roytam1/palemoon27
1
0
Fork 0
mirror of https://github.com/roytam1/palemoon27.git synced 2026-05-26 14:18:48 +00:00
Code Issues Projects Releases Wiki Activity
Files
master
palemoon27/dom/security/nsMixedContentBlocker.cpp
T
roytam1 116abd772d import changes from `dev' branch of rmottola/Arctic-Fox: 
- Bug 1263951 - Avoid trying to initialize new GMP instances once the browser enters shutdown. r=cpearce (3ca153c7f4)
- Bug 1268714 - Check for failure result or a failed nsresult from SendLoadGMP. r=mccr8 (928546a72a)
- remove redundant decl (0c7c81e384)
- Bug 1161339 - Add gtest calling rust code. r=cajbir (9c0a4982d7)
- Bug 1269249: [MSE] P1. Clamp range to media source duration when media source is ended. r=jwwang (dfc42686b5)
- Bug 1269178: P4. Add mochitest. r=gerald (37fe5f9232)
- Bug 1269249: [MSE] P2. Add mochitest verifying behavior. r=jwwang (f50fb0d648)
- Bug 1245052 - various media b2g build errors r=jya (1fc0f3b8f1)
- Bug 1239598 - Fix potential deadlock and race condition r=bechen (dfebc1b9c5)
- Bug 1185931 - Add assert(mDecoderStateMachine). r=jwwang (16a79dd863)
- bits of Bug 1160695 (a595535a04)
- Bug 1205209 - Check whether mStreamSource is null in MediaOmxReader. r=bechen (3e380b282d)
- Bug 1210286 - Fall back to converting SourceSurfaces (RGB) to NV12 in OMXCodecWrapper. r=jolin (b9e26a43ee)
- Bug 1090015 - Suppress multichar warnings in the OMX code. r=kinetik (13cea78721)
- missing bit of Bug 1137151: Remove ref-counting from |OMXVideoEncoder| (0abf3cccf3)
- Bug 1239610 - Remove GonkNativeWindowClient usage from OmxDecoder r=jolin (a1ccc2a40e)
- missing bit of 1198576 (c3284a3002)
- Bug 1267637: P1. Consider invalid an AudioData with more than 8 audio channels. r=gerald (9bacf3fa8d)
- Bug 1267637: P2. Ignore outright audio track considered invalid. r=gerald (d34b468c87)
- Bug 1267637: [opus] P3. Reject audio data with unsupported audio configuration. r=gerald (90be7f8e3a)
- Bug 1267637: [vorbis] P4. Reject audio data with unsupported audio configuration. r=gerald (2321df4669)
- Bug 1267637: [AT] P6. Reject audio data with unsupported channel configuration. r=gerald (48756a764b)
- Bug 1267637: [ffmpeg] P7. Reject audio data with unsupported channel configuration. r=gerald (bbf90018b5)
- Bug 1267637: [gonk] P8. Reject audio data with unsupported channel configuration. r=gerald (44043594f0)
- Bug 1199809 - Remove all references to unused task queue. r=jya (829bb54ce7)
- Bug 1199809 - Don't schedule decoder I/O task when there will be more input. r=bwu (284c8b28d4)
- Bug 1215441 - Skip flush before Init() is completed. r=sotaro (f59f4ae450)
- Bug 1207214 - Assert decoder attaches EOS flag to final output buffer. r=sotaro (da0fc1f41b)
- Bug 1217220 - use output timestamp to decide which item needs to be removed from waiting list. r=jya (b056c21000)
- Bug 1222919 - Make ProcessFlush() virtual. r=jya (bea87e8e8a)
- Bug 1259366 - Flush after eos of android::MediaCodec r=jolin (c8e1e038ad)
- Bug 1199809 - Reset last decoded frame time on looper thread to avoid race condition. r=jya (1d56c95439)
- cleanup (83701e29ea)
- Bug 1267637: [wmf] P9. Reject audio data with unsupported channel configuration. r=gerald (c1f32cf152)
- Bug 1264925: Force D3D9 when attempting to decode VP8 or VP9. r=mattwoodrow (2a7d853fe6)
- Bug 1162899 - Use sync message for in-process mozHasPendingMessage. r=fabrice (d28430d0b2)
- Bug 1235484 - Part 1: Refine radio state check in MmsService. r=bevistseng (5f00e3ec79)
- remove android, fix some missing tests (01b371eb39)
- Bug 1259148 - Notify content when the notification permission pop-up is dismissed by the user. r=past,wchen (ca2dfbf92f)
- Bug 1267357 Cycle collect NotificationPermissionRequest::mCallback. r=mccr8 (6d0086af08)
- Bug 1265828 - Remove persistent notifications from storage. r=wchen (230d6f8458)
- Bug 1254816 - Use IgnoredErrorResult instead of ErrorResult for rv in nsDOMOfflineResourceList::Length(). r=bz (581f5c69db)
- Bug 1140478: Free the string returned by PrintJSStack(), in android shutdown logging function. r=jorendorff (ebf6ef80d1)
- Bug 1191137 - fix Mulet and responsive design mode to send key events properly r=ochameau,jryans (d47db5bf2b)
- Bug 1267096 - Return early if we have no global when creating a Promise. r=smaug (d4075f38fe)
- Bug 1146418 - Promise API entry points should use NS_ASSERT_OWNINGTHREAD, r=baku (a43b49c451)
- Bug 1262069: Wrap promise resolution values before storing. r=bz (66ebb63ce1)
- Bug 1246073 - Fix unique constraint errors in the H2 backend when resubscribing. r=dragana (43c67dc6bc)
- Bug 1266433 - Clean up nsIPushNotifier static casts. r=dragana (eef5497c75)
- Bug 1266433 - Update the comments in the Push XPIDL interfaces. r=me (35cd32c385)
- Bug 1266433 - Indicate push subscriptions created by privileged code. r=dragana (824381dd69)
- Bug 1242436 - default value of ok = true in order to check the return of SendPush and SendPushSubscriptionChange. r=kitcambridge (da55effde0)
- Bug 1267889 - Always steal the error result in PushMessage::Json. r=dragana (a66bf171b6)
- Bug 1243778 - PushRecord::getLastVisit cannot rely on the Places url index anymore. r=kitcambridge (07c3bdc4db)
- Bug 1260499 - Handle incoming messages before push service is initialized. r=nalexander,jchen (d60ccda56b)
