Bug 1403814 - Block toplevel data: URI navigations only if openend in the browser. r=smaug

2017-11-03 13:23:11 +01:00
parent bc289ff545
commit 980d2b45c4
9 changed files with 73 additions and 57 deletions
--- a/docshell/base/nsDSURIContentListener.cpp
+++ b/docshell/base/nsDSURIContentListener.cpp
@@ -14,6 +14,7 @@
 #include "nsIDOMWindow.h"
 #include "nsIHttpChannel.h"
 #include "nsError.h"
+#include "nsContentSecurityManager.h"
 #include "nsDocShellLoadTypes.h"
 #include "nsIMultiPartChannel.h"

@@ -86,6 +87,14 @@ nsDSURIContentListener::DoContent(const nsACString& aContentType,

  if (aOpenedChannel) {
    aOpenedChannel->GetLoadFlags(&loadFlags);
+
+    // block top-level data URI navigations if triggered by the web
+    if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(aOpenedChannel)) {
+      // logging to console happens within AllowTopLevelNavigationToDataURI
+      aRequest->Cancel(NS_ERROR_DOM_BAD_URI);
+      *aAbortProcess = true;
+      return NS_OK; 
+    }
  }

  if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) {
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -9967,19 +9967,6 @@ nsDocShell::InternalLoad(nsIURI* aURI,
    isTargetTopLevelDocShell = true;
  }

-  nsIDocument* doc = mContentViewer ? mContentViewer->GetDocument()
-                                    : nullptr;
-  if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
-        aURI,
-        contentType,
-        aTriggeringPrincipal,
-        doc,
-        (aLoadType == LOAD_NORMAL_EXTERNAL),
-        !aFileName.IsVoid())) {
-    // logging to console happens within AllowTopLevelNavigationToDataURI
-    return NS_OK;
-  }
-
  // If there's no targetDocShell, that means we are about to create a new
  // window (or aWindowTarget is empty). Perform a content policy check before
  // creating the window. Please note for all other docshell loads
@@ -10108,6 +10095,9 @@ nsDocShell::InternalLoad(nsIURI* aURI,
    }
  }

+  nsIDocument* doc = mContentViewer ? mContentViewer->GetDocument()
+                                    : nullptr;
+
  const bool isDocumentAuxSandboxed = doc &&
    (doc->GetSandboxFlags() & SANDBOXED_AUXILIARY_NAVIGATION);

@@ -11192,6 +11182,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
  if (aPrincipalToInherit) {
    loadInfo->SetPrincipalToInherit(aPrincipalToInherit);
  }
+  loadInfo->SetLoadTriggeredFromExternal(aLoadFromExternal);

  // We have to do this in case our OriginAttributes are different from the
  // OriginAttributes of the parent document. Or in case there isn't a
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -19,22 +19,16 @@
 #include "nsCDefaultURIFixup.h"
 #include "nsIURIFixup.h"
 #include "nsIImageLoadingContent.h"
-#include "NullPrincipal.h"

 #include "mozilla/dom/Element.h"
+#include "mozilla/dom/TabChild.h"

 NS_IMPL_ISUPPORTS(nsContentSecurityManager,
                  nsIContentSecurityManager,
                  nsIChannelEventSink)

