docshell/base/nsDSURIContentListener.cpp
author Justin Lebar <justin.lebar@gmail.com>
Sat, 10 Nov 2012 10:32:37 -0800
changeset 114121 20ded27ba11412ccba2fb91446379fc655285dcf
parent 111299 eed7b92769c36585304e3c8eb3d80315f66d315d
child 116450 f9a9450a82afddf0ed3d65f671a13ddfd4e734c5
permissions -rw-r--r--
Bug 802366 - The main event: Let a browser process inherit its app's id. r=bz,cjones, a=blocking-basecamp The main bug fixed here is that in half of our interfaces, we use "is browser frame/element" to mean "browser or app", and in the other half, we use it to mean "is browser not app". There's a related, functional bug also fixed here, which is that a browser process doesn't inherit its parent's app-id. This causes problems e.g. for IndexedDB: If a browser inside an app uses IndexedDB, the DB should have the app's app-id. I also modified Tab{Parent,Child} and nsFrameLoader to call "app" "ownOrContainingApp", to emphasize that we might have inherited the app from a parent process. I left nsIDocShell::appId alone, because changing that would have necessitated changing nsILoadGroup and therefore a /lot/ of users in Necko; it's also not clear it would have clarified anything in those cases.

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsDocShell.h"
#include "nsDSURIContentListener.h"
#include "nsIChannel.h"
#include "nsServiceManagerUtils.h"
#include "nsXPIDLString.h"
#include "nsDocShellCID.h"
#include "nsIWebNavigationInfo.h"
#include "nsIDOMWindow.h"
#include "nsNetUtil.h"
#include "nsAutoPtr.h"
#include "nsIHttpChannel.h"
#include "nsIScriptSecurityManager.h"
#include "nsError.h"
#include "nsCharSeparatedTokenizer.h"
#include "mozilla/Preferences.h"
#include "nsIConsoleService.h"
#include "nsIScriptError.h"

using namespace mozilla;

//*****************************************************************************
//***    nsDSURIContentListener: Object Management
//*****************************************************************************

nsDSURIContentListener::nsDSURIContentListener(nsDocShell* aDocShell)
    : mDocShell(aDocShell), 
      mParentContentListener(nullptr)
{
}

nsDSURIContentListener::~nsDSURIContentListener()
{
}

nsresult
nsDSURIContentListener::Init() 
{
    nsresult rv;
    mNavInfo = do_GetService(NS_WEBNAVIGATION_INFO_CONTRACTID, &rv);
    NS_ASSERTION(NS_SUCCEEDED(rv), "Failed to get webnav info");
    return rv;
}


//*****************************************************************************
// nsDSURIContentListener::nsISupports
//*****************************************************************************   

NS_IMPL_THREADSAFE_ADDREF(nsDSURIContentListener)
NS_IMPL_THREADSAFE_RELEASE(nsDSURIContentListener)

NS_INTERFACE_MAP_BEGIN(nsDSURIContentListener)
    NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIURIContentListener)
    NS_INTERFACE_MAP_ENTRY(nsIURIContentListener)
    NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference)
NS_INTERFACE_MAP_END

//*****************************************************************************
// nsDSURIContentListener::nsIURIContentListener
//*****************************************************************************   

NS_IMETHODIMP
nsDSURIContentListener::OnStartURIOpen(nsIURI* aURI, bool* aAbortOpen)
{
    // If mDocShell is null here, that means someone's starting a load
    // in our docshell after it's already been destroyed.  Don't let
    // that happen.
    if (!mDocShell) {
        *aAbortOpen = true;
        return NS_OK;
    }
    
    nsCOMPtr<nsIURIContentListener> parentListener;
    GetParentContentListener(getter_AddRefs(parentListener));
    if (parentListener)
        return parentListener->OnStartURIOpen(aURI, aAbortOpen);

    return NS_OK;
}

NS_IMETHODIMP 
nsDSURIContentListener::DoContent(const char* aContentType, 
                                  bool aIsContentPreferred,
                                  nsIRequest* request,
                                  nsIStreamListener** aContentHandler,
                                  bool* aAbortProcess)
{
    nsresult rv;
    NS_ENSURE_ARG_POINTER(aContentHandler);
    NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE);

    // Check whether X-Frame-Options permits us to load this content in an
    // iframe and abort the load (unless we've disabled x-frame-options
    // checking).
    if (!CheckFrameOptions(request)) {
        *aAbortProcess = true;
        return NS_OK;
    }

    *aAbortProcess = false;

