corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1403814 - Block toplevel data: URI navigations only if openend in the browser. r=smaug

Browse Source
This commit is contained in:
Christoph Kerschbaumer
2017-11-03 13:23:11 +01:00
parent bc289ff545
commit 980d2b45c4
9 changed files with 73 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docshell/base/nsDSURIContentListener.cpp
View File

@@ -14,6 +14,7 @@
#include "nsIDOMWindow.h" #include "nsIDOMWindow.h"
#include "nsIHttpChannel.h" #include "nsIHttpChannel.h"
#include "nsError.h" #include "nsError.h"
#include "nsContentSecurityManager.h"
#include "nsDocShellLoadTypes.h" #include "nsDocShellLoadTypes.h"
#include "nsIMultiPartChannel.h" #include "nsIMultiPartChannel.h"
@@ -86,6 +87,14 @@ nsDSURIContentListener::DoContent(const nsACString& aContentType,
if (aOpenedChannel) { if (aOpenedChannel) {
aOpenedChannel->GetLoadFlags(&loadFlags); aOpenedChannel->GetLoadFlags(&loadFlags);
// block top-level data URI navigations if triggered by the web
if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(aOpenedChannel)) {
// logging to console happens within AllowTopLevelNavigationToDataURI
aRequest->Cancel(NS_ERROR_DOM_BAD_URI);
*aAbortProcess = true;
return NS_OK;
}
} }
if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) { if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) {

17
docshell/base/nsDocShell.cpp
View File

@@ -9967,19 +9967,6 @@ nsDocShell::InternalLoad(nsIURI* aURI,
isTargetTopLevelDocShell = true; isTargetTopLevelDocShell = true;
} }
nsIDocument* doc = mContentViewer ? mContentViewer->GetDocument()
: nullptr;
if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
aURI,
contentType,
aTriggeringPrincipal,
doc,
(aLoadType == LOAD_NORMAL_EXTERNAL),
!aFileName.IsVoid())) {
// logging to console happens within AllowTopLevelNavigationToDataURI
return NS_OK;
}
// If there's no targetDocShell, that means we are about to create a new // If there's no targetDocShell, that means we are about to create a new
// window (or aWindowTarget is empty). Perform a content policy check before // window (or aWindowTarget is empty). Perform a content policy check before
// creating the window. Please note for all other docshell loads // creating the window. Please note for all other docshell loads
@@ -10108,6 +10095,9 @@ nsDocShell::InternalLoad(nsIURI* aURI,
} }
} }
nsIDocument* doc = mContentViewer ? mContentViewer->GetDocument()
: nullptr;
const bool isDocumentAuxSandboxed = doc && const bool isDocumentAuxSandboxed = doc &&
(doc->GetSandboxFlags() & SANDBOXED_AUXILIARY_NAVIGATION); (doc->GetSandboxFlags() & SANDBOXED_AUXILIARY_NAVIGATION);
@@ -11192,6 +11182,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
if (aPrincipalToInherit) { if (aPrincipalToInherit) {
loadInfo->SetPrincipalToInherit(aPrincipalToInherit); loadInfo->SetPrincipalToInherit(aPrincipalToInherit);
} }
loadInfo->SetLoadTriggeredFromExternal(aLoadFromExternal);
// We have to do this in case our OriginAttributes are different from the // We have to do this in case our OriginAttributes are different from the
// OriginAttributes of the parent document. Or in case there isn't a // OriginAttributes of the parent document. Or in case there isn't a

