1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "AddonContentPolicy.h"
8
9 #include "mozilla/dom/nsCSPUtils.h"
10 #include "nsCOMPtr.h"
11 #include "nsContentPolicyUtils.h"
12 #include "nsContentTypeParser.h"
13 #include "nsContentUtils.h"
14 #include "nsIConsoleService.h"
15 #include "nsIContentSecurityPolicy.h"
16 #include "nsIContent.h"
17 #include "nsIDocument.h"
18 #include "nsIEffectiveTLDService.h"
19 #include "nsIScriptError.h"
20 #include "nsIStringBundle.h"
21 #include "nsIUUIDGenerator.h"
22 #include "nsIURI.h"
23 #include "nsNetCID.h"
24 #include "nsNetUtil.h"
25
26 using namespace mozilla;
27
28 /* Enforces content policies for WebExtension scopes. Currently:
29 *
30 * - Prevents loading scripts with a non-default JavaScript version.
31 * - Checks custom content security policies for sufficiently stringent
32 * script-src and object-src directives.
33 */
34
35 #define VERSIONED_JS_BLOCKED_MESSAGE \
36 u"Versioned JavaScript is a non-standard, deprecated extension, and is " \
37 u"not supported in WebExtension code. For alternatives, please see: " \
38 u"https://developer.mozilla.org/Add-ons/WebExtensions/Tips"
39
AddonContentPolicy()40 AddonContentPolicy::AddonContentPolicy()
41 {
42 }
43
~AddonContentPolicy()44 AddonContentPolicy::~AddonContentPolicy()
45 {
46 }
47
NS_IMPL_ISUPPORTS(AddonContentPolicy,nsIContentPolicy,nsIAddonContentPolicy)48 NS_IMPL_ISUPPORTS(AddonContentPolicy, nsIContentPolicy, nsIAddonContentPolicy)
49
50 static nsresult
51 GetWindowIDFromContext(nsISupports* aContext, uint64_t *aResult)
52 {
53 NS_ENSURE_TRUE(aContext, NS_ERROR_FAILURE);
54
55 nsCOMPtr<nsIContent> content = do_QueryInterface(aContext);
56 NS_ENSURE_TRUE(content, NS_ERROR_FAILURE);
57
58 nsCOMPtr<nsIDocument> document = content->OwnerDoc();
59 NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
60
61 nsCOMPtr<nsPIDOMWindowInner> window = document->GetInnerWindow();
62 NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
63
64 *aResult = window->WindowID();
65 return NS_OK;
66 }
67
68 static nsresult
LogMessage(const nsAString & aMessage,nsIURI * aSourceURI,const nsAString & aSourceSample,nsISupports * aContext)69 LogMessage(const nsAString &aMessage, nsIURI* aSourceURI, const nsAString &aSourceSample,
70 nsISupports* aContext)
71 {
72 nsCOMPtr<nsIScriptError> error = do_CreateInstance(NS_SCRIPTERROR_CONTRACTID);
73 NS_ENSURE_TRUE(error, NS_ERROR_OUT_OF_MEMORY);
74
75 nsCString sourceName = aSourceURI->GetSpecOrDefault();
76
77 uint64_t windowID = 0;
78 GetWindowIDFromContext(aContext, &windowID);
79
80 nsresult rv =
81 error->InitWithWindowID(aMessage, NS_ConvertUTF8toUTF16(sourceName),
82 aSourceSample, 0, 0, nsIScriptError::errorFlag,
83 "JavaScript", windowID);
84 NS_ENSURE_SUCCESS(rv, rv);
85
86 nsCOMPtr<nsIConsoleService> console = do_GetService(NS_CONSOLESERVICE_CONTRACTID);
87 NS_ENSURE_TRUE(console, NS_ERROR_OUT_OF_MEMORY);
88
89 console->LogMessage(error);
90 return NS_OK;
91 }
92
93
94 // Content policy enforcement:
95
96 NS_IMETHODIMP
ShouldLoad(uint32_t aContentType,nsIURI * aContentLocation,nsIURI * aRequestOrigin,nsISupports * aContext,const nsACString & aMimeTypeGuess,nsISupports * aExtra,nsIPrincipal * aRequestPrincipal,int16_t * aShouldLoad)97 AddonContentPolicy::ShouldLoad(uint32_t aContentType,
98 nsIURI* aContentLocation,
99 nsIURI* aRequestOrigin,
100 nsISupports* aContext,
101 const nsACString& aMimeTypeGuess,
102 nsISupports* aExtra,
103 nsIPrincipal* aRequestPrincipal,
104 int16_t* aShouldLoad)
105 {
106 MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
107 "We should only see external content policy types here.");
108
109 *aShouldLoad = nsIContentPolicy::ACCEPT;
110
111 if (!aRequestOrigin) {
112 return NS_OK;
113 }
114
115 // Only apply this policy to requests from documents loaded from
116 // moz-extension URLs, or to resources being loaded from moz-extension URLs.
