1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_BasePrincipal_h
#define mozilla_BasePrincipal_h
#include "nsIPrincipal.h"
#include "nsIScriptSecurityManager.h"
#include "nsJSPrincipals.h"
#include "mozilla/Attributes.h"
#include "mozilla/dom/ChromeUtilsBinding.h"
class nsIContentSecurityPolicy;
class nsIObjectOutputStream;
class nsIObjectInputStream;
class nsIURI;
class nsExpandedPrincipal;
namespace mozilla {
class GenericOriginAttributes;
// Base OriginAttributes class. This has several subclass flavors, and is not
// directly constructable itself.
class OriginAttributes : public dom::OriginAttributesDictionary
{
public:
bool operator==(const OriginAttributes& aOther) const
{
return mAppId == aOther.mAppId &&
mInIsolatedMozBrowser == aOther.mInIsolatedMozBrowser &&
mAddonId == aOther.mAddonId &&
mUserContextId == aOther.mUserContextId &&
mPrivateBrowsingId == aOther.mPrivateBrowsingId &&
mFirstPartyDomain == aOther.mFirstPartyDomain;
}
bool operator!=(const OriginAttributes& aOther) const
{
return !(*this == aOther);
}
// Serializes/Deserializes non-default values into the suffix format, i.e.
// |!key1=value1&key2=value2|. If there are no non-default attributes, this
// returns an empty string.
void CreateSuffix(nsACString& aStr) const;
// Don't use this method for anything else than debugging!
void CreateAnonymizedSuffix(nsACString& aStr) const;
MOZ_MUST_USE bool PopulateFromSuffix(const nsACString& aStr);
// Populates the attributes from a string like
// |uri!key1=value1&key2=value2| and returns the uri without the suffix.
MOZ_MUST_USE bool PopulateFromOrigin(const nsACString& aOrigin,
nsACString& aOriginNoSuffix);
// Helper function to match mIsPrivateBrowsing to existing private browsing
// flags. Once all other flags are removed, this can be removed too.
void SyncAttributesWithPrivateBrowsing(bool aInPrivateBrowsing);
void SetFromGenericAttributes(const GenericOriginAttributes& aAttrs);
// check if "privacy.firstparty.isolate" is enabled.
static bool IsFirstPartyEnabled();
protected:
OriginAttributes() {}
explicit OriginAttributes(const OriginAttributesDictionary& aOther)
: OriginAttributesDictionary(aOther) {}
};
class PrincipalOriginAttributes;
class DocShellOriginAttributes;
class NeckoOriginAttributes;
// Various classes in Gecko contain OriginAttributes members, and those
// OriginAttributes get propagated to other classes according to certain rules.
// For example, the OriginAttributes on the docshell affect the OriginAttributes
// for the principal of a document loaded inside it, whose OriginAttributes in
// turn affect those of network loads and child docshells. To codify and
// centralize these rules, we introduce separate subclasses for the different
// flavors, and a variety of InheritFrom* methods to implement the transfer
// behavior.
// For OriginAttributes stored on principals.
class PrincipalOriginAttributes : public OriginAttributes
{
public:
PrincipalOriginAttributes() {}
PrincipalOriginAttributes(uint32_t aAppId, bool aInIsolatedMozBrowser)
{
mAppId = aAppId;
mInIsolatedMozBrowser = aInIsolatedMozBrowser;
}
// Inheriting OriginAttributes from docshell to document when user navigates.
//
// @param aAttrs Origin Attributes of the docshell.
// @param aURI The URI of the document.
void InheritFromDocShellToDoc(const DocShellOriginAttributes& aAttrs,
const nsIURI* aURI);
// Inherit OriginAttributes from Necko.
void InheritFromNecko(const NeckoOriginAttributes& aAttrs);
void StripUserContextIdAndFirstPartyDomain();
};
// For OriginAttributes stored on docshells / loadcontexts / browsing contexts.
class DocShellOriginAttributes : public OriginAttributes
{
public:
DocShellOriginAttributes() {}
DocShellOriginAttributes(uint32_t aAppId, bool aInIsolatedMozBrowser)
{
mAppId = aAppId;
mInIsolatedMozBrowser = aInIsolatedMozBrowser;
}
// Inheriting OriginAttributes from document to child docshell when an
// <iframe> is created.