62
dom/security/nsContentSecurityManager.cpp
View File

@@ -19,22 +19,16 @@
#include "nsCDefaultURIFixup.h" #include "nsCDefaultURIFixup.h"
#include "nsIURIFixup.h" #include "nsIURIFixup.h"
#include "nsIImageLoadingContent.h" #include "nsIImageLoadingContent.h"
#include "NullPrincipal.h"
#include "mozilla/dom/Element.h" #include "mozilla/dom/Element.h"
#include "mozilla/dom/TabChild.h"
NS_IMPL_ISUPPORTS(nsContentSecurityManager, NS_IMPL_ISUPPORTS(nsContentSecurityManager,
nsIContentSecurityManager, nsIContentSecurityManager,
nsIChannelEventSink) nsIChannelEventSink)
/* static */ bool /* static */ bool
nsContentSecurityManager::AllowTopLevelNavigationToDataURI( nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
nsIURI* aURI,
nsContentPolicyType aContentPolicyType,
nsIPrincipal* aTriggeringPrincipal,
nsIDocument* aDoc,
bool aLoadFromExternal,
bool aIsDownLoad)
{ {
// Let's block all toplevel document navigations to a data: URI. // Let's block all toplevel document navigations to a data: URI.
// In all cases where the toplevel document is navigated to a // In all cases where the toplevel document is navigated to a
@@ -47,17 +41,24 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
if (!mozilla::net::nsIOService::BlockToplevelDataUriNavigations()) { if (!mozilla::net::nsIOService::BlockToplevelDataUriNavigations()) {
return true; return true;
} }
if (aContentPolicyType != nsIContentPolicy::TYPE_DOCUMENT || aIsDownLoad) { nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
if (!loadInfo) {
return true; return true;
} }
if (loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT) {
return true;
}
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
NS_ENSURE_SUCCESS(rv, true);
bool isDataURI = bool isDataURI =
(NS_SUCCEEDED(aURI->SchemeIs("data", &isDataURI)) && isDataURI); (NS_SUCCEEDED(uri->SchemeIs("data", &isDataURI)) && isDataURI);
if (!isDataURI) { if (!isDataURI) {
return true; return true;
} }
// Whitelist data: images as long as they are not SVGs // Whitelist data: images as long as they are not SVGs
nsAutoCString filePath; nsAutoCString filePath;
aURI->GetFilePath(filePath); uri->GetFilePath(filePath);
if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/")) && if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/")) &&
!StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/svg+xml"))) { !StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/svg+xml"))) {
return true; return true;
@@ -66,21 +67,29 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("application/pdf"))) { if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("application/pdf"))) {
return true; return true;
} }
if (!aLoadFromExternal && // Redirecting to a toplevel data: URI is not allowed, hence we make
nsContentUtils::IsSystemPrincipal(aTriggeringPrincipal)) { // sure the RedirectChain is empty.
if (!loadInfo->GetLoadTriggeredFromExternal() &&
nsContentUtils::IsSystemPrincipal(loadInfo->TriggeringPrincipal()) &&
loadInfo->RedirectChain().IsEmpty()) {
return true; return true;
} }
nsAutoCString dataSpec; nsAutoCString dataSpec;
aURI->GetSpec(dataSpec); uri->GetSpec(dataSpec);
if (dataSpec.Length() > 50) { if (dataSpec.Length() > 50) {
dataSpec.Truncate(50); dataSpec.Truncate(50);
dataSpec.AppendLiteral("..."); dataSpec.AppendLiteral("...");
} }
nsCOMPtr<nsITabChild> tabChild = do_QueryInterface(loadInfo->ContextForTopLevelLoad());
nsCOMPtr<nsIDocument> doc;
if (tabChild) {
doc = static_cast<mozilla::dom::TabChild*>(tabChild.get())->GetDocument();
}
NS_ConvertUTF8toUTF16 specUTF16(NS_UnescapeURL(dataSpec)); NS_ConvertUTF8toUTF16 specUTF16(NS_UnescapeURL(dataSpec));
const char16_t* params[] = { specUTF16.get() }; const char16_t* params[] = { specUTF16.get() };
nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
NS_LITERAL_CSTRING("DATA_URI_BLOCKED"), NS_LITERAL_CSTRING("DATA_URI_BLOCKED"),
aDoc, doc,
nsContentUtils::eSECURITY_PROPERTIES, nsContentUtils::eSECURITY_PROPERTIES,
"BlockTopLevelDataURINavigation", "BlockTopLevelDataURINavigation",
params, ArrayLength(params)); params, ArrayLength(params));
@@ -576,29 +585,6 @@ nsContentSecurityManager::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
} }
} }
// Redirecting to a toplevel data: URI is not allowed, hence we pass
// a NullPrincipal as the TriggeringPrincipal to
// AllowTopLevelNavigationToDataURI() which definitely blocks any
// data: URI load.
nsCOMPtr<nsILoadInfo> newLoadInfo = aNewChannel->GetLoadInfo();
if (newLoadInfo) {
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(uri));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIPrincipal> nullTriggeringPrincipal = NullPrincipal::Create();
if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
uri,
newLoadInfo->GetExternalContentPolicyType(),
nullTriggeringPrincipal,
nullptr, // no doc available, log to browser console
false,
false)) {
// logging to console happens within AllowTopLevelNavigationToDataURI
aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
return NS_ERROR_DOM_BAD_URI;
}
}
// Also verify that the redirecting server is allowed to redirect to the // Also verify that the redirecting server is allowed to redirect to the
// given URI // given URI
nsCOMPtr<nsIPrincipal> oldPrincipal; nsCOMPtr<nsIPrincipal> oldPrincipal;