117 bool equals;
118 if (!((NS_SUCCEEDED(aContentLocation->SchemeIs("moz-extension", &equals)) && equals) ||
119 (NS_SUCCEEDED(aRequestOrigin->SchemeIs("moz-extension", &equals)) && equals))) {
120 return NS_OK;
121 }
122
123 if (aContentType == nsIContentPolicy::TYPE_SCRIPT) {
124 NS_ConvertUTF8toUTF16 typeString(aMimeTypeGuess);
125 nsContentTypeParser mimeParser(typeString);
126
127 // Reject attempts to load JavaScript scripts with a non-default version.
128 nsAutoString mimeType, version;
129 if (NS_SUCCEEDED(mimeParser.GetType(mimeType)) &&
130 nsContentUtils::IsJavascriptMIMEType(mimeType) &&
131 NS_SUCCEEDED(mimeParser.GetParameter("version", version))) {
132 *aShouldLoad = nsIContentPolicy::REJECT_REQUEST;
133
134 LogMessage(NS_MULTILINE_LITERAL_STRING(VERSIONED_JS_BLOCKED_MESSAGE),
135 aRequestOrigin, typeString, aContext);
136 return NS_OK;
137 }
138 }
139
140 return NS_OK;
141 }
142
143 NS_IMETHODIMP
ShouldProcess(uint32_t aContentType,nsIURI * aContentLocation,nsIURI * aRequestOrigin,nsISupports * aRequestingContext,const nsACString & aMimeTypeGuess,nsISupports * aExtra,nsIPrincipal * aRequestPrincipal,int16_t * aShouldProcess)144 AddonContentPolicy::ShouldProcess(uint32_t aContentType,
145 nsIURI* aContentLocation,
146 nsIURI* aRequestOrigin,
147 nsISupports* aRequestingContext,
148 const nsACString& aMimeTypeGuess,
149 nsISupports* aExtra,
150 nsIPrincipal* aRequestPrincipal,
151 int16_t* aShouldProcess)
152 {
153 MOZ_ASSERT(aContentType == nsContentUtils::InternalContentPolicyTypeToExternal(aContentType),
154 "We should only see external content policy types here.");
155
156 *aShouldProcess = nsIContentPolicy::ACCEPT;
157 return NS_OK;
158 }
159
160
161 // CSP Validation:
162
163 static const char* allowedSchemes[] = {
164 "blob",
165 "filesystem",
166 nullptr
167 };
168
169 static const char* allowedHostSchemes[] = {
170 "https",
171 "moz-extension",
172 nullptr
173 };
174
175 /**
176 * Validates a CSP directive to ensure that it is sufficiently stringent.
177 * In particular, ensures that:
178 *
179 * - No remote sources are allowed other than from https: schemes
180 *
181 * - No remote sources specify host wildcards for generic domains
182 * (*.blogspot.com, *.com, *)
183 *
184 * - All remote sources and local extension sources specify a host
185 *
186 * - No scheme sources are allowed other than blob:, filesystem:,
187 * moz-extension:, and https:
188 *
189 * - No keyword sources are allowed other than 'none', 'self', 'unsafe-eval',
190 * and hash sources.
191 */
192 class CSPValidator final : public nsCSPSrcVisitor {
193 public:
CSPValidator(nsAString & aURL,CSPDirective aDirective,bool aDirectiveRequired=true)194 CSPValidator(nsAString& aURL, CSPDirective aDirective, bool aDirectiveRequired = true) :
195 mURL(aURL),
196 mDirective(CSP_CSPDirectiveToString(aDirective)),
197 mFoundSelf(false)
198 {
199 // Start with the default error message for a missing directive, since no
200 // visitors will be called if the directive isn't present.