    // determine if the channel has just been retargeted to us...
    nsLoadFlags loadFlags = 0;
    nsCOMPtr<nsIChannel> aOpenedChannel = do_QueryInterface(request);

    if (aOpenedChannel)
      aOpenedChannel->GetLoadFlags(&loadFlags);

    if(loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI)
    {
        // XXX: Why does this not stop the content too?
        mDocShell->Stop(nsIWebNavigation::STOP_NETWORK);

        mDocShell->SetLoadType(aIsContentPreferred ? LOAD_LINK : LOAD_NORMAL);
    }

    rv = mDocShell->CreateContentViewer(aContentType, request, aContentHandler);

    if (rv == NS_ERROR_REMOTE_XUL) {
      request->Cancel(rv);
      return NS_OK;
    }

    if (NS_FAILED(rv)) {
       // it's okay if we don't know how to handle the content   
        return NS_OK;
    }

    if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) {
        nsCOMPtr<nsIDOMWindow> domWindow = do_GetInterface(static_cast<nsIDocShell*>(mDocShell));
        NS_ENSURE_TRUE(domWindow, NS_ERROR_FAILURE);
        domWindow->Focus();
    }

    return NS_OK;
}

NS_IMETHODIMP
nsDSURIContentListener::IsPreferred(const char* aContentType,
                                    char ** aDesiredContentType,
                                    bool* aCanHandle)
{
    NS_ENSURE_ARG_POINTER(aCanHandle);
    NS_ENSURE_ARG_POINTER(aDesiredContentType);

    // the docshell has no idea if it is the preferred content provider or not.
    // It needs to ask its parent if it is the preferred content handler or not...

    nsCOMPtr<nsIURIContentListener> parentListener;
    GetParentContentListener(getter_AddRefs(parentListener));
    if (parentListener) {
        return parentListener->IsPreferred(aContentType,
                                                   aDesiredContentType,
                                                   aCanHandle);
    }
    // we used to return false here if we didn't have a parent properly
    // registered at the top of the docshell hierarchy to dictate what
    // content types this docshell should be a preferred handler for.  But
    // this really makes it hard for developers using iframe or browser tags
    // because then they need to make sure they implement
    // nsIURIContentListener otherwise all link clicks would get sent to
    // another window because we said we weren't the preferred handler type.
    // I'm going to change the default now...if we can handle the content,
    // and someone didn't EXPLICITLY set a nsIURIContentListener at the top
    // of our docshell chain, then we'll now always attempt to process the
    // content ourselves...
    return CanHandleContent(aContentType,
                            true,
                            aDesiredContentType,
                            aCanHandle);
}

NS_IMETHODIMP
nsDSURIContentListener::CanHandleContent(const char* aContentType,
                                         bool aIsContentPreferred,
                                         char ** aDesiredContentType,
                                         bool* aCanHandleContent)
{
    NS_PRECONDITION(aCanHandleContent, "Null out param?");
    NS_ENSURE_ARG_POINTER(aDesiredContentType);

    *aCanHandleContent = false;
    *aDesiredContentType = nullptr;

    nsresult rv = NS_OK;
    if (aContentType) {
        uint32_t canHandle = nsIWebNavigationInfo::UNSUPPORTED;
        rv = mNavInfo->IsTypeSupported(nsDependentCString(aContentType),
                                       mDocShell,
                                       &canHandle);
        *aCanHandleContent = (canHandle != nsIWebNavigationInfo::UNSUPPORTED);
    }

    return rv;
}

NS_IMETHODIMP
nsDSURIContentListener::GetLoadCookie(nsISupports ** aLoadCookie)
{
    NS_IF_ADDREF(*aLoadCookie = nsDocShell::GetAsSupports(mDocShell));
    return NS_OK;
}

NS_IMETHODIMP
nsDSURIContentListener::SetLoadCookie(nsISupports * aLoadCookie)
{
#ifdef DEBUG
    nsRefPtr<nsDocLoader> cookieAsDocLoader =
        nsDocLoader::GetAsDocLoader(aLoadCookie);
    NS_ASSERTION(cookieAsDocLoader && cookieAsDocLoader == mDocShell,
                 "Invalid load cookie being set!");
#endif
    return NS_OK;
}

NS_IMETHODIMP 
nsDSURIContentListener::GetParentContentListener(nsIURIContentListener**
                                                 aParentListener)
{
    if (mWeakParentContentListener)
    {
        nsCOMPtr<nsIURIContentListener> tempListener =
            do_QueryReferent(mWeakParentContentListener);
        *aParentListener = tempListener;
        NS_IF_ADDREF(*aParentListener);
    }
    else {
        *aParentListener = mParentContentListener;
        NS_IF_ADDREF(*aParentListener);
    }
    return NS_OK;
}

