2017-06-19 07:59:44 +03:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
#include "FramingChecker.h"
|
|
|
|
#include "nsCharSeparatedTokenizer.h"
|
|
|
|
#include "nsCSPUtils.h"
|
|
|
|
#include "nsDocShell.h"
|
2019-11-06 15:53:46 +03:00
|
|
|
#include "nsHttpChannel.h"
|
2017-06-19 07:59:44 +03:00
|
|
|
#include "nsIChannel.h"
|
|
|
|
#include "nsIConsoleService.h"
|
|
|
|
#include "nsIContentSecurityPolicy.h"
|
|
|
|
#include "nsIScriptError.h"
|
|
|
|
#include "nsNetUtil.h"
|
|
|
|
#include "nsQueryObject.h"
|
|
|
|
#include "mozilla/dom/nsCSPUtils.h"
|
2019-01-11 14:43:39 +03:00
|
|
|
#include "mozilla/dom/LoadURIOptionsBinding.h"
|
2018-09-18 17:57:04 +03:00
|
|
|
#include "mozilla/NullPrincipal.h"
|
2019-07-24 15:23:32 +03:00
|
|
|
#include "nsIStringBundle.h"
|
2017-06-19 07:59:44 +03:00
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
#include "nsIObserverService.h"
|
|
|
|
|
2017-06-19 07:59:44 +03:00
|
|
|
using namespace mozilla;
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
/* static */
|
|
|
|
void FramingChecker::ReportError(const char* aMessageTag, nsIURI* aParentURI,
|
|
|
|
nsIURI* aChildURI, const nsAString& aPolicy,
|
|
|
|
uint64_t aInnerWindowID) {
|
|
|
|
MOZ_ASSERT(aParentURI, "Need a parent URI");
|
|
|
|
if (!aChildURI || !aParentURI) {
|
2019-07-24 15:23:32 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the parent URL spec
|
|
|
|
nsAutoCString parentSpec;
|
|
|
|
nsresult rv;
|
2019-10-31 11:28:35 +03:00
|
|
|
rv = aParentURI->GetAsciiSpec(parentSpec);
|
2019-07-24 15:23:32 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the child URL spec
|
|
|
|
nsAutoCString childSpec;
|
|
|
|
rv = aChildURI->GetAsciiSpec(childSpec);
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
nsCOMPtr<nsIStringBundleService> bundleService =
|
|
|
|
mozilla::services::GetStringBundleService();
|
|
|
|
nsCOMPtr<nsIStringBundle> bundle;
|
|
|
|
rv = bundleService->CreateBundle(
|
|
|
|
"chrome://global/locale/security/security.properties",
|
|
|
|
getter_AddRefs(bundle));
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (NS_WARN_IF(!bundle)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
nsCOMPtr<nsIConsoleService> console(
|
|
|
|
do_GetService(NS_CONSOLESERVICE_CONTRACTID));
|
|
|
|
nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
|
|
|
|
if (!console || !error) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Localize the error message
|
|
|
|
nsAutoString message;
|
|
|
|
AutoTArray<nsString, 3> formatStrings;
|
|
|
|
formatStrings.AppendElement(aPolicy);
|
|
|
|
CopyASCIItoUTF16(childSpec, *formatStrings.AppendElement());
|
|
|
|
CopyASCIItoUTF16(parentSpec, *formatStrings.AppendElement());
|
|
|
|
rv = bundle->FormatStringFromName(aMessageTag, formatStrings, message);
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = error->InitWithWindowID(message, EmptyString(), EmptyString(), 0, 0,
|
|
|
|
nsIScriptError::errorFlag, "X-Frame-Options",
|
2019-10-31 11:28:35 +03:00
|
|
|
aInnerWindowID);
|
2019-07-24 15:23:32 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
console->LogMessage(error);
|
|
|
|
}
|
|
|
|
|
2019-02-26 01:05:29 +03:00
|
|
|
/* static */
|
2019-10-31 11:28:35 +03:00
|
|
|
void FramingChecker::ReportError(const char* aMessageTag,
|
|
|
|
BrowsingContext* aParentContext,
|
|
|
|
nsIURI* aChildURI, const nsAString& aPolicy,
|
|
|
|
uint64_t aInnerWindowID) {
|
|
|
|
