORTS(nsMixedContentBlocker, nsIContentPolicy, nsIChannelEventSink)
|
|
|
|
static void
|
|
LogMixedContentMessage(MixedContentTypes aClassification,
|
|
nsIURI* aContentLocation,
|
|
nsIDocument* aRootDoc,
|
|
nsMixedContentBlockerMessageType aMessageType)
|
|
{
|
|
nsAutoCString messageCategory;
|
|
uint32_t severityFlag;
|
|
nsAutoCString messageLookupKey;
|
|
|
|
if (aMessageType == eBlocked) {
|
|
severityFlag = nsIScriptError::errorFlag;
|
|
messageCategory.AssignLiteral("Mixed Content Blocker");
|
|
if (aClassification == eMixedDisplay) {
|
|
messageLookupKey.AssignLiteral("BlockMixedDisplayContent");
|
|
} else {
|
|
messageLookupKey.AssignLiteral("BlockMixedActiveContent");
|
|
}
|
|
} else {
|
|
severityFlag = nsIScriptError::warningFlag;
|
|
messageCategory.AssignLiteral("Mixed Content Message");
|
|
if (aClassification == eMixedDisplay) {
|
|
messageLookupKey.AssignLiteral("LoadingMixedDisplayContent2");
|
|
} else {
|
|
messageLookupKey.AssignLiteral("LoadingMixedActiveContent2");
|
|
}
|
|
}
|
|
|
|
nsAutoCString locationSpec;
|
|
aContentLocation->GetSpec(locationSpec);
|
|
NS_ConvertUTF8toUTF16 locationSpecUTF16(locationSpec);
|
|
|
|
const char16_t* strings[] = { locationSpecUTF16.get() };
|
|
nsContentUtils::ReportToConsole(severityFlag, messageCategory, aRootDoc,
|
|
nsContentUtils::eSECURITY_PROPERTIES,
|
|
messageLookupKey.get(), strings, ArrayLength(strings));
|
|
}
|
|
|
|
|
|
|
|
/* nsIChannelEventSink implementation
|
|
* This code is called when a request is redirected.
|
|
* We check the channel associated with the new uri is allowed to load
|
|
* in the current context
|
|
*/
|
|
NS_IMETHODIMP
|
|
nsMixedContentBlocker::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
|
|
nsIChannel* aNewChannel,
|
|
uint32_t aFlags,
|
|
nsIAsyncVerifyRedirectCallback* aCallback)
|
|
{
|
|
nsAsyncRedirectAutoCallback autoCallback(aCallback);
|
|
|
|
if (!aOldChannel) {
|
|
NS_ERROR("No channel when evaluating mixed content!");
|
|
return NS_ERROR_FAILURE;
|
|
}
|
|
|
|
// If we are in the parent process in e10s, we don't have access to the
|
|
// document node, and hence ShouldLoad will fail when we try to get
|
|
// the docShell. If that's the case, ignore mixed content checks
|
|
// on redirects in the parent. Let the child check for mixed content.
|
|
nsCOMPtr<nsIParentChannel> is_ipc_channel;
|
|
NS_QueryNotificationCallbacks(aNewChannel, is_ipc_channel);
|
|
if (is_ipc_channel) {
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult rv;
|
|
nsCOMPtr<nsIURI> oldUri;
|
|
rv = aOldChannel->GetURI(getter_AddRefs(oldUri));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
nsCOMPtr<nsIURI> newUri;
|
|
rv = aNewChannel->GetURI(getter_AddRefs(newUri));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// Get the loading Info from the old channel
|
|
nsCOMPtr<nsILoadInfo> loadInfo;
|
|
rv = aOldChannel->GetLoadInfo(getter_AddRefs(loadInfo));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (!loadInfo) {
|
|
// XXX: We want to have a loadInfo on all channels, but we don't yet.
|
|
// If an addon creates a channel, they may not set loadinfo. If that
|
|
// channel redirects from one page to another page, we would get caught
|
|
// in this code path. Hence, we have to return NS_OK. Once we have more
|
|
// confidence that all channels have loadinfo, we can change this to
|
|
// a failure. See bug 1077201.
