mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 14:30:27 +00:00
roytam1
bd9cfd0d73
- Bug 1148708: Add missing 'override' annotations in DocAccessibleChild.h. rs=ehsan (d606358545)
- Bug 1210408 - make nsMaiInterfaceAction work with proxies, r=tbsaunde (f7c819c6ae)
- Bug 1210407 - teach nsMaiInterfaceTable to use proxies, r=tbsaunde (4ca4f10b5f)
- bug 1185157 make sure we don't send an event to a destroyed ipc document r=billm (23acf53f75)
- bug 1214864 - make SetCarretOffset() async r=davidb (e3079e9b2d)
- missing of Bug 1139972 - IPC Proxy for charAt, r=tbsaunde (e9593ed752)
- bug 1191598 - Pass MOZ_CURRENT_PROJECT in environment when running post-build automation steps for universal mac builds. r=gps (fc342c6ced)
- Bug 1164596 - Add mach android-emulator command; r=ahal (afeb9b27d1)
- Bug 1223149 - Add basic usage documentation for mach build; r=glandium (bfb802d175)
- Bug 1182301 - Improve 'mach build' notifications. r=gps (2c65a122d1)
- Bug 1184696 - Add clobber targets to |mach clobber|; Ability to clobber compiled python files, r=gps (35d8be292e)
- Bug 1117958 - Allow any debugging options to the run or gtest mach subcommands to automatically enable debugging. r=gps (32f986af4b)
- Bug 1180081 - Properly rebuild gtest/libxul before running gtests. r=gps (80db9a3d49)
- Bug 1171647, part 1 - Define a new function to convert the mode to a string. r=njn (61ad16f5ba)
- Bug 1171647, part 2 - Remove redundant assertion for dark matter mode. r=njn (b5ac9519f3)
- Bug 1058178, part 1 - Implement DMD heap scanning mode. r=njn (60e1079536)
- Bug 1058178, part 2 - Implement address clamping analysis for DMD scan logs. r=njn (45c0326b93)
- Bug 1102388 - Fix DMD static constructor ordering dependency. r=mccr8 (59b87897a1)
- Bug 1128705 - Don't redefine PAGE_SIZE in DMD if it's already defined. r=erahm (49216348ee)
- Bug 1179042 - Add a script for analyzing memory blocks using a heap scan DMD log. r=njn DONTBUILD (1c08d2d66e)
- Bug 1207245 - part 6 - rename nsRefPtr<T> to RefPtr<T>; r=ehsan; a=Tomcat (1c999d139b)
- Bug 1158772 - fix non-idiomatic memset call in nsDeque.cpp; r=erahm (de6b555245)
- Bug 1199400 - Part 1: Use CheckedInt when growing nsDeque capacity. r=froydnj (dfdf6814a3)
- Bug 1199400 - Part 0: Remove unused nsDequeIterator. r=froydnj (38d69d7f47)
- Bug 1199400 - Part 2: Add tests for possible nsDeque corner cases. r=froydnj (931baff195)
- Bug 1201997 - Part 1 - Converted compiled test to gtest for nsDeque class. Added tests to test untested methods. r=froydn (e893916651)
- Bug 1201997 - Part 2 - Removing unused methods from the nsDeque class. r=froydn (41595a90ac)
- Bug 1201997 - Part 3 - Make internally used methods private. r=froydn (8cd3afd96f)
- Bug 1201997 - Part 4 - Change size and offset variables to size_t.r=froydn (73eabc8d60)
- Bug 1215140 P1 Add an nsIConsoleReportCollector interface to support navigation channel logging. r=bz (8a41535e2b)
- Bug 1215140 P2 Make HttpBaseChannel implement nsIConsoleReportCollector. r=bz (75fca301f2)
- Bug 1197679 - If nsUnknownDecoder is involved in e10s DivertToParent can break. r=jduell (5d94a12504)
- Bug 1178991 - smartptr for http converter r=hurley (8e7fbc8443)
- bug 366559 - patch 2, fix nsHTTPCompressConv indentation r=bagder (ba762da587)
- bug 366559 - patch 3, fix nsHTTPCompressConv bracing style r=bagder (54195ab451)
- bits of bug 366559 - patch 7, content-encoding brotli for http (f0b4051022)
- Bug 1205112 - Make PushEvent.data nullable. r=mt,smaug (775db32856)