//
// @param aAttrs Origin Attributes of the document.
void
InheritFromDocToChildDocShell(const PrincipalOriginAttributes& aAttrs);
};
// For OriginAttributes stored on Necko.
class NeckoOriginAttributes : public OriginAttributes
{
public:
NeckoOriginAttributes() {}
NeckoOriginAttributes(uint32_t aAppId, bool aInIsolatedMozBrowser)
{
mAppId = aAppId;
mInIsolatedMozBrowser = aInIsolatedMozBrowser;
}
// Inheriting OriginAttributes from document to necko when a network request
// is made.
void InheritFromDocToNecko(const PrincipalOriginAttributes& aAttrs);
// Inheriting OriginAttributes from a docshell when loading a top-level
// document.
void InheritFromDocShellToNecko(const DocShellOriginAttributes& aAttrs,
const bool aIsTopLevelDocument = false,
nsIURI* aURI = nullptr);
};
// For operating on OriginAttributes not associated with any data structure.
class GenericOriginAttributes : public OriginAttributes
{
public:
GenericOriginAttributes() {}
explicit GenericOriginAttributes(const OriginAttributesDictionary& aOther)
: OriginAttributes(aOther) {}
};
class OriginAttributesPattern : public dom::OriginAttributesPatternDictionary
{
public:
// To convert a JSON string to an OriginAttributesPattern, do the following:
//
// OriginAttributesPattern pattern;
// if (!pattern.Init(aJSONString)) {
// ... // handle failure.
// }
OriginAttributesPattern() {}
explicit OriginAttributesPattern(const OriginAttributesPatternDictionary& aOther)
: OriginAttributesPatternDictionary(aOther) {}
// Performs a match of |aAttrs| against this pattern.
bool Matches(const OriginAttributes& aAttrs) const
{
if (mAppId.WasPassed() && mAppId.Value() != aAttrs.mAppId) {
return false;
}
if (mInIsolatedMozBrowser.WasPassed() && mInIsolatedMozBrowser.Value() != aAttrs.mInIsolatedMozBrowser) {
return false;
}
if (mAddonId.WasPassed() && mAddonId.Value() != aAttrs.mAddonId) {
return false;
}
if (mUserContextId.WasPassed() && mUserContextId.Value() != aAttrs.mUserContextId) {
return false;
}
if (mPrivateBrowsingId.WasPassed() && mPrivateBrowsingId.Value() != aAttrs.mPrivateBrowsingId) {
return false;
}
if (mFirstPartyDomain.WasPassed() && mFirstPartyDomain.Value() != aAttrs.mFirstPartyDomain) {
return false;
}
return true;
}
bool Overlaps(const OriginAttributesPattern& aOther) const
{
if (mAppId.WasPassed() && aOther.mAppId.WasPassed() &&
mAppId.Value() != aOther.mAppId.Value()) {
return false;
}
if (mInIsolatedMozBrowser.WasPassed() &&
aOther.mInIsolatedMozBrowser.WasPassed() &&
mInIsolatedMozBrowser.Value() != aOther.mInIsolatedMozBrowser.Value()) {
return false;
}
if (mAddonId.WasPassed() && aOther.mAddonId.WasPassed() &&
mAddonId.Value() != aOther.mAddonId.Value()) {
return false;
}
if (mUserContextId.WasPassed() && aOther.mUserContextId.WasPassed() &&
mUserContextId.Value() != aOther.mUserContextId.Value()) {
return false;
}
if (mPrivateBrowsingId.WasPassed() && aOther.mPrivateBrowsingId.WasPassed() &&
mPrivateBrowsingId.Value() != aOther.mPrivateBrowsingId.Value()) {
return false;
}
if (mFirstPartyDomain.WasPassed() && aOther.mFirstPartyDomain.WasPassed() &&
mFirstPartyDomain.Value() != aOther.mFirstPartyDomain.Value()) {
return false;
}
return true;
}
};
/*
* Base class from which all nsIPrincipal implementations inherit. Use this for
* default implementations and other commonalities between principal
* implementations.
*
* We should merge nsJSPrincipals into this class at some point.
