diff options
author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
---|---|---|
committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
tree | 10027f336435511475e392454359edea8e25895d /caps/nsPrincipal.cpp | |
parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip |
Add m-esr52 at 52.6.0
Diffstat (limited to 'caps/nsPrincipal.cpp')
-rw-r--r-- | caps/nsPrincipal.cpp | 854 |
1 files changed, 854 insertions, 0 deletions
diff --git a/caps/nsPrincipal.cpp b/caps/nsPrincipal.cpp new file mode 100644 index 000000000..4cb472369 --- /dev/null +++ b/caps/nsPrincipal.cpp @@ -0,0 +1,854 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 sw=2 et tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsPrincipal.h" + +#include "mozIThirdPartyUtil.h" +#include "nscore.h" +#include "nsScriptSecurityManager.h" +#include "nsString.h" +#include "nsReadableUtils.h" +#include "pratom.h" +#include "nsIURI.h" +#include "nsIURL.h" +#include "nsIStandardURL.h" +#include "nsIURIWithPrincipal.h" +#include "nsJSPrincipals.h" +#include "nsIEffectiveTLDService.h" +#include "nsIClassInfoImpl.h" +#include "nsIProtocolHandler.h" +#include "nsError.h" +#include "nsIContentSecurityPolicy.h" +#include "nsNetCID.h" +#include "jswrapper.h" + +#include "mozilla/dom/nsCSPContext.h" +#include "mozilla/dom/ScriptSettings.h" +#include "mozilla/Preferences.h" +#include "mozilla/HashFunctions.h" + +#include "nsIAppsService.h" + +using namespace mozilla; + +static bool gIsWhitelistingTestDomains = false; +static bool gCodeBasePrincipalSupport = false; + +static bool URIIsImmutable(nsIURI* aURI) +{ + nsCOMPtr<nsIMutable> mutableObj(do_QueryInterface(aURI)); + bool isMutable; + return + mutableObj && + NS_SUCCEEDED(mutableObj->GetMutable(&isMutable)) && + !isMutable; +} + +NS_IMPL_CLASSINFO(nsPrincipal, nullptr, nsIClassInfo::MAIN_THREAD_ONLY, + NS_PRINCIPAL_CID) +NS_IMPL_QUERY_INTERFACE_CI(nsPrincipal, + nsIPrincipal, + nsISerializable) +NS_IMPL_CI_INTERFACE_GETTER(nsPrincipal, + nsIPrincipal, + nsISerializable) + +// Called at startup: +/* static */ void +nsPrincipal::InitializeStatics() +{ + Preferences::AddBoolVarCache( + &gIsWhitelistingTestDomains, + "layout.css.unprefixing-service.include-test-domains"); + + Preferences::AddBoolVarCache(&gCodeBasePrincipalSupport, + "signed.applets.codebase_principal_support", + false); +} + +nsPrincipal::nsPrincipal() + : mCodebaseImmutable(false) + , mDomainImmutable(false) + , mInitialized(false) +{ } + +nsPrincipal::~nsPrincipal() +{ + // let's clear the principal within the csp to avoid a tangling pointer + if (mCSP) { + static_cast<nsCSPContext*>(mCSP.get())->clearLoadingPrincipal(); + } +} + +nsresult +nsPrincipal::Init(nsIURI *aCodebase, const PrincipalOriginAttributes& aOriginAttributes) +{ + NS_ENSURE_STATE(!mInitialized); + NS_ENSURE_ARG(aCodebase); + + mInitialized = true; + + mCodebase = NS_TryToMakeImmutable(aCodebase); + mCodebaseImmutable = URIIsImmutable(mCodebase); + mOriginAttributes = aOriginAttributes; + + return NS_OK; +} + +nsresult +nsPrincipal::GetScriptLocation(nsACString &aStr) +{ + return mCodebase->GetSpec(aStr); +} + +/* static */ nsresult +nsPrincipal::GetOriginForURI(nsIURI* aURI, nsACString& aOrigin) +{ + if (!aURI) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIURI> origin = NS_GetInnermostURI(aURI); + if (!origin) { + return NS_ERROR_FAILURE; + } + + nsresult rv; +// NB: This is only compiled for Thunderbird/Suite. +#if IS_ORIGIN_IS_FULL_SPEC_DEFINED + bool fullSpec = false; + rv = NS_URIChainHasFlags(origin, nsIProtocolHandler::ORIGIN_IS_FULL_SPEC, &fullSpec); + NS_ENSURE_SUCCESS(rv, rv); + if (fullSpec) { + return origin->GetAsciiSpec(aOrigin); + } +#endif + + nsAutoCString hostPort; + + // chrome: URLs don't have a meaningful origin, so make + // sure we just get the full spec for them. + // XXX this should be removed in favor of the solution in + // bug 160042. + bool isChrome; + rv = origin->SchemeIs("chrome", &isChrome); + if (NS_SUCCEEDED(rv) && !isChrome) { + rv = origin->GetAsciiHostPort(hostPort); + // Some implementations return an empty string, treat it as no support + // for asciiHost by that implementation. + if (hostPort.IsEmpty()) { + rv = NS_ERROR_FAILURE; + } + } + + // We want the invariant that prinA.origin == prinB.origin i.f.f. + // prinA.equals(prinB). However, this requires that we impose certain constraints + // on the behavior and origin semantics of principals, and in particular, forbid + // creating origin strings for principals whose equality constraints are not + // expressible as strings (i.e. object equality). Moreover, we want to forbid URIs + // containing the magic "^" we use as a separating character for origin + // attributes. + // + // These constraints can generally be achieved by restricting .origin to + // nsIStandardURL-based URIs, but there are a few other URI schemes that we need + // to handle. + bool isBehaved; + if ((NS_SUCCEEDED(origin->SchemeIs("about", &isBehaved)) && isBehaved) || + (NS_SUCCEEDED(origin->SchemeIs("moz-safe-about", &isBehaved)) && isBehaved) || + (NS_SUCCEEDED(origin->SchemeIs("indexeddb", &isBehaved)) && isBehaved)) { + rv = origin->GetAsciiSpec(aOrigin); + NS_ENSURE_SUCCESS(rv, rv); + // These URIs could technically contain a '^', but they never should. + if (NS_WARN_IF(aOrigin.FindChar('^', 0) != -1)) { + aOrigin.Truncate(); + return NS_ERROR_FAILURE; + } + return NS_OK; + } + + if (NS_SUCCEEDED(rv) && !isChrome) { + rv = origin->GetScheme(aOrigin); + NS_ENSURE_SUCCESS(rv, rv); + aOrigin.AppendLiteral("://"); + aOrigin.Append(hostPort); + } + else { + // If we reached this branch, we can only create an origin if we have a nsIStandardURL. + // So, we query to a nsIStandardURL, and fail if we aren't an instance of an nsIStandardURL + // nsIStandardURLs have the good property of escaping the '^' character in their specs, + // which means that we can be sure that the caret character (which is reserved for delimiting + // the end of the spec, and the beginning of the origin attributes) is not present in the + // origin string + nsCOMPtr<nsIStandardURL> standardURL = do_QueryInterface(origin); + NS_ENSURE_TRUE(standardURL, NS_ERROR_FAILURE); + rv = origin->GetAsciiSpec(aOrigin); + NS_ENSURE_SUCCESS(rv, rv); + } + + return NS_OK; +} + +nsresult +nsPrincipal::GetOriginInternal(nsACString& aOrigin) +{ + return GetOriginForURI(mCodebase, aOrigin); +} + +bool +nsPrincipal::SubsumesInternal(nsIPrincipal* aOther, + BasePrincipal::DocumentDomainConsideration aConsideration) +{ + MOZ_ASSERT(aOther); + + // For nsPrincipal, Subsumes is equivalent to Equals. + if (aOther == this) { + return true; + } + + // If either the subject or the object has changed its principal by + // explicitly setting document.domain then the other must also have + // done so in order to be considered the same origin. This prevents + // DNS spoofing based on document.domain (154930) + nsresult rv; + if (aConsideration == ConsiderDocumentDomain) { + // Get .domain on each principal. + nsCOMPtr<nsIURI> thisDomain, otherDomain; + GetDomain(getter_AddRefs(thisDomain)); + aOther->GetDomain(getter_AddRefs(otherDomain)); + + // If either has .domain set, we have equality i.f.f. the domains match. + // Otherwise, we fall through to the non-document-domain-considering case. + if (thisDomain || otherDomain) { + return nsScriptSecurityManager::SecurityCompareURIs(thisDomain, otherDomain); + } + } + + nsCOMPtr<nsIURI> otherURI; + rv = aOther->GetURI(getter_AddRefs(otherURI)); + NS_ENSURE_SUCCESS(rv, false); + + // Compare codebases. + return nsScriptSecurityManager::SecurityCompareURIs(mCodebase, otherURI); +} + +NS_IMETHODIMP +nsPrincipal::GetURI(nsIURI** aURI) +{ + if (mCodebaseImmutable) { + NS_ADDREF(*aURI = mCodebase); + return NS_OK; + } + + if (!mCodebase) { + *aURI = nullptr; + return NS_OK; + } + + return NS_EnsureSafeToReturn(mCodebase, aURI); +} + +bool +nsPrincipal::MayLoadInternal(nsIURI* aURI) +{ + // See if aURI is something like a Blob URI that is actually associated with + // a principal. + nsCOMPtr<nsIURIWithPrincipal> uriWithPrin = do_QueryInterface(aURI); + nsCOMPtr<nsIPrincipal> uriPrin; + if (uriWithPrin) { + uriWithPrin->GetPrincipal(getter_AddRefs(uriPrin)); + } + if (uriPrin) { + return nsIPrincipal::Subsumes(uriPrin); + } + + // If this principal is associated with an addon, check whether that addon + // has been given permission to load from this domain. + if (AddonAllowsLoad(aURI)) { + return true; + } + + if (nsScriptSecurityManager::SecurityCompareURIs(mCodebase, aURI)) { + return true; + } + + // If strict file origin policy is in effect, local files will always fail + // SecurityCompareURIs unless they are identical. Explicitly check file origin + // policy, in that case. + if (nsScriptSecurityManager::GetStrictFileOriginPolicy() && + NS_URIIsLocalFile(aURI) && + NS_RelaxStrictFileOriginPolicy(aURI, mCodebase)) { + return true; + } + + return false; +} + +void +nsPrincipal::SetURI(nsIURI* aURI) +{ + mCodebase = NS_TryToMakeImmutable(aURI); + mCodebaseImmutable = URIIsImmutable(mCodebase); +} + +NS_IMETHODIMP +nsPrincipal::GetHashValue(uint32_t* aValue) +{ + NS_PRECONDITION(mCodebase, "Need a codebase"); + + *aValue = nsScriptSecurityManager::HashPrincipalByOrigin(this); + return NS_OK; +} + +NS_IMETHODIMP +nsPrincipal::GetDomain(nsIURI** aDomain) +{ + if (!mDomain) { + *aDomain = nullptr; + return NS_OK; + } + + if (mDomainImmutable) { + NS_ADDREF(*aDomain = mDomain); + return NS_OK; + } + + return NS_EnsureSafeToReturn(mDomain, aDomain); +} + +NS_IMETHODIMP +nsPrincipal::SetDomain(nsIURI* aDomain) +{ + mDomain = NS_TryToMakeImmutable(aDomain); + mDomainImmutable = URIIsImmutable(mDomain); + + // Recompute all wrappers between compartments using this principal and other + // non-chrome compartments. + AutoSafeJSContext cx; + JSPrincipals *principals = nsJSPrincipals::get(static_cast<nsIPrincipal*>(this)); + bool success = js::RecomputeWrappers(cx, js::ContentCompartmentsOnly(), + js::CompartmentsWithPrincipals(principals)); + NS_ENSURE_TRUE(success, NS_ERROR_FAILURE); + success = js::RecomputeWrappers(cx, js::CompartmentsWithPrincipals(principals), + js::ContentCompartmentsOnly()); + NS_ENSURE_TRUE(success, NS_ERROR_FAILURE); + + return NS_OK; +} + +NS_IMETHODIMP +nsPrincipal::GetBaseDomain(nsACString& aBaseDomain) +{ + // For a file URI, we return the file path. + if (NS_URIIsLocalFile(mCodebase)) { + nsCOMPtr<nsIURL> url = do_QueryInterface(mCodebase); + + if (url) { + return url->GetFilePath(aBaseDomain); + } + } + + bool hasNoRelativeFlag; + nsresult rv = NS_URIChainHasFlags(mCodebase, + nsIProtocolHandler::URI_NORELATIVE, + &hasNoRelativeFlag); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + + if (hasNoRelativeFlag) { + return mCodebase->GetSpec(aBaseDomain); + } + + // For everything else, we ask the TLD service via + // the ThirdPartyUtil. + nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil = + do_GetService(THIRDPARTYUTIL_CONTRACTID); + if (thirdPartyUtil) { + return thirdPartyUtil->GetBaseDomain(mCodebase, aBaseDomain); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsPrincipal::Read(nsIObjectInputStream* aStream) +{ + nsCOMPtr<nsISupports> supports; + nsCOMPtr<nsIURI> codebase; + nsresult rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(supports)); + if (NS_FAILED(rv)) { + return rv; + } + + codebase = do_QueryInterface(supports); + + nsCOMPtr<nsIURI> domain; + rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(supports)); + if (NS_FAILED(rv)) { + return rv; + } + + domain = do_QueryInterface(supports); + + nsAutoCString suffix; + rv = aStream->ReadCString(suffix); + NS_ENSURE_SUCCESS(rv, rv); + + PrincipalOriginAttributes attrs; + bool ok = attrs.PopulateFromSuffix(suffix); + NS_ENSURE_TRUE(ok, NS_ERROR_FAILURE); + + rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(supports)); + NS_ENSURE_SUCCESS(rv, rv); + + rv = Init(codebase, attrs); + NS_ENSURE_SUCCESS(rv, rv); + + mCSP = do_QueryInterface(supports, &rv); + // make sure setRequestContext is called after Init(), + // to make sure the principals URI been initalized. + if (mCSP) { + mCSP->SetRequestContext(nullptr, this); + } + + SetDomain(domain); + + return NS_OK; +} + +NS_IMETHODIMP +nsPrincipal::Write(nsIObjectOutputStream* aStream) +{ + NS_ENSURE_STATE(mCodebase); + nsresult rv = NS_WriteOptionalCompoundObject(aStream, mCodebase, NS_GET_IID(nsIURI), + true); + if (NS_FAILED(rv)) { + return rv; + } + + rv = NS_WriteOptionalCompoundObject(aStream, mDomain, NS_GET_IID(nsIURI), + true); + if (NS_FAILED(rv)) { + return rv; + } + + nsAutoCString suffix; + OriginAttributesRef().CreateSuffix(suffix); + + rv = aStream->WriteStringZ(suffix.get()); + NS_ENSURE_SUCCESS(rv, rv); + + rv = NS_WriteOptionalCompoundObject(aStream, mCSP, + NS_GET_IID(nsIContentSecurityPolicy), + true); + if (NS_FAILED(rv)) { + return