diff options
author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
---|---|---|
committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
tree | 10027f336435511475e392454359edea8e25895d /docshell/base/nsDSURIContentListener.cpp | |
parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip |
Add m-esr52 at 52.6.0
Diffstat (limited to 'docshell/base/nsDSURIContentListener.cpp')
-rw-r--r-- | docshell/base/nsDSURIContentListener.cpp | 539 |
1 files changed, 539 insertions, 0 deletions
diff --git a/docshell/base/nsDSURIContentListener.cpp b/docshell/base/nsDSURIContentListener.cpp new file mode 100644 index 000000000..cfac54f7f --- /dev/null +++ b/docshell/base/nsDSURIContentListener.cpp @@ -0,0 +1,539 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsDocShell.h" +#include "nsDSURIContentListener.h" +#include "nsIChannel.h" +#include "nsServiceManagerUtils.h" +#include "nsDocShellCID.h" +#include "nsIWebNavigationInfo.h" +#include "nsIDocument.h" +#include "nsIDOMWindow.h" +#include "nsNetUtil.h" +#include "nsQueryObject.h" +#include "nsIHttpChannel.h" +#include "nsIScriptSecurityManager.h" +#include "nsError.h" +#include "nsCharSeparatedTokenizer.h" +#include "nsIConsoleService.h" +#include "nsIScriptError.h" +#include "nsDocShellLoadTypes.h" +#include "nsIMultiPartChannel.h" + +using namespace mozilla; + +nsDSURIContentListener::nsDSURIContentListener(nsDocShell* aDocShell) + : mDocShell(aDocShell) + , mExistingJPEGRequest(nullptr) + , mParentContentListener(nullptr) +{ +} + +nsDSURIContentListener::~nsDSURIContentListener() +{ +} + +nsresult +nsDSURIContentListener::Init() +{ + nsresult rv; + mNavInfo = do_GetService(NS_WEBNAVIGATION_INFO_CONTRACTID, &rv); + NS_ASSERTION(NS_SUCCEEDED(rv), "Failed to get webnav info"); + return rv; +} + +NS_IMPL_ADDREF(nsDSURIContentListener) +NS_IMPL_RELEASE(nsDSURIContentListener) + +NS_INTERFACE_MAP_BEGIN(nsDSURIContentListener) + NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIURIContentListener) + NS_INTERFACE_MAP_ENTRY(nsIURIContentListener) + NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference) +NS_INTERFACE_MAP_END + +NS_IMETHODIMP +nsDSURIContentListener::OnStartURIOpen(nsIURI* aURI, bool* aAbortOpen) +{ + // If mDocShell is null here, that means someone's starting a load in our + // docshell after it's already been destroyed. Don't let that happen. + if (!mDocShell) { + *aAbortOpen = true; + return NS_OK; + } + + nsCOMPtr<nsIURIContentListener> parentListener; + GetParentContentListener(getter_AddRefs(parentListener)); + if (parentListener) { + return parentListener->OnStartURIOpen(aURI, aAbortOpen); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsDSURIContentListener::DoContent(const nsACString& aContentType, + bool aIsContentPreferred, + nsIRequest* aRequest, + nsIStreamListener** aContentHandler, + bool* aAbortProcess) +{ + nsresult rv; + NS_ENSURE_ARG_POINTER(aContentHandler); + NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE); + + // Check whether X-Frame-Options permits us to load this content in an + // iframe and abort the load (unless we've disabled x-frame-options + // checking). + if (!CheckFrameOptions(aRequest)) { + *aAbortProcess = true; + return NS_OK; + } + + *aAbortProcess = false; + + // determine if the channel has just been retargeted to us... + nsLoadFlags loadFlags = 0; + nsCOMPtr<nsIChannel> aOpenedChannel = do_QueryInterface(aRequest); + + if (aOpenedChannel) { + aOpenedChannel->GetLoadFlags(&loadFlags); + } + + if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) { + // XXX: Why does this not stop the content too? + mDocShell->Stop(nsIWebNavigation::STOP_NETWORK); + + mDocShell->SetLoadType(aIsContentPreferred ? LOAD_LINK : LOAD_NORMAL); + } + + // In case of multipart jpeg request (mjpeg) we don't really want to + // create new viewer since the one we already have is capable of + // rendering multipart jpeg correctly (see bug 625012) + nsCOMPtr<nsIChannel> baseChannel; + if (nsCOMPtr<nsIMultiPartChannel> mpchan = do_QueryInterface(aRequest)) { + mpchan->GetBaseChannel(getter_AddRefs(baseChannel)); + } + + bool reuseCV = baseChannel && baseChannel == mExistingJPEGRequest && + aContentType.EqualsLiteral("image/jpeg"); + + if (mExistingJPEGStreamListener && reuseCV) { + RefPtr<nsIStreamListener> copy(mExistingJPEGStreamListener); + copy.forget(aContentHandler); + rv = NS_OK; + } else { + rv = mDocShell->CreateContentViewer(aContentType, aRequest, aContentHandler); + if (NS_SUCCEEDED(rv) && reuseCV) { + mExistingJPEGStreamListener = *aContentHandler; + } else { + mExistingJPEGStreamListener = nullptr; + } + mExistingJPEGRequest = baseChannel; + } + + if (rv == NS_ERROR_REMOTE_XUL) { + aRequest->Cancel(rv); + *aAbortProcess = true; + return NS_OK; + } + + if (NS_FAILED(rv)) { + // we don't know how to handle the content + *aContentHandler = nullptr; + return rv; + } + + if (loadFlags & nsIChannel::LOAD_RETARGETED_DOCUMENT_URI) { + nsCOMPtr<nsPIDOMWindowOuter> domWindow = + mDocShell ? mDocShell->GetWindow() : nullptr; + NS_ENSURE_TRUE(domWindow, NS_ERROR_FAILURE); + domWindow->Focus(); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsDSURIContentListener::IsPreferred(const char* aContentType, + char** aDesiredContentType, + bool* aCanHandle) +{ + NS_ENSURE_ARG_POINTER(aCanHandle); + NS_ENSURE_ARG_POINTER(aDesiredContentType); + + // the docshell has no idea if it is the preferred content provider or not. + // It needs to ask its parent if it is the preferred content handler or not... + + nsCOMPtr<nsIURIContentListener> parentListener; + GetParentContentListener(getter_AddRefs(parentListener)); + if (parentListener) { + return parentListener->IsPreferred(aContentType, + aDesiredContentType, + aCanHandle); + } + // we used to return false here if we didn't have a parent properly registered + // at the top of the docshell hierarchy to dictate what content types this + // docshell should be a preferred handler for. But this really makes it hard + // for developers using iframe or browser tags because then they need to make + // sure they implement nsIURIContentListener otherwise all link clicks would + // get sent to another window because we said we weren't the preferred handler + // type. I'm going to change the default now... if we can handle the content, + // and someone didn't EXPLICITLY set a nsIURIContentListener at the top of our + // docshell chain, then we'll now always attempt to process the content + // ourselves... + return CanHandleContent(aContentType, true, aDesiredContentType, aCanHandle); +} + +NS_IMETHODIMP +nsDSURIContentListener::CanHandleContent(const char* aContentType, + bool aIsContentPreferred, + char** aDesiredContentType, + bool* aCanHandleContent) +{ + NS_PRECONDITION(aCanHandleContent, "Null out param?"); + NS_ENSURE_ARG_POINTER(aDesiredContentType); + + *aCanHandleContent = false; + *aDesiredContentType = nullptr; + + nsresult rv = NS_OK; + if (aContentType) { + uint32_t canHandle = nsIWebNavigationInfo::UNSUPPORTED; + rv = mNavInfo->IsTypeSupported(nsDependentCString(aContentType), + mDocShell, + &canHandle); + *aCanHandleContent = (canHandle != nsIWebNavigationInfo::UNSUPPORTED); + } + + return rv; +} + +NS_IMETHODIMP +nsDSURIContentListener::GetLoadCookie(nsISupports** aLoadCookie) +{ + NS_IF_ADDREF(*aLoadCookie = nsDocShell::GetAsSupports(mDocShell)); + return NS_OK; +} + +NS_IMETHODIMP +nsDSURIContentListener::SetLoadCookie(nsISupports* aLoadCookie) +{ +#ifdef DEBUG + RefPtr<nsDocLoader> cookieAsDocLoader = + nsDocLoader::GetAsDocLoader(aLoadCookie); + NS_ASSERTION(cookieAsDocLoader && cookieAsDocLoader == mDocShell, + "Invalid load cookie being set!"); +#endif + return NS_OK; +} + +NS_IMETHODIMP +nsDSURIContentListener::GetParentContentListener( + nsIURIContentListener** aParentListener) +{ + if (mWeakParentContentListener) { + nsCOMPtr<nsIURIContentListener> tempListener = + do_QueryReferent(mWeakParentContentListener); + *aParentListener = tempListener; + NS_IF_ADDREF(*aParentListener); + } else { + *aParentListener = mParentContentListener; + NS_IF_ADDREF(*aParentListener); + } + return NS_OK; +} + +NS_IMETHODIMP +nsDSURIContentListener::SetParentContentListener( + nsIURIContentListener* aParentListener) +{ + if (aParentListener) { + // Store the parent listener as a weak ref. Parents not supporting + // nsISupportsWeakReference assert but may