Bug 1498526 - add in user pref to prevent loading implied triggeringPrincipal loads for dev and nightly builds. r=ckerschb
authorJonathan Kingston <jkt@mozilla.com>
Wed, 07 Nov 2018 14:42:27 +0000
changeset 444857 34938b2824caac058c3caef1b193cbc3042eec6a
parent 444856 91d4adaad7a9944f9b39f75d9849f1b8c61e1ace
child 444858 c4e0c395c954bbd374e5bfa1e3b86758045732e6
push id35005
push useraiakab@mozilla.com
push dateWed, 07 Nov 2018 21:49:53 +0000
treeherdermozilla-central@12afa29e9c8c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersckerschb
bugs1498526
milestone65.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1498526 - add in user pref to prevent loading implied triggeringPrincipal loads for dev and nightly builds. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D8546
docshell/base/nsDocShell.cpp
docshell/base/nsDocShell.h
modules/libpref/init/all.js
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -353,16 +353,17 @@ nsDocShell::nsDocShell()
   , mAllowMetaRedirects(true)
   , mAllowImages(true)
   , mAllowMedia(true)
   , mAllowDNSPrefetch(true)
   , mAllowWindowControl(true)
   , mAllowContentRetargeting(true)
   , mAllowContentRetargetingOnChildren(true)
   , mUseErrorPages(false)
+  , mUseStrictSecurityChecks(false)
   , mObserveErrorPages(true)
   , mCSSErrorReportingEnabled(false)
   , mAllowAuth(true)
   , mAllowKeywordFixup(false)
   , mIsOffScreenBrowser(false)
   , mIsActive(true)
   , mDisableMetaRefreshWhenInactive(false)
   , mIsAppTab(false)
@@ -4120,16 +4121,19 @@ nsDocShell::LoadURI(const nsAString& aUR
                     nsIURI* aReferringURI,
                     nsIInputStream* aPostStream,
                     nsIInputStream* aHeaderStream,
                     nsIPrincipal* aTriggeringPrincipal)
 {
 #ifndef ANDROID
   MOZ_ASSERT(aTriggeringPrincipal, "LoadURI: Need a valid triggeringPrincipal");
 #endif
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
   return LoadURIWithOptions(aURI, aLoadFlags, aReferringURI,
                             RP_Unset, aPostStream,
                             aHeaderStream, nullptr, aTriggeringPrincipal);
 }
 
 NS_IMETHODIMP
 nsDocShell::LoadURIWithOptions(const nsAString& aURI,
                                uint32_t aLoadFlags,
@@ -4159,16 +4163,19 @@ nsDocShell::LoadURIWithOptions(const nsA
   // Eliminate embedded newlines, which single-line text fields now allow:
   uriString.StripCRLF();
   NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
 
 #ifndef ANDROID
   MOZ_ASSERT(aTriggeringPrincipal, "LoadURIWithOptions: Need a valid triggeringPrincipal");
 #endif
 
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
 
   rv = NS_NewURI(getter_AddRefs(uri), uriString);
   if (uri) {
     aLoadFlags &= ~LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP;
   }
 
   nsCOMPtr<nsIURIFixupInfo> fixupInfo;
   if (sURIFixup) {
@@ -4916,16 +4923,19 @@ nsDocShell::Reload(uint32_t aReloadFlags
 
       nsCOMPtr<nsILoadInfo> loadInfo = chan->GetLoadInfo();
       if (loadInfo) {
         loadInfo->GetResultPrincipalURI(getter_AddRefs(resultPrincipalURI));
       }
     }
 
     MOZ_ASSERT(triggeringPrincipal, "Need a valid triggeringPrincipal");
+    if (mUseStrictSecurityChecks && !triggeringPrincipal) {
+      return NS_ERROR_FAILURE;
+    }
 
     // Stack variables to ensure changes to the member variables don't affect to
     // the call.
     nsCOMPtr<nsIURI> currentURI = mCurrentURI;
     nsCOMPtr<nsIURI> referrerURI = mReferrerURI;
     uint32_t referrerPolicy = mReferrerPolicy;
 