NS_IMETHODIMP
nsDSURIContentListener::SetParentContentListener(nsIURIContentListener* 
                                                 aParentListener)
{
    if (aParentListener)
    {
        // Store the parent listener as a weak ref. Parents not supporting
        // nsISupportsWeakReference assert but may still be used.
        mParentContentListener = nullptr;
        mWeakParentContentListener = do_GetWeakReference(aParentListener);
        if (!mWeakParentContentListener)
        {
            mParentContentListener = aParentListener;
        }
    }
    else
    {
        mWeakParentContentListener = nullptr;
        mParentContentListener = nullptr;
    }
    return NS_OK;
}

bool nsDSURIContentListener::CheckOneFrameOptionsPolicy(nsIRequest *request,
                                                        const nsAString& policy) {
    static const char allowFrom[] = "allow-from ";
    const uint32_t allowFromLen = ArrayLength(allowFrom) - 1;
    bool isAllowFrom =
        StringHead(policy, allowFromLen).LowerCaseEqualsLiteral(allowFrom);

    // return early if header does not have one of the values with meaning
    if (!policy.LowerCaseEqualsLiteral("deny") &&
        !policy.LowerCaseEqualsLiteral("sameorigin") &&
        !isAllowFrom)
        return true;

    nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(request);
    if (!httpChannel) {
        return true;
    }

    nsCOMPtr<nsIURI> uri;
    httpChannel->GetURI(getter_AddRefs(uri));

    // XXXkhuey when does this happen?  Is returning true safe here?
    if (!mDocShell) {
        return true;
    }

    // We need to check the location of this window and the location of the top
    // window, if we're not the top.  X-F-O: SAMEORIGIN requires that the
    // document must be same-origin with top window.  X-F-O: DENY requires that
    // the document must never be framed.
    nsCOMPtr<nsIDOMWindow> thisWindow = do_GetInterface(static_cast<nsIDocShell*>(mDocShell));
    // If we don't have DOMWindow there is no risk of clickjacking
    if (!thisWindow)
        return true;

    // GetScriptableTop, not GetTop, because we want this to respect
    // <iframe mozbrowser> boundaries.
    nsCOMPtr<nsIDOMWindow> topWindow;
    thisWindow->GetScriptableTop(getter_AddRefs(topWindow));

    // if the document is in the top window, it's not in a frame.
    if (thisWindow == topWindow)
        return true;

    // Find the top docshell in our parent chain that doesn't have the system
    // principal and use it for the principal comparison.  Finding the top
    // content-type docshell doesn't work because some chrome documents are
    // loaded in content docshells (see bug 593387).
    nsCOMPtr<nsIDocShellTreeItem> thisDocShellItem(do_QueryInterface(
                                                   static_cast<nsIDocShell*> (mDocShell)));
    nsCOMPtr<nsIDocShellTreeItem> parentDocShellItem,
                                  curDocShellItem = thisDocShellItem;
    nsCOMPtr<nsIDocument> topDoc;
    nsresult rv;
    nsCOMPtr<nsIScriptSecurityManager> ssm =
        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
    if (!ssm) {
        MOZ_CRASH();
    }

    // Traverse up the parent chain and stop when we see a docshell whose
    // parent has a system principal, or a docshell corresponding to
    // <iframe mozbrowser>.
    while (NS_SUCCEEDED(curDocShellItem->GetParent(getter_AddRefs(parentDocShellItem))) &&
           parentDocShellItem) {

        nsCOMPtr<nsIDocShell> curDocShell = do_QueryInterface(curDocShellItem);
        if (curDocShell && curDocShell->GetIsBrowserOrApp()) {
          break;
        }

        bool system = false;
        topDoc = do_GetInterface(parentDocShellItem);
        if (topDoc) {
            if (NS_SUCCEEDED(ssm->IsSystemPrincipal(topDoc->NodePrincipal(),
                                                    &system)) && system) {
                // Found a system-principled doc: last docshell was top.
                break;
            }
        }
        else {
            return false;
        }
        curDocShellItem = parentDocShellItem;
    }

    // If this document has the top non-SystemPrincipal docshell it is not being
    // framed or it is being framed by a chrome document, which we allow.
    if (curDocShellItem == thisDocShellItem)
        return true;

    // If the value of the header is DENY, and the previous condition is
    // not met (current docshell is not the top docshell), prohibit the
    // load.
    if (policy.LowerCaseEqualsLiteral("deny")) {
        ReportXFOViolation(curDocShellItem, uri, eDENY);
        return false;
    }

    topDoc = do_GetInterface(curDocShellItem);
    nsCOMPtr<nsIURI> topUri;
    topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri));

    // If the X-Frame-Options value is SAMEORIGIN, then the top frame in the
    // parent chain must be from the same origin as this document.
    if (policy.LowerCaseEqualsLiteral("sameorigin")) {
        rv = ssm->CheckSameOriginURI(uri, topUri, true);
        if (NS_FAILED(rv)) {
            ReportXFOViolation(curDocShellItem, uri, eSAMEORIGIN);
            return false; /* wasn't same-origin */
        }
    }