still be used. + mParentContentListener = nullptr; + mWeakParentContentListener = do_GetWeakReference(aParentListener); + if (!mWeakParentContentListener) { + mParentContentListener = aParentListener; + } + } else { + mWeakParentContentListener = nullptr; + mParentContentListener = nullptr; + } + return NS_OK; +} + +bool +nsDSURIContentListener::CheckOneFrameOptionsPolicy(nsIHttpChannel* aHttpChannel, + const nsAString& aPolicy) +{ + static const char allowFrom[] = "allow-from"; + const uint32_t allowFromLen = ArrayLength(allowFrom) - 1; + bool isAllowFrom = + StringHead(aPolicy, allowFromLen).LowerCaseEqualsLiteral(allowFrom); + + // return early if header does not have one of the values with meaning + if (!aPolicy.LowerCaseEqualsLiteral("deny") && + !aPolicy.LowerCaseEqualsLiteral("sameorigin") && + !isAllowFrom) { + return true; + } + + nsCOMPtr<nsIURI> uri; + aHttpChannel->GetURI(getter_AddRefs(uri)); + + // XXXkhuey when does this happen? Is returning true safe here? + if (!mDocShell) { + return true; + } + + // We need to check the location of this window and the location of the top + // window, if we're not the top. X-F-O: SAMEORIGIN requires that the + // document must be same-origin with top window. X-F-O: DENY requires that + // the document must never be framed. + nsCOMPtr<nsPIDOMWindowOuter> thisWindow = mDocShell->GetWindow(); + // If we don't have DOMWindow there is no risk of clickjacking + if (!thisWindow) { + return true; + } + + // GetScriptableTop, not GetTop, because we want this to respect + // <iframe mozbrowser> boundaries. + nsCOMPtr<nsPIDOMWindowOuter> topWindow = thisWindow->GetScriptableTop(); + + // if the document is in the top window, it's not in a frame. + if (thisWindow == topWindow) { + return true; + } + + // Find the top docshell in our parent chain that doesn't have the system + // principal and use it for the principal comparison. Finding the top + // content-type docshell doesn't work because some chrome documents are + // loaded in content docshells (see bug 593387). + nsCOMPtr<nsIDocShellTreeItem> thisDocShellItem( + do_QueryInterface(static_cast<nsIDocShell*>(mDocShell))); + nsCOMPtr<nsIDocShellTreeItem> parentDocShellItem; + nsCOMPtr<nsIDocShellTreeItem> curDocShellItem = thisDocShellItem; + nsCOMPtr<nsIDocument> topDoc; + nsresult rv; + nsCOMPtr<nsIScriptSecurityManager> ssm = + do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv); + if (!ssm) { + MOZ_CRASH(); + } + + // Traverse up the parent chain and stop when we see a docshell whose + // parent has a system principal, or a docshell corresponding to + // <iframe mozbrowser>. + while (NS_SUCCEEDED( + curDocShellItem->GetParent(getter_AddRefs(parentDocShellItem))) && + parentDocShellItem) { + nsCOMPtr<nsIDocShell> curDocShell = do_QueryInterface(curDocShellItem); + if (curDocShell && curDocShell->GetIsMozBrowserOrApp()) { + break; + } + + bool system = false; + topDoc = parentDocShellItem->GetDocument(); + if (topDoc) { + if (NS_SUCCEEDED( + ssm->IsSystemPrincipal(topDoc->NodePrincipal(), &system)) && + system) { + // Found a system-principled doc: last docshell was top. + break; + } + } else { + return false; + } + curDocShellItem = parentDocShellItem; + } + + // If this document has the top non-SystemPrincipal docshell it is not being + // framed or it is being framed by a chrome document, which we allow. + if (curDocShellItem == thisDocShellItem) { + return true; + } + + // If the value of the header is DENY, and the previous condition is + // not met (current docshell is not the top docshell), prohibit the + // load. + if (aPolicy.LowerCaseEqualsLiteral("deny")) { + ReportXFOViolation(curDocShellItem, uri, eDENY); + return false; + } + + topDoc = curDocShellItem->GetDocument(); + nsCOMPtr<nsIURI> topUri; + topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri)); + + // If the X-Frame-Options value is SAMEORIGIN, then the top frame in the + // parent chain must be from the same origin as this document. + if (aPolicy.LowerCaseEqualsLiteral("sameorigin")) { + rv = ssm->CheckSameOriginURI(uri, topUri, true); + if (NS_FAILED(rv)) { + ReportXFOViolation(curDocShellItem, uri, eSAMEORIGIN); + return