|
|
return NS_OK;
|
|
}
|
|
|
|
uint32_t contentPolicyType = loadInfo->InternalContentPolicyType();
|
|
nsCOMPtr<nsIPrincipal> requestingPrincipal = loadInfo->LoadingPrincipal();
|
|
|
|
// Since we are calling shouldLoad() directly on redirects, we don't go through the code
|
|
// in nsContentPolicyUtils::NS_CheckContentLoadPolicy(). Hence, we have to
|
|
// duplicate parts of it here.
|
|
nsCOMPtr<nsIURI> requestingLocation;
|
|
if (requestingPrincipal) {
|
|
// We check to see if the loadingPrincipal is systemPrincipal and return
|
|
// early if it is
|
|
if (nsContentUtils::IsSystemPrincipal(requestingPrincipal)) {
|
|
return NS_OK;
|
|
}
|
|
// We set the requestingLocation from the RequestingPrincipal.
|
|
rv = requestingPrincipal->GetURI(getter_AddRefs(requestingLocation));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
int16_t decision = REJECT_REQUEST;
|
|
rv = ShouldLoad(nsContentUtils::InternalContentPolicyTypeToExternalOrMCBInternal(contentPolicyType),
|
|
newUri,
|
|
requestingLocation,
|
|
loadInfo->LoadingNode(),
|
|
EmptyCString(), // aMimeGuess
|
|
nullptr, // aExtra
|
|
requestingPrincipal,
|
|
&decision);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// If the channel is about to load mixed content, abort the channel
|
|
if (!NS_CP_ACCEPTED(decision)) {
|
|
autoCallback.DontCallback();
|
|
aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
|
|
return NS_BINDING_FAILED;
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
/* This version of ShouldLoad() is non-static and called by the Content Policy
|
|
* API and AsyncOnChannelRedirect(). See nsIContentPolicy::ShouldLoad()
|
|
* for detailed description of the parameters.
|
|
*/
|
|
NS_IMETHODIMP
|
|
nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
|
|
nsIURI* aContentLocation,
|
|
nsIURI* aRequestingLocation,
|
|
nsISupports* aRequestingContext,
|
|
const nsACString& aMimeGuess,
|
|
nsISupports* aExtra,
|
|
nsIPrincipal* aRequestPrincipal,
|
|
int16_t* aDecision)
|
|
{
|
|
// We pass in false as the first parameter to ShouldLoad(), because the
|
|
// callers of this method don't know whether the load went through cached
|
|
// image redirects. This is handled by direct callers of the static
|
|
// ShouldLoad.
|
|
nsresult rv = ShouldLoad(false, //aHadInsecureImageRedirect
|
|
aContentType,
|
|
aContentLocation,
|
|
aRequestingLocation,
|
|
aRequestingContext,
|
|
aMimeGuess,
|
|
aExtra,
|
|
aRequestPrincipal,
|
|
aDecision);
|
|
return rv;
|
|
}
|
|
|
|
/* Static version of ShouldLoad() that contains all the Mixed Content Blocker
|
|
* logic. Called from non-static ShouldLoad().
|
|
*/
|
|
nsresult
|
|
nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
|
|
uint32_t aContentType,
|
|
nsIURI* aContentLocation,
|
|
nsIURI* aRequestingLocation,
|
|
nsISupports* aRequestingContext,
|
|
const nsACString& aMimeGuess,
|
|
nsISupports* aExtra,
|
|
nsIPrincipal* aRequestPrincipal,
|
|
int16_t* aDecision)
|
|
{
|
|
// Asserting that we are on the main thread here and hence do not have to lock
|
|
// and unlock sBlockMixedScript and sBlockMixedDisplay before reading/writing
|
|
// to them.