- Bug 1193414 - SharedWorkers thread should be kept alive also when the SharedWorker object is CCed, r=khuey (b77ea8125c)
- Bug 1206520: Add about:config prefs to enable throwing on asm.js validation failures; r=bz (c42126665d)
- Bug 1193414 - Telemetry for SharedWorker spawning. r=bkelly (77984b7bcc)
- Bug 1205676 - Enable WPT service-worker/unregister-then-register-new-script.https.html in e10s, r=nsm (ec24939cf6)
- Bug 1193133 - Throw when calling postMessage from a Service Worker dom object with no global. r=bkelly (526dcacfab)
- Bug 1181871 P1 Only enforce Cache Context shared data destruction on target thread after init. r=ehsan (cdbf3ed3a8)
- Bug 1181871 P2 Fix ServiceWorkerManager usage of stack-based ErrorResult. r=ehsan (c449195d90)
- minor cleanup and missing bit of 1198230 (02f459db05)
- Bug 1143717 - Implement the ServiceWorkerMessageEvent interface. r=baku (027b3465f2)
- fix misspatch (708eee4e84)
- Bug 1188545 - Disentangle service workers from shared workers and refactor event dispatching code into a separate class. r=nsm,mrbkap (fb5b5341c9)
- Bug 1205228 - Change PackagedAppVerifier to notify the verification result asynchronously. r=valentin. (9edda0fa00)
- Bug 1178518 - Packaged App Utils. r=valentin (f60f3b7a93)
- Bug 1213150 - Part 1: Add a nsContentUtils::IsNonSubresourceRequest helper; r=jdm (b509cc3cc9)
- Bug 1213150 - Part 2: Rework ShouldPrepareForIntercept() in terms of subresource requests; r=jdm (2e92fe8780)
- Bug 1213150 - Part 3: Remove nsIInterceptedChannel.isNavigation; r=jdm (becf1cc12f)
- Bug 1213150 follow-up: fix build bustage (8d73d6ca73)
- Bug 1198394 - Part 1: Allow interception of HSTS upgraded connections in non-e10s mode; r=mcmanus (f504c5be08)
- Bug 1198394 - Part 2: Add a test for interception of HSTS upgraded connections; r=jdm (054e984eef)
- Bug 1187011 - Don't allow response body with null body status. r=bkelly (b1860741d1)
- missing bit of 1140788 (29d319712e)
- Bug 1213436 - Reject core dumps with node IDs that don't fit in an IEEE 754 double; r=sfink (3c1f6fdda0)
- Bug 1211006 - Add Debugger.Source.prototype.canonicalId; r=ejpbruel (eef7b79fce)
- Bug 1199218 - Implement JS::ubi::Node::size for js::LazyScript referents; r=sfink (098a48d240)
- Bug 1220031 - Add JS::ubi::Node::scriptFilename; r=sfink (6b824ae680)
- Bug 1143575. Remove unused MediaQueue::Empty. r=cpearce (de737f3433)
- Bug 1209933 - Make sure all parent runtime pointers are the topmost parent, r=billm. (fe824d967d)
- Bug 1197012 - Fix ThrowTypeError in Notification. r=mccr8 (0b1a097526)
- Bug 1197893 - Check the number of arguments for ThrowTypeError() and ThrowRangeError() at compile time. r=peterv (d98c7d78a0)
- Bug 1142083 - Add test for IDN Unicode domain redirect. r=mcmanus (0c8961fe17)
- Bug 1187159 - Add mochitest for loading packaged apps (iframe+fetch+mozapp) r=jduell (ce90ea561b)
- Bug 1186290 - Notify TabParent to switch process when loading a signed package. r=honzab, r=kanru. (c58a14554a)
- fix (15e2df75eb)
- Bug 1206124 P1 Fix "same-origin" CORS credentials in FetchDriver. r=ehsan (fae1bb6ab3)
- Bug 1206124 P2 Test fetch() with credentials and redirects. r=ehsan (ffc6254112)
- Bug 1211751: Remove nsIChannelEventSink-forwarding from EventSource and FetchDriver. It's never needed. r=smaug (adafe5737a)
- Bug 1212433 Fail fetch() calls that require preflight and also redirect. r=sicking a=abillings (c0d6742b9e)
- Bug 1193128 - Fix base64 decoding when fetching data URIs. r=baku (80bafa291a)