201 if (aDirectiveRequired) {
202 FormatError("csp.error.missing-directive");
203 }
204 }
205
206 // Visitors
207
visitSchemeSrc(const nsCSPSchemeSrc & src)208 bool visitSchemeSrc(const nsCSPSchemeSrc& src) override
209 {
210 nsAutoString scheme;
211 src.getScheme(scheme);
212
213 if (SchemeInList(scheme, allowedHostSchemes)) {
214 FormatError("csp.error.missing-host", scheme);
215 return false;
216 }
217 if (!SchemeInList(scheme, allowedSchemes)) {
218 FormatError("csp.error.illegal-protocol", scheme);
219 return false;
220 }
221 return true;
222 };
223
visitHostSrc(const nsCSPHostSrc & src)224 bool visitHostSrc(const nsCSPHostSrc& src) override
225 {
226 nsAutoString scheme, host;
227
228 src.getScheme(scheme);
229 src.getHost(host);
230
231 if (scheme.LowerCaseEqualsLiteral("https")) {
232 if (!HostIsAllowed(host)) {
233 FormatError("csp.error.illegal-host-wildcard", scheme);
234 return false;
235 }
236 } else if (scheme.LowerCaseEqualsLiteral("moz-extension")) {
237 // The CSP parser silently converts 'self' keywords to the origin
238 // URL, so we need to reconstruct the URL to see if it was present.
239 if (!mFoundSelf) {
240 nsAutoString url(u"moz-extension://");
241 url.Append(host);
242
243 mFoundSelf = url.Equals(mURL);
244 }
245
246 if (host.IsEmpty() || host.EqualsLiteral("*")) {
247 FormatError("csp.error.missing-host", scheme);
248 return false;
249 }
250 } else if (!SchemeInList(scheme, allowedSchemes)) {
251 FormatError("csp.error.illegal-protocol", scheme);
252 return false;
253 }
254
255 return true;
256 };
257
visitKeywordSrc(const nsCSPKeywordSrc & src)258 bool visitKeywordSrc(const nsCSPKeywordSrc& src) override
259 {
260 switch (src.getKeyword()) {
261 case CSP_NONE:
262 case CSP_SELF:
263 case CSP_UNSAFE_EVAL:
264 return true;
265
266 default:
267 NS_ConvertASCIItoUTF16 keyword(CSP_EnumToKeyword(src.getKeyword()));
268
269 FormatError("csp.error.illegal-keyword", keyword);
270 return false;
271 }
272 };
273
visitNonceSrc(const nsCSPNonceSrc & src)274 bool visitNonceSrc(const nsCSPNonceSrc& src) override
275 {
276 FormatError("csp.error.illegal-keyword", NS_LITERAL_STRING("'nonce-*'"));
277 return false;
278 };
279
visitHashSrc(const nsCSPHashSrc & src)280 bool visitHashSrc(const nsCSPHashSrc& src) override
281 {
282 return true;
283 };
284
285 // Accessors
286
GetError()287 inline nsAString& GetError()
288 {
289 return mError;
290 };
291
FoundSelf()292 inline bool FoundSelf()
293 {
294 return mFoundSelf;
295 };
296
297
298 // Formatters
299
300 template <typename... T>
FormatError(const char * aName,const T...aParams)301 inline void FormatError(const char* aName, const T ...aParams)
302 {
303 const char16_t* params[] = { mDirective.get(), aParams.get()... };
304 FormatErrorParams(aName, params, MOZ_ARRAY_LENGTH(params));
305 };
306
307 private:
308 // Validators
309
HostIsAllowed(nsAString & host)310 bool HostIsAllowed(nsAString& host)
311 {
312 if (host.First() == '*') {
313 if (host.EqualsLiteral("*") || host[1] != '.') {
314 return false;
315 }
316
317 host.Cut(0, 2);
318
319 nsCOMPtr<nsIEffectiveTLDService> tldService =
320 do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID);
321
322 if (!tldService) {
323 return false;
324 }
325
326 NS_ConvertUTF16toUTF8 cHost(host);
327 nsAutoCString publicSuffix;
328
329 nsresult rv = tldService->GetPublicSuffixFromHost(cHost, publicSuffix);
330
331 return NS_SUCCEEDED(rv) && !cHost.Equals(publicSuffix);
332 }
333
334 return true;
335 };
336
SchemeInList(nsAString & scheme,const char ** schemes)337 bool SchemeInList(nsAString& scheme, const char** schemes)
338 {
339 for (; *schemes; schemes++) {
340 if (scheme.LowerCaseEqualsASCII(*schemes)) {
341 return true;
342 }
343 }
344 return false;
345 };
346
347
348 // Formatters
349
350 already_AddRefed<nsIStringBundle>
GetStringBundle()351 GetStringBundle()
352 {
353 nsCOMPtr<nsIStringBundleService> sbs =
354 mozilla::services::GetStringBundleService();
355 NS_ENSURE_TRUE(sbs, nullptr);
356
357 nsCOMPtr<nsIStringBundle> stringBundle;
358 sbs->CreateBundle("chrome://global/locale/extensions.properties",
359 getter_AddRefs(stringBundle));
360
361 return stringBundle.forget();
362 };
363
FormatErrorParams(const char * aName,const char16_t ** aParams,int32_t aLength)364 void FormatErrorParams(const char* aName, const char16_t** aParams, int32_t aLength)
365 {
366 nsresult rv = NS_ERROR_FAILURE;
367
368 nsCOMPtr<nsIStringBundle> stringBundle = GetStringBundle();
369
370 if (stringBundle) {
371 NS_ConvertASCIItoUTF16 name(aName);
372
373 rv = stringBundle->FormatStringFromName(name.get(), aParams, aLength,
374 getter_Copies(mError));
375 }
376
377 if (NS_WARN_IF(NS_FAILED(rv))) {
378 mError.AssignLiteral("An unexpected error occurred");
379 }
380 };
381
382
383 // Data members
384
385 nsAutoString mURL;
386 NS_ConvertASCIItoUTF16 mDirective;
387 nsXPIDLString mError;
388
389 bool mFoundSelf;
390 };
391
392 /**
393 * Validates a custom content security policy string for use by an add-on.