|
|
MOZ_ASSERT(NS_IsMainThread());
|
|
|
|
MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternalOrMCBInternal(aContentType),
|
|
"We should only see external content policy types here.");
|
|
|
|
bool isPreload = nsContentUtils::IsPreloadType(aContentType);
|
|
|
|
// The content policy type that we receive may be an internal type for
|
|
// scripts. Let's remember if we have seen a worker type, and reset it to the
|
|
// external type in all cases right now.
|
|
bool isWorkerType = aContentType == nsIContentPolicy::TYPE_INTERNAL_WORKER ||
|
|
aContentType == nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER ||
|
|
aContentType == nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER;
|
|
aContentType = nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
|
|
|
|
// Assume active (high risk) content and blocked by default
|
|
MixedContentTypes classification = eMixedScript;
|
|
// Make decision to block/reject by default
|
|
*aDecision = REJECT_REQUEST;
|
|
|
|
|
|
// Notes on non-obvious decisions:
|
|
//
|
|
// TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
|
|
//
|
|
// TYPE_FONT: The TrueType hinting mechanism is basically a scripting
|
|
// language that gets interpreted by the operating system's font rasterizer.
|
|
// Mixed content web fonts are relatively uncommon, and we can can fall back
|
|
// to built-in fonts with minimal disruption in almost all cases.
|
|
//
|
|
// TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
|
|
// script that a plugin will execute) or display content (e.g. Flash video
|
|
// content). Until we have a way to determine active vs passive content
|
|
// from plugin requests (bug 836352), we will treat this as passive content.
|
|
// This is to prevent false positives from causing users to become
|
|
// desensitized to the mixed content blocker.
|
|
//
|
|
// TYPE_CSP_REPORT: High-risk because they directly leak information about
|
|
// the content of the page, and because blocking them does not have any
|
|
// negative effect on the page loading.
|
|
//
|
|
// TYPE_PING: Ping requests are POSTS, not GETs like images and media.
|
|
// Also, PING requests have no bearing on the rendering or operation of
|
|
// the page when used as designed, so even though they are lower risk than
|
|
// scripts, blocking them is basically risk-free as far as compatibility is
|
|
// concerned. Ping is turned off by default in Firefox, so unless a user
|
|
// opts into ping, no request will be made. Categorizing this as Mixed
|
|
// Display Content for now, but this is subject to change.
|
|
//
|
|
// TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
|
|
// and other advanced CSS features can possibly be exploited to cause
|
|
// spoofing attacks (e.g. make a "grant permission" button look like a
|
|
// "refuse permission" button).
|
|
//
|
|
// TYPE_BEACON: Beacon requests are similar to TYPE_PING, but are default on.
|
|
//
|
|
// TYPE_WEBSOCKET: The Websockets API requires browsers to
|
|
// reject mixed-content websockets: "If secure is false but the origin of
|
|
// the entry script has a scheme component that is itself a secure protocol,
|
|
// e.g. HTTPS, then throw a SecurityError exception." We already block mixed
|
|
// content websockets within the websockets implementation, so we don't need
|
|
// to do any blocking here, nor do we need to provide a way to undo or
|
|
// override the blocking. Websockets without TLS are very flaky anyway in the
|
|
// face of many HTTP-aware proxies. Compared to psasive content, there is
|
|
// additional risk that the script using WebSockets will disclose sensitive
|
|
// information from the HTTPS page and/or eval (directly or indirectly)
|
|
// received data.
|
|
//
|
|
// TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
|
|
// mixed-content XHR will already be blocked by that check. This will also
|
|
// block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
|
|
// above for WebSockets apply to XHR, and XHR should have the same security
|
|
// properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
|
|
// amplifies these concerns.