- Bug 1195167 part 1: Let necko handle all protocols. r=bkelly (bb932b0ada)
- Bug 1195167 part 2: Remove redundant aCORSFlag argument and instead use mCORSFlagEverSet. r=bkelly (beadafcad0)
- Bug 1195167 part 3: Remove more scheme-specific handling from FetchDriver. r=bkelly (d00b38db9e)
- Bug 1195167 part 4: Remove FetchDriver::BasicFetch since it is empty. r=bkelly (c5ed097267)
- Bug 1210413 P2 Test CORS credentials on cross-origin redirects. r=sicking a=dveditz (b4eeb8aac0)
- Bug 1210413 P1 Propagate new channel load flags from child to parent on redirect. r=jduell a=dveditz (8b329af4fa)
- Bug 1195167 part 5: Make FetchDriver use AsyncOpen2. r=bkelly (cc217c4cc1)
- Bug 1195167 part 6: Some code simplification since necko handles fetch recursion. r=bkelly (f3b6da2262)
- Bug 1195167: Followup to fix test which I forgot to change (81e7439a2e)
- Bug 1215746: Remove RequestMode::Cors_with_forced_preflight. r=bkelly (0336e812b6)
- Bug 1211000: Move CORS preflight logic from nsCORSListenerProxy to nsCORSPreflightListener. r=ehsan (bf2f71cf22)
- missing bit of Bug 1211443 - Drop scheduled update if decoder initialization isn't done yet. r=jya (f6bc074e33)
- Bug 1182571: Fix nsILoadInfo->GetContentPolicyType API to be less ambigious. Audit and fix all users of it. r=ckerschb (5af6fa7442)
- fix (e40c8e7625)
- Bug 1173811 - Part 1: Propagate the response URL to intercepted channels when necessary (non-e10s). r=mayhemer,bkelly (26f4f13c28)
- Bug 1173811 - Part 2: Propagate the response URL to intercepted channels when necessary (e10s). r=mayhemer,bkelly (a603fe1df2)
- Bug 1154309 - Add New Resource Timing Fields r=bz,hurley (1d14eb6bef)
- Bug 1175685 - add OriginAttribute to LoadInfo. r=jonas, r=ckerschb, r=michal (a5d18bb637)
- Bug 1175685 - add OriginAttribute to LoadInfo. r=jonas, r=ckerschb, r=michal (fb07d2c8aa)
- Bug 1212904 P1 Add a LoadTainting enumeration. r=jduell (a1db8a3e99)
- Bug 1212904 P2 Add LoadTainting information to nsILoadInfo. r=jduell (2482e5e334)
- Bug 1221151 - use [infallible] in nsILoadInfo.idl instead of manual %{C++ blocks; r=jduell (aae73129b6)
- Bug 1045891 - CSP 2 child-src implementation r=ckerschb (792920aeb9)
- Bug 1219931 - CSP: Don't allow removing a policy (r=sicking) (9daaab4186)
- Bug 1208661 - Dump client-side layer textures. r=BenWa (1f2d17d515)
409 lines
15 KiB
C++
409 lines
15 KiB
C++
#include "nsContentSecurityManager.h"
|
|
#include "nsIChannel.h"
|
|
#include "nsIStreamListener.h"
|
|
#include "nsILoadInfo.h"
|
|
#include "nsContentUtils.h"
|
|
#include "nsCORSListenerProxy.h"
|
|
#include "nsIStreamListener.h"
|
|
|
|
#include "mozilla/dom/Element.h"
|
|
|
|
NS_IMPL_ISUPPORTS(nsContentSecurityManager, nsIContentSecurityManager)
|
|
|
|
nsresult
|
|
ValidateSecurityFlags(nsILoadInfo* aLoadInfo)
|
|
{
|
|
nsSecurityFlags securityMode = aLoadInfo->GetSecurityMode();
|
|
|
|
if (securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS &&
|
|
securityMode != nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED &&
|
|
securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS &&
|
|
securityMode != nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL &&
|
|
securityMode != nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {
|
|
MOZ_ASSERT(false, "need one securityflag from nsILoadInfo to perform security checks");
|
|
return NS_ERROR_FAILURE;
|
|
}
|
|
|
|
// make sure that cors-with-credentials is only used in combination with CORS.
