dom/base/nsDataDocumentContentPolicy.cpp
author Sylvestre Ledru <sledru@mozilla.com>
Fri, 30 Nov 2018 11:46:48 +0100
changeset 448947 6f3709b3878117466168c40affa7bca0b60cf75b
parent 438077 e394388fc01759f8527852dfce2cfab361934ea9
child 452446 f0a91d36587266d7454a450c6044d573664fbed5
permissions -rw-r--r--
Bug 1511181 - Reformat everything to the Google coding style r=ehsan a=clang-format # ignore-this-changeset

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Content policy implementation that prevents all loads of images,
 * subframes, etc from documents loaded as data (eg documents loaded
 * via XMLHttpRequest).
 */

#include "nsContentUtils.h"
#include "nsDataDocumentContentPolicy.h"
#include "nsNetUtil.h"
#include "nsIProtocolHandler.h"
#include "nsScriptSecurityManager.h"
#include "nsIDocument.h"
#include "nsINode.h"
#include "nsIDOMWindow.h"
#include "nsIURI.h"

NS_IMPL_ISUPPORTS(nsDataDocumentContentPolicy, nsIContentPolicy)

// Helper method for ShouldLoad()
// Checks a URI for the given flags.  Returns true if the URI has the flags,
// and false if not (or if we weren't able to tell).
static bool HasFlags(nsIURI *aURI, uint32_t aURIFlags) {
  bool hasFlags;
  nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);
  return NS_SUCCEEDED(rv) && hasFlags;
}

// If you change DataDocumentContentPolicy, make sure to check that
// CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
// nsContentPolicyUtils may not pass all the parameters to ShouldLoad.
NS_IMETHODIMP
nsDataDocumentContentPolicy::ShouldLoad(nsIURI *aContentLocation,
                                        nsILoadInfo *aLoadInfo,
                                        const nsACString &aMimeGuess,
                                        int16_t *aDecision) {
  uint32_t contentType = aLoadInfo->GetExternalContentPolicyType();
  nsCOMPtr<nsISupports> requestingContext = aLoadInfo->GetLoadingContext();

  MOZ_ASSERT(contentType == nsContentUtils::InternalContentPolicyTypeToExternal(
                                contentType),
             "We should only see external content policy types here.");

  *aDecision = nsIContentPolicy::ACCEPT;
  // Look for the document.  In most cases, requestingContext is a node.
  nsCOMPtr<nsIDocument> doc;
  nsCOMPtr<nsINode> node = do_QueryInterface(requestingContext);
  if (node) {
    doc = node->OwnerDoc();
  } else {
    if (nsCOMPtr<nsPIDOMWindowOuter> window =
            do_QueryInterface(requestingContext)) {
      doc = window->GetDoc();
    }
  }

  // DTDs are always OK to load
  if (!doc || contentType == nsIContentPolicy::TYPE_DTD) {
    return NS_OK;
  }

  // Nothing else is OK to load for data documents
  if (doc->IsLoadedAsData()) {
    // ...but let static (print/print preview) documents to load fonts.
    if (!doc->IsStaticDocument() ||
        contentType != nsIContentPolicy::TYPE_FONT) {
      *aDecision = nsIContentPolicy::REJECT_TYPE;
      return NS_OK;
    }
  }

  nsIDocument *docToCheckForImage = doc->GetDisplayDocument();
  if (!docToCheckForImage) {
    docToCheckForImage = doc;
  }

  if (docToCheckForImage->IsBeingUsedAsImage()) {
    // We only allow SVG images to load content from URIs that are local and
    // also satisfy one of the following conditions:
    //  - URI inherits security context, e.g. data URIs
    //   OR
    //  - URI loadable by subsumers, e.g. blob URIs
    // Any URI that doesn't meet these requirements will be rejected below.
    if (!(HasFlags(aContentLocation,
                   nsIProtocolHandler::URI_IS_LOCAL_RESOURCE) &&
          (HasFlags(aContentLocation,
                    nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT) ||
           HasFlags(aContentLocation,
                    nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS)))) {
      *aDecision = nsIContentPolicy::REJECT_TYPE;

      // Report error, if we can.
      if (node) {
        nsIPrincipal *requestingPrincipal = node->NodePrincipal();
        RefPtr<nsIURI> principalURI;
        nsresult rv = requestingPrincipal->GetURI(getter_AddRefs(principalURI));
        if (NS_SUCCEEDED(rv) && principalURI) {
          nsScriptSecurityManager::ReportError(
              "ExternalDataError", principalURI, aContentLocation,
              requestingPrincipal->OriginAttributesRef().mPrivateBrowsingId >
                  0);
        }
      }
    } else if ((contentType == nsIContentPolicy::TYPE_IMAGE ||
                contentType == nsIContentPolicy::TYPE_IMAGESET) &&
               doc->GetDocumentURI()) {
      // Check for (& disallow) recursive image-loads
      bool isRecursiveLoad;
      nsresult rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
                                                      &isRecursiveLoad);
      if (NS_FAILED(rv) || isRecursiveLoad) {
        NS_WARNING("Refusing to recursively load image");
        *aDecision = nsIContentPolicy::REJECT_TYPE;
      }
    }
    return NS_OK;
  }

  // Allow all loads for non-resource documents
  if (!doc->IsResourceDoc()) {
    return NS_OK;
  }

  // For resource documents, blacklist some load types
  if (contentType == nsIContentPolicy::TYPE_OBJECT ||
      contentType == nsIContentPolicy::TYPE_DOCUMENT ||
      contentType == nsIContentPolicy::TYPE_SUBDOCUMENT ||
      contentType == nsIContentPolicy::TYPE_SCRIPT ||
      contentType == nsIContentPolicy::TYPE_XSLT ||
      contentType == nsIContentPolicy::TYPE_FETCH ||
      contentType == nsIContentPolicy::TYPE_WEB_MANIFEST) {
    *aDecision = nsIContentPolicy::REJECT_TYPE;
  }

  // If you add more restrictions here, make sure to check that
  // CHECK_PRINCIPAL_AND_DATA in nsContentPolicyUtils is still valid.
  // nsContentPolicyUtils may not pass all the parameters to ShouldLoad

  return NS_OK;
}

NS_IMETHODIMP
nsDataDocumentContentPolicy::ShouldProcess(nsIURI *aContentLocation,
                                           nsILoadInfo *aLoadInfo,
                                           const nsACString &aMimeGuess,
                                           int16_t *aDecision) {
  return ShouldLoad(aContentLocation, aLoadInfo, aMimeGuess, aDecision);
}