- Bug 1265915 - Remove adaptive pings from the Push WebSocket backend. r=dragana (c8de7d5dd3)
- Bug 1262559: Fix misspelled comment in dom/push/PushServiceWebSocket.jsm; r=jdm (a9d869773d)
- Bug 1265914 - Remove Push UDP wake-up. r=dragana (128cf912bb)
- Bug 1261634 - Update whitespace skipping for meta csp. r=dveditz (c6abb5c502)
- Bug 1227813 - CSP: Ignore unsafe-inline within style-src if hash or nonce specified. r=kmckinley (ab1db6e779)
- Bug 1192840 - Fix CSP report content-type. r=ckerschb (81c55b28f0)
- Bug 1262635 - Don't strip URIs of ftp: when sending reports. r=dveditz (77e9aacac1)
- Bug 1216365 - nsMixedContentBlocker should use innerMostURI for aContentLocation. r=tanvi (9134c28268)
- Bug 1260153 - remove unreachable code in nsMixedContentBlocker. if/else blocks above all return. r=ckerschb (da297bf7ff)
- Bug 1202374 - "Can't open apps any more". r=lissyx+mozillians (ed090dbfce)
- Bug 1216498 - Bump SettinsDB version in order to enable pin the web. r=mhenretty (e2d0e9986f)
- Bug 1226906 - Bump Settings BD version. r=gwagner (e063a2d482)
- Bug 1119727 - Make Settings Soft Lockup threshold configurable. r=gwagner (1f5d9d3a50)
- var-let (48c1155a0e)
- bit of Backed out 2 changesets (bug 1202902) (828b6981a8)
- Bug 1228673 - Clean-up 'Then' before ~MediaTimer. r=jya (e51663a94b)
- align tests (0fbfa6f14b)
- Bug 1152236: OMX codec should use AnnexB as input format. r=jya (fc7ed581ac)
- Bug 1153895 - Support audio AMR-WB for Gonk in MP4Reader. r=jya (d9a530979e)
- Bug 1174623 - Support mp3 in Gonk PDM. r=sotaro (1f6efd4397)
- Bug 1174166 - Support H.263 in Gonk PDM. r=sotaro (5634e66ce3)
- Bug 1251155 - Remove GLContext from VideoDataDecoder r=snorp (814629fcd9)
- Bug 1262456 - [2.1] Replace queue adapter with deque. r=snorp (80587b789d)
- Bug 1262456 - [1.1] Prevent interruption of the decoder shutdown procedure and early shutdown return. r=snorp (98b97f0b48)
- Bug 1248792 - [1.2] Replace MediaRawData raw pointers with RefPtr. r=snorp (c1c62c4dc6)
- Bug 1226730 - [1.1] Provide sample rate instead of bit depth in audio format creation. r=snorp (86e50d757f)
- Bug 1244292 - [1.2] Release decoder on init failure. r=snorp (48b18cf8dd)
- Bug 1267637: [android] P5. Reject audio data with unsupported audio configuration. r=gerald (cf74f43c71)
- Bug 1230784 - Don't copy SurfaceTexture contents when presenting video on Android r=esawin,jya (fbd0ffd1ea)
- Bug 1230768. r=jesup (1619923f64)
- Bug 1205164 - Make sure ShmemPool high water mark is logged in all allocators. r=jesup (1fa4710751)
- Bug 1205164 - Fix ShmemPool detection of failed allocations. r=jesup (070327ef38)
- Bug 1247933 - do not perform null check on aClient since we know for sure it's a valid pointert. r=sotaro (1ac12b4091)
- Bug 1200903 - Fix MediaSystemResourceService::RemoveRequests() r=cpearce (13676b47c7)
- Bug 1250083 - make sure value attributed to usPerDataChunk is floating point value. r=cpearce (af9c3bd65d)
- Bug 1250497: Initalised Values used in WaveDemuxer.cpp. r=cpearce (36a24774ed)
- Bug 1250293 - Fixed Coverity warning in WaveDemuxer.cpp. r=cpearce (f5a690fac4)
- bug 1220042 make AlignedTArray base class inheritance private r=jwwang (3dd9efaa68)
- Bug 877662 - Add AlignmentUtils.h r=padenot (82b7563dd7)
- bug 930257 schedule Analyser inactive check when sending last null chunk r=padenot (61e9b5cf0f)
- bug 1197028 add MOZ_IMPLICIT for AudioBlock constructor from base AudioChunk on CLOSED TREE (0e2a86c6b5)
- bug 1203380 add custom AudioBlock copy constructor and make AudioChunk conversion constructor explicit r=padenot (56f2e37d5b)
- bug 1205540 initialize mBufferFormat when constructing silent block r=padenot (078feb4af4)
- bug 1203380 ClearDownstreamMark() before returning AsMutableChunk() r=padenot (56ea1f589f)
- bug 1203380 tighten not-sharing assertion in ChannelFloatsForWrite() r=padenot (368e354a06)
- bug 1203380 add custom assignment operator to AudioBlock r=padenot (31f9f914d1)
- Bug 877662 - Align audio buffer allocations to 16 byte boundaries r=padenot (5f33e9dd0e)
- Bug 1173016 - Bustage fix: mark BasicWaveformCache's ctor as `explicit`, on a CLOSED TREE. (bb28bb93fc)
- Bug 1265397 - Add a length attribute to OfflineAudioContext. r=smaug (3c2cf2aee6)
- bug 1255618 remove AudioContext from global window at unlink r=Ehsan (5332c8b42b)
- bug 1222202 implement query interface to nsIMemoryReporter r=bz (e6662d2ba8)
- Bug 1259831 - Remove the auto-suspend logic for AudioContext. r=karlt (3376fb3209)
- Bug 1232326 - Uninitialised value use in AudioBufferInPlaceScale. r=dminor. (548cbbfa52)
- Bug 1240054 - Only rebuild BandLimitedTables if more partials are required r=padenot (39bf05e142)
- Bug 1216081 - OscillatorNodeEngine::mFinalFrequency is used uninitialised. r=padenot. (5989729ec6)
- Bug 1265405 - Use a dictionary to specify how PeriodicWave should be normalized (or not); r=padenot (f43e3f17ba)
- Bug 1267096 - Check the return value of Promise::Create in AudioContext::StartRendering. r=smaug (5efca6cfe8)
- Bug 1267579 - Unexpected result when using OscillatorNode with custom wave shape; r=padenot (ed62d1b496)
- Bug 1209904 - Optimize OscillatorNode when its frequency is not changin and it's using ::ComputeCustom. r=karlt (9a2246cc3f)
- Bug 877662 - Use SSE2 versions of AudioNodeEngine functions r=padenot (1efa0b2cf3)