|
|
if (aLoadInfo->GetRequireCorsWithCredentials() &&
|
|
securityMode != nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {
|
|
MOZ_ASSERT(false, "can not use cors-with-credentials without cors");
|
|
return NS_ERROR_FAILURE;
|
|
}
|
|
// all good, found the right security flags
|
|
return NS_OK;
|
|
}
|
|
|
|
static bool SchemeIs(nsIURI* aURI, const char* aScheme)
|
|
{
|
|
nsCOMPtr<nsIURI> baseURI = NS_GetInnermostURI(aURI);
|
|
NS_ENSURE_TRUE(baseURI, false);
|
|
|
|
bool isScheme = false;
|
|
return NS_SUCCEEDED(baseURI->SchemeIs(aScheme, &isScheme)) && isScheme;
|
|
}
|
|
|
|
nsresult
|
|
DoCheckLoadURIChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
|
|
{
|
|
nsresult rv = NS_OK;
|
|
|
|
nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal();
|
|
uint32_t flags = nsIScriptSecurityManager::STANDARD;
|
|
if (aLoadInfo->GetAllowChrome()) {
|
|
flags |= nsIScriptSecurityManager::ALLOW_CHROME;
|
|
}
|
|
|
|
rv = nsContentUtils::GetSecurityManager()->
|
|
CheckLoadURIWithPrincipal(loadingPrincipal,
|
|
aURI,
|
|
flags);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// If the loadingPrincipal and the triggeringPrincipal are different, then make
|
|
// sure the triggeringPrincipal is allowed to access that URI.
|
|
nsCOMPtr<nsIPrincipal> triggeringPrincipal = aLoadInfo->TriggeringPrincipal();
|
|
if (loadingPrincipal != triggeringPrincipal) {
|
|
rv = nsContentUtils::GetSecurityManager()->
|
|
CheckLoadURIWithPrincipal(triggeringPrincipal,
|
|
aURI,
|
|
flags);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult
|
|
DoSOPChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
|
|
{
|
|
if (aLoadInfo->GetAllowChrome() && SchemeIs(aURI, "chrome")) {
|
|
// Enforce same-origin policy, except to chrome.
|
|
return DoCheckLoadURIChecks(aURI, aLoadInfo);
|
|
}
|
|
|
|
nsIPrincipal* loadingPrincipal = aLoadInfo->LoadingPrincipal();
|
|
bool sameOriginDataInherits =
|
|
aLoadInfo->GetSecurityMode() == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS;
|
|
|
|
if (sameOriginDataInherits &&
|
|
aLoadInfo->GetAboutBlankInherits() &&
|
|
NS_IsAboutBlank(aURI)) {
|
|
return NS_OK;
|
|
}
|
|
|
|
return loadingPrincipal->CheckMayLoad(aURI,
|
|
true, // report to console
|
|
sameOriginDataInherits);
|
|
}
|
|
|
|
nsresult
|
|
DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo,
|
|
nsCOMPtr<nsIStreamListener>& aInAndOutListener)
|
|
{
|
|
MOZ_ASSERT(aInAndOutListener, "can not perform CORS checks without a listener");
|
|
|
|
// No need to set up CORS if TriggeringPrincipal is the SystemPrincipal.
|
|
// For example, allow user stylesheets to load XBL from external files
|
|
// without requiring CORS.
|
|
if (nsContentUtils::IsSystemPrincipal(aLoadInfo->TriggeringPrincipal())) {
|
|
return NS_OK;
|
|
}
|
|
|
|
nsIPrincipal* loadingPrincipal = aLoadInfo->LoadingPrincipal();
|
|
RefPtr<nsCORSListenerProxy> corsListener =
|
|
new nsCORSListenerProxy(aInAndOutListener,
|
|
loadingPrincipal,
|
|
aLoadInfo->GetRequireCorsWithCredentials());
|
|
// XXX: @arg: DataURIHandling::Allow
|
|
// lets use DataURIHandling::Allow for now and then decide on callsite basis. see also:
|
|
// http://mxr.mozilla.org/mozilla-central/source/dom/security/nsCORSListenerProxy.h#33
|
|
nsresult rv = corsListener->Init(aChannel, DataURIHandling::Allow);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
aInAndOutListener = corsListener;
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult
|
|
DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
|
|
{
|
|
nsContentPolicyType contentPolicyType =
|
|
aLoadInfo->GetExternalContentPolicyType();
|
|
nsContentPolicyType internalContentPolicyType =
|
|
aLoadInfo->InternalContentPolicyType();
|
|
nsCString mimeTypeGuess;
|
|
nsCOMPtr<nsINode> requestingContext = nullptr;
|
|
|
|
switch(contentPolicyType) {
|
|
case nsIContentPolicy::TYPE_OTHER: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_SCRIPT:
|
|
case nsIContentPolicy::TYPE_IMAGE:
|
|
case nsIContentPolicy::TYPE_STYLESHEET:
|
|
case nsIContentPolicy::TYPE_OBJECT:
|
|
case nsIContentPolicy::TYPE_DOCUMENT: {
|
|
MOZ_ASSERT(false, "contentPolicyType not supported yet");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_SUBDOCUMENT: {