7
dom/security/nsContentSecurityManager.h
View File

@@ -33,12 +33,7 @@ public:
static nsresult doContentSecurityCheck(nsIChannel* aChannel, static nsresult doContentSecurityCheck(nsIChannel* aChannel,
nsCOMPtr<nsIStreamListener>& aInAndOutListener); nsCOMPtr<nsIStreamListener>& aInAndOutListener);
static bool AllowTopLevelNavigationToDataURI(nsIURI* aURI, static bool AllowTopLevelNavigationToDataURI(nsIChannel* aChannel);
nsContentPolicyType aContentPolicyType,
nsIPrincipal* aTriggeringPrincipal,
nsIDocument* aDoc,
bool aLoadFromExternal,
bool aIsDownload);
private: private:
static nsresult CheckChannel(nsIChannel* aChannel); static nsresult CheckChannel(nsIChannel* aChannel);

2
ipc/glue/BackgroundUtils.cpp
View File

@@ -404,6 +404,7 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
aLoadInfo->CorsUnsafeHeaders(), aLoadInfo->CorsUnsafeHeaders(),
aLoadInfo->GetForcePreflight(), aLoadInfo->GetForcePreflight(),
aLoadInfo->GetIsPreflight(), aLoadInfo->GetIsPreflight(),
aLoadInfo->GetLoadTriggeredFromExternal(),
aLoadInfo->GetForceHSTSPriming(), aLoadInfo->GetForceHSTSPriming(),
aLoadInfo->GetMixedContentWouldBlock(), aLoadInfo->GetMixedContentWouldBlock(),
aLoadInfo->GetIsHSTSPriming(), aLoadInfo->GetIsHSTSPriming(),
@@ -511,6 +512,7 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
loadInfoArgs.corsUnsafeHeaders(), loadInfoArgs.corsUnsafeHeaders(),
loadInfoArgs.forcePreflight(), loadInfoArgs.forcePreflight(),
loadInfoArgs.isPreflight(), loadInfoArgs.isPreflight(),
loadInfoArgs.loadTriggeredFromExternal(),
loadInfoArgs.forceHSTSPriming(), loadInfoArgs.forceHSTSPriming(),
loadInfoArgs.mixedContentWouldBlock(), loadInfoArgs.mixedContentWouldBlock(),
loadInfoArgs.isHSTSPriming(), loadInfoArgs.isHSTSPriming(),

23
netwerk/base/LoadInfo.cpp
View File

@@ -7,6 +7,7 @@
#include "mozilla/LoadInfo.h" #include "mozilla/LoadInfo.h"
#include "mozilla/Assertions.h" #include "mozilla/Assertions.h"
#include "mozilla/dom/TabChild.h"
#include "mozilla/dom/ToJSValue.h" #include "mozilla/dom/ToJSValue.h"
#include "mozIThirdPartyUtil.h" #include "mozIThirdPartyUtil.h"
#include "nsFrameLoader.h" #include "nsFrameLoader.h"
@@ -68,6 +69,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
, mIsThirdPartyContext(false) , mIsThirdPartyContext(false)
, mForcePreflight(false) , mForcePreflight(false)
, mIsPreflight(false) , mIsPreflight(false)
, mLoadTriggeredFromExternal(false)
, mForceHSTSPriming(false) , mForceHSTSPriming(false)
, mMixedContentWouldBlock(false) , mMixedContentWouldBlock(false)
, mIsHSTSPriming(false) , mIsHSTSPriming(false)
@@ -250,6 +252,7 @@ LoadInfo::LoadInfo(nsPIDOMWindowOuter* aOuterWindow,
, mIsThirdPartyContext(false) // NB: TYPE_DOCUMENT implies not third-party. , mIsThirdPartyContext(false) // NB: TYPE_DOCUMENT implies not third-party.
, mForcePreflight(false) , mForcePreflight(false)
, mIsPreflight(false) , mIsPreflight(false)
, mLoadTriggeredFromExternal(false)
, mForceHSTSPriming(false) , mForceHSTSPriming(false)
, mMixedContentWouldBlock(false) , mMixedContentWouldBlock(false)
, mIsHSTSPriming(false) , mIsHSTSPriming(false)
@@ -324,6 +327,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
, mCorsUnsafeHeaders(rhs.mCorsUnsafeHeaders) , mCorsUnsafeHeaders(rhs.mCorsUnsafeHeaders)
, mForcePreflight(rhs.mForcePreflight) , mForcePreflight(rhs.mForcePreflight)
, mIsPreflight(rhs.mIsPreflight) , mIsPreflight(rhs.mIsPreflight)
, mLoadTriggeredFromExternal(rhs.mLoadTriggeredFromExternal)
, mForceHSTSPriming(rhs.mForceHSTSPriming) , mForceHSTSPriming(rhs.mForceHSTSPriming)
, mMixedContentWouldBlock(rhs.mMixedContentWouldBlock) , mMixedContentWouldBlock(rhs.mMixedContentWouldBlock)
, mIsHSTSPriming(rhs.mIsHSTSPriming) , mIsHSTSPriming(rhs.mIsHSTSPriming)
@@ -359,6 +363,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
const nsTArray<nsCString>& aCorsUnsafeHeaders, const nsTArray<nsCString>& aCorsUnsafeHeaders,
bool aForcePreflight, bool aForcePreflight,
bool aIsPreflight, bool aIsPreflight,
bool aLoadTriggeredFromExternal,
bool aForceHSTSPriming, bool aForceHSTSPriming,
bool aMixedContentWouldBlock, bool aMixedContentWouldBlock,
bool aIsHSTSPriming, bool aIsHSTSPriming,
@@ -388,6 +393,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
, mCorsUnsafeHeaders(aCorsUnsafeHeaders) , mCorsUnsafeHeaders(aCorsUnsafeHeaders)
, mForcePreflight(aForcePreflight) , mForcePreflight(aForcePreflight)
, mIsPreflight(aIsPreflight) , mIsPreflight(aIsPreflight)
, mLoadTriggeredFromExternal(aLoadTriggeredFromExternal)
, mForceHSTSPriming (aForceHSTSPriming) , mForceHSTSPriming (aForceHSTSPriming)
, mMixedContentWouldBlock(aMixedContentWouldBlock) , mMixedContentWouldBlock(aMixedContentWouldBlock)
, mIsHSTSPriming(aIsHSTSPriming) , mIsHSTSPriming(aIsHSTSPriming)
@@ -982,6 +988,23 @@ LoadInfo::GetIsPreflight(bool* aIsPreflight)
return NS_OK; return NS_OK;
} }
NS_IMETHODIMP
LoadInfo::SetLoadTriggeredFromExternal(bool aLoadTriggeredFromExternal)
{
MOZ_ASSERT(!aLoadTriggeredFromExternal ||
mInternalContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT,
"can only set load triggered from external for TYPE_DOCUMENT");
mLoadTriggeredFromExternal = aLoadTriggeredFromExternal;
return NS_OK;
}
NS_IMETHODIMP
LoadInfo::GetLoadTriggeredFromExternal(bool* aLoadTriggeredFromExternal)
{
*aLoadTriggeredFromExternal = mLoadTriggeredFromExternal;
return NS_OK;
}
NS_IMETHODIMP NS_IMETHODIMP
LoadInfo::GetForceHSTSPriming(bool* aForceHSTSPriming) LoadInfo::GetForceHSTSPriming(bool* aForceHSTSPriming)
{ {