- Bug 877662 - Add an SSE2 implementation of AudioNodeEngine.cpp functions. r=ehsan (ce5ff146e5)
- Bug 877662 - Update SSE2 versions of AudioNodeEngine functions r=padenot (ded51f436e)
- Bug 1266405 - AudioBufferSourceNode::CopyFromBuffer should not borrow unaligned buffers; r=padenot (a2880e5c97)
- bug 1227411 add some initial logging of AudioNode API use r=padenot (6d0febaf34)
- bug 1199561 delay offline buffer allocation until non-null input is received r=padenot (38d56f3e89)
- Bug 1110344 - Replace float by double in AudioTimelineEvent ctor to prevent a rounding issue. r=padenot (c358371cfa)
- Bug 1231124 - addded mCurve to constructor. r=smaug (572fed89d6)
- Bug 1232646 - initialize 3 variables: mCurve, mTimeConstant, mDuration. r=cpearce (e36b3dbb71)
- Bug 1069825 - Check if we compare two automation curves occuring at the same time during overlap checking. r=padenot (35624be622)
- bug 1227411 add WEB_AUDIO_API_LOG r=padenot (89de67e91b)
- bug 1189168 avoid main thread assertion accessing mNode in SizeOfIncludingThis() r=padenot (370df2ff5b)
- Bug 1266047 - Fix crash in mozilla::AudioBufferAddWithScale_SSE r=padenot (388de2edf6)
- Bug 1266772 - Unbreak FreeBSD build after bug 881587. r=dminor (e194878792)
- Bug 1266112 - Remove unnecessary alignment checks from AudioNodeEngine.cpp; r=padenot (284ac98016)
- Bug 881587 - Add SSE2 version of AudioNodeEngine.cpp routines added in bug 815643. r=tterribe (5532515d07)
- Bug 881587 - Use SSE2 version of AudioNodeEngine.cpp routines added in bug 815643. r=padenot (82100493a4)
- Bug 1105513 - Add a NEON version for AudioBlockPanStereoToStereo when aIsOnTheLeft is an array r=padenot (b102beb60d)
- Bug 1203836 - Properly handle silent chunks in AudioNodeExternalInputStream. r=karlt (0597e5c122)
- Bug 1265131, part 1 - update moz.build for Skia m51. r=jrmuizel (745537cf9b)
- Bug 1265131, part 2 - update SkiaGLGlue for Skia m51. r=jrmuizel (71a3ffc91e)
- Bug 1265131, part 3 - update Moz2d for Skia m51. r=jrmuizel (2129a455cb)
- Bug 1262745 - Fix tests for Canvas CSS/SVG Filters. r=mstange (93d3652ac0)
- Bug 1265131, part 4 - fix tests for Skia m51 update. r=jrmuizel (964ea5c037)
- Bug 1265131, part 5 - update Skia to m51 branch. r=jrmuizel (42da76e40e)
- Bug 1268816 - allow Skia to use C++11 features on platforms that have them. r=froydnj (ff7d9e46b6)
- Bug 1268816 - follow-up to fix #ifdef -> #if. r=me (b81d86c173)
- Bug 1267180. Don't draw emojis as paths when they are too big. r=lsalzman (61c3bd732c)
- Bug 1269247 - check that SkPaint has a typeface before using it. r=mchang (cf873c19b0)
- bug 1249738 - make sScreenConfigurationObservers a function static r=dhylands (ab698385c4)
- bug 1249738 - make sBatteryObservers a function static r=dhylands (eb205b1b64)
- bits of Bug 1265131, part 5 (1340103927)
- Bug 1248224 - backport of Skia GrPathUtils::QuadUVMatrix assertion fix. r=jrmuizel (bcf81bf241)
- bug 1249738 - make sNetworkObservers a function static r=dhylands (a5d03d4425)
2024-09-18 09:50:59 +08:00

1004 lines
41 KiB
C++
Raw Permalink Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsMixedContentBlocker.h"
#include "nsContentPolicyUtils.h"
#include "nsCSPContext.h"
#include "nsThreadUtils.h"
#include "nsINode.h"
#include "nsCOMPtr.h"
#include "nsIDocShell.h"
#include "nsISecurityEventSink.h"
#include "nsIWebProgressListener.h"
#include "nsContentUtils.h"
#include "nsIRequest.h"
#include "nsIDocument.h"
#include "nsIContentViewer.h"
#include "nsIChannel.h"
#include "nsIHttpChannel.h"
#include "nsIParentChannel.h"
#include "mozilla/Preferences.h"
#include "nsIScriptObjectPrincipal.h"
#include "nsISecureBrowserUI.h"
#include "nsIDocumentLoader.h"
#include "nsIWebNavigation.h"
#include "nsLoadGroup.h"
#include "nsIScriptError.h"
#include "nsIURI.h"
#include "nsIChannelEventSink.h"
#include "nsAsyncRedirectVerifyHelper.h"
#include "mozilla/LoadInfo.h"
#include "nsISiteSecurityService.h"
#include "mozilla/Logging.h"
#include "mozilla/Telemetry.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/ipc/URIUtils.h"
using namespace mozilla;
enum nsMixedContentBlockerMessageType {
eBlocked = 0x00,
eUserOverride = 0x01
};
// Is mixed script blocking (fonts, plugin content, scripts, stylesheets,
// iframes, websockets, XHR) enabled?
bool nsMixedContentBlocker::sBlockMixedScript = false;
// Is mixed display content blocking (images, audio, video, <a ping>) enabled?
bool nsMixedContentBlocker::sBlockMixedDisplay = false;
// Fired at the document that attempted to load mixed content. The UI could
// handle this event, for example, by displaying an info bar that offers the
// choice to reload the page with mixed content permitted.
class nsMixedContentEvent : public Runnable
{
public:
nsMixedContentEvent(nsISupports *aContext, MixedContentTypes aType, bool aRootHasSecureConnection)
: mContext(aContext), mType(aType), mRootHasSecureConnection(aRootHasSecureConnection)
{}
NS_IMETHOD Run()
{
NS_ASSERTION(mContext,
"You can't call this runnable without a requesting context");
// To update the security UI in the tab with the blocked mixed content, call
// nsISecurityEventSink::OnSecurityChange. You can get to the event sink by
// calling NS_CP_GetDocShellFromContext on the context, and QI'ing to
// nsISecurityEventSink.