*/
class BasePrincipal : public nsJSPrincipals
{
public:
BasePrincipal();
enum DocumentDomainConsideration { DontConsiderDocumentDomain, ConsiderDocumentDomain};
bool Subsumes(nsIPrincipal* aOther, DocumentDomainConsideration aConsideration);
NS_IMETHOD GetOrigin(nsACString& aOrigin) final;
NS_IMETHOD GetOriginNoSuffix(nsACString& aOrigin) final;
NS_IMETHOD Equals(nsIPrincipal* other, bool* _retval) final;
NS_IMETHOD EqualsConsideringDomain(nsIPrincipal* other, bool* _retval) final;
NS_IMETHOD Subsumes(nsIPrincipal* other, bool* _retval) final;
NS_IMETHOD SubsumesConsideringDomain(nsIPrincipal* other, bool* _retval) final;
NS_IMETHOD CheckMayLoad(nsIURI* uri, bool report, bool allowIfInheritsPrincipal) final;
NS_IMETHOD GetCsp(nsIContentSecurityPolicy** aCsp) override;
NS_IMETHOD SetCsp(nsIContentSecurityPolicy* aCsp) override;
NS_IMETHOD EnsureCSP(nsIDOMDocument* aDocument, nsIContentSecurityPolicy** aCSP) override;
NS_IMETHOD GetPreloadCsp(nsIContentSecurityPolicy** aPreloadCSP) override;
NS_IMETHOD EnsurePreloadCSP(nsIDOMDocument* aDocument, nsIContentSecurityPolicy** aCSP) override;
NS_IMETHOD GetCspJSON(nsAString& outCSPinJSON) override;
NS_IMETHOD GetIsNullPrincipal(bool* aResult) override;
NS_IMETHOD GetIsCodebasePrincipal(bool* aResult) override;
NS_IMETHOD GetIsExpandedPrincipal(bool* aResult) override;
NS_IMETHOD GetIsSystemPrincipal(bool* aResult) override;
NS_IMETHOD GetOriginAttributes(JSContext* aCx, JS::MutableHandle<JS::Value> aVal) final;
NS_IMETHOD GetOriginSuffix(nsACString& aOriginSuffix) final;
NS_IMETHOD GetAppStatus(uint16_t* aAppStatus) final;
NS_IMETHOD GetAppId(uint32_t* aAppStatus) final;
NS_IMETHOD GetAddonId(nsAString& aAddonId) final;
NS_IMETHOD GetIsInIsolatedMozBrowserElement(bool* aIsInIsolatedMozBrowserElement) final;
NS_IMETHOD GetUnknownAppId(bool* aUnknownAppId) final;
NS_IMETHOD GetUserContextId(uint32_t* aUserContextId) final;
NS_IMETHOD GetPrivateBrowsingId(uint32_t* aPrivateBrowsingId) final;
bool EqualsIgnoringAddonId(nsIPrincipal *aOther);
virtual bool AddonHasPermission(const nsAString& aPerm);
virtual bool IsOnCSSUnprefixingWhitelist() override { return false; }
virtual bool IsCodebasePrincipal() const { return false; };
static BasePrincipal* Cast(nsIPrincipal* aPrin) { return static_cast<BasePrincipal*>(aPrin); }
static already_AddRefed<BasePrincipal>
CreateCodebasePrincipal(nsIURI* aURI, const PrincipalOriginAttributes& aAttrs);
static already_AddRefed<BasePrincipal> CreateCodebasePrincipal(const nsACString& aOrigin);
const PrincipalOriginAttributes& OriginAttributesRef() { return mOriginAttributes; }
uint32_t AppId() const { return mOriginAttributes.mAppId; }
uint32_t UserContextId() const { return mOriginAttributes.mUserContextId; }
uint32_t PrivateBrowsingId() const { return mOriginAttributes.mPrivateBrowsingId; }
bool IsInIsolatedMozBrowserElement() const { return mOriginAttributes.mInIsolatedMozBrowser; }
enum PrincipalKind {
eNullPrincipal,
eCodebasePrincipal,
eExpandedPrincipal,
eSystemPrincipal
};
virtual PrincipalKind Kind() = 0;
already_AddRefed<BasePrincipal> CloneStrippingUserContextIdAndFirstPartyDomain();
protected:
virtual ~BasePrincipal();
virtual nsresult GetOriginInternal(nsACString& aOrigin) = 0;
// Note that this does not check OriginAttributes. Callers that depend on
// those must call Subsumes instead.
virtual bool SubsumesInternal(nsIPrincipal* aOther, DocumentDomainConsideration aConsider) = 0;
// Internal, side-effect-free check to determine whether the concrete
// principal would allow the load ignoring any common behavior implemented in
// BasePrincipal::CheckMayLoad.
virtual bool MayLoadInternal(nsIURI* aURI) = 0;
friend class ::nsExpandedPrincipal;
// Helper to check whether this principal is associated with an addon that
// allows unprivileged code to load aURI.
bool AddonAllowsLoad(nsIURI* aURI);
nsCOMPtr<nsIContentSecurityPolicy> mCSP;
nsCOMPtr<nsIContentSecurityPolicy> mPreloadCSP;
PrincipalOriginAttributes mOriginAttributes;
};
} // namespace mozilla
#endif /* mozilla_BasePrincipal_h */
|