|
|
mimeTypeGuess = NS_LITERAL_CSTRING("text/html");
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::DOCUMENT_NODE,
|
|
"type_subdocument requires requestingContext of type Document");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_REFRESH: {
|
|
MOZ_ASSERT(false, "contentPolicyType not supported yet");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_XBL: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_PING: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_XMLHTTPREQUEST: {
|
|
// alias nsIContentPolicy::TYPE_DATAREQUEST:
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::DOCUMENT_NODE,
|
|
"type_xml requires requestingContext of type Document");
|
|
|
|
if (internalContentPolicyType ==
|
|
nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST) {
|
|
mimeTypeGuess = NS_LITERAL_CSTRING("application/xml");
|
|
}
|
|
else {
|
|
MOZ_ASSERT(internalContentPolicyType ==
|
|
nsIContentPolicy::TYPE_INTERNAL_EVENTSOURCE,
|
|
"can not set mime type guess for unexpected internal type");
|
|
mimeTypeGuess = NS_LITERAL_CSTRING(TEXT_EVENT_STREAM);
|
|
}
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_OBJECT_SUBREQUEST: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::ELEMENT_NODE,
|
|
"type_subrequest requires requestingContext of type Element");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_DTD:
|
|
case nsIContentPolicy::TYPE_FONT: {
|
|
MOZ_ASSERT(false, "contentPolicyType not supported yet");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_MEDIA: {
|
|
if (internalContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_TRACK) {
|
|
mimeTypeGuess = NS_LITERAL_CSTRING("text/vtt");
|
|
}
|
|
else {
|
|
mimeTypeGuess = EmptyCString();
|
|
}
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::ELEMENT_NODE,
|
|
"type_media requires requestingContext of type Element");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_WEBSOCKET:
|
|
case nsIContentPolicy::TYPE_CSP_REPORT: {
|
|
MOZ_ASSERT(false, "contentPolicyType not supported yet");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_XSLT: {
|
|
mimeTypeGuess = NS_LITERAL_CSTRING("application/xml");
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::DOCUMENT_NODE,
|
|
"type_xslt requires requestingContext of type Document");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_BEACON: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
MOZ_ASSERT(!requestingContext ||
|
|
requestingContext->NodeType() == nsIDOMNode::DOCUMENT_NODE,
|
|
"type_beacon requires requestingContext of type Document");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_FETCH: {
|
|
mimeTypeGuess = EmptyCString();
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_IMAGESET: {
|
|
MOZ_ASSERT(false, "contentPolicyType not supported yet");
|
|
break;
|
|
}
|
|
|
|
case nsIContentPolicy::TYPE_WEB_MANIFEST: {
|
|
mimeTypeGuess = NS_LITERAL_CSTRING("application/manifest+json");
|
|
requestingContext = aLoadInfo->LoadingNode();
|
|
break;
|
|
}
|
|
|
|
default:
|
|
// nsIContentPolicy::TYPE_INVALID
|
|
MOZ_ASSERT(false, "can not perform security check without a valid contentType");
|
|
}
|
|
|
|
int16_t shouldLoad = nsIContentPolicy::ACCEPT;
|
|
nsresult rv = NS_CheckContentLoadPolicy(contentPolicyType,
|
|
aURI,
|
|
aLoadInfo->LoadingPrincipal(),
|
|
requestingContext,
|
|
mimeTypeGuess,
|
|
nullptr, //extra,
|
|
&shouldLoad,
|
|
nsContentUtils::GetContentPolicy(),
|
|
nsContentUtils::GetSecurityManager());
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (NS_CP_REJECTED(shouldLoad)) {
|
|
return NS_ERROR_CONTENT_BLOCKED;
|
|
}
|
|
return NS_OK;
|
|
}
|
|
|
|
/*
|
|
* Based on the security flags provided in the loadInfo of the channel,
|
|
* doContentSecurityCheck() performs the following content security checks
|
|
* before opening the channel:
|
|
*
|
|
* (1) Same Origin Policy Check (if applicable)
|
|
* (2) Allow Cross Origin but perform sanity checks whether a principal
|
|
* is allowed to access the following URL.
|
|
* (3) Perform CORS check (if applicable)
|
|
* (4) ContentPolicy checks (Content-Security-Policy, Mixed Content, ...)
|
|
*
|
|
* @param aChannel
|
|
* The channel to perform the security checks on.