nsCOMPtr<nsIURI> parentURI;
|
|
|
|
if (aParentContext) {
|
|
|
|
BrowsingContext* topContext = aParentContext->Top();
|
|
|
|
WindowGlobalParent* window =
|
|
|
|
topContext->Canonical()->GetCurrentWindowGlobal();
|
|
|
|
if (window) {
|
|
|
|
parentURI = window->GetDocumentURI();
|
|
|
|
}
|
2017-06-19 07:59:44 +03:00
|
|
|
}
|
2019-10-31 11:28:35 +03:00
|
|
|
ReportError(aMessageTag, parentURI, aChildURI, aPolicy, aInnerWindowID);
|
|
|
|
}
|
2017-06-19 07:59:44 +03:00
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
/* static */
|
|
|
|
bool FramingChecker::CheckOneFrameOptionsPolicy(nsIHttpChannel* aHttpChannel,
|
|
|
|
const nsAString& aPolicy) {
|
2017-06-19 07:59:44 +03:00
|
|
|
nsCOMPtr<nsIURI> uri;
|
|
|
|
aHttpChannel->GetURI(getter_AddRefs(uri));
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
nsCOMPtr<nsILoadInfo> loadInfo = aHttpChannel->LoadInfo();
|
|
|
|
uint64_t innerWindowID = loadInfo->GetInnerWindowID();
|
|
|
|
RefPtr<mozilla::dom::BrowsingContext> ctx;
|
|
|
|
loadInfo->GetBrowsingContext(getter_AddRefs(ctx));
|
|
|
|
|
2019-07-24 15:23:32 +03:00
|
|
|
// return early if header does not have one of the values with meaning
|
|
|
|
if (!aPolicy.LowerCaseEqualsLiteral("deny") &&
|
|
|
|
!aPolicy.LowerCaseEqualsLiteral("sameorigin")) {
|
2019-10-31 11:28:35 +03:00
|
|
|
ReportError("XFOInvalid", ctx, uri, aPolicy, innerWindowID);
|
2017-06-19 07:59:44 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-11-03 18:37:10 +03:00
|
|
|
// If the X-Frame-Options value is SAMEORIGIN, then the top frame in the
|
|
|
|
// parent chain must be from the same origin as this document.
|
|
|
|
bool checkSameOrigin = aPolicy.LowerCaseEqualsLiteral("sameorigin");
|
2019-10-31 11:28:35 +03:00
|
|
|
nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
|
2017-11-03 18:37:10 +03:00
|
|
|
nsCOMPtr<nsIURI> topUri;
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
while (ctx) {
|
|
|
|
WindowGlobalParent* window = ctx->Canonical()->GetCurrentWindowGlobal();
|
|
|
|
if (window) {
|
|
|
|
if (window->DocumentPrincipal()->IsSystemPrincipal()) {
|
|
|
|
return true;
|
2017-06-19 07:59:44 +03:00
|
|
|
}
|
2019-10-31 11:28:35 +03:00
|
|
|
// Using the URI of the Principal and not the document because e.g.
|
|
|
|
// window.open inherits the principal and hence the URI of the
|
|
|
|
// opening context needed for same origin checks.
|
|
|
|
nsCOMPtr<nsIPrincipal> principal = window->DocumentPrincipal();
|
|
|
|
principal->GetURI(getter_AddRefs(topUri));
|
2017-11-03 18:37:10 +03:00
|
|
|
|
|
|
|
if (checkSameOrigin) {
|
2018-09-25 08:25:05 +03:00
|
|
|
bool isPrivateWin =
|
2019-10-31 11:28:35 +03:00
|
|
|
principal->OriginAttributesRef().mPrivateBrowsingId > 0;
|
|
|
|
nsresult rv = ssm->CheckSameOriginURI(uri, topUri, true, isPrivateWin);
|
2017-11-03 18:37:10 +03:00
|
|
|
// one of the ancestors is not same origin as this document
|
|
|
|
if (NS_FAILED(rv)) {
|
2019-10-31 11:28:35 +03:00
|
|
|
ReportError("XFOSameOrigin", topUri, uri, aPolicy, innerWindowID);
|
2017-11-03 18:37:10 +03:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2017-06-19 07:59:44 +03:00
|
|
|
}
|
2019-10-31 11:28:35 +03:00
|
|
|
ctx = ctx->GetParent();
|
2017-06-19 07:59:44 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the value of the header is DENY, and the previous condition is
|
|
|
|
// not met (current docshell is not the top docshell), prohibit the
|
|
|
|
// load.