// Mixed content was allowed and is about to load; get the document and
// set the approriate flag to true if we are about to load Mixed Active
// Content.
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(mContext);
if (!docShell) {
return NS_OK;
}
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
NS_ASSERTION(sameTypeRoot, "No document shell root tree item from document shell tree item!");
// now get the document from sameTypeRoot
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
// Get eventSink and the current security state from the docShell
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
NS_ASSERTION(eventSink, "No eventSink from docShell.");
nsCOMPtr<nsIDocShell> rootShell = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootShell, "No root docshell from document shell root tree item.");
uint32_t state = nsIWebProgressListener::STATE_IS_BROKEN;
nsCOMPtr<nsISecureBrowserUI> securityUI;
rootShell->GetSecurityUI(getter_AddRefs(securityUI));
// If there is no securityUI, document doesn't have a security state to
// update. But we still want to set the document flags, so we don't return
// early.
nsresult stateRV;
if (securityUI) {
stateRV = securityUI->GetState(&state);
}
if (mType == eMixedScript) {
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentLoaded(true);
// Update the security UI in the tab with the allowed mixed active content
if (securityUI) {
// Bug 1182551 - before changing the security state to broken, check
// that the root is actually secure.
if (mRootHasSecureConnection) {
// If mixed display content is loaded, make sure to include that in the state.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
eventSink->OnSecurityChange(mContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
} else {
eventSink->OnSecurityChange(mContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
} else {
// root not secure, mixed active content loaded in an https subframe
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(mContext, (state | nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
}
}
} else if (mType == eMixedDisplay) {
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedDisplayContentLoaded(true);
// Update the security UI in the tab with the allowed mixed display content.
if (securityUI) {
// Bug 1182551 - before changing the security state to broken, check
// that the root is actually secure.
if (mRootHasSecureConnection) {
// If mixed active content is loaded, make sure to include that in the state.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
eventSink->OnSecurityChange(mContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
} else {
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
} else {
// root not secure, mixed display content loaded in an https subframe
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(mContext, (state | nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
}
}
}
return NS_OK;
}
private:
// The requesting context for the content load. Generally, a DOM node from
// the document that caused the load.
nsCOMPtr<nsISupports> mContext;
// The type of mixed content detected, e.g. active or display
const MixedContentTypes mType;
// Indicates whether the top level load is https or not.
bool mRootHasSecureConnection;
};
nsMixedContentBlocker::nsMixedContentBlocker()
{
// Cache the pref for mixed script blocking
Preferences::AddBoolVarCache(&sBlockMixedScript,
"security.mixed_content.block_active_content");
// Cache the pref for mixed display blocking
Preferences::AddBoolVarCache(&sBlockMixedDisplay,
"security.mixed_content.block_display_content");
}
nsMixedContentBlocker::~nsMixedContentBlocker()
{
}
NS_IMPL_ISUPPORTS(nsMixedContentBlocker, nsIContentPolicy, nsIChannelEventSink)
static void
LogMixedContentMessage(MixedContentTypes aClassification,
nsIURI* aContentLocation,
nsIDocument* aRootDoc,
nsMixedContentBlockerMessageType aMessageType)
{
nsAutoCString messageCategory;
uint32_t severityFlag;
nsAutoCString messageLookupKey;
if (aMessageType == eBlocked) {
severityFlag = nsIScriptError::errorFlag;
messageCategory.AssignLiteral("Mixed Content Blocker");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("BlockMixedDisplayContent");
} else {
messageLookupKey.AssignLiteral("BlockMixedActiveContent");
}
} else {
severityFlag = nsIScriptError::warningFlag;
messageCategory.AssignLiteral("Mixed Content Message");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("LoadingMixedDisplayContent2");
} else {
messageLookupKey.AssignLiteral("LoadingMixedActiveContent2");
}
}
nsAutoCString locationSpec;
aContentLocation->GetSpec(locationSpec);
NS_ConvertUTF8toUTF16 locationSpecUTF16(locationSpec);
const char16_t* strings[] = { locationSpecUTF16.get() };
nsContentUtils::ReportToConsole(severityFlag, messageCategory, aRootDoc,
nsContentUtils::eSECURITY_PROPERTIES,
messageLookupKey.get(), strings, ArrayLength(strings));
}
/* nsIChannelEventSink implementation
* This code is called when a request is redirected.
* We check the channel associated with the new uri is allowed to load
* in the current context
*/
NS_IMETHODIMP
nsMixedContentBlocker::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
nsIChannel* aNewChannel,
uint32_t aFlags,
nsIAsyncVerifyRedirectCallback* aCallback)
{
nsAsyncRedirectAutoCallback autoCallback(aCallback);
if (!aOldChannel) {
NS_ERROR("No channel when evaluating mixed content!");
return NS_ERROR_FAILURE;
}
// If we are in the parent process in e10s, we don't have access to the
// document node, and hence ShouldLoad will fail when we try to get
// the docShell. If that's the case, ignore mixed content checks
// on redirects in the parent. Let the child check for mixed content.
nsCOMPtr<nsIParentChannel> is_ipc_channel;
NS_QueryNotificationCallbacks(aNewChannel, is_ipc_channel);
if (is_ipc_channel) {
return NS_OK;
}
nsresult rv;
nsCOMPtr<nsIURI> oldUri;
rv = aOldChannel->GetURI(getter_AddRefs(oldUri));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> newUri;
rv = aNewChannel->GetURI(getter_AddRefs(newUri));
NS_ENSURE_SUCCESS(rv, rv);
// Get the loading Info from the old channel
nsCOMPtr<nsILoadInfo> loadInfo;
rv = aOldChannel->GetLoadInfo(getter_AddRefs(loadInfo));
NS_ENSURE_SUCCESS(rv, rv);
if (!loadInfo) {
// XXX: We want to have a loadInfo on all channels, but we don't yet.