2
netwerk/base/LoadInfo.h
View File

@@ -120,6 +120,7 @@ private:
const nsTArray<nsCString>& aUnsafeHeaders, const nsTArray<nsCString>& aUnsafeHeaders,
bool aForcePreflight, bool aForcePreflight,
bool aIsPreflight, bool aIsPreflight,
bool aLoadTriggeredFromExternal,
bool aForceHSTSPriming, bool aForceHSTSPriming,
bool aMixedContentWouldBlock, bool aMixedContentWouldBlock,
bool aIsHSTSPriming, bool aIsHSTSPriming,
@@ -175,6 +176,7 @@ private:
nsTArray<nsCString> mCorsUnsafeHeaders; nsTArray<nsCString> mCorsUnsafeHeaders;
bool mForcePreflight; bool mForcePreflight;
bool mIsPreflight; bool mIsPreflight;
bool mLoadTriggeredFromExternal;
bool mForceHSTSPriming : 1; bool mForceHSTSPriming : 1;
bool mMixedContentWouldBlock : 1; bool mMixedContentWouldBlock : 1;

7
netwerk/base/nsILoadInfo.idl
View File

@@ -598,6 +598,13 @@ interface nsILoadInfo : nsISupports
*/ */
[infallible] attribute boolean initialSecurityCheckDone; [infallible] attribute boolean initialSecurityCheckDone;
/**
* Returns true if the load was triggered from an external application
* (e.g. Thunderbird). Please note that this flag will only ever be true
* if the load is of TYPE_DOCUMENT.
*/
[infallible] attribute boolean loadTriggeredFromExternal;
/** /**
* Whenever a channel gets redirected, append the redirect history entry of * Whenever a channel gets redirected, append the redirect history entry of
* the channel which contains principal referrer and remote address [before * the channel which contains principal referrer and remote address [before

1
netwerk/ipc/NeckoChannelParams.ipdlh
View File

@@ -70,6 +70,7 @@ struct LoadInfoArgs
nsCString[] corsUnsafeHeaders; nsCString[] corsUnsafeHeaders;
bool forcePreflight; bool forcePreflight;
bool isPreflight; bool isPreflight;
bool loadTriggeredFromExternal;
bool forceHSTSPriming; bool forceHSTSPriming;
bool mixedContentWouldBlock; bool mixedContentWouldBlock;
bool isHSTSPriming; bool isHSTSPriming;