 /* static */ bool
-nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
-  nsIURI* aURI,
-  nsContentPolicyType aContentPolicyType,
-  nsIPrincipal* aTriggeringPrincipal,
-  nsIDocument* aDoc,
-  bool aLoadFromExternal,
-  bool aIsDownLoad)
+nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
 {
  // Let's block all toplevel document navigations to a data: URI.
  // In all cases where the toplevel document is navigated to a
@@ -47,17 +41,24 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
  if (!mozilla::net::nsIOService::BlockToplevelDataUriNavigations()) {
    return true;
  }
-  if (aContentPolicyType != nsIContentPolicy::TYPE_DOCUMENT || aIsDownLoad) {
+  nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
+  if (!loadInfo) {
    return true;
  }
+  if (loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT) {
+    return true;
+  }
+  nsCOMPtr<nsIURI> uri;
+  nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+  NS_ENSURE_SUCCESS(rv, true);
  bool isDataURI =
-    (NS_SUCCEEDED(aURI->SchemeIs("data", &isDataURI)) && isDataURI);
+    (NS_SUCCEEDED(uri->SchemeIs("data", &isDataURI)) && isDataURI);
  if (!isDataURI) {
    return true;
  }
  // Whitelist data: images as long as they are not SVGs
  nsAutoCString filePath;
-  aURI->GetFilePath(filePath);
+  uri->GetFilePath(filePath);
  if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/")) &&
      !StringBeginsWith(filePath, NS_LITERAL_CSTRING("image/svg+xml"))) {
    return true;
@@ -66,21 +67,29 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
  if (StringBeginsWith(filePath, NS_LITERAL_CSTRING("application/pdf"))) {
    return true;
  }
-  if (!aLoadFromExternal &&
-      nsContentUtils::IsSystemPrincipal(aTriggeringPrincipal)) {
+  // Redirecting to a toplevel data: URI is not allowed, hence we make
+  // sure the RedirectChain is empty.
+  if (!loadInfo->GetLoadTriggeredFromExternal() &&
+      nsContentUtils::IsSystemPrincipal(loadInfo->TriggeringPrincipal()) &&
+      loadInfo->RedirectChain().IsEmpty()) {
    return true;
  }
  nsAutoCString dataSpec;
-  aURI->GetSpec(dataSpec);
+  uri->GetSpec(dataSpec);
  if (dataSpec.Length() > 50) {
    dataSpec.Truncate(50);
    dataSpec.AppendLiteral("...");
  }
+  nsCOMPtr<nsITabChild> tabChild = do_QueryInterface(loadInfo->ContextForTopLevelLoad());
+  nsCOMPtr<nsIDocument> doc;
+  if (tabChild) {
+    doc = static_cast<mozilla::dom::TabChild*>(tabChild.get())->GetDocument();
+  }
  NS_ConvertUTF8toUTF16 specUTF16(NS_UnescapeURL(dataSpec));
  const char16_t* params[] = { specUTF16.get() };
  nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
                                  NS_LITERAL_CSTRING("DATA_URI_BLOCKED"),
-                                  aDoc,
+                                  doc,
                                  nsContentUtils::eSECURITY_PROPERTIES,
                                  "BlockTopLevelDataURINavigation",
                                  params, ArrayLength(params));
@@ -576,29 +585,6 @@ nsContentSecurityManager::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
    }
  }

-  // Redirecting to a toplevel data: URI is not allowed, hence we pass
-  // a NullPrincipal as the TriggeringPrincipal to
-  // AllowTopLevelNavigationToDataURI() which definitely blocks any
-  // data: URI load.
-  nsCOMPtr<nsILoadInfo> newLoadInfo = aNewChannel->GetLoadInfo();
-  if (newLoadInfo) {
-    nsCOMPtr<nsIURI> uri;
-    nsresult rv = NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(uri));
-    NS_ENSURE_SUCCESS(rv, rv);
-    nsCOMPtr<nsIPrincipal> nullTriggeringPrincipal = NullPrincipal::Create();
-    if (!nsContentSecurityManager::AllowTopLevelNavigationToDataURI(
-          uri,
-          newLoadInfo->GetExternalContentPolicyType(),
-          nullTriggeringPrincipal,
-          nullptr, // no doc available, log to browser console
-          false,
-          false)) {
-        // logging to console happens within AllowTopLevelNavigationToDataURI
-      aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
-      return NS_ERROR_DOM_BAD_URI;
-    }
-  }
-
  // Also verify that the redirecting server is allowed to redirect to the
  // given URI
  nsCOMPtr<nsIPrincipal> oldPrincipal;
--- a/dom/security/nsContentSecurityManager.h
+++ b/dom/security/nsContentSecurityManager.h
@@ -33,12 +33,7 @@ public:
  static nsresult doContentSecurityCheck(nsIChannel* aChannel,
                                         nsCOMPtr<nsIStreamListener>& aInAndOutListener);

-  static bool AllowTopLevelNavigationToDataURI(nsIURI* aURI,
-                                               nsContentPolicyType aContentPolicyType,
-                                               nsIPrincipal* aTriggeringPrincipal,
-                                               nsIDocument* aDoc,
-                                               bool aLoadFromExternal,
-                                               bool aIsDownload);
+  static bool AllowTopLevelNavigationToDataURI(nsIChannel* aChannel);

 private:
  static nsresult CheckChannel(nsIChannel* aChannel);
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -404,6 +404,7 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
      aLoadInfo->CorsUnsafeHeaders(),
      aLoadInfo->GetForcePreflight(),
      aLoadInfo->GetIsPreflight(),
+      aLoadInfo->GetLoadTriggeredFromExternal(),
      aLoadInfo->GetForceHSTSPriming(),
      aLoadInfo->GetMixedContentWouldBlock(),
      aLoadInfo->GetIsHSTSPriming(),
@@ -511,6 +512,7 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
                          loadInfoArgs.corsUnsafeHeaders(),
                          loadInfoArgs.forcePreflight(),
                          loadInfoArgs.isPreflight(),
+                          loadInfoArgs.loadTriggeredFromExternal(),
                          loadInfoArgs.forceHSTSPriming(),
                          loadInfoArgs.mixedContentWouldBlock(),
                          loadInfoArgs.isHSTSPriming(),
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -7,6 +7,7 @@
 #include "mozilla/LoadInfo.h"