|
|
|
|
|
|
static_assert(TYPE_DATAREQUEST == TYPE_XMLHTTPREQUEST,
|
|
"TYPE_DATAREQUEST is not a synonym for "
|
|
"TYPE_XMLHTTPREQUEST");
|
|
|
|
switch (aContentType) {
|
|
// The top-level document cannot be mixed content by definition
|
|
case TYPE_DOCUMENT:
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
// Creating insecure websocket connections in a secure page is blocked already
|
|
// in the websocket constructor. We don't need to check the blocking here
|
|
// and we don't want to un-block
|
|
case TYPE_WEBSOCKET:
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
|
|
|
|
// Static display content is considered moderate risk for mixed content so
|
|
// these will be blocked according to the mixed display preference
|
|
case TYPE_IMAGE:
|
|
case TYPE_MEDIA:
|
|
case TYPE_OBJECT_SUBREQUEST:
|
|
case TYPE_PING:
|
|
case TYPE_BEACON:
|
|
classification = eMixedDisplay;
|
|
break;
|
|
|
|
// Active content (or content with a low value/risk-of-blocking ratio)
|
|
// that has been explicitly evaluated; listed here for documentation
|
|
// purposes and to avoid the assertion and warning for the default case.
|
|
case TYPE_IMAGESET:
|
|
case TYPE_CSP_REPORT:
|
|
case TYPE_DTD:
|
|
case TYPE_FETCH:
|
|
case TYPE_FONT:
|
|
case TYPE_OBJECT:
|
|
case TYPE_SCRIPT:
|
|
case TYPE_STYLESHEET:
|
|
case TYPE_SUBDOCUMENT:
|
|
case TYPE_WEB_MANIFEST:
|
|
case TYPE_XBL:
|
|
case TYPE_XMLHTTPREQUEST:
|
|
case TYPE_XSLT:
|
|
case TYPE_OTHER:
|
|
break;
|
|
|
|
|
|
// This content policy works as a whitelist.
|
|
default:
|
|
MOZ_ASSERT(false, "Mixed content of unknown type");
|
|
break;
|
|
}
|
|
|
|
/* Get the scheme of the sub-document resource to be requested. If it is
|
|
* a safe to load in an https context then mixed content doesn't apply.
|
|
*
|
|
* Check Protocol Flags to determine if scheme is safe to load:
|
|
* URI_DOES_NOT_RETURN_DATA - e.g.
|
|
* "mailto"
|
|
* URI_IS_LOCAL_RESOURCE - e.g.
|
|
* "data",
|
|
* "resource",
|
|
* "moz-icon"
|
|
* URI_INHERITS_SECURITY_CONTEXT - e.g.
|
|
* "javascript"
|
|
* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
|
|
* "https",
|
|
* "moz-safe-about"
|
|
*
|
|
*/
|
|
bool schemeLocal = false;
|
|
bool schemeNoReturnData = false;
|
|
bool schemeInherits = false;
|
|
bool schemeSecure = false;
|
|
if (NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE , &schemeLocal)) ||
|
|
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA, &schemeNoReturnData)) ||
|
|
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT, &schemeInherits)) ||
|
|
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT, &schemeSecure))) {
|
|
*aDecision = REJECT_REQUEST;
|
|
return NS_ERROR_FAILURE;
|
|
}
|
|
// TYPE_IMAGE redirects are cached based on the original URI, not the final
|
|
// destination and hence cache hits for images may not have the correct
|
|
// aContentLocation. Check if the cached hit went through an http redirect,
|
|
// and if it did, we can't treat this as a secure subresource.
|
|
if (!aHadInsecureImageRedirect &&
|
|
(schemeLocal || schemeNoReturnData || schemeInherits || schemeSecure)) {
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
|
|
// Since there are cases where aRequestingLocation and aRequestPrincipal are
|
|
// definitely not the owning document, we try to ignore them by extracting the
|
|
// requestingLocation in the following order:
|
|
// 1) from the aRequestingContext, either extracting
|
|
// a) the node's principal, or the
|
|
// b) script object's principal.
|
|
// 2) if aRequestingContext yields a principal but no location, we check
|
|
// if its the system principal. If it is, allow the load.
|
|
// 3) Special case handling for:
|
|
// a) speculative loads, where shouldLoad is called twice (bug 839235)
|
|
// and the first speculative load does not include a context.
|
|
// In this case we use aRequestingLocation to set requestingLocation.