|
|
* @param aInAndOutListener
|
|
* The streamListener that is passed to channel->AsyncOpen2() that is now potentially
|
|
* wrappend within nsCORSListenerProxy() and becomes the corsListener that now needs
|
|
* to be set as new streamListener on the channel.
|
|
*/
|
|
nsresult
|
|
nsContentSecurityManager::doContentSecurityCheck(nsIChannel* aChannel,
|
|
nsCOMPtr<nsIStreamListener>& aInAndOutListener)
|
|
{
|
|
NS_ENSURE_ARG(aChannel);
|
|
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
|
|
|
|
if (!loadInfo) {
|
|
MOZ_ASSERT(false, "channel needs to have loadInfo to perform security checks");
|
|
return NS_ERROR_UNEXPECTED;
|
|
}
|
|
|
|
// make sure that only one of the five security flags is set in the loadinfo
|
|
// e.g. do not require same origin and allow cross origin at the same time
|
|
nsresult rv = ValidateSecurityFlags(loadInfo);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// lets store the initialSecurityCheckDone flag which indicates whether the channel
|
|
// was initialy evaluated by the contentSecurityManager. Once the inital
|
|
// asyncOpen() of the channel went through the contentSecurityManager then
|
|
// redirects do not have perform all the security checks, e.g. no reason
|
|
// to setup CORS again.
|
|
bool initialSecurityCheckDone = loadInfo->GetInitialSecurityCheckDone();
|
|
|
|
// now lets set the initalSecurityFlag for subsequent calls
|
|
rv = loadInfo->SetInitialSecurityCheckDone(true);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// since aChannel was openend using asyncOpen2() we have to make sure
|
|
// that redirects of that channel also get openend using asyncOpen2()
|
|
// please note that some implementations of ::AsyncOpen2 might already
|
|
// have set that flag to true (e.g. nsViewSourceChannel) in which case
|
|
// we just set the flag again.
|
|
rv = loadInfo->SetEnforceSecurity(true);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
nsCOMPtr<nsIURI> finalChannelURI;
|
|
rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalChannelURI));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
nsSecurityFlags securityMode = loadInfo->GetSecurityMode();
|
|
|
|
// Allow subresource loads if TriggeringPrincipal is the SystemPrincipal.
|
|
// For example, allow user stylesheets to load XBL from external files.
|
|
if (nsContentUtils::IsSystemPrincipal(loadInfo->TriggeringPrincipal()) &&
|
|
loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT &&
|
|
loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_SUBDOCUMENT) {
|
|
return NS_OK;
|
|
}
|
|
|
|
// if none of the REQUIRE_SAME_ORIGIN flags are set, then SOP does not apply
|
|
if ((securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS) ||
|
|
(securityMode == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED)) {
|
|
rv = DoSOPChecks(finalChannelURI, loadInfo);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
// if dealing with a redirected channel then we only enforce SOP
|
|
// and can return at this point.
|
|
if (initialSecurityCheckDone) {
|
|
return NS_OK;
|
|
}
|
|
|
|
if ((securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS) ||
|
|
(securityMode == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL)) {
|
|
// Please note that DoCheckLoadURIChecks should only be enforced for
|
|
// cross origin requests. If the flag SEC_REQUIRE_CORS_DATA_INHERITS is set
|
|
// within the loadInfo, then then CheckLoadURIWithPrincipal is performed
|
|
// within nsCorsListenerProxy
|
|
rv = DoCheckLoadURIChecks(finalChannelURI, loadInfo);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
if (securityMode == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {
|
|
rv = DoCORSChecks(aChannel, loadInfo, aInAndOutListener);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
// Perform all ContentPolicy checks (MixedContent, CSP, ...)
|
|
rv = DoContentSecurityChecks(finalChannelURI, loadInfo);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// all security checks passed - lets allow the load
|
|
return NS_OK;
|
|
}
|
|
|
|
|
|
// ==== nsIContentSecurityManager implementation =====
|
|
|
|
NS_IMETHODIMP
|
|
nsContentSecurityManager::PerformSecurityCheck(nsIChannel* aChannel,
|
|
nsIStreamListener* aStreamListener,
|
|
nsIStreamListener** outStreamListener)
|
|
{
|
|
nsCOMPtr<nsIStreamListener> inAndOutListener = aStreamListener;
|
|
nsresult rv = doContentSecurityCheck(aChannel, inAndOutListener);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
inAndOutListener.forget(outStreamListener);
|
|
return NS_OK;
|
|
}
|