// If an addon creates a channel, they may not set loadinfo. If that
// channel redirects from one page to another page, we would get caught
// in this code path. Hence, we have to return NS_OK. Once we have more
// confidence that all channels have loadinfo, we can change this to
// a failure. See bug 1077201.
return NS_OK;
}
nsContentPolicyType contentPolicyType = loadInfo->InternalContentPolicyType();
nsCOMPtr<nsIPrincipal> requestingPrincipal = loadInfo->LoadingPrincipal();
// Since we are calling shouldLoad() directly on redirects, we don't go through the code
// in nsContentPolicyUtils::NS_CheckContentLoadPolicy(). Hence, we have to
// duplicate parts of it here.
nsCOMPtr<nsIURI> requestingLocation;
if (requestingPrincipal) {
// We check to see if the loadingPrincipal is systemPrincipal and return
// early if it is
if (nsContentUtils::IsSystemPrincipal(requestingPrincipal)) {
return NS_OK;
}
// We set the requestingLocation from the RequestingPrincipal.
rv = requestingPrincipal->GetURI(getter_AddRefs(requestingLocation));
NS_ENSURE_SUCCESS(rv, rv);
}
int16_t decision = REJECT_REQUEST;
rv = ShouldLoad(contentPolicyType,
newUri,
requestingLocation,
loadInfo->LoadingNode(),
EmptyCString(), // aMimeGuess
nullptr, // aExtra
requestingPrincipal,
&decision);
NS_ENSURE_SUCCESS(rv, rv);
// If the channel is about to load mixed content, abort the channel
if (!NS_CP_ACCEPTED(decision)) {
autoCallback.DontCallback();
return NS_BINDING_FAILED;
}
return NS_OK;
}
/* This version of ShouldLoad() is non-static and called by the Content Policy
* API and AsyncOnChannelRedirect(). See nsIContentPolicy::ShouldLoad()
* for detailed description of the parameters.
*/
NS_IMETHODIMP
nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
nsIURI* aContentLocation,
nsIURI* aRequestingLocation,
nsISupports* aRequestingContext,
const nsACString& aMimeGuess,
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
// We pass in false as the first parameter to ShouldLoad(), because the
// callers of this method don't know whether the load went through cached
// image redirects. This is handled by direct callers of the static
// ShouldLoad.
nsresult rv = ShouldLoad(false, // aHadInsecureImageRedirect
aContentType,
aContentLocation,
aRequestingLocation,
aRequestingContext,
aMimeGuess,
aExtra,
aRequestPrincipal,
aDecision);
return rv;
}
/* Static version of ShouldLoad() that contains all the Mixed Content Blocker
* logic. Called from non-static ShouldLoad().
*/
nsresult
nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
uint32_t aContentType,
nsIURI* aContentLocation,
nsIURI* aRequestingLocation,
nsISupports* aRequestingContext,
const nsACString& aMimeGuess,
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
// Asserting that we are on the main thread here and hence do not have to lock
// and unlock sBlockMixedScript and sBlockMixedDisplay before reading/writing
// to them.
MOZ_ASSERT(NS_IsMainThread());
bool isPreload = nsContentUtils::IsPreloadType(aContentType);
// The content policy type that we receive may be an internal type for
// scripts. Let's remember if we have seen a worker type, and reset it to the
// external type in all cases right now.
bool isWorkerType = aContentType == nsIContentPolicy::TYPE_INTERNAL_WORKER ||
aContentType == nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER ||
aContentType == nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER;
aContentType = nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
// Assume active (high risk) content and blocked by default
MixedContentTypes classification = eMixedScript;
// Make decision to block/reject by default
*aDecision = REJECT_REQUEST;
// Notes on non-obvious decisions:
//
// TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
//
// TYPE_FONT: The TrueType hinting mechanism is basically a scripting
// language that gets interpreted by the operating system's font rasterizer.
// Mixed content web fonts are relatively uncommon, and we can can fall back
// to built-in fonts with minimal disruption in almost all cases.
//
// TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
// script that a plugin will execute) or display content (e.g. Flash video
// content). Until we have a way to determine active vs passive content
// from plugin requests (bug 836352), we will treat this as passive content.
// This is to prevent false positives from causing users to become
// desensitized to the mixed content blocker.
//
// TYPE_CSP_REPORT: High-risk because they directly leak information about
// the content of the page, and because blocking them does not have any
// negative effect on the page loading.
//
// TYPE_PING: Ping requests are POSTS, not GETs like images and media.
// Also, PING requests have no bearing on the rendering or operation of
// the page when used as designed, so even though they are lower risk than
// scripts, blocking them is basically risk-free as far as compatibility is
// concerned.
//
// TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
// and other advanced CSS features can possibly be exploited to cause
// spoofing attacks (e.g. make a "grant permission" button look like a
// "refuse permission" button).
//
// TYPE_BEACON: Beacon requests are similar to TYPE_PING, and are blocked by
// default.
//
// TYPE_WEBSOCKET: The Websockets API requires browsers to
// reject mixed-content websockets: "If secure is false but the origin of
// the entry script has a scheme component that is itself a secure protocol,
// e.g. HTTPS, then throw a SecurityError exception." We already block mixed
// content websockets within the websockets implementation, so we don't need
// to do any blocking here, nor do we need to provide a way to undo or
// override the blocking. Websockets without TLS are very flaky anyway in the
// face of many HTTP-aware proxies. Compared to passive content, there is
// additional risk that the script using WebSockets will disclose sensitive
// information from the HTTPS page and/or eval (directly or indirectly)
// received data.