|
|
// b) TYPE_CSP_REPORT which does not provide a context. In this case we
|
|
// use aRequestingLocation to set requestingLocation.
|
|
// c) content scripts from addon code that do not provide aRequestingContext
|
|
// or aRequestingLocation, but do provide aRequestPrincipal.
|
|
// If aRequestPrincipal is an expanded principal, we allow the load.
|
|
// 4) If we still end up not having a requestingLocation, we reject the load.
|
|
|
|
nsCOMPtr<nsIPrincipal> principal;
|
|
// 1a) Try to get the principal if aRequestingContext is a node.
|
|
nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
|
|
if (node) {
|
|
principal = node->NodePrincipal();
|
|
}
|
|
|
|
// 1b) Try using the window's script object principal if it's not a node.
|
|
if (!principal) {
|
|
nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = do_QueryInterface(aRequestingContext);
|
|
if (scriptObjPrin) {
|
|
principal = scriptObjPrin->GetPrincipal();
|
|
}
|
|
}
|
|
|
|
nsCOMPtr<nsIURI> requestingLocation;
|
|
if (principal) {
|
|
principal->GetURI(getter_AddRefs(requestingLocation));
|
|
}
|
|
|
|
// 2) if aRequestingContext yields a principal but no location, we check if its a system principal.
|
|
if (principal && !requestingLocation) {
|
|
if (nsContentUtils::IsSystemPrincipal(principal)) {
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
}
|
|
|
|
// 3a,b) Special case handling for speculative loads and TYPE_CSP_REPORT. In
|
|
// such cases, aRequestingContext doesn't exist, so we use aRequestingLocation.
|
|
// Unfortunately we can not distinguish between speculative and normal loads here,
|
|
// otherwise we could special case this assignment.
|
|
if (!requestingLocation) {
|
|
requestingLocation = aRequestingLocation;
|
|
}
|
|
|
|
// 3c) Special case handling for content scripts from addons code, which only
|
|
// provide a aRequestPrincipal; aRequestingContext and aRequestingLocation are
|
|
// both null; if the aRequestPrincipal is an expandedPrincipal, we allow the load.
|
|
if (!principal && !requestingLocation && aRequestPrincipal) {
|
|
nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aRequestPrincipal);
|
|
if (expanded) {
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
}
|
|
|
|
// 4) Giving up. We still don't have a requesting location, therefore we can't tell
|
|
// if this is a mixed content load. Deny to be safe.
|
|
if (!requestingLocation) {
|
|
*aDecision = REJECT_REQUEST;
|
|
return NS_OK;
|
|
}
|
|
|
|
// Check the parent scheme. If it is not an HTTPS page then mixed content
|
|
// restrictions do not apply.
|
|
bool parentIsHttps;
|
|
nsresult rv = requestingLocation->SchemeIs("https", &parentIsHttps);
|
|
if (NS_FAILED(rv)) {
|
|
NS_ERROR("requestingLocation->SchemeIs failed");
|
|
*aDecision = REJECT_REQUEST;
|
|
return NS_OK;
|
|
}
|
|
if (!parentIsHttps) {
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
|
|
// Determine if the rootDoc is https and if the user decided to allow Mixed Content
|
|
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(aRequestingContext);
|
|
NS_ENSURE_TRUE(docShell, NS_OK);
|
|
bool rootHasSecureConnection = false;
|
|
bool allowMixedContent = false;
|
|
bool isRootDocShell = false;
|
|
rv = docShell->GetAllowMixedContentAndConnectionData(&rootHasSecureConnection, &allowMixedContent, &isRootDocShell);
|
|
if (NS_FAILED(rv)) {
|
|
*aDecision = REJECT_REQUEST;
|
|
return rv;
|
|
}
|
|
|
|
|
|
// Get the sameTypeRoot tree item from the docshell
|
|
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
|
|
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
|
|
NS_ASSERTION(sameTypeRoot, "No root tree item from docshell!");
|
|
|
|
// When navigating an iframe, the iframe may be https
|
|
// but its parents may not be. Check the parents to see if any of them are https.