|
|
|
|
if (aPolicy.LowerCaseEqualsLiteral("deny")) {
|
2019-10-31 11:28:35 +03:00
|
|
|
RefPtr<mozilla::dom::BrowsingContext> ctx;
|
|
|
|
loadInfo->GetBrowsingContext(getter_AddRefs(ctx));
|
|
|
|
ReportError("XFODeny", ctx, uri, aPolicy, innerWindowID);
|
2017-06-19 07:59:44 +03:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ignore x-frame-options if CSP with frame-ancestors exists
|
|
|
|
static bool ShouldIgnoreFrameOptions(nsIChannel* aChannel,
|
2019-05-22 02:14:27 +03:00
|
|
|
nsIContentSecurityPolicy* aCSP) {
|
2017-06-19 07:59:44 +03:00
|
|
|
NS_ENSURE_TRUE(aChannel, false);
|
2019-05-22 02:14:27 +03:00
|
|
|
NS_ENSURE_TRUE(aCSP, false);
|
2017-06-19 07:59:44 +03:00
|
|
|
|
|
|
|
bool enforcesFrameAncestors = false;
|
2019-05-22 02:14:27 +03:00
|
|
|
aCSP->GetEnforcesFrameAncestors(&enforcesFrameAncestors);
|
2017-06-19 07:59:44 +03:00
|
|
|
if (!enforcesFrameAncestors) {
|
|
|
|
// if CSP does not contain frame-ancestors, then there
|
|
|
|
// is nothing to do here.
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// log warning to console that xfo is ignored because of CSP
|
2019-02-20 15:27:25 +03:00
|
|
|
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
|
|
|
|
uint64_t innerWindowID = loadInfo->GetInnerWindowID();
|
|
|
|
bool privateWindow = !!loadInfo->GetOriginAttributes().mPrivateBrowsingId;
|
2019-06-11 18:51:51 +03:00
|
|
|
AutoTArray<nsString, 2> params = {NS_LITERAL_STRING("x-frame-options"),
|
|
|
|
NS_LITERAL_STRING("frame-ancestors")};
|
2017-07-12 08:13:37 +03:00
|
|
|
CSP_LogLocalizedStr("IgnoringSrcBecauseOfDirective", params,
|
2017-06-19 07:59:44 +03:00
|
|
|
EmptyString(), // no sourcefile
|
|
|
|
EmptyString(), // no scriptsample
|
|
|
|
0, // no linenumber
|
|
|
|
0, // no columnnumber
|
|
|
|
nsIScriptError::warningFlag,
|
2018-07-20 20:57:21 +03:00
|
|
|
NS_LITERAL_CSTRING("IgnoringSrcBecauseOfDirective"),
|
2018-03-13 08:40:38 +03:00
|
|
|
innerWindowID, privateWindow);
|
2017-06-19 07:59:44 +03:00
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if X-Frame-Options permits this document to be loaded as a subdocument.
|
|
|
|
// This will iterate through and check any number of X-Frame-Options policies
|
|
|
|
// in the request (comma-separated in a header, multiple headers, etc).
