toolkit/components/passwordmgr/InsecurePasswordUtils.jsm
author Mike Conley <mconley@mozilla.com>
Fri, 10 Apr 2015 13:45:22 -0400
changeset 257771 40a21375b99be21a55df2a7c415ccf240715922f
parent 149527 a46b44af697fbfa9170ccc28bb8769f085fe2fde
child 278756 0d81c8f063dddeea0fff9da0b30ed432884d3a41
permissions -rw-r--r--
Bug 1152864 - Disable unsafe CPOW warnings when running mochitests by default, and add option to re-enable. r=ahal. --enable-cpow-warnings can now be passed when running a mochitest to re-enable the warnings, should one wish to do that.

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// The only symbol this module exports.
this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];

// Conventional short aliases for the XPCOM entry points used below.
const { interfaces: Ci, utils: Cu, classes: Cc } = Components;

Cu.import("resource://gre/modules/Services.jsm");
Cu.import("resource://gre/modules/XPCOMUtils.jsm");

// The devtools loader is only imported the first time `devtools` is read.
XPCOMUtils.defineLazyModuleGetter(this, "devtools",
                                  "resource://gre/modules/devtools/Loader.jsm");

// WebConsoleUtils is resolved through the devtools loader on every access.
Object.defineProperty(this, "WebConsoleUtils", {
  configurable: true,
  enumerable: true,
  get: function() {
    let webConsoleModule = devtools.require("devtools/toolkit/webconsole/utils");
    return webConsoleModule.Utils;
  }
});

// String bundle that holds the localized insecure-password warnings.
const STRINGS_URI = "chrome://global/locale/security/security.properties";

// NOTE: building the l10n helper here reads WebConsoleUtils immediately, so
// the lazy devtools getter above is triggered while this module is loading.
let l10n = new WebConsoleUtils.l10n(STRINGS_URI);

this.InsecurePasswordUtils = {

  /*
   * Logs the localized string identified by messageTag to the web console,
   * tagged with the inner window id of the window that owns domDoc.
   *
   * Every message is reported with nsIScriptError.warningFlag under the
   * "Insecure Password Field" category; callers cannot choose the severity.
   * No source location is attached (the location arguments are "" and 0).
   */
  _sendWebConsoleMessage : function (messageTag, domDoc) {
    let innerWindowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
    let localizedText = l10n.getStr(messageTag);

    let scriptError = Cc["@mozilla.org/scripterror;1"]
      .createInstance(Ci.nsIScriptError);
    scriptError.initWithWindowID(
      localizedText, "", 0, 0, 0,
      Ci.nsIScriptError.warningFlag,
      "Insecure Password Field",
      innerWindowId);

    Services.console.logMessage(scriptError);
  },

  /*
   * Returns true when the passed uri counts as secure, false otherwise.
   *
   * A uri is secure when its URI chain carries at least one of these
   * protocol flags:
   *   URI_IS_LOCAL_RESOURCE              - e.g. "data", "resource", "moz-icon"
   *   URI_DOES_NOT_RETURN_DATA           - e.g. "mailto"
   *   URI_INHERITS_SECURITY_CONTEXT      - e.g. "javascript"
   *   URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g. "https", "moz-safe-about"
   *
   * The flag set is taken from nsMixedContentBlocker.cpp. There, "secure"
   * means the resource cannot easily be tampered with, because it is
   * 1) sent over an encrypted channel, 2) a local resource that never hits
   * the network, or 3) a request without any response that could alter the
   * behavior of the page. It is a statement about tampering in transit, not
   * about whether the content itself can be trusted.
   *
   * The same logic is used here to stay consistent with the mixed content
   * blocker and to cover all "safe" protocols. Both copies are meant to move
   * to one shared location eventually; see
   * https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
   */
  _checkIfURIisSecure : function(uri) {
    let netUtil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
    let handler = Ci.nsIProtocolHandler;

    // Evaluated in this order; the first flag found ends the search.
    let secureFlags = [
      handler.URI_IS_LOCAL_RESOURCE,
      handler.URI_DOES_NOT_RETURN_DATA,
      handler.URI_INHERITS_SECURITY_CONTEXT,
      handler.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT
    ];

    return secureFlags.some(flag => netUtil.URIChainHasFlags(uri, flag));
  },

  /*
   * Returns true when the passed nested document, or one of the framed
   * documents between it and the top document, is insecure.
   *
   * The whole chain of frame ancestors is walked because a MITM attacker
   * could replace an https:// iframe nested inside an http:// document with
   * content of their own and so steal user data. In that arrangement (https
   * framed by http) the user might not get a Mixed Content Blocker message,
   * unlike in the reverse arrangement (http inside https).
   *
   * The top document itself is never evaluated here: the walk stops with
   * false once it reaches the window that is its own parent. The caller has
   * to check the top document separately.
   */
  _checkForInsecureNestedDocuments : function(domDoc) {
    for (let doc = domDoc; ; doc = doc.defaultView.parent.document) {
      let docURI = doc.documentURIObject;
      let win = doc.defaultView;

      if (win === win.parent) {
        // Reached the top document without finding an insecure frame.
        return false;
      }
      if (!this._checkIfURIisSecure(docURI)) {
        // This framed document is insecure.
        return true;
      }
      // This frame is secure; the next iteration looks at its parent.
    }
  },


  /*
   * Warns developers through the web console when the password fields of
   * aForm are exposed in one of three ways:
   *   - the top-level page is insecure,
   *   - the form sits in an insecure iframe, or in an iframe nested inside
   *     another insecure framed document,
   *   - the form action starts with "http://".
   *
   * The three conditions are checked independently, so one form can produce
   * up to three messages. This method only logs; it does not block the form
   * or change it in any way.
   */
  checkForInsecurePasswords : function (aForm) {
    let formDoc = aForm.ownerDocument;
    let topURI = formDoc.defaultView.top.document.documentURIObject;

    if (!this._checkIfURIisSecure(topURI)) {
      this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", formDoc);
    }

    // Covers an iframe with an insecure src as well as a secure iframe that
    // is nested inside an insecure framed document.
    let hasInsecureFrame = this._checkForInsecureNestedDocuments(formDoc);
    if (hasInsecureFrame) {
      this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", formDoc);
    }

    // Unlike the two checks above, this one does not go through
    // _checkIfURIisSecure: only an action with the literal "http://" prefix
    // is reported, no other scheme is evaluated here.
    let submitsOverHttp = aForm.action.match(/^http:\/\//);
    if (submitsOverHttp) {
      this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", formDoc);
    }
  },
};