|
|
// If none of the parents are https, allow the load.
|
|
if (aContentType == TYPE_SUBDOCUMENT && !rootHasSecureConnection) {
|
|
|
|
bool httpsParentExists = false;
|
|
|
|
nsCOMPtr<nsIDocShellTreeItem> parentTreeItem;
|
|
parentTreeItem = docShell;
|
|
|
|
while(!httpsParentExists && parentTreeItem) {
|
|
nsCOMPtr<nsIWebNavigation> parentAsNav(do_QueryInterface(parentTreeItem));
|
|
NS_ASSERTION(parentAsNav, "No web navigation object from parent's docshell tree item");
|
|
nsCOMPtr<nsIURI> parentURI;
|
|
|
|
parentAsNav->GetCurrentURI(getter_AddRefs(parentURI));
|
|
if (!parentURI || NS_FAILED(parentURI->SchemeIs("https", &httpsParentExists))) {
|
|
// if getting the URI or the scheme fails, assume there is a https parent and break.
|
|
httpsParentExists = true;
|
|
break;
|
|
}
|
|
|
|
// When the parent and the root are the same, we have traversed all the way up
|
|
// the same type docshell tree. Break out of the while loop.
|
|
if(sameTypeRoot == parentTreeItem) {
|
|
break;
|
|
}
|
|
|
|
// update the parent to the grandparent.
|
|
nsCOMPtr<nsIDocShellTreeItem> newParentTreeItem;
|
|
parentTreeItem->GetSameTypeParent(getter_AddRefs(newParentTreeItem));
|
|
parentTreeItem = newParentTreeItem;
|
|
} // end while loop.
|
|
|
|
if (!httpsParentExists) {
|
|
*aDecision = nsIContentPolicy::ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
}
|
|
|
|
// Get the root document from the sameTypeRoot
|
|
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
|
|
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
|
|
|
|
// Get eventSink and the current security state from the docShell
|
|
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
|
|
NS_ASSERTION(eventSink, "No eventSink from docShell.");
|
|
nsCOMPtr<nsIDocShell> rootShell = do_GetInterface(sameTypeRoot);
|
|
NS_ASSERTION(rootShell, "No root docshell from document shell root tree item.");
|
|
uint32_t State = nsIWebProgressListener::STATE_IS_BROKEN;
|
|
nsCOMPtr<nsISecureBrowserUI> securityUI;
|
|
rootShell->GetSecurityUI(getter_AddRefs(securityUI));
|
|
// If there is no securityUI, document doesn't have a security state.
|
|
// Allow load and return early.
|
|
if (!securityUI) {
|
|
*aDecision = nsIContentPolicy::ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
nsresult stateRV = securityUI->GetState(&State);
|
|
|
|
// If the content is display content, and the pref says display content should be blocked, block it.
|
|
if (sBlockMixedDisplay && classification == eMixedDisplay) {
|
|
if (allowMixedContent) {
|
|
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
|
|
*aDecision = nsIContentPolicy::ACCEPT;
|
|
// See if mixed display content has already loaded on the page or if the state needs to be updated here.
|
|
// If mixed display hasn't loaded previously, then we need to call OnSecurityChange() to update the UI.
|
|
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
|
|
return NS_OK;
|
|
}
|
|
rootDoc->SetHasMixedDisplayContentLoaded(true);
|
|
|
|
if (rootHasSecureConnection) {
|
|
if (rootDoc->GetHasMixedActiveContentLoaded()) {
|
|
// If mixed active content is loaded, make sure to include that in the state.
|
|
eventSink->OnSecurityChange(aRequestingContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
|
|
} else {
|
|
eventSink->OnSecurityChange(aRequestingContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
|
|
}
|
|
} else {
|
|
// User has overriden the pref and the root is not https;
|
|
// mixed display content was allowed on an https subframe.