//
// TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
// mixed-content XHR will already be blocked by that check. This will also
// block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
// above for WebSockets apply to XHR, and XHR should have the same security
// properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
// amplifies these concerns.
static_assert(TYPE_DATAREQUEST == TYPE_XMLHTTPREQUEST,
"TYPE_DATAREQUEST is not a synonym for "
"TYPE_XMLHTTPREQUEST");
switch (aContentType) {
// The top-level document cannot be mixed content by definition
case TYPE_DOCUMENT:
*aDecision = ACCEPT;
return NS_OK;
// Creating insecure websocket connections in a secure page is blocked already
// in the websocket constructor. We don't need to check the blocking here
// and we don't want to un-block
case TYPE_WEBSOCKET:
*aDecision = ACCEPT;
return NS_OK;
// Static display content is considered moderate risk for mixed content so
// these will be blocked according to the mixed display preference
case TYPE_IMAGE:
case TYPE_MEDIA:
case TYPE_OBJECT_SUBREQUEST:
classification = eMixedDisplay;
break;
// Active content (or content with a low value/risk-of-blocking ratio)
// that has been explicitly evaluated; listed here for documentation
// purposes and to avoid the assertion and warning for the default case.
case TYPE_BEACON:
case TYPE_CSP_REPORT:
case TYPE_DTD:
case TYPE_FETCH:
case TYPE_FONT:
case TYPE_IMAGESET:
case TYPE_OBJECT:
case TYPE_SCRIPT:
case TYPE_STYLESHEET:
case TYPE_SUBDOCUMENT:
case TYPE_PING:
case TYPE_WEB_MANIFEST:
case TYPE_XBL:
case TYPE_XMLHTTPREQUEST:
case TYPE_XSLT:
case TYPE_OTHER:
break;
// This content policy works as a whitelist.
default:
MOZ_ASSERT(false, "Mixed content of unknown type");
break;
}
// Make sure to get the URI the load started with. No need to check
// outer schemes because all the wrapping pseudo protocols inherit the
// security properties of the actual network request represented
// by the innerMost URL.
nsCOMPtr<nsIURI> innerContentLocation = NS_GetInnermostURI(aContentLocation);
if (!innerContentLocation) {
NS_ERROR("Can't get innerURI from aContentLocation");
*aDecision = REJECT_REQUEST;
return NS_OK;
}
/* Get the scheme of the sub-document resource to be requested. If it is
* a safe to load in an https context then mixed content doesn't apply.
*
* Check Protocol Flags to determine if scheme is safe to load:
* URI_DOES_NOT_RETURN_DATA - e.g.
* "mailto"
* URI_IS_LOCAL_RESOURCE - e.g.
* "data",
* "resource",
* "moz-icon"
* URI_INHERITS_SECURITY_CONTEXT - e.g.
* "javascript"
* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
* "https",
* "moz-safe-about"
*
*/
bool schemeLocal = false;
bool schemeNoReturnData = false;
bool schemeInherits = false;
bool schemeSecure = false;
if (NS_FAILED(NS_URIChainHasFlags(innerContentLocation, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE , &schemeLocal)) ||
NS_FAILED(NS_URIChainHasFlags(innerContentLocation, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA, &schemeNoReturnData)) ||
NS_FAILED(NS_URIChainHasFlags(innerContentLocation, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT, &schemeInherits)) ||
NS_FAILED(NS_URIChainHasFlags(innerContentLocation, nsIProtocolHandler::URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT, &schemeSecure))) {
*aDecision = REJECT_REQUEST;
return NS_ERROR_FAILURE;
}
// TYPE_IMAGE redirects are cached based on the original URI, not the final
// destination and hence cache hits for images may not have the correct
// innerContentLocation. Check if the cached hit went through an http redirect,
// and if it did, we can't treat this as a secure subresource.
if (!aHadInsecureImageRedirect &&
(schemeLocal || schemeNoReturnData || schemeInherits || schemeSecure)) {
*aDecision = ACCEPT;
return NS_OK;
}
// Since there are cases where aRequestingLocation and aRequestPrincipal are
// definitely not the owning document, we try to ignore them by extracting the
// requestingLocation in the following order:
// 1) from the aRequestingContext, either extracting
// a) the node's principal, or the
// b) script object's principal.
// 2) if aRequestingContext yields a principal but no location, we check
// if its the system principal. If it is, allow the load.
// 3) Special case handling for:
// a) speculative loads, where shouldLoad is called twice (bug 839235)
// and the first speculative load does not include a context.
// In this case we use aRequestingLocation to set requestingLocation.
// b) TYPE_CSP_REPORT which does not provide a context. In this case we
// use aRequestingLocation to set requestingLocation.
// c) content scripts from addon code that do not provide aRequestingContext
// or aRequestingLocation, but do provide aRequestPrincipal.
// If aRequestPrincipal is an expanded principal, we allow the load.
// 4) If we still end up not having a requestingLocation, we reject the load.
nsCOMPtr<nsIPrincipal> principal;
// 1a) Try to get the principal if aRequestingContext is a node.
nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
if (node) {
principal = node->NodePrincipal();
}
// 1b) Try using the window's script object principal if it's not a node.
if (!principal) {
nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = do_QueryInterface(aRequestingContext);
if (scriptObjPrin) {
principal = scriptObjPrin->GetPrincipal();
}
}
nsCOMPtr<nsIURI> requestingLocation;
if (principal) {
principal->GetURI(getter_AddRefs(requestingLocation));
}
// 2) if aRequestingContext yields a principal but no location, we check if its a system principal.
if (principal && !requestingLocation) {
if (nsContentUtils::IsSystemPrincipal(principal)) {
*aDecision = ACCEPT;
return NS_OK;
}
}
// 3a,b) Special case handling for speculative loads and TYPE_CSP_REPORT. In
// such cases, aRequestingContext doesn't exist, so we use aRequestingLocation.