rv; + } + + // mCodebaseImmutable and mDomainImmutable will be recomputed based + // on the deserialized URIs in Read(). + + return NS_OK; +} + +// Helper-function to indicate whether the CSS Unprefixing Service +// whitelist should include dummy domains that are only intended for +// use in testing. (Controlled by a pref.) +static inline bool +IsWhitelistingTestDomains() +{ + return gIsWhitelistingTestDomains; +} + +// Checks if the given URI's host is on our "full domain" whitelist +// (i.e. if it's an exact match against a domain that needs unprefixing) +static bool +IsOnFullDomainWhitelist(nsIURI* aURI) +{ + nsAutoCString hostStr; + nsresult rv = aURI->GetHost(hostStr); + NS_ENSURE_SUCCESS(rv, false); + + // NOTE: This static whitelist is expected to be short. If that changes, + // we should consider a different representation; e.g. hash-set, prefix tree. + static const nsLiteralCString sFullDomainsOnWhitelist[] = { + // 0th entry only active when testing: + NS_LITERAL_CSTRING("test1.example.org"), + NS_LITERAL_CSTRING("map.baidu.com"), + NS_LITERAL_CSTRING("3g.163.com"), + NS_LITERAL_CSTRING("3glogo.gtimg.com"), // for 3g.163.com + NS_LITERAL_CSTRING("info.3g.qq.com"), // for 3g.qq.com + NS_LITERAL_CSTRING("3gimg.qq.com"), // for 3g.qq.com + NS_LITERAL_CSTRING("img.m.baidu.com"), // for [shucheng|ks].baidu.com + NS_LITERAL_CSTRING("m.mogujie.com"), + NS_LITERAL_CSTRING("touch.qunar.com"), + NS_LITERAL_CSTRING("mjs.sinaimg.cn"), // for sina.cn + NS_LITERAL_CSTRING("static.qiyi.com"), // for m.iqiyi.com + NS_LITERAL_CSTRING("cdn.kuaidi100.com"), // for m.kuaidi100.com + NS_LITERAL_CSTRING("m.pc6.com"), + NS_LITERAL_CSTRING("m.haosou.com"), + NS_LITERAL_CSTRING("m.mi.com"), + NS_LITERAL_CSTRING("wappass.baidu.com"), + NS_LITERAL_CSTRING("m.video.baidu.com"), + NS_LITERAL_CSTRING("m.video.baidu.com"), + NS_LITERAL_CSTRING("imgcache.gtimg.cn"), // for m.v.qq.com + NS_LITERAL_CSTRING("s.tabelog.jp"), + NS_LITERAL_CSTRING("s.yimg.jp"), // for s.tabelog.jp + NS_LITERAL_CSTRING("i.yimg.jp"), // for *.yahoo.co.jp + NS_LITERAL_CSTRING("ai.yimg.jp"), // for *.yahoo.co.jp + NS_LITERAL_CSTRING("m.finance.yahoo.co.jp"), + NS_LITERAL_CSTRING("daily.c.yimg.jp"), // for sp.daily.co.jp + NS_LITERAL_CSTRING("stat100.ameba.jp"), // for ameblo.jp + NS_LITERAL_CSTRING("user.ameba.jp"), // for ameblo.jp + NS_LITERAL_CSTRING("www.goo.ne.jp"), + NS_LITERAL_CSTRING("x.gnst.jp"), // for mobile.gnavi.co.jp + NS_LITERAL_CSTRING("c.x.gnst.jp"), // for mobile.gnavi.co.jp + NS_LITERAL_CSTRING("www.smbc-card.com"), + NS_LITERAL_CSTRING("static.card.jp.rakuten-static.com"), // for rakuten-card.co.jp + NS_LITERAL_CSTRING("img.travel.rakuten.co.jp"), // for travel.rakuten.co.jp + NS_LITERAL_CSTRING("img.mixi.net"), // for mixi.jp + NS_LITERAL_CSTRING("girlschannel.net"), + NS_LITERAL_CSTRING("www.fancl.co.jp"), + NS_LITERAL_CSTRING("s.cosme.net"), + NS_LITERAL_CSTRING("www.sapporobeer.jp"), + NS_LITERAL_CSTRING("www.mapion.co.jp"), + NS_LITERAL_CSTRING("touch.navitime.co.jp"), + NS_LITERAL_CSTRING("sp.mbga.jp"), + NS_LITERAL_CSTRING("ava-a.sp.mbga.jp"), // for sp.mbga.jp + NS_LITERAL_CSTRING("www.ntv.co.jp"), + NS_LITERAL_CSTRING("mobile.suntory.co.jp"), // for suntory.jp + NS_LITERAL_CSTRING("www.aeonsquare.net"), + NS_LITERAL_CSTRING("mw.nikkei.com"), + NS_LITERAL_CSTRING("www.nhk.or.jp"), + NS_LITERAL_CSTRING("www.tokyo-sports.co.jp"), + NS_LITERAL_CSTRING("www.bellemaison.jp"), + NS_LITERAL_CSTRING("www.kuronekoyamato.co.jp"), + NS_LITERAL_CSTRING("formassist.jp"), // for orico.jp + NS_LITERAL_CSTRING("sp.m.reuters.co.jp"), + NS_LITERAL_CSTRING("www.atre.co.jp"), + NS_LITERAL_CSTRING("www.jtb.co.jp"), + NS_LITERAL_CSTRING("www.sharp.co.jp"), + NS_LITERAL_CSTRING("www.biccamera.com"), + NS_LITERAL_CSTRING("weathernews.jp"), + NS_LITERAL_CSTRING("cache.ymail.jp"), // for www.yamada-denkiweb.com + }; + static const size_t sNumFullDomainsOnWhitelist = + MOZ_ARRAY_LENGTH(sFullDomainsOnWhitelist); + + // Skip 0th (dummy) entry in whitelist, unless a pref is enabled. + const size_t firstWhitelistIdx = IsWhitelistingTestDomains() ? 0 : 1; + + for (size_t i = firstWhitelistIdx; i < sNumFullDomainsOnWhitelist; ++i) { + if (hostStr == sFullDomainsOnWhitelist[i]) { + return true; + } + } + return false; +} + +// Checks if the given URI's host is on our "base domain" whitelist +// (i.e. if it's a subdomain of some host that we've whitelisted as needing +// unprefixing for all its subdomains) +static bool +IsOnBaseDomainWhitelist(nsIURI* aURI) +{ + static const nsLiteralCString sBaseDomainsOnWhitelist[] = { + // 0th entry only active when testing: + NS_LITERAL_CSTRING("test2.example.org"), + NS_LITERAL_CSTRING("tbcdn.cn"), // for m.taobao.com + NS_LITERAL_CSTRING("alicdn.com"), // for m.taobao.com + NS_LITERAL_CSTRING("dpfile.com"), // for m.dianping.com + NS_LITERAL_CSTRING("hao123img.com"), // for hao123.com + NS_LITERAL_CSTRING("tabelog.k-img.com"), // for s.tabelog.com + NS_LITERAL_CSTRING("tsite.jp"), // for *.tsite.jp + }; + static const size_t sNumBaseDomainsOnWhitelist = + MOZ_ARRAY_LENGTH(sBaseDomainsOnWhitelist); + + nsCOMPtr<nsIEffectiveTLDService> tldService = + do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID); + + if (tldService) { + // Skip 0th test-entry in whitelist, unless the testing pref is enabled. + const size_t firstWhitelistIdx = IsWhitelistingTestDomains() ? 0 : 1; + + // Right now, the test base-domain "test2.example.org" is the only entry in + // its whitelist with a nonzero "depth". So we'll only bother going beyond + // 0 depth (to 1) if that entry is enabled. (No point in slowing down the + // normal codepath, for the benefit of a disabled test domain.) If we add a + // "real" base-domain with a depth of >= 1 to our whitelist, we can get rid + // of this conditional & just make this a static variable. + const uint32_t maxSubdomainDepth = IsWhitelistingTestDomains() ? 1 : 0; + + for (uint32_t subdomainDepth = 0; + subdomainDepth <= maxSubdomainDepth; ++subdomainDepth) { + + // Get the base domain (to depth |subdomainDepth|) from passed-in URI: + nsAutoCString baseDomainStr; + nsresult rv = tldService->GetBaseDomain(aURI, subdomainDepth, + baseDomainStr); + if (NS_FAILED(rv)) { + // aURI doesn't have |subdomainDepth| levels of subdomains. If we got + // here without a match yet, then aURI is not on our whitelist. + return false; + } + + // Compare the base domain against each entry in our whitelist: + for (size_t i = firstWhitelistIdx; i < sNumBaseDomainsOnWhitelist; ++i) { + if (baseDomainStr == sBaseDomainsOnWhitelist[i]) { + return true; + } + } + } + } + + return false; +} + +// The actual (non-cached) implementation of IsOnCSSUnprefixingWhitelist(): +static bool +IsOnCSSUnprefixingWhitelistImpl(nsIURI* aURI) +{ + // Check scheme, so we can drop any non-HTTP/HTTPS URIs right away + nsAutoCString schemeStr; + nsresult rv = aURI->GetScheme(schemeStr); + NS_ENSURE_SUCCESS(rv, false); + + // Only proceed if scheme is "http" or "https" + if (!(StringBeginsWith(schemeStr, NS_LITERAL_CSTRING("http")) && + (schemeStr.Length() == 4 || + (schemeStr.Length() == 5 && schemeStr[4] == 's')))) { + return false; + } + + return (IsOnFullDomainWhitelist(aURI) || + IsOnBaseDomainWhitelist(aURI)); +} + + +bool +nsPrincipal::IsOnCSSUnprefixingWhitelist() +{ + if (mIsOnCSSUnprefixingWhitelist.isNothing()) { + // Value not cached -- perform our lazy whitelist-check. + // (NOTE: If our URI is mutable, we just assume it's not on the whitelist, + // since our caching strategy won't work. This isn't expected to be common.) + mIsOnCSSUnprefixingWhitelist.emplace( + mCodebaseImmutable && + IsOnCSSUnprefixingWhitelistImpl(mCodebase)); + } + + return *mIsOnCSSUnprefixingWhitelist; +} + +/************************************************************************************************************************/ + +NS_IMPL_CLASSINFO(nsExpandedPrincipal, nullptr, nsIClassInfo::MAIN_THREAD_ONLY, + NS_EXPANDEDPRINCIPAL_CID) +NS_IMPL_QUERY_INTERFACE_CI(nsExpandedPrincipal, + nsIPrincipal, + nsIExpandedPrincipal) +NS_IMPL_CI_INTERFACE_GETTER(nsExpandedPrincipal, + nsIPrincipal, + nsIExpandedPrincipal) + +struct OriginComparator +{ + bool LessThan(nsIPrincipal* a, nsIPrincipal* b) const + { + nsAutoCString originA; + nsresult rv = a->GetOrigin(originA); + NS_ENSURE_SUCCESS(rv, false); + nsAutoCString originB; + rv = b->GetOrigin(originB); + NS_ENSURE_SUCCESS(rv, false); + return originA < originB; + } + + bool Equals(nsIPrincipal* a, nsIPrincipal* b) const + { + nsAutoCString originA; + nsresult rv = a->GetOrigin(originA); + NS_ENSURE_SUCCESS(rv, false); + nsAutoCString originB; + rv = b->GetOrigin(originB); + NS_ENSURE_SUCCESS(rv, false); + return a == b; + } +}; + +nsExpandedPrincipal::nsExpandedPrincipal(nsTArray<nsCOMPtr<nsIPrincipal>> &aWhiteList, + const PrincipalOriginAttributes& aAttrs) +{ + // We force the principals to be sorted by origin so that nsExpandedPrincipal + // origins can have a canonical form. + OriginComparator c; + for (size_t i = 0; i < aWhiteList.Length(); ++i) { + mPrincipals.InsertElementSorted(aWhiteList[i], c); + } + mOriginAttributes = aAttrs; +} + +nsExpandedPrincipal::~nsExpandedPrincipal() +{ } + +NS_IMETHODIMP +nsExpandedPrincipal::GetDomain(nsIURI** aDomain) +{ + *aDomain = nullptr; + return NS_OK; +} + +NS_IMETHODIMP +nsExpandedPrincipal::SetDomain(nsIURI* aDomain) +{ + return NS_OK; +} + +nsresult +nsExpandedPrincipal::GetOriginInternal(nsACString& aOrigin) +{ + aOrigin.AssignLiteral("[Expanded Principal ["); + for (size_t i = 0; i < mPrincipals.Length(); ++i) { + if (i != 0) { + aOrigin.AppendLiteral(", "); + } + + nsAutoCString subOrigin; + nsresult rv = mPrincipals.ElementAt(i)->GetOrigin(subOrigin); + NS_ENSURE_SUCCESS(rv, rv); + aOrigin.Append(subOrigin); + } + + aOrigin.Append("]]"); + return NS_OK; +} + +bool +nsExpandedPrincipal::SubsumesInternal(nsIPrincipal* aOther, + BasePrincipal::DocumentDomainConsideration aConsideration) +{ + // If aOther is an ExpandedPrincipal too, we break it down into its component + // nsIPrincipals, and check subsumes on each one. + nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aOther); + if (expanded) { + nsTArray< nsCOMPtr<nsIPrincipal> >* otherList; + expanded->GetWhiteList(&otherList); + for (uint32_t i = 0; i < otherList->Length(); ++i){ + // Use SubsumesInternal rather than Subsumes here, since OriginAttribute + // checks are only done between non-expanded sub-principals, and we don't + // need to incur the extra virtual call overhead. + if (!SubsumesInternal((*otherList)[i], aConsideration)) { + return false; + } + } + return true; + } + + // We're dealing with a regular principal. One of our principals must subsume + // it. + for (uint32_t i = 0; i < mPrincipals.Length(); ++i) { + if (Cast(mPrincipals[i])->Subsumes(aOther, aConsideration)) { + return true; + } + } + + return false; +} + +bool +nsExpandedPrincipal::MayLoadInternal(nsIURI* uri) +{ + for (uint32_t i = 0; i < mPrincipals.Length(); ++i){ + if (BasePrincipal::Cast(mPrincipals[i])->MayLoadInternal(uri)) { + return true; + } + } + + return false; +} + +NS_IMETHODIMP +nsExpandedPrincipal::GetHashValue(uint32_t* result) +{ + MOZ_CRASH("extended principal should never be used as key in a hash map"); +} + +NS_IMETHODIMP +nsExpandedPrincipal::GetURI(nsIURI** aURI) +{ + *aURI = nullptr; + return NS_OK; +} + +NS_IMETHODIMP +nsExpandedPrincipal::GetWhiteList(nsTArray<nsCOMPtr<nsIPrincipal> >** aWhiteList) +{ + *aWhiteList = &mPrincipals; + return NS_OK; +} + +NS_IMETHODIMP +nsExpandedPrincipal::GetBaseDomain(nsACString& aBaseDomain) +{ + return NS_ERROR_NOT_AVAILABLE; +} + +bool +nsExpandedPrincipal::AddonHasPermission(const nsAString& aPerm) +{ + for (size_t i = 0; i < mPrincipals.Length(); ++i) { + if (BasePrincipal::Cast(mPrincipals[i])->AddonHasPermission(aPerm)) { + return true; + } + } + return false; +} + +bool +nsExpandedPrincipal::IsOnCSSUnprefixingWhitelist() +{ + // CSS Unprefixing Whitelist is a per-origin thing; doesn't really make sense + // for an expanded principal. (And probably shouldn't be needed.) + return false; +} + + +nsresult +nsExpandedPrincipal::GetScriptLocation(nsACString& aStr) +{ + aStr.Assign("[Expanded Principal ["); + for (size_t i = 0; i < mPrincipals.Length(); ++i) { + if (i != 0) { + aStr.AppendLiteral(", "); + } + + nsAutoCString spec; + nsresult rv = + nsJSPrincipals::get(mPrincipals.ElementAt(i))->GetScriptLocation(spec); + NS_ENSURE_SUCCESS(rv, rv); + + aStr.Append(spec); + } + aStr.Append("]]"); + return NS_OK; +} + +////////////////////////////////////////// +// Methods implementing nsISerializable // +////////////////////////////////////////// + +NS_IMETHODIMP +nsExpandedPrincipal::Read(nsIObjectInputStream* aStream) +{ + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +nsExpandedPrincipal::Write(nsIObjectOutputStream* aStream) +{ + return NS_ERROR_NOT_IMPLEMENTED; +} |