|
|
if (NS_SUCCEEDED(stateRV)) {
|
|
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
|
|
}
|
|
}
|
|
} else {
|
|
*aDecision = nsIContentPolicy::REJECT_REQUEST;
|
|
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
|
|
if (!rootDoc->GetHasMixedDisplayContentBlocked() && NS_SUCCEEDED(stateRV)) {
|
|
rootDoc->SetHasMixedDisplayContentBlocked(true);
|
|
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT));
|
|
}
|
|
}
|
|
return NS_OK;
|
|
|
|
} else if (sBlockMixedScript && classification == eMixedScript) {
|
|
// If the content is active content, and the pref says active content should be blocked, block it
|
|
// unless the user has choosen to override the pref
|
|
if (allowMixedContent) {
|
|
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
|
|
*aDecision = nsIContentPolicy::ACCEPT;
|
|
// See if the state will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
|
|
if (rootDoc->GetHasMixedActiveContentLoaded()) {
|
|
return NS_OK;
|
|
}
|
|
rootDoc->SetHasMixedActiveContentLoaded(true);
|
|
|
|
if (rootHasSecureConnection) {
|
|
// User has decided to override the pref and the root is https, so change the Security State.
|
|
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
|
|
// If mixed display content is loaded, make sure to include that in the state.
|
|
eventSink->OnSecurityChange(aRequestingContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
|
|
} else {
|
|
eventSink->OnSecurityChange(aRequestingContext,
|
|
(nsIWebProgressListener::STATE_IS_BROKEN |
|
|
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
|
|
}
|
|
return NS_OK;
|
|
} else {
|
|
// User has already overriden the pref and the root is not https;
|
|
// mixed active content was allowed on an https subframe.
|
|
if (NS_SUCCEEDED(stateRV)) {
|
|
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
|
|
}
|
|
return NS_OK;
|
|
}
|
|
} else {
|
|
//User has not overriden the pref by Disabling protection. Reject the request and update the security state.
|
|
*aDecision = nsIContentPolicy::REJECT_REQUEST;
|
|
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
|
|
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
|
|
if (rootDoc->GetHasMixedActiveContentBlocked()) {
|
|
return NS_OK;
|
|
}
|
|
rootDoc->SetHasMixedActiveContentBlocked(true);
|
|
|
|
// The user has not overriden the pref, so make sure they still have an option by calling eventSink
|
|
// which will invoke the doorhanger
|
|
if (NS_SUCCEEDED(stateRV)) {
|
|
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT));
|
|
}
|
|
return NS_OK;
|
|
}
|
|
|
|
} else {
|
|
// The content is not blocked by the mixed content prefs.
|
|
|
|
// Log a message that we are loading mixed content.
|
|
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
|
|
|
|
// Fire the event from a script runner as it is unsafe to run script
|
|
// from within ShouldLoad
|
|
nsContentUtils::AddScriptRunner(
|
|
new nsMixedContentEvent(aRequestingContext, classification));
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
}
|
|
|
|
*aDecision = REJECT_REQUEST;
|
|
return NS_OK;
|
|
}
|
|
|
|
NS_IMETHODIMP
|
|
nsMixedContentBlocker::ShouldProcess(uint32_t aContentType,
|
|
nsIURI* aContentLocation,
|
|
nsIURI* aRequestingLocation,
|
|
nsISupports* aRequestingContext,
|
|
const nsACString& aMimeGuess,
|
|
nsISupports* aExtra,
|
|
nsIPrincipal* aRequestPrincipal,
|
|
int16_t* aDecision)
|
|
{
|
|
MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
|
|
"We should only see external content policy types here.");
|
|
|
|
if (!aContentLocation) {
|
|
// aContentLocation may be null when a plugin is loading without an associated URI resource
|
|
if (aContentType == TYPE_OBJECT) {
|
|
*aDecision = ACCEPT;
|
|
return NS_OK;
|
|
} else {
|
|
*aDecision = REJECT_REQUEST;
|
|
return NS_ERROR_FAILURE;
|
|
}
|
|
}
|
|
|
|
return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
|
|
aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
|
|
aDecision);
|
|
}
|