// Unfortunately we can not distinguish between speculative and normal loads here,
// otherwise we could special case this assignment.
if (!requestingLocation) {
requestingLocation = aRequestingLocation;
}
// 3c) Special case handling for content scripts from addons code, which only
// provide a aRequestPrincipal; aRequestingContext and aRequestingLocation are
// both null; if the aRequestPrincipal is an expandedPrincipal, we allow the load.
if (!principal && !requestingLocation && aRequestPrincipal) {
nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aRequestPrincipal);
if (expanded) {
*aDecision = ACCEPT;
return NS_OK;
}
}
// 4) Giving up. We still don't have a requesting location, therefore we can't tell
// if this is a mixed content load. Deny to be safe.
if (!requestingLocation) {
*aDecision = REJECT_REQUEST;
return NS_OK;
}
// Check the parent scheme. If it is not an HTTPS page then mixed content
// restrictions do not apply.
bool parentIsHttps;
nsCOMPtr<nsIURI> innerRequestingLocation = NS_GetInnermostURI(requestingLocation);
if (!innerRequestingLocation) {
NS_ERROR("Can't get innerURI from requestingLocation");
*aDecision = REJECT_REQUEST;
return NS_OK;
}
nsresult rv = innerRequestingLocation->SchemeIs("https", &parentIsHttps);
if (NS_FAILED(rv)) {
NS_ERROR("requestingLocation->SchemeIs failed");
*aDecision = REJECT_REQUEST;
return NS_OK;
}
if (!parentIsHttps) {
*aDecision = ACCEPT;
return NS_OK;
}
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(aRequestingContext);
NS_ENSURE_TRUE(docShell, NS_OK);
// The page might have set the CSP directive 'block-all-mixed-content' which
// should block not only active mixed content loads but in fact all mixed content
// loads, see https://www.w3.org/TR/mixed-content/#strict-checking
// Block all non secure loads in case the CSP directive is present. Please note
// that at this point we already know, based on |schemeSecure| that the load is
// not secure, so we can bail out early at this point.
if (docShell->GetDocument()->GetBlockAllMixedContent(isPreload)) {
// log a message to the console before returning.
nsAutoCString spec;
rv = aContentLocation->GetSpec(spec);
NS_ENSURE_SUCCESS(rv, rv);
NS_ConvertUTF8toUTF16 reportSpec(spec);
const char16_t* params[] = { reportSpec.get()};
CSP_LogLocalizedStr(MOZ_UTF16("blockAllMixedContent"),
params, ArrayLength(params),
EmptyString(), // aSourceFile
EmptyString(), // aScriptSample
0, // aLineNumber
0, // aColumnNumber
nsIScriptError::errorFlag, "CSP",
docShell->GetDocument()->InnerWindowID());
*aDecision = REJECT_REQUEST;
return NS_OK;
}
// Disallow mixed content loads for workers, shared workers and service
// workers.
if (isWorkerType) {
// For workers, we can assume that we're mixed content at this point, since
// the parent is https, and the protocol associated with innerContentLocation
// doesn't map to the secure URI flags checked above. Assert this for
// sanity's sake
#ifdef DEBUG
bool isHttpsScheme = false;
rv = innerContentLocation->SchemeIs("https", &isHttpsScheme);
NS_ENSURE_SUCCESS(rv, rv);
MOZ_ASSERT(!isHttpsScheme);
#endif
*aDecision = REJECT_REQUEST;
return NS_OK;
}
// The page might have set the CSP directive 'upgrade-insecure-requests'. In such
// a case allow the http: load to succeed with the promise that the channel will
// get upgraded to https before fetching any data from the netwerk.
// Please see: nsHttpChannel::Connect()
//
// Please note that the CSP directive 'upgrade-insecure-requests' only applies to
// http: and ws: (for websockets). Websockets are not subject to mixed content
// blocking since insecure websockets are not allowed within secure pages. Hence,
// we only have to check against http: here. Skip mixed content blocking if the
// subresource load uses http: and the CSP directive 'upgrade-insecure-requests'
// is present on the page.
bool isHttpScheme = false;
rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
NS_ENSURE_SUCCESS(rv, rv);
if (isHttpScheme && docShell->GetDocument()->GetUpgradeInsecureRequests(isPreload)) {
*aDecision = ACCEPT;
return NS_OK;
}
// Determine if the rootDoc is https and if the user decided to allow Mixed Content
bool rootHasSecureConnection = false;
bool allowMixedContent = false;
bool isRootDocShell = false;
rv = docShell->GetAllowMixedContentAndConnectionData(&rootHasSecureConnection, &allowMixedContent, &isRootDocShell);
if (NS_FAILED(rv)) {
*aDecision = REJECT_REQUEST;
return rv;
}
// Get the sameTypeRoot tree item from the docshell
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
NS_ASSERTION(sameTypeRoot, "No root tree item from docshell!");
// When navigating an iframe, the iframe may be https
// but its parents may not be. Check the parents to see if any of them are https.
// If none of the parents are https, allow the load.
if (aContentType == TYPE_SUBDOCUMENT && !rootHasSecureConnection) {
bool httpsParentExists = false;
nsCOMPtr<nsIDocShellTreeItem> parentTreeItem;
parentTreeItem = docShell;
while(!httpsParentExists && parentTreeItem) {
nsCOMPtr<nsIWebNavigation> parentAsNav(do_QueryInterface(parentTreeItem));
NS_ASSERTION(parentAsNav, "No web navigation object from parent's docshell tree item");
nsCOMPtr<nsIURI> parentURI;
parentAsNav->GetCurrentURI(getter_AddRefs(parentURI));
if (!parentURI || NS_FAILED(parentURI->SchemeIs("https", &httpsParentExists))) {
// if getting the URI or the scheme fails, assume there is a https parent and break.
httpsParentExists = true;
break;
}
// When the parent and the root are the same, we have traversed all the way up
// the same type docshell tree. Break out of the while loop.
if(sameTypeRoot == parentTreeItem) {
break;
}
// update the parent to the grandparent.
nsCOMPtr<nsIDocShellTreeItem> newParentTreeItem;
parentTreeItem->GetSameTypeParent(getter_AddRefs(newParentTreeItem));
parentTreeItem = newParentTreeItem;
} // end while loop.
if (!httpsParentExists) {
*aDecision = nsIContentPolicy::ACCEPT;
return NS_OK;
}
}
// Get the root document from the sameTypeRoot
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
// Get eventSink and the current security state from the docShell
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
NS_ASSERTION(eventSink, "No eventSink from docShell.");
nsCOMPtr<nsIDocShell> rootShell = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootShell, "No root docshell from document shell root tree item.");
uint32_t state = nsIWebProgressListener::STATE_IS_BROKEN;
nsCOMPtr<nsISecureBrowserUI> securityUI;
rootShell->GetSecurityUI(getter_AddRefs(securityUI));
// If there is no securityUI, document doesn't have a security state.
