Backed out changeset ed0cca70a9a5 (bug 1725339) for causing failures on nsContentSecurityManager. CLOSED TREE

Marian-Vasile Laza
2021-08-16 11:32:15 +03:00
parent 9568be50ae
commit 77d1b4fe51
2 changed files with 12 additions and 54 deletions


@@ -957,8 +957,16 @@ void nsContentSecurityManager::MeasureUnexpectedPrivilegedLoads(
/* static */ /* static */
nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext( nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
nsIChannel* aChannel) { nsIChannel* aChannel) {
// Check and assert that we never allow remote documents/scripts (http:,
// https:, ...) to load in system privileged contexts.
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo(); nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
// nothing to do here if we are not loading a resource into a
// system prvileged context.
if (!loadInfo->GetLoadingPrincipal() ||
!loadInfo->GetLoadingPrincipal()->IsSystemPrincipal()) {
return NS_OK;
}
// loads with the allow flag are waived through // loads with the allow flag are waived through
// until refactored (e.g., Shavar, OCSP) // until refactored (e.g., Shavar, OCSP)
if (loadInfo->GetAllowDeprecatedSystemRequests()) { if (loadInfo->GetAllowDeprecatedSystemRequests()) {
@@ -968,20 +976,6 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
ExtContentPolicyType contentPolicyType = ExtContentPolicyType contentPolicyType =
loadInfo->GetExternalContentPolicyType(); loadInfo->GetExternalContentPolicyType();
// We mostly care about the triggeringPrincipal,
// unless this is a TYPE_DOCUMENT request, which has none.
nsCOMPtr<nsIPrincipal> inspectedPrincipal;
if (contentPolicyType != ExtContentPolicy::TYPE_DOCUMENT) {
inspectedPrincipal = loadInfo->GetLoadingPrincipal();
} else {
inspectedPrincipal = loadInfo->TriggeringPrincipal();
}
// Check if we are actually dealing with a SystemPrincipal request
if (!inspectedPrincipal || !inspectedPrincipal->IsSystemPrincipal()) {
return NS_OK;
}
// allowing some fetches due to their lowered risk // allowing some fetches due to their lowered risk
// i.e., data & downloads fetches do limited parsing, no rendering // i.e., data & downloads fetches do limited parsing, no rendering
// remote images are too widely used (favicons, about:addons etc.) // remote images are too widely used (favicons, about:addons etc.)
@@ -1053,7 +1047,9 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
} }
// Telemetry for unexpected privileged loads. // Telemetry for unexpected privileged loads.
// pref check & data sanitization happens in the called function // pref check & data sanitization happens in the called function
if (finalURI) {
MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType); MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType);
}
// Relaxing restrictions for our test suites: // Relaxing restrictions for our test suites:
// (1) AreNonLocalConnectionsDisabled() disables network, so http://mochitest // (1) AreNonLocalConnectionsDisabled() disables network, so http://mochitest
@@ -1077,33 +1073,9 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
nsAutoCString requestedURL; nsAutoCString requestedURL;
finalURI->GetAsciiSpec(requestedURL); finalURI->GetAsciiSpec(requestedURL);
MOZ_LOG(sCSMLog, LogLevel::Warning, MOZ_LOG(sCSMLog, LogLevel::Warning,
("SystemPrincipal should not load remote resources. URL: %s, type %d", ("SystemPrincipal must not load remote documents. URL: %s, type %d",
requestedURL.get(), int(contentPolicyType))); requestedURL.get(), int(contentPolicyType)));
// The load types that we want to disallow, will extend over time and
// prioritized by risk. The most risky/dangerous are load-types are documents,
// subdocuments, scripts and styles in that order. The most dangerous URL
// schemes to cover are HTTP, HTTPS, data, blob in that order. Meta bug
// 1725112 will track upcoming restrictions
if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT) {
if (StaticPrefs::security_disallow_privileged_https_documents_loads() &&
(finalURI->SchemeIs("http") || finalURI->SchemeIs("https"))) {
#ifdef DEBUG
MOZ_CRASH("Disallowing SystemPrincipal load of documents on HTTP(S).");
#endif
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
return NS_ERROR_CONTENT_BLOCKED;
}
if ((StaticPrefs::security_disallow_privileged_data_documents_loads()) &&
(finalURI->SchemeIs("data"))) {
#ifdef DEBUG
MOZ_CRASH("Disallowing SystemPrincipal load of documents on data URL.");
#endif
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
return NS_ERROR_CONTENT_BLOCKED;
}
}
if (cancelNonLocalSystemPrincipal) { if (cancelNonLocalSystemPrincipal) {
MOZ_ASSERT(false, "SystemPrincipal must not load remote documents."); MOZ_ASSERT(false, "SystemPrincipal must not load remote documents.");
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED); aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
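Review bot: The restored `if (finalURI)` guard around MeasureUnexpectedPrivilegedLoads in the third hunk is inconsistent with the unconditional `finalURI->GetAsciiSpec(requestedURL)` in the last hunk: either finalURI can be null at this point, in which case the later dereference is a null-pointer crash, or it cannot, in which case the guard is dead code that misleads the reader. Unless the lines between the two hunks (not visible here) bail out on a null finalURI, the two sites should agree — drop the guard, or add `if (!finalURI) { return NS_OK; }` before the logging and cancellation logic. Separately, the restored early return in the first hunk keys only on `GetLoadingPrincipal()`, and the removed comment states TYPE_DOCUMENT requests have none, so system-principal-triggered document loads appear to skip this check entirely; since this is a backout, a comment such as `// TODO(bug 1725339): TYPE_DOCUMENT loads have no loadingPrincipal and bypass this check; inspect triggeringPrincipal when relanding` would keep the gap from being lost. CheckAllowLoadInSystemPrivilegedContext continues past the end of the last hunk.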


@@ -10872,20 +10872,6 @@
value: false value: false
mirror: always mirror: always
# Cancel outgoing requests from SystemPrincipal:
# but only with scheme http(s) and contentpolicytype document
- name: security.disallow_privileged_https_documents_loads
type: bool
value: true
mirror: always
# Cancel outgoing requests from SystemPrincipal:
# but only with scheme data and contentpolicytype document
- name: security.disallow_privileged_data_documents_loads
type: bool
value: false
mirror: always
# Disable preloaded static key pins by default. # Disable preloaded static key pins by default.
- name: security.cert_pinning.enforcement_level - name: security.cert_pinning.enforcement_level
type: ReleaseAcquireAtomicUint32 type: ReleaseAcquireAtomicUint32