     // Reload always rewrites result principal URI.
@@ -5186,16 +5196,19 @@ nsDocShell::Create()
   mCreated = true;
 
   if (gValidateOrigin == 0xffffffff) {
     // Check pref to see if we should prevent frameset spoofing
     gValidateOrigin =
       Preferences::GetBool("browser.frame.validate_origin", true);
   }
 
+  mUseStrictSecurityChecks = Preferences::GetBool("security.strict_security_checks.enabled",
+                                                  mUseStrictSecurityChecks);
+
   // Should we use XUL error pages instead of alerts if possible?
   mUseErrorPages =
     Preferences::GetBool("browser.xul.error_pages.enabled", mUseErrorPages);
 
   if (!gAddedPreferencesVarCache) {
     Preferences::AddBoolVarCache(&sUseErrorPages,
                                  "browser.xul.error_pages.enabled",
                                  mUseErrorPages);
@@ -9158,16 +9171,19 @@ nsDocShell::InternalLoad(nsIURI* aURI,
                          bool aFirstParty,
                          const nsAString& aSrcdoc,
                          nsIDocShell* aSourceDocShell,
                          nsIURI* aBaseURI,
                          nsIDocShell** aDocShell,
                          nsIRequest** aRequest)
 {
   MOZ_ASSERT(aTriggeringPrincipal, "need a valid TriggeringPrincipal");
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
 
   nsresult rv = NS_OK;
   mOriginalUriString.Truncate();
 
   MOZ_LOG(gDocShellLeakLog, LogLevel::Debug,
           ("DOCSHELL %p InternalLoad %s\n",
            this, aURI ? aURI->GetSpecOrDefault().get() : ""));
   // Initialize aDocShell/aRequest
@@ -10379,16 +10395,20 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     }
   }
 
   // Getting the right triggeringPrincipal needs to be updated and is only
   // ready for use once bug 1182569 landed. Until then, we cannot rely on
   // the triggeringPrincipal for TYPE_DOCUMENT loads.
   MOZ_ASSERT(aTriggeringPrincipal, "Need a valid triggeringPrincipal");
 
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
+
   bool isSandBoxed = mSandboxFlags & SANDBOXED_ORIGIN;
 
   // We want to inherit aPrincipalToInherit when:
   // 1. ChannelShouldInheritPrincipal returns true.
   // 2. aURI is not data: URI, or data: URI is not configured as unique opaque
   //    origin.
   bool inheritAttrs = false, inheritPrincipal = false;
 
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -1133,16 +1133,17 @@ private: // data members
   bool mAllowMetaRedirects : 1;
   bool mAllowImages : 1;
   bool mAllowMedia : 1;
   bool mAllowDNSPrefetch : 1;
   bool mAllowWindowControl : 1;
   bool mAllowContentRetargeting : 1;
   bool mAllowContentRetargetingOnChildren : 1;
   bool mUseErrorPages : 1;
+  bool mUseStrictSecurityChecks : 1;
   bool mObserveErrorPages : 1;
   bool mCSSErrorReportingEnabled : 1;
   bool mAllowAuth : 1;
   bool mAllowKeywordFixup : 1;
   bool mIsOffScreenBrowser : 1;
   bool mIsActive : 1;
   bool mDisableMetaRefreshWhenInactive : 1;
   bool mIsAppTab : 1;
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2669,16 +2669,24 @@ pref("security.cert_pinning.enforcement_
 // This is to prevent accidental pinning from MITM devices and is used
 // for tests.
 pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 
 // If set to true, allow view-source URIs to be opened from URIs that share
 // their protocol with the inner URI of the view-source URI
 pref("security.view-source.reachable-from-inner-protocol", false);
 
+// If set to true strict checks will happen on the triggering principal for loads.
+// Android is disabled at the moment pending Bug 1504968
+#if !defined(RELEASE_OR_BETA) && !defined(ANDROID)
+pref("security.strict_security_checks.enabled", true);
+#else
+pref("security.strict_security_checks.enabled", false);
+#endif
+
 // Remote settings preferences
 pref("services.settings.poll_interval", 86400); // 24H
 pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
 pref("services.settings.changes.path", "/buckets/monitor/collections/changes/records");
 pref("services.settings.default_bucket", "main");
 pref("services.settings.default_signer", "remote-settings.content-signature.mozilla.org");
 
 // Blocklist preferences