// Allow load and return early.
if (!securityUI) {
*aDecision = nsIContentPolicy::ACCEPT;
return NS_OK;
}
nsresult stateRV = securityUI->GetState(&state);
// At this point we know that the request is mixed content, and the only
// question is whether we block it. Record telemetry at this point as to
// whether HSTS would have fixed things by making the content location
// into an HTTPS URL.
//
// Note that we count this for redirects as well as primary requests. This
// will cause some degree of double-counting, especially when mixed content
// is not blocked (e.g., for images). For more detail, see:
// https://bugzilla.mozilla.org/show_bug.cgi?id=1198572#c19
//
// We do not count requests aHadInsecureImageRedirect=true, since these are
// just an artifact of the image caching system.
bool active = (classification == eMixedScript);
if (!aHadInsecureImageRedirect) {
if (XRE_IsParentProcess()) {
AccumulateMixedContentHSTS(innerContentLocation, active);
} else {
// Ask the parent process to do the same call
mozilla::dom::ContentChild* cc = mozilla::dom::ContentChild::GetSingleton();
if (cc) {
mozilla::ipc::URIParams uri;
SerializeURI(innerContentLocation, uri);
cc->SendAccumulateMixedContentHSTS(uri, active);
}
}
}
// set hasMixedContentObjectSubrequest on this object if necessary
if (aContentType == TYPE_OBJECT_SUBREQUEST) {
rootDoc->SetHasMixedContentObjectSubrequest(true);
}
// If the content is display content, and the pref says display content should be blocked, block it.
if (sBlockMixedDisplay && classification == eMixedDisplay) {
if (allowMixedContent) {
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
*aDecision = nsIContentPolicy::ACCEPT;
// See if mixed display content has already loaded on the page or if the state needs to be updated here.
// If mixed display hasn't loaded previously, then we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedDisplayContentLoaded(true);
if (rootHasSecureConnection) {
if (rootDoc->GetHasMixedActiveContentLoaded()) {
// If mixed active content is loaded, make sure to include that in the state.
eventSink->OnSecurityChange(aRequestingContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
} else {
eventSink->OnSecurityChange(aRequestingContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
} else {
// User has overriden the pref and the root is not https;
// mixed display content was allowed on an https subframe.
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(aRequestingContext, (state | nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
}
} else {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
if (!rootDoc->GetHasMixedDisplayContentBlocked() && NS_SUCCEEDED(stateRV)) {
rootDoc->SetHasMixedDisplayContentBlocked(true);
eventSink->OnSecurityChange(aRequestingContext, (state | nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT));
}
}
return NS_OK;
} else if (sBlockMixedScript && classification == eMixedScript) {
// If the content is active content, and the pref says active content should be blocked, block it
// unless the user has choosen to override the pref
if (allowMixedContent) {
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
*aDecision = nsIContentPolicy::ACCEPT;
// See if the state will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentLoaded(true);
if (rootHasSecureConnection) {
// User has decided to override the pref and the root is https, so change the Security State.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
// If mixed display content is loaded, make sure to include that in the state.
eventSink->OnSecurityChange(aRequestingContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
} else {
eventSink->OnSecurityChange(aRequestingContext,
(nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
} else {
// User has already overriden the pref and the root is not https;
// mixed active content was allowed on an https subframe.
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(aRequestingContext, (state | nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
}
} else {
//User has not overriden the pref by Disabling protection. Reject the request and update the security state.
*aDecision = nsIContentPolicy::REJECT_REQUEST;
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentBlocked()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentBlocked(true);
// The user has not overriden the pref, so make sure they still have an option by calling eventSink
// which will invoke the doorhanger
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(aRequestingContext, (state | nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
}
} else {
// The content is not blocked by the mixed content prefs.
// Log a message that we are loading mixed content.
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
// Fire the event from a script runner as it is unsafe to run script
// from within ShouldLoad
nsContentUtils::AddScriptRunner(
new nsMixedContentEvent(aRequestingContext, classification, rootHasSecureConnection));
*aDecision = ACCEPT;
return NS_OK;
}
}
NS_IMETHODIMP
nsMixedContentBlocker::ShouldProcess(uint32_t aContentType,
nsIURI* aContentLocation,
nsIURI* aRequestingLocation,
nsISupports* aRequestingContext,
const nsACString& aMimeGuess,
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
aContentType = nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
if (!aContentLocation) {
// aContentLocation may be null when a plugin is loading without an associated URI resource
if (aContentType == TYPE_OBJECT) {
*aDecision = ACCEPT;
return NS_OK;
} else {
*aDecision = REJECT_REQUEST;
return NS_ERROR_FAILURE;
}
}
return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
aDecision);
}
enum MixedContentHSTSState {
MCB_HSTS_PASSIVE_NO_HSTS = 0,
MCB_HSTS_PASSIVE_WITH_HSTS = 1,
MCB_HSTS_ACTIVE_NO_HSTS = 2,
MCB_HSTS_ACTIVE_WITH_HSTS = 3
};
// Record information on when HSTS would have made mixed content not mixed
// content (regardless of whether it was actually blocked)
void
nsMixedContentBlocker::AccumulateMixedContentHSTS(nsIURI* aURI, bool aActive)
{
// This method must only be called in the parent, because
// nsSiteSecurityService is only available in the parent
if (!XRE_IsParentProcess()) {
MOZ_ASSERT(false);
return;
}
bool hsts;
nsresult rv;
nsCOMPtr<nsISiteSecurityService> sss = do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
if (NS_FAILED(rv)) {
return;
}
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, 0, &hsts);
if (NS_FAILED(rv)) {
return;
}
if (!aActive) {
if (!hsts) {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_PASSIVE_NO_HSTS);
}
else {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_PASSIVE_WITH_HSTS);
}
} else {
if (!hsts) {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_ACTIVE_NO_HSTS);
}
else {
Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
MCB_HSTS_ACTIVE_WITH_HSTS);
}
}
}
Reference in New Issue View Git Blame Copy Permalink