 #include "mozilla/Assertions.h"
+#include "mozilla/dom/TabChild.h"
 #include "mozilla/dom/ToJSValue.h"
 #include "mozIThirdPartyUtil.h"
 #include "nsFrameLoader.h"
@@ -68,6 +69,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
  , mIsThirdPartyContext(false)
  , mForcePreflight(false)
  , mIsPreflight(false)
+  , mLoadTriggeredFromExternal(false)
  , mForceHSTSPriming(false)
  , mMixedContentWouldBlock(false)
  , mIsHSTSPriming(false)
@@ -250,6 +252,7 @@ LoadInfo::LoadInfo(nsPIDOMWindowOuter* aOuterWindow,
  , mIsThirdPartyContext(false) // NB: TYPE_DOCUMENT implies not third-party.
  , mForcePreflight(false)
  , mIsPreflight(false)
+  , mLoadTriggeredFromExternal(false)
  , mForceHSTSPriming(false)
  , mMixedContentWouldBlock(false)
  , mIsHSTSPriming(false)
@@ -324,6 +327,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
  , mCorsUnsafeHeaders(rhs.mCorsUnsafeHeaders)
  , mForcePreflight(rhs.mForcePreflight)
  , mIsPreflight(rhs.mIsPreflight)
+  , mLoadTriggeredFromExternal(rhs.mLoadTriggeredFromExternal)
  , mForceHSTSPriming(rhs.mForceHSTSPriming)
  , mMixedContentWouldBlock(rhs.mMixedContentWouldBlock)
  , mIsHSTSPriming(rhs.mIsHSTSPriming)
@@ -359,6 +363,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
                   const nsTArray<nsCString>& aCorsUnsafeHeaders,
                   bool aForcePreflight,
                   bool aIsPreflight,
+                   bool aLoadTriggeredFromExternal,
                   bool aForceHSTSPriming,
                   bool aMixedContentWouldBlock,
                   bool aIsHSTSPriming,
@@ -388,6 +393,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
  , mCorsUnsafeHeaders(aCorsUnsafeHeaders)
  , mForcePreflight(aForcePreflight)
  , mIsPreflight(aIsPreflight)
+  , mLoadTriggeredFromExternal(aLoadTriggeredFromExternal)
  , mForceHSTSPriming (aForceHSTSPriming)
  , mMixedContentWouldBlock(aMixedContentWouldBlock)
  , mIsHSTSPriming(aIsHSTSPriming)
@@ -982,6 +988,23 @@ LoadInfo::GetIsPreflight(bool* aIsPreflight)
  return NS_OK;
 }

+NS_IMETHODIMP
+LoadInfo::SetLoadTriggeredFromExternal(bool aLoadTriggeredFromExternal)
+{
+  MOZ_ASSERT(!aLoadTriggeredFromExternal ||
+             mInternalContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT,
+             "can only set load triggered from external for TYPE_DOCUMENT");
+  mLoadTriggeredFromExternal = aLoadTriggeredFromExternal;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetLoadTriggeredFromExternal(bool* aLoadTriggeredFromExternal)
+{
+  *aLoadTriggeredFromExternal = mLoadTriggeredFromExternal;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetForceHSTSPriming(bool* aForceHSTSPriming)
 {
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@@ -120,6 +120,7 @@ private:
           const nsTArray<nsCString>& aUnsafeHeaders,
           bool aForcePreflight,
           bool aIsPreflight,
+           bool aLoadTriggeredFromExternal,
           bool aForceHSTSPriming,
           bool aMixedContentWouldBlock,
           bool aIsHSTSPriming,
@@ -175,6 +176,7 @@ private:
  nsTArray<nsCString>              mCorsUnsafeHeaders;
  bool                             mForcePreflight;
  bool                             mIsPreflight;
+  bool                             mLoadTriggeredFromExternal;

  bool                             mForceHSTSPriming : 1;
  bool                             mMixedContentWouldBlock : 1;
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -598,6 +598,13 @@ interface nsILoadInfo : nsISupports
   */
  [infallible] attribute boolean initialSecurityCheckDone;

+  /**
+   * Returns true if the load was triggered from an external application
+   * (e.g. Thunderbird). Please note that this flag will only ever be true
+   * if the load is of TYPE_DOCUMENT. 
+   */
+  [infallible] attribute boolean loadTriggeredFromExternal;
+
  /**
   * Whenever a channel gets redirected, append the redirect history entry of
   * the channel which contains principal referrer and remote address [before
--- a/netwerk/ipc/NeckoChannelParams.ipdlh
+++ b/netwerk/ipc/NeckoChannelParams.ipdlh
@@ -70,6 +70,7 @@ struct LoadInfoArgs
  nsCString[]                 corsUnsafeHeaders;
  bool                        forcePreflight;
  bool                        isPreflight;
+  bool                        loadTriggeredFromExternal;
  bool                        forceHSTSPriming;
  bool                        mixedContentWouldBlock;
  bool                        isHSTSPriming;