|
2019-02-26 01:05:29 +03:00
|
|
|
/* static */
|
|
|
|
bool FramingChecker::CheckFrameOptions(nsIChannel* aChannel,
|
2019-05-22 02:14:27 +03:00
|
|
|
nsIContentSecurityPolicy* aCsp) {
|
2019-10-31 11:28:35 +03:00
|
|
|
MOZ_ASSERT(XRE_IsParentProcess(), "x-frame-options check only in parent");
|
|
|
|
|
|
|
|
if (!aChannel) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
|
|
|
|
nsContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
|
|
|
|
|
2019-11-06 15:53:46 +03:00
|
|
|
// xfo check only makes sense for subdocument and object loads, if this is
|
2019-10-31 11:28:35 +03:00
|
|
|
// not a load of such type, there is nothing to do here.
|
2019-11-06 15:53:46 +03:00
|
|
|
if (contentType != nsIContentPolicy::TYPE_SUBDOCUMENT &&
|
|
|
|
contentType != nsIContentPolicy::TYPE_OBJECT) {
|
2017-06-19 07:59:44 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
// xfo checks are ignored in case CSP frame-ancestors is present,
|
|
|
|
// if so, there is nothing to do here.
|
2019-05-22 02:14:27 +03:00
|
|
|
if (ShouldIgnoreFrameOptions(aChannel, aCsp)) {
|
2017-06-19 07:59:44 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-11-21 15:10:29 +03:00
|
|
|
// if the load is triggered by an extension, then xfo should
|
|
|
|
// not apply and we should allow the load.
|
|
|
|
if (loadInfo->TriggeringPrincipal()->GetIsAddonOrExpandedAddonPrincipal()) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
nsCOMPtr<nsIHttpChannel> httpChannel;
|
|
|
|
nsresult rv = nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
|
|
|
|
aChannel, getter_AddRefs(httpChannel));
|
|
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
|
|
return true;
|
2017-06-19 07:59:44 +03:00
|
|
|
}
|
|
|
|
|
2019-10-31 11:28:35 +03:00
|
|
|
// xfo can only hang off an httpchannel, if this is not an httpChannel
|
|
|
|
// then there is nothing to do here.
|
2017-06-19 07:59:44 +03:00
|
|
|
if (!httpChannel) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-11-06 15:53:46 +03:00
|
|
|
// ignore XFO checks on channels that will be redirected
|
|
|
|
uint32_t responseStatus;
|
|
|
|
rv = httpChannel->GetResponseStatus(&responseStatus);
|
|
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
if (mozilla::net::nsHttpChannel::IsRedirectStatus(responseStatus)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-06-19 07:59:44 +03:00
|
|
|
nsAutoCString xfoHeaderCValue;
|
|
|
|
Unused << httpChannel->GetResponseHeader(
|
|
|
|
NS_LITERAL_CSTRING("X-Frame-Options"), xfoHeaderCValue);
|
|
|
|
NS_ConvertUTF8toUTF16 xfoHeaderValue(xfoHeaderCValue);
|
|
|
|
|
|
|
|
// if no header value, there's nothing to do.
|
|
|
|
if (xfoHeaderValue.IsEmpty()) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// iterate through all the header values (usually there's only one, but can
|
|
|
|
// be many. If any want to deny the load, deny the load.
|
|
|
|
nsCharSeparatedTokenizer tokenizer(xfoHeaderValue, ',');
|
|
|
|
while (tokenizer.hasMoreTokens()) {
|
2017-06-20 12:19:52 +03:00
|
|
|
const nsAString& tok = tokenizer.nextToken();
|
2019-10-31 11:28:35 +03:00
|
|
|
if (!CheckOneFrameOptionsPolicy(httpChannel, tok)) {
|
|
|
|
// if xfo blocks the load we are notifying observers for
|
|
|
|
// testing purposes because there is no event to gather
|
|
|
|
// what an iframe load was blocked or not.
|
|
|
|
nsCOMPtr<nsIURI> uri;
|
|
|
|
httpChannel->GetURI(getter_AddRefs(uri));
|
|
|
|
nsCOMPtr<nsIObserverService> observerService =
|
|
|
|
mozilla::services::GetObserverService();
|
|
|
|
nsAutoString policy(tok);
|
|
|
|
observerService->NotifyObservers(uri, "xfo-on-violate-policy",
|
|
|
|
policy.get());
|
2017-06-19 07:59:44 +03:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|