Bug 1498526 - add in user pref to prevent loading implied triggeringPrincipal loads for dev and nightly builds. r=ckerschb
☠☠ backed out by 2f86f12badc1 ☠ ☠
authorJonathan Kingston <jkt@mozilla.com>
Tue, 06 Nov 2018 11:51:51 +0000
changeset 444613 c5cf88fb02d1a5b8c17bc415058b09a7e308a582
parent 444612 cf9235d34b5bb3b86bd351edf9cce45d26a69cd4
child 444614 1b11540e60c7f6072c411797d868a27043dc2da5
push id34998
push userapavel@mozilla.com
push dateTue, 06 Nov 2018 17:04:36 +0000
reviewersckerschb
bugs1498526
milestone65.0a1
Bug 1498526 - add in user pref to prevent loading implied triggeringPrincipal loads for dev and nightly builds. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D8546
docshell/base/nsDocShell.cpp
docshell/base/nsDocShell.h
modules/libpref/init/all.js
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -353,16 +353,17 @@ nsDocShell::nsDocShell()
   , mAllowMetaRedirects(true)
   , mAllowImages(true)
   , mAllowMedia(true)
   , mAllowDNSPrefetch(true)
   , mAllowWindowControl(true)
   , mAllowContentRetargeting(true)
   , mAllowContentRetargetingOnChildren(true)
   , mUseErrorPages(false)
+  , mUseStrictSecurityChecks(false)
   , mObserveErrorPages(true)
   , mCSSErrorReportingEnabled(false)
   , mAllowAuth(true)
   , mAllowKeywordFixup(false)
   , mIsOffScreenBrowser(false)
   , mIsActive(true)
   , mDisableMetaRefreshWhenInactive(false)
   , mIsAppTab(false)
@@ -4157,16 +4158,19 @@ nsDocShell::LoadURIWithOptions(const nsA
   // Eliminate embedded newlines, which single-line text fields now allow:
   uriString.StripCRLF();
   NS_ENSURE_TRUE(!uriString.IsEmpty(), NS_ERROR_FAILURE);
 
 #ifndef ANDROID
   MOZ_ASSERT(aTriggeringPrincipal, "LoadURIWithOptions: Need a valid triggeringPrincipal");
 #endif
 
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
 
   rv = NS_NewURI(getter_AddRefs(uri), uriString);
   if (uri) {
     aLoadFlags &= ~LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP;
   }
 
   nsCOMPtr<nsIURIFixupInfo> fixupInfo;
   if (sURIFixup) {
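Review bot: When the pref is on and a caller passes no triggering principal, the guard added to LoadURIWithOptions returns NS_ERROR_FAILURE with no diagnostic, so on a non-debug Nightly (where the MOZ_ASSERT just above compiles out) the load simply vanishes and the caller that still needs fixing is hard to locate. A warning before the return, `NS_WARNING("LoadURIWithOptions: rejecting load without a triggeringPrincipal");`, would make these rejections visible in the log without changing the outcome. The same applies to the identical guards in Reload, DoURILoad and OnLinkClickSync further down. LoadURIWithOptions starts outside this hunk.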
@@ -4914,16 +4918,19 @@ nsDocShell::Reload(uint32_t aReloadFlags
 
       nsCOMPtr<nsILoadInfo> loadInfo = chan->GetLoadInfo();
       if (loadInfo) {
         loadInfo->GetResultPrincipalURI(getter_AddRefs(resultPrincipalURI));
       }
     }
 
     MOZ_ASSERT(triggeringPrincipal, "Need a valid triggeringPrincipal");
+    if (mUseStrictSecurityChecks && !triggeringPrincipal) {
+      return NS_ERROR_FAILURE;
+    }
 
     // Stack variables to ensure changes to the member variables don't affect to
     // the call.
     nsCOMPtr<nsIURI> currentURI = mCurrentURI;
     nsCOMPtr<nsIURI> referrerURI = mReferrerURI;
     uint32_t referrerPolicy = mReferrerPolicy;
 
     // Reload always rewrites result principal URI.
@@ -5184,16 +5191,19 @@ nsDocShell::Create()
   mCreated = true;
 
   if (gValidateOrigin == 0xffffffff) {
     // Check pref to see if we should prevent frameset spoofing
     gValidateOrigin =
       Preferences::GetBool("browser.frame.validate_origin", true);
   }
 
+  mUseStrictSecurityChecks = Preferences::GetBool("security.strict_security_checks.enabled",
+                                                  mUseStrictSecurityChecks);
+
   // Should we use XUL error pages instead of alerts if possible?
   mUseErrorPages =
     Preferences::GetBool("browser.xul.error_pages.enabled", mUseErrorPages);
 
   if (!gAddedPreferencesVarCache) {
     Preferences::AddBoolVarCache(&sUseErrorPages,
                                  "browser.xul.error_pages.enabled",
                                  mUseErrorPages);
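Review bot: The new pref is read once per docshell in Create() via Preferences::GetBool, so flipping security.strict_security_checks.enabled at runtime only affects docshells created afterwards; the neighbouring browser.xul.error_pages.enabled is additionally mirrored into a static via AddBoolVarCache, and if live toggling matters (tests flipping the pref, for instance) that would be the consistent mechanism, though it would need a matching static in the header. The fallback default is the constructor's false, so an absent pref silently disables the checks, which is consistent with all.js but worth saying at the read site: `// Fail loads that lack a triggeringPrincipal; off unless the pref enables it.` Create() starts outside this hunk.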
@@ -10377,16 +10387,20 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     }
   }
 
   // Getting the right triggeringPrincipal needs to be updated and is only
   // ready for use once bug 1182569 landed. Until then, we cannot rely on
   // the triggeringPrincipal for TYPE_DOCUMENT loads.
   MOZ_ASSERT(aTriggeringPrincipal, "Need a valid triggeringPrincipal");
 
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
+
   bool isSandBoxed = mSandboxFlags & SANDBOXED_ORIGIN;
 
   // We want to inherit aPrincipalToInherit when:
   // 1. ChannelShouldInheritPrincipal returns true.
   // 2. aURI is not data: URI, or data: URI is not configured as unique opaque
   //    origin.
   bool inheritAttrs = false, inheritPrincipal = false;
 
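Review bot: The comment directly above the assertion still says the triggeringPrincipal cannot be relied on for TYPE_DOCUMENT loads until bug 1182569 lands, which now reads as contradicting the guard added right below it that fails such loads outright when the pref is on. It should be revised to describe the current state, e.g. `// Loads without a triggeringPrincipal are rejected when security.strict_security_checks.enabled is set; the assertion catches the remaining callers in debug builds.` DoURILoad starts outside this hunk.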
@@ -13209,16 +13223,19 @@ nsDocShell::OnLinkClickSync(nsIContent* 
                             nsIInputStream* aPostDataStream,
                             nsIInputStream* aHeadersDataStream,
                             bool aNoOpenerImplied,
                             nsIDocShell** aDocShell,
                             nsIRequest** aRequest,
                             bool aIsUserTriggered,
                             nsIPrincipal* aTriggeringPrincipal)
 {
+  if (mUseStrictSecurityChecks && !aTriggeringPrincipal) {
+    return NS_ERROR_FAILURE;
+  }
   // Initialize the DocShell / Request
   if (aDocShell) {
     *aDocShell = nullptr;
   }
   if (aRequest) {
     *aRequest = nullptr;
   }
 
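Review bot: The new guard in OnLinkClickSync returns before the out-parameters are initialized, so when it fires, aDocShell and aRequest keep whatever the caller passed in rather than the nullptr the rest of the function guarantees. Move the check below the two `if (aDocShell) { *aDocShell = nullptr; }` and `if (aRequest) { *aRequest = nullptr; }` blocks so a rejected load still leaves the out-params cleared. OnLinkClickSync's body continues past the hunk.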
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -1133,16 +1133,17 @@ private: // data members
   bool mAllowMetaRedirects : 1;
   bool mAllowImages : 1;
   bool mAllowMedia : 1;
   bool mAllowDNSPrefetch : 1;
   bool mAllowWindowControl : 1;
   bool mAllowContentRetargeting : 1;
   bool mAllowContentRetargetingOnChildren : 1;
   bool mUseErrorPages : 1;
+  bool mUseStrictSecurityChecks : 1;
   bool mObserveErrorPages : 1;
   bool mCSSErrorReportingEnabled : 1;
   bool mAllowAuth : 1;
   bool mAllowKeywordFixup : 1;
   bool mIsOffScreenBrowser : 1;
   bool mIsActive : 1;
   bool mDisableMetaRefreshWhenInactive : 1;
   bool mIsAppTab : 1;
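Review bot: The new bit-field mUseStrictSecurityChecks carries no comment, and its name does not say what is being checked strictly; a one-line note tying it to the pref and its effect would help the next reader, e.g. `// Mirrors security.strict_security_checks.enabled (read in Create()); when set, loads without a triggeringPrincipal fail.`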
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2658,16 +2658,24 @@ pref("security.cert_pinning.enforcement_
 // This is to prevent accidental pinning from MITM devices and is used
 // for tests.
 pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 
 // If set to true, allow view-source URIs to be opened from URIs that share
 // their protocol with the inner URI of the view-source URI
 pref("security.view-source.reachable-from-inner-protocol", false);
 
+// If set to true strict checks will happen on the triggering principal for loads.
+// Android is disabled at the moment pending Bug 1504968
+#if !defined(RELEASE_OR_BETA) && !defined(ANDROID)
+pref("security.strict_security_checks.enabled", true);
+#else
+pref("security.strict_security_checks.enabled", false);
+#endif
+
 // Remote settings preferences
 pref("services.settings.poll_interval", 86400); // 24H
 pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
 pref("services.settings.changes.path", "/buckets/monitor/collections/changes/records");
 pref("services.settings.default_bucket", "main");
 pref("services.settings.default_signer", "remote-settings.content-signature.mozilla.org");
 
 // Blocklist preferences
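Review bot: The comment on the new pref says strict checks "will happen" but not what the consequence is; since the docshell side rejects loads that carry no triggeringPrincipal when the pref is set, stating that outright tells whoever flips the pref what to expect, e.g. `// If true, loads that carry no triggeringPrincipal are rejected instead of being allowed through.` The Android line would also read better as a full sentence, e.g. `// Disabled on Android pending Bug 1504968.`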