Bug 1596421 - Disable eval restrictions if the web extension process is disabled r=ckerschb
authorTom Ritter <tom@mozilla.com>
Fri, 15 Nov 2019 15:36:42 +0000
changeset 502186 5e324cc146e3171fd88d4ed2a3727cc1498e8d6a
parent 502185 5d471a86dc2963fadc67d4d37e03e8674289dbec
child 502187 4658f41dadeee748ec1fe0c9ad6a0ab4c4690921
push id114172
push userdluca@mozilla.com
push dateTue, 19 Nov 2019 11:31:10 +0000
reviewersckerschb
bugs1596421
milestone72.0a1
Bug 1596421 - Disable eval restrictions if the web extension process is disabled r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D53026
dom/security/nsContentSecurityUtils.cpp
modules/libpref/init/StaticPrefList.yaml
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@@ -14,16 +14,17 @@
 #include "nsIMultiPartChannel.h"
 #include "nsIURI.h"
 #if defined(XP_WIN)
 #  include "WinUtils.h"
 #  include <wininet.h>
 #endif
 
 #include "mozilla/dom/Document.h"
+#include "mozilla/StaticPrefs_extensions.h"
 
 /*
  * Performs a Regular Expression match, optionally returning the results.
  * This function is not safe to use OMT.
  *
  * @param aPattern      The regex pattern
  * @param aString       The string to compare against
  * @param aOnlyMatch    Whether we want match results or only a true/false for
@@ -305,39 +306,38 @@ bool nsContentSecurityUtils::IsEvalAllow
 
   // We also permit two specific idioms in eval()-like contexts. We'd like to
   // elminate these too; but there are in-the-wild Mozilla privileged extensions
   // that use them.
   static NS_NAMED_LITERAL_STRING(sAllowedEval1, "this");
   static NS_NAMED_LITERAL_STRING(sAllowedEval2,
                                  "function anonymous(\n) {\nreturn this\n}");
 
+  if (MOZ_LIKELY(!aIsSystemPrincipal && !XRE_IsE10sParentProcess())) {
+    // We restrict eval in the system principal and parent process.
+    // Other uses (like web content and null principal) are allowed.
+    return true;
+  }
+
   if (aIsSystemPrincipal &&
       StaticPrefs::security_allow_eval_with_system_principal()) {
-    MOZ_LOG(
-        sCSMLog, LogLevel::Debug,
-        ("Allowing eval() %s because allowing pref is "
-         "enabled",
-         (aIsSystemPrincipal ? "with System Principal" : "in parent process")));
+    MOZ_LOG(sCSMLog, LogLevel::Debug,
+            ("Allowing eval() with System Principal because allowing pref is "
+             "enabled"));
     return true;
   }
 
   if (XRE_IsE10sParentProcess() &&
       StaticPrefs::security_allow_eval_in_parent_process()) {
     MOZ_LOG(sCSMLog, LogLevel::Debug,
             ("Allowing eval() in parent process because allowing pref is "
              "enabled"));
     return true;
   }
 
-  if (!aIsSystemPrincipal && !XRE_IsE10sParentProcess()) {
-    // Usage of eval we are unconcerned with.
-    return true;
-  }
-
   // We only perform a check of this preference on the Main Thread
   // (because a String-based preference check is only safe on Main Thread.)
   // The consequence of this is that if a user is using userChromeJS _and_
   // the scripts they use start a worker and that worker uses eval - we will
   // enter this function, skip over this pref check that would normally cause
   // us to allow the eval usage - and we will block it.
   // While not ideal, we do not officially support userChromeJS, and hopefully
   // the usage of workers and eval in workers is even lower that userChromeJS
@@ -354,16 +354,24 @@ bool nsContentSecurityUtils::IsEvalAllow
               ("Allowing eval() %s because of "
                "general.config.filename",
                (aIsSystemPrincipal ? "with System Principal"
                                    : "in parent process")));
       return true;
     }
   }
 
+  if (XRE_IsE10sParentProcess() &&
+      !StaticPrefs::extensions_webextensions_remote()) {
+    MOZ_LOG(sCSMLog, LogLevel::Debug,
+            ("Allowing eval() in parent process because the web extension "
+             "process is disabled"));
+    return true;
+  }
+
   // We permit these two common idioms to get access to the global JS object
   if (!aScript.IsEmpty() &&
       (aScript == sAllowedEval1 || aScript == sAllowedEval2)) {
     MOZ_LOG(
         sCSMLog, LogLevel::Debug,
         ("Allowing eval() %s because a key string is "
          "provided",
          (aIsSystemPrincipal ? "with System Principal" : "in parent process")));
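Review bot: The new `!StaticPrefs::extensions_webextensions_remote()` branch returns true for every eval() in the parent process, including calls where `aIsSystemPrincipal` is true, so setting that pref to false also lifts the system-principal restriction in the parent. If the intent is only to keep extension code working when it runs in the parent, the condition could be narrowed to `if (!aIsSystemPrincipal && XRE_IsE10sParentProcess() && !StaticPrefs::extensions_webextensions_remote()) {`. Either way the branch deserves a why-comment such as `// Extensions run in the parent process when the extension process is disabled, and they may legitimately use eval().`, because the log string alone does not say why this is safe. IsEvalAllowed starts before and continues past this hunk, so whether a later check still covers the system-principal case cannot be confirmed from here.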
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -2833,17 +2833,17 @@
 - name: extensions.content_script_csp.report_only
   type: bool
   value: true
   mirror: always
 
 # This pref governs whether we run webextensions in a separate process (true)
 # or the parent/main process (false)
 - name: extensions.webextensions.remote
-  type: bool
+  type: RelaxedAtomicBool
   value: false
   mirror: always
 
 #---------------------------------------------------------------------------
 # Prefs starting with "findbar."
 #---------------------------------------------------------------------------
 
 - name: findbar.modalHighlight
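Review bot: The change of `extensions.webextensions.remote` to `RelaxedAtomicBool` is not explained in the pref's comment. Presumably it is needed because the new read in nsContentSecurityUtils.cpp can happen off the main thread (a comment in that file mentions eval from workers). I would add a line such as `# Atomic because the eval() restriction check may read it off the main thread.` Separately, with `mirror: always` the eval check sees a runtime flip of this pref immediately, while whether extensions actually run in a separate process may be fixed at startup. It is worth confirming the two cannot disagree, since a mismatch would relax the parent-process eval restriction without extensions running there.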