394 * In particular, ensures that:
395 *
396 * - Both object-src and script-src directives are present, and meet
397 * the policies required by the CSPValidator class
398 *
399 * - The script-src directive includes the source 'self'
400 */
401 NS_IMETHODIMP
ValidateAddonCSP(const nsAString & aPolicyString,nsAString & aResult)402 AddonContentPolicy::ValidateAddonCSP(const nsAString& aPolicyString,
403 nsAString& aResult)
404 {
405 nsresult rv;
406
407 // Validate against a randomly-generated extension origin.
408 // There is no add-on-specific behavior in the CSP code, beyond the ability
409 // for add-ons to specify a custom policy, but the parser requires a valid
410 // origin in order to operate correctly.
411 nsAutoString url(u"moz-extension://");
412 {
413 nsCOMPtr<nsIUUIDGenerator> uuidgen = services::GetUUIDGenerator();
414 NS_ENSURE_TRUE(uuidgen, NS_ERROR_FAILURE);
415
416 nsID id;
417 rv = uuidgen->GenerateUUIDInPlace(&id);
418 NS_ENSURE_SUCCESS(rv, rv);
419
420 char idString[NSID_LENGTH];
421 id.ToProvidedString(idString);
422
423 MOZ_RELEASE_ASSERT(idString[0] == '{' && idString[NSID_LENGTH - 2] == '}',
424 "UUID generator did not return a valid UUID");
425
426 url.AppendASCII(idString + 1, NSID_LENGTH - 3);
427 }
428
429
430 RefPtr<BasePrincipal> principal =
431 BasePrincipal::CreateCodebasePrincipal(NS_ConvertUTF16toUTF8(url));
432
433 nsCOMPtr<nsIContentSecurityPolicy> csp;
434 rv = principal->EnsureCSP(nullptr, getter_AddRefs(csp));
435 NS_ENSURE_SUCCESS(rv, rv);
436
437
438 csp->AppendPolicy(aPolicyString, false, false);
439
440 const nsCSPPolicy* policy = csp->GetPolicy(0);
441 if (!policy) {
442 CSPValidator validator(url, nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE);
443 aResult.Assign(validator.GetError());
444 return NS_OK;
445 }
446
447 bool haveValidDefaultSrc = false;
448 {
449 CSPDirective directive = nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE;
450 CSPValidator validator(url, directive);
451
452 haveValidDefaultSrc = policy->visitDirectiveSrcs(directive, &validator);
453 }
454
455 aResult.SetIsVoid(true);
456 {
457 CSPDirective directive = nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE;
458 CSPValidator validator(url, directive, !haveValidDefaultSrc);
459
460 if (!policy->visitDirectiveSrcs(directive, &validator)) {
461 aResult.Assign(validator.GetError());
462 } else if (!validator.FoundSelf()) {
463 validator.FormatError("csp.error.missing-source", NS_LITERAL_STRING("'self'"));
464 aResult.Assign(validator.GetError());
465 }
466 }
467
468 if (aResult.IsVoid()) {
469 CSPDirective directive = nsIContentSecurityPolicy::OBJECT_SRC_DIRECTIVE;
470 CSPValidator validator(url, directive, !haveValidDefaultSrc);
471
472 if (!policy->visitDirectiveSrcs(directive, &validator)) {
473 aResult.Assign(validator.GetError());
474 }
475 }
476
477 return NS_OK;
478 }
479