    // If the X-Frame-Options value is "allow-from [uri]", then the top
    // frame in the parent chain must be from that origin
    if (isAllowFrom) {
        rv = NS_NewURI(getter_AddRefs(uri),
                       Substring(policy, allowFromLen));
        if (NS_FAILED(rv))
          return false;

        rv = ssm->CheckSameOriginURI(uri, topUri, true);
        if (NS_FAILED(rv)) {
            ReportXFOViolation(curDocShellItem, uri, eALLOWFROM);
            return false;
        }
    }

    return true;
}

// Check if X-Frame-Options permits this document to be loaded as a subdocument.
// This will iterate through and check any number of X-Frame-Options policies
// in the request (comma-separated in a header, multiple headers, etc).
bool nsDSURIContentListener::CheckFrameOptions(nsIRequest *request)
{
    nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(request);
    if (!httpChannel) {
        return true;
    }

    nsAutoCString xfoHeaderCValue;
    httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("X-Frame-Options"),
                                   xfoHeaderCValue);
    NS_ConvertUTF8toUTF16 xfoHeaderValue(xfoHeaderCValue);

    // if no header value, there's nothing to do.
    if (xfoHeaderValue.IsEmpty())
        return true;

    // iterate through all the header values (usually there's only one, but can
    // be many.  If any want to deny the load, deny the load.
    nsCharSeparatedTokenizer tokenizer(xfoHeaderValue, ',');
    while (tokenizer.hasMoreTokens()) {
        const nsSubstring& tok = tokenizer.nextToken();
        if (!CheckOneFrameOptionsPolicy(request, tok)) {
            // cancel the load and display about:blank
            httpChannel->Cancel(NS_BINDING_ABORTED);
            if (mDocShell) {
                nsCOMPtr<nsIWebNavigation> webNav(do_QueryObject(mDocShell));
                if (webNav) {
                    webNav->LoadURI(NS_LITERAL_STRING("about:blank").get(),
                                    0, nullptr, nullptr, nullptr);
                }
            }
            return false;
        }
    }

    return true;
}

void
nsDSURIContentListener::ReportXFOViolation(nsIDocShellTreeItem* aTopDocShellItem,
                                           nsIURI* aThisURI,
                                           XFOHeader aHeader)
{
    nsresult rv = NS_OK;

    nsCOMPtr<nsPIDOMWindow> topOuterWindow = do_GetInterface(aTopDocShellItem);
    if (!topOuterWindow)
        return;

    NS_ASSERTION(topOuterWindow->IsOuterWindow(), "Huh?");
    nsPIDOMWindow* topInnerWindow = topOuterWindow->GetCurrentInnerWindow();
    if (!topInnerWindow)
        return;

    nsCOMPtr<nsIURI> topURI;

    nsCOMPtr<nsIDocument> document;

    document = do_GetInterface(aTopDocShellItem);
    rv = document->NodePrincipal()->GetURI(getter_AddRefs(topURI));
    if (NS_FAILED(rv))
        return;

    if (!topURI)
        return;

    nsCString topURIString;
    nsCString thisURIString;

    rv = topURI->GetSpec(topURIString);
    if (NS_FAILED(rv))
        return;

    rv = aThisURI->GetSpec(thisURIString);
    if (NS_FAILED(rv))
        return;

    nsCOMPtr<nsIConsoleService> consoleService =
      do_GetService(NS_CONSOLESERVICE_CONTRACTID);
    nsCOMPtr<nsIScriptError> errorObject =
      do_CreateInstance(NS_SCRIPTERROR_CONTRACTID);

    if (!consoleService || !errorObject)
        return;

    nsString msg = NS_LITERAL_STRING("Load denied by X-Frame-Options: ");
    msg.Append(NS_ConvertUTF8toUTF16(thisURIString));

    switch (aHeader) {
        case eDENY:
            msg.AppendLiteral(" does not permit framing.");
            break;
        case eSAMEORIGIN:
            msg.AppendLiteral(" does not permit cross-origin framing.");
            break;
        case eALLOWFROM:
            msg.AppendLiteral(" does not permit framing by ");
            msg.Append(NS_ConvertUTF8toUTF16(topURIString));
            msg.AppendLiteral(".");
            break;
    }

    rv = errorObject->InitWithWindowID(msg, EmptyString(), EmptyString(), 0, 0,
                                       nsIScriptError::errorFlag,
                                       "X-Frame-Options",
                                       topInnerWindow->WindowID());
    if (NS_FAILED(rv))
        return;

    consoleService->LogMessage(errorObject);
}