From ab961aeb54335fd07c66de2e3b8c3b6af6f89ea2 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Mon, 3 Sep 2018 10:11:38 +0200
Subject: Remove all C++ Telemetry Accumulation calls. This creates a number of stubs and leaves some surrounding code that may be irrelevant (eg. recorded time stamps, status variables). Stub resolution/removal should be a follow-up to this.
---
 dom/security/nsMixedContentBlocker.cpp | 41 +---------------------------------
 1 file changed, 1 insertion(+), 40 deletions(-)
(limited to 'dom/security')
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index c03628da0..5f41f414d 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -983,44 +983,5 @@ enum MixedContentHSTSState {
 void
 nsMixedContentBlocker::AccumulateMixedContentHSTS(nsIURI* aURI, bool aActive)
 {
- // This method must only be called in the parent, because
- // nsSiteSecurityService is only available in the parent
- if (!XRE_IsParentProcess()) {
- MOZ_ASSERT(false);
- return;
- }
-
- bool hsts;
- nsresult rv;
- nsCOMPtr sss = do_GetService(NS_SSSERVICE_CONTRACTID, &rv);
- if (NS_FAILED(rv)) {
- return;
- }
- rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, 0, nullptr, &hsts);
- if (NS_FAILED(rv)) {
- return;
- }
-
- // states: would upgrade, hsts info cached
- // active, passive
- //
- if (!aActive) {
- if (!hsts) {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_PAS
SIVE_NO_HSTS);
- }
- else {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_PASSIVE_WITH_HSTS);
- }
- } else {
- if (!hsts) {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_ACTIVE_NO_HSTS);
- }
- else {
- Telemetry::Accumulate(Telemetry::MIXED_CONTENT_HSTS,
- MCB_HSTS_ACTIVE_WITH_HSTS);
- }
- }
+/* STUB */
 }
\ No newline at end of file
-- cgit v1.2.3
From c5c9445e3adf6b65c98f6810551d7c3d64133134 Mon Sep 17 00:00:00 2001
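Review bot: The stub drops the `MOZ_ASSERT(false)` that enforced "parent process only", so a content-process caller now silently no-ops, and `aURI`/`aActive` become unused parameters that will warn on -Wunused-parameter builds. Since the description explicitly defers stub removal, the stub should say so and silence the warnings: `/* STUB: telemetry removed; delete together with the SendAccumulateMixedContentHSTS caller in ShouldLoad. */` followed by `(void)aURI; (void)aActive;`. The `MixedContentHSTSState` enum named in the hunk header is presumably also left without a user once this body is gone.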
From: Gaming4JC Date: Tue, 25 Sep 2018 23:03:28 -0400 Subject: backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins Potential attack: session supercookie. [Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5): "The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that. What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak." [Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8): "nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers). So nsHttpAtom holds a pointer to a header name. (header names are stored on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds the string that was used to resolve the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same string will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operations we will use the old char* except when we are returning it to a script using VisitHeaders."
---
 dom/security/test/cors/test_CrossSiteXHR.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'dom/security')
diff --git a/dom/security/test/cors/test_CrossSiteXHR.html b/dom/security/test/cors/test_CrossSiteXHR.html
index b3cda3b87..d9aef5c60 100644
--- a/dom/security/test/cors/test_CrossSiteXHR.html
+++ b/dom/security/test/cors/test_CrossSiteXHR.html
@@ -743,7 +743,7 @@ function runTest() {
 is(res.responseHeaders[header], test.responseHeaders[header], "|xhr.getResponseHeader()|wrong response header (" + header + ") in test for " + test.toSource());
- is(res.allResponseHeaders[header], test.responseHeaders[header],
+ is(res.allResponseHeaders[header.toLowerCase()], test.responseHeaders[header],
 "|xhr.getAllResponseHeaderss()|wrong response header (" + header + ") in test for " + test.toSource());
 }
-- cgit v1.2.3
From 5335681cd2ab05ad47e81be7722c9eee19d54065 Mon Sep 17 00:00:00 2001
From: adeshkp
Date: Sat, 12 Jan 2019 06:20:31 -0500
Subject: Telemetry: Remove stubs and related code
---
 dom/security/nsMixedContentBlocker.cpp | 15 +--------------
 dom/security/nsMixedContentBlocker.h | 3 ---
 2 files changed, 1 insertion(+), 17 deletions(-)
(limited to 'dom/security')
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index 5f41f414d..543429aff 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -35,7 +35,6 @@
 #include "nsISiteSecurityService.h"
 #include "mozilla/Logging.h"
-#include "mozilla/Telemetry.h"
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/ipc/URIUtils.h"
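Review bot: The lower-cased lookup only tracks the new normalisation of names returned by `getAllResponseHeaders()`; it does not exercise the cross-origin casing leak the backport fixes, so a regression of CVE-2017-7797 would still pass this test. A regression test would request a custom header with one casing from one origin, then with a different casing from a second origin, and assert the second response reports its own casing rather than the first origin's. The unchanged message `|xhr.getAllResponseHeaderss()|` keeps its `Headerss` typo, which makes the failure string awkward to grep for. `runTest()` begins and ends outside this hunk.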
@@ -814,17 +813,13 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
 //
 // We do not count requests aHadInsecureImageRedirect=true, since these are
 // just an artifact of the image caching system.
- bool active = (classification == eMixedScript);
 if (!aHadInsecureImageRedirect) {
- if (XRE_IsParentProcess()) {
- AccumulateMixedContentHSTS(innerContentLocation, active);
- } else {
+ if (!XRE_IsParentProcess()) {
 // Ask the parent process to do the same call
 mozilla::dom::ContentChild* cc = mozilla::dom::ContentChild::GetSingleton();
 if (cc) {
 mozilla::ipc::URIParams uri;
 SerializeURI(innerContentLocation, uri);
- cc->SendAccumulateMixedContentHSTS(uri, active);
 }
 }
 }
@@ -977,11 +972,3 @@ enum MixedContentHSTSState {
 MCB_HSTS_ACTIVE_NO_HSTS = 2,
 MCB_HSTS_ACTIVE_WITH_HSTS = 3
 };
-
-// Record information on when HSTS would have made mixed content not mixed
-// content (regardless of whether it was actually blocked)
-void
-nsMixedContentBlocker::AccumulateMixedContentHSTS(nsIURI* aURI, bool aActive)
-{
-/* STUB */
-}
\ No newline at end of file
diff --git a/dom/security/nsMixedContentBlocker.h b/dom/security/nsMixedContentBlocker.h
index 56ab9621f..068068b25 100644
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@@ -61,9 +61,6 @@ public:
 nsISupports* aExtra,
 nsIPrincipal* aRequestPrincipal,
 int16_t* aDecision);
- static void AccumulateMixedContentHSTS(nsIURI* aURI,
- bool aActive);
-
 static bool sBlockMixedScript;
 static bool sBlockMixedDisplay;
-- cgit v1.2.3
From 6b4d81521f0c7bef48a1e8c3e9254a81df27a9d2 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sat, 9 Mar 2019 08:15:36 +0100
Subject: Prevent loading of document subresources over FTP.
---
 dom/security/nsContentSecurityManager.cpp | 56 +++++++++++++++++++++++++++++++
 dom/security/nsContentSecurityManager.h | 1 +
 2 files changed, 57 insertions(+)
(limited to 'dom/security')
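Review bot: After removing `cc->SendAccumulateMixedContentHSTS(uri, active)`, the surviving child-process branch in `ShouldLoad` still fetches the `ContentChild` singleton and serializes `innerContentLocation` into a `URIParams` that is never sent, so it is dead work on every mixed-content decision in content processes, and the comment `// Ask the parent process to do the same call` is now false. The whole `if (!aHadInsecureImageRedirect) { if (!XRE_IsParentProcess()) { … } }` block, the explanatory comment above it, and the `MixedContentHSTSState` enum the second hunk leaves without a user should go together; the `mozilla/dom/ContentChild.h` and `mozilla/ipc/URIUtils.h` includes then likely become unused too (confirm no other use in the file). `ShouldLoad` begins and ends outside this hunk.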
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 570730312..f2cbc8fcf 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -92,6 +92,55 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
 return false;
 }
+/* static */ nsresult
+nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
+{
+ // We dissallow using FTP resources as a subresource everywhere.
+ // The only valid way to use FTP resources is loading it as
+ // a top level document.
+
+ nsCOMPtr loadInfo = aChannel->GetLoadInfo();
+ if (!loadInfo) {
+ return NS_OK;
+ }
+
+ nsContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+ if (type == nsIContentPolicy::TYPE_DOCUMENT) {
+ return NS_OK;
+ }
+
+ nsCOMPtr uri;
+ nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (!uri) {
+ return NS_OK;
+ }
+
+ bool isFtpURI = (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtpURI)) && isFtpURI);
+ if (!isFtpURI) {
+ return NS_OK;
+ }
+
+ nsCOMPtr doc;
+ if (nsINode* node = loadInfo->LoadingNode()) {
+ doc = node->OwnerDoc();
+ }
+
+ nsAutoCString spec;
+ uri->GetSpec(spec);
+ NS_ConvertUTF8toUTF16 specUTF16(NS_UnescapeURL(spec));
+ const char16_t* params[] = { specUTF16.get() };
+
+ nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
+ NS_LITERAL_CSTRING("FTP_URI_BLOCKED"),
+ doc,
+ nsContentUtils::eSECURITY_PROPERTIES,
+ "BlockSubresourceFTP",
+ params, ArrayLength(params));
+
+ return NS_ERROR_CONTENT_BLOCKED;
+}
+
 static nsresult
 ValidateSecurityFlags(nsILoadInfo* aLoadInfo)
 {
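Review bot: The block decision keys on `uri->SchemeIs("ftp", …)` of the final channel URI only, so a nested URI whose outer scheme is not ftp (for example `jar:ftp://host/x.jar!/a.js`, if the jar handler accepts an ftp inner URI here) would not be recognised and would load as a subresource; checking the innermost URI first (`NS_GetInnermostURI(uri)`, if that helper is available in this tree) before `SchemeIs` closes that gap. `uri->GetSpec(spec)` also ignores its `nsresult`, so on failure the console report is emitted with an empty spec; check it, e.g. `if (NS_FAILED(uri->GetSpec(spec))) { spec.Truncate(); }` with a comment that the report is best-effort. The new function is complete within this hunk.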
@@ -574,6 +623,10 @@ nsContentSecurityManager::doContentSecurityCheck(nsIChannel* aChannel,
 rv = DoContentSecurityChecks(aChannel, loadInfo);
 NS_ENSURE_SUCCESS(rv, rv);
+ // Apply this after CSP checks to allow CSP reporting.
+ rv = CheckFTPSubresourceLoad(aChannel);
+ NS_ENSURE_SUCCESS(rv, rv);
+
 // now lets set the initalSecurityFlag for subsequent calls
 loadInfo->SetInitialSecurityCheckDone(true);
@@ -591,6 +644,9 @@ nsContentSecurityManager::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
 // Are we enforcing security using LoadInfo?
 if (loadInfo && loadInfo->GetEnforceSecurity()) {
 nsresult rv = CheckChannel(aNewChannel);
+ if (NS_SUCCEEDED(rv)) {
+ rv = CheckFTPSubresourceLoad(aNewChannel);
+ }
 if (NS_FAILED(rv)) {
 aOldChannel->Cancel(rv);
 return rv;
diff --git a/dom/security/nsContentSecurityManager.h b/dom/security/nsContentSecurityManager.h
index bab847743..750dd8803 100644
--- a/dom/security/nsContentSecurityManager.h
+++ b/dom/security/nsContentSecurityManager.h
@@ -36,6 +36,7 @@ public:
 private:
 static nsresult CheckChannel(nsIChannel* aChannel);
+ static nsresult CheckFTPSubresourceLoad(nsIChannel* aChannel);
 virtual ~nsContentSecurityManager() {}
-- cgit v1.2.3
From d9aff90f06254a0b724a0ea9c21db39f74ff8fc6 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sun, 14 Jul 2019 22:41:01 +0200
Subject: Add preference to allow the loading of FTP subresources for corner cases
---
 dom/security/nsContentSecurityManager.cpp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'dom/security')
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index f2cbc8fcf..12c55e8f6 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
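Review bot: In `AsyncOnChannelRedirect` the new call sits inside `if (loadInfo && loadInfo->GetEnforceSecurity())`, so a channel opened through the legacy `AsyncOpen` path (where that flag is not set, as I read it) that is redirected from http(s) to ftp keeps loading as a subresource; a later commit on this page converting image loads to `AsyncOpen2` suggests that gap is real. If FTP subresources are meant to be blocked regardless of how the channel was opened, call `CheckFTPSubresourceLoad(aNewChannel)` outside the `GetEnforceSecurity()` guard (it already returns NS_OK when there is no loadInfo), otherwise document the limitation on the new header declaration, which currently carries no comment, e.g. `// Blocks ftp: subresource loads; only effective for AsyncOpen2 channels.` Both enclosing functions extend beyond their hunks.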
@@ -98,6 +98,9 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
 // We dissallow using FTP resources as a subresource everywhere.
 // The only valid way to use FTP resources is loading it as
 // a top level document.
+ if (!mozilla::net::nsIOService::BlockFTPSubresources()) {
+ return NS_OK;
+ }
 nsCOMPtr loadInfo = aChannel->GetLoadInfo();
 if (!loadInfo) {
-- cgit v1.2.3
From 4491ec5eacd5ed501737c0db2c134fe1815c50a8 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Mon, 15 Jul 2019 12:51:23 +0200
Subject: Selectively allow ftp subresources in the blocked mode. - Allow "Save As..." downloads - Allow subresource use if the top-level document is also on FTP
---
 dom/security/nsContentSecurityManager.cpp | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
(limited to 'dom/security')
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 12c55e8f6..08fd9afd9 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -95,9 +95,11 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
 /* static */ nsresult
 nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
 {
- // We dissallow using FTP resources as a subresource everywhere.
+ // We dissallow using FTP resources as a subresource almost everywhere.
+ // The only valid way to use FTP resources is loading it as
+ // a top level document.
+
+ // Override blocking if the pref is set to allow.
 if (!mozilla::net::nsIOService::BlockFTPSubresources()) {
 return NS_OK;
 }
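Review bot: The `nsIOService::BlockFTPSubresources()` gate is a global off switch for this whole check, but neither the original comment nor the rewritten `// Override blocking if the pref is set to allow.` names the preference it reads or says that disabling it reopens FTP subresource loading; name it so someone auditing prefs can find it, e.g. `// Pref-controlled override (see nsIOService::BlockFTPSubresources()); when false, ftp: subresources load unchecked.` The header comment also misspells "disallow" in both the removed and the rewritten line: `// We disallow using FTP resources as a subresource almost everywhere.` `CheckFTPSubresourceLoad` continues past these hunks.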
@@ -108,6 +110,13 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
 }
 nsContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Allow save-as download of FTP files on HTTP pages.
+ if (type == nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD) {
+ return NS_OK;
+ }
+
+ // Allow direct document requests
 if (type == nsIContentPolicy::TYPE_DOCUMENT) {
 return NS_OK;
 }
@@ -119,11 +128,22 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
 return NS_OK;
 }
+ // Allow if it's not the FTP protocol
 bool isFtpURI = (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtpURI)) && isFtpURI);
 if (!isFtpURI) {
 return NS_OK;
 }
+ // Allow loading FTP subresources in top-level FTP documents.
+ nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();
+ nsCOMPtr tURI;
+ triggeringPrincipal->GetURI(getter_AddRefs(tURI));
+ bool isTrigFtpURI = (NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI);
+ if (isTrigFtpURI) {
+ return NS_OK;
+ }
+
+ // If we get here, the request is blocked and should be reported.
 nsCOMPtr doc;
 if (nsINode* node = loadInfo->LoadingNode()) {
 doc = node->OwnerDoc();
-- cgit v1.2.3
From deae241f5e3db8f9b86b98933291b9a30e28db22 Mon Sep 17 00:00:00 2001
From: win7-7
Date: Thu, 8 Aug 2019 16:44:51 +0300
Subject: Convert dom/base/nsImageLoadingContent.cpp to use AsyncOpen2 and followups along with it (1445670 and 1373780 part 2 and 3) Convert dom/base/nsImageLoadingContent.cpp to use AsyncOpen2 and followups along with it (1445670 and 1373780 part 2 and 3)
---
 dom/security/nsContentSecurityManager.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'dom/security')
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 08fd9afd9..5c6701992 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
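Review bot: The new triggering-principal exemption dereferences `tURI` unconditionally: `triggeringPrincipal->GetURI(getter_AddRefs(tURI))` ignores its return value, and for principals that carry no URI (the system and expanded principals, as I read this code base) `tURI` stays null and `tURI->SchemeIs(...)` is a null dereference on every ftp: subresource request that reaches this point, i.e. a crash in the path that is supposed to block. Treat a missing URI as "not ftp" so the request falls through to the block, and null-check `triggeringPrincipal` while there. The comment says "top-level FTP documents" but the test is on the triggering principal; that only coincides because ftp: subdocuments are themselves blocked by this function, which is worth saying. The function continues outside these hunks.
```cpp
  // Allow loading FTP subresources triggered from an FTP document (ftp:
  // subdocuments are blocked above, so an ftp: triggering principal implies a
  // top-level ftp: document). A principal without a URI (system/expanded, as
  // far as I can tell) is treated as not-FTP and falls through to the block.
  nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();
  nsCOMPtr<nsIURI> tURI;
  if (triggeringPrincipal &&
      NS_SUCCEEDED(triggeringPrincipal->GetURI(getter_AddRefs(tURI))) && tURI) {
    bool isTrigFtpURI = false;
    if (NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI) {
      return NS_OK;
    }
  }
  // … unchanged: console report and NS_ERROR_CONTENT_BLOCKED …
```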
@@ -10,6 +10,7 @@
 #include "nsIStreamListener.h"
 #include "nsCDefaultURIFixup.h"
 #include "nsIURIFixup.h"
+#include "nsIImageLoadingContent.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/TabChild.h"
@@ -123,7 +124,7 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
 nsCOMPtr uri;
 nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
- NS_ENSURE_SUCCESS(rv, rv);
+ NS_ENSURE_SUCCESS(rv, rv);
 if (!uri) {
 return NS_OK;
 }
@@ -801,6 +802,8 @@ nsContentSecurityManager::CheckChannel(nsIChannel* aChannel)
 // within nsCorsListenerProxy
 rv = DoCheckLoadURIChecks(uri, loadInfo);
 NS_ENSURE_SUCCESS(rv, rv);
+ // TODO: Bug 1371237
+ // consider calling SetBlockedRequest in nsContentSecurityManager::CheckChannel
 }
 return NS_OK;
-- cgit v1.2.3
From 334a892eb5f94c9adc5253101a213c8b8b492df8 Mon Sep 17 00:00:00 2001
From: Sebastian Streich
Date: Thu, 5 Sep 2019 09:48:51 +0200
Subject: Add checks to respect CSP-wildcard + Ports.
---
 dom/security/nsCSPUtils.cpp | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
(limited to 'dom/security')
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 71c8e3433..d07ad7945 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
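Review bot: The added `#include "nsIImageLoadingContent.h"` has no user in this file's hunks, which otherwise contain only a whitespace fix and a TODO, so it reads as an include carried over from the nsImageLoadingContent conversion; drop it unless a grep shows something in the file needs it. The TODO would be more actionable if it said what is missing today rather than just "consider", e.g. `// TODO: Bug 1371237 - a DoCheckLoadURIChecks failure is not marked on the loadInfo via SetBlockedRequest, so callers cannot tell this block from a generic failure.` (hedged: confirm that is what SetBlockedRequest records here). `CheckChannel` and `CheckFTPSubresourceLoad` both extend beyond their hunks.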
@@ -641,13 +641,22 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
 // just a specific scheme, the parser should generate a nsCSPSchemeSource.
 NS_ASSERTION((!mHost.IsEmpty()), "host can not be the empty string");
+ // Before we can check if the host matches, we have to
+ // extract the host part from aUri.
+ nsAutoCString uriHost;
+ nsresult rv = aUri->GetAsciiHost(uriHost);
+ NS_ENSURE_SUCCESS(rv, false);
+
+ nsString decodedUriHost;
+ CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+
 // 2) host matching: Enforce a single *
 if (mHost.EqualsASCII("*")) {
 // The single ASTERISK character (*) does not match a URI's scheme of a type
 // designating a globally unique identifier (such as blob:, data:, or filesystem:)
- // At the moment firefox does not support filesystem; but for future compatibility
+ // At the moment UXP does not support "filesystem:" but for future compatibility
 // we support it in CSP according to the spec, see: 4.2.2 Matching Source Expressions
- // Note, that whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
+ // Note: whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
 bool isBlobScheme =
 (NS_SUCCEEDED(aUri->SchemeIs("blob", &isBlobScheme)) && isBlobScheme);
 bool isDataScheme =
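Review bot: Hoisting `aUri->GetAsciiHost(uriHost)` above the wildcard branch makes `NS_ENSURE_SUCCESS(rv, false)` apply to a bare `*` as well, so any URI for which GetAsciiHost fails (host-less schemes backed by nsSimpleURI, if I read the URI classes right) now fails closed where the old code returned true after the blob/data/filesystem check. That may well be the intent, but it is a behaviour change the commit message does not mention, and it deserves a comment at the new early-exit, e.g. `// A URI without a host (GetAsciiHost fails) never matches a host-source, not even a bare *.` `permits()` continues past this hunk, so the later host/port comparisons that consume `decodedUriHost` are not visible here.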
@@ -658,20 +667,15 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
 if (isBlobScheme || isDataScheme || isFileScheme) {
 return false;
 }
- return true;
- }
-
- // Before we can check if the host matches, we have to
- // extract the host part from aUri.
- nsAutoCString uriHost;
- nsresult rv = aUri->GetAsciiHost(uriHost);
- NS_ENSURE_SUCCESS(rv, false);
-
- nsString decodedUriHost;
- CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriHost), decodedUriHost);
+ // If no scheme is present there also won't be a port and folder to check
+ // which means we can return early.
+ if (mScheme.IsEmpty()) {
+ return true;
+ }
+ }
 // 4.5) host matching: Check if the allowed host starts with a wilcard.
- if (mHost.First() == '*') {
+ else if (mHost.First() == '*') {
 NS_ASSERTION(mHost[1] == '.',
 "Second character needs to be '.' whenever host starts with '*'");
 // Eliminate leading "*", but keeping the FULL STOP (.) thereafter before checking
-- cgit v1.2.3
From 6db06749e2037029adc96660aafa5339ed609e60 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Thu, 5 Sep 2019 18:42:49 +0200
Subject: Fix whitelisting of JavaScript-uris by CSP hash.
---
 dom/security/nsCSPContext.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'dom/security')
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
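Review bot: The early `if (mScheme.IsEmpty()) { return true; }` rests on the comment's claim that a scheme-less source cannot carry a port or path, but the CSP host-source grammar allows a port without a scheme (`*:8080`); if nsCSPParser accepts that form, `img-src *:8080` would match every port after this change because the port comparison further down is skipped. Either verify the parser rejects a port/path on a scheme-less `*` and say so in the comment, or make the condition explicit, roughly `if (mScheme.IsEmpty() && mPort.IsEmpty() && mPath.IsEmpty())` (member names assumed from the "port and folder" wording; confirm). Style: the `// 4.5) host matching …` comment now sits between `}` and `else if`, which reads like an orphaned statement; move it inside the `else if` body or above the whole chain. `permits()` begins and ends outside this hunk.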
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
 for (uint32_t i = 0; i < mPolicies.Length(); i++) {
 bool allowed = mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+
+ // If the inlined script or style is allowed by either unsafe-inline or the
+ // nonce, go ahead and shortcut this loop.
+ if (allowed) {
+ continue;
+ }
+
+ // Check if the csp-hash matches against the hash of the script.
+ // If we don't have any content to check, block the script.
+ if (!aContent.IsEmpty()) {
+ allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ }
 if (!allowed) {
 // policy is violoated: deny the load unless policy is report only and
-- cgit v1.2.3
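Review bot: The new `continue` changes control flow for the unsafe-inline/nonce case: whatever follows the `if (!allowed) { … }` block inside the loop used to run for allowed policies and is now skipped, and that part of `GetAllowsInline` lies outside the hunk, so confirm nothing there (per-policy bookkeeping, logging) is lost. The comment `// If we don't have any content to check, block the script.` states the effect but not the reason; given the subject, spell it out so nobody "optimises" the guard away, e.g. `// Never hash-match empty content: a javascript: URI whose body is not available here (aContent empty) must not be whitelisted by a hash source.` (hedged: confirm that is the failure mode being fixed). Note that `allowed` is now computed without the hash term, so a policy with only hash sources and empty content correctly reaches the deny path.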