false; /* wasn't same-origin */ + } + } + + // If the X-Frame-Options value is "allow-from [uri]", then the top + // frame in the parent chain must be from that origin + if (isAllowFrom) { + if (aPolicy.Length() == allowFromLen || + (aPolicy[allowFromLen] != ' ' && + aPolicy[allowFromLen] != '\t')) { + ReportXFOViolation(curDocShellItem, uri, eALLOWFROM); + return false; + } + rv = NS_NewURI(getter_AddRefs(uri), Substring(aPolicy, allowFromLen)); + if (NS_FAILED(rv)) { + return false; + } + + rv = ssm->CheckSameOriginURI(uri, topUri, true); + if (NS_FAILED(rv)) { + ReportXFOViolation(curDocShellItem, uri, eALLOWFROM); + return false; + } + } + + return true; +} + +// Check if X-Frame-Options permits this document to be loaded as a subdocument. +// This will iterate through and check any number of X-Frame-Options policies +// in the request (comma-separated in a header, multiple headers, etc). +bool +nsDSURIContentListener::CheckFrameOptions(nsIRequest* aRequest) +{ + nsresult rv; + nsCOMPtr<nsIChannel> chan = do_QueryInterface(aRequest); + if (!chan) { + return true; + } + + nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(chan); + if (!httpChannel) { + // check if it is hiding in a multipart channel + rv = mDocShell->GetHttpChannel(chan, getter_AddRefs(httpChannel)); + if (NS_FAILED(rv)) { + return false; + } + } + + if (!httpChannel) { + return true; + } + + nsAutoCString xfoHeaderCValue; + httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("X-Frame-Options"), + xfoHeaderCValue); + NS_ConvertUTF8toUTF16 xfoHeaderValue(xfoHeaderCValue); + + // if no header value, there's nothing to do. + if (xfoHeaderValue.IsEmpty()) { + return true; + } + + // iterate through all the header values (usually there's only one, but can + // be many. If any want to deny the load, deny the load. + nsCharSeparatedTokenizer tokenizer(xfoHeaderValue, ','); + while (tokenizer.hasMoreTokens()) { + const nsSubstring& tok = tokenizer.nextToken(); + if (!CheckOneFrameOptionsPolicy(httpChannel, tok)) { + // cancel the load and display about:blank + httpChannel->Cancel(NS_BINDING_ABORTED); + if (mDocShell) { + nsCOMPtr<nsIWebNavigation> webNav(do_QueryObject(mDocShell)); + if (webNav) { + webNav->LoadURI(u"about:blank", + 0, nullptr, nullptr, nullptr); + } + } + return false; + } + } + + return true; +} + +void +nsDSURIContentListener::ReportXFOViolation(nsIDocShellTreeItem* aTopDocShellItem, + nsIURI* aThisURI, + XFOHeader aHeader) +{ + MOZ_ASSERT(aTopDocShellItem, "Need a top docshell"); + + nsCOMPtr<nsPIDOMWindowOuter> topOuterWindow = aTopDocShellItem->GetWindow(); + if (!topOuterWindow) { + return; + } + + nsPIDOMWindowInner* topInnerWindow = topOuterWindow->GetCurrentInnerWindow(); + if (!topInnerWindow) { + return; + } + + nsCOMPtr<nsIURI> topURI; + + nsCOMPtr<nsIDocument> document = aTopDocShellItem->GetDocument(); + nsresult rv = document->NodePrincipal()->GetURI(getter_AddRefs(topURI)); + if (NS_FAILED(rv)) { + return; + } + + if (!topURI) { + return; + } + + nsCString topURIString; + nsCString thisURIString; + + rv = topURI->GetSpec(topURIString); + if (NS_FAILED(rv)) { + return; + } + + rv = aThisURI->GetSpec(thisURIString); + if (NS_FAILED(rv)) { + return; + } + + nsCOMPtr<nsIConsoleService> consoleService = + do_GetService(NS_CONSOLESERVICE_CONTRACTID); + nsCOMPtr<nsIScriptError> errorObject = + do_CreateInstance(NS_SCRIPTERROR_CONTRACTID); + + if (!consoleService || !errorObject) { + return; + } + + nsString msg = NS_LITERAL_STRING("Load denied by X-Frame-Options: "); + msg.Append(NS_ConvertUTF8toUTF16(thisURIString)); + + switch (aHeader) { + case eDENY: + msg.AppendLiteral(" does not permit framing."); + break; + case eSAMEORIGIN: + msg.AppendLiteral(" does not permit cross-origin framing."); + break; + case eALLOWFROM: + msg.AppendLiteral(" does not permit framing by "); + msg.Append(NS_ConvertUTF8toUTF16(topURIString)); + msg.Append('.'); + break; + } + + rv = errorObject->InitWithWindowID(msg, EmptyString(), EmptyString(), 0, 0, + nsIScriptError::errorFlag, + "X-Frame-Options", + topInnerWindow->WindowID()); + if (NS_FAILED(rv)) { + return; + } + + consoleService->LogMessage(errorObject); +} |