Bug 1725339 - Restrict systemprincipal from loading type *SUBDOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D122420
2021-08-23 09:23:25 +00:00 · 2021-08-23 09:23:25 +00:00 · 0d6ba1700d
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@ -957,25 +957,35 @@ void nsContentSecurityManager::MeasureUnexpectedPrivilegedLoads(
 /* static */
 nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
    nsIChannel* aChannel) {
-  // Check and assert that we never allow remote documents/scripts (http:,
-  // https:, ...) to load in system privileged contexts.
  nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();

-  // nothing to do here if we are not loading a resource into a
-  // system prvileged context.
-  if (!loadInfo->GetLoadingPrincipal() ||
-      !loadInfo->GetLoadingPrincipal()->IsSystemPrincipal()) {
-    return NS_OK;
-  }
  // loads with the allow flag are waived through
  // until refactored (e.g., Shavar, OCSP)
  if (loadInfo->GetAllowDeprecatedSystemRequests()) {
    return NS_OK;
  }
-
  ExtContentPolicyType contentPolicyType =
      loadInfo->GetExternalContentPolicyType();

+  // For now, let's not inspect top-level document loads
+  if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT) {
+    return NS_OK;
+  }
+
+  // We mostly care about the triggeringPrincipal,
+  // unless this is a TYPE_DOCUMENT request, which has none.
+  nsCOMPtr<nsIPrincipal> inspectedPrincipal;
+  if (contentPolicyType != ExtContentPolicy::TYPE_DOCUMENT) {
+    inspectedPrincipal = loadInfo->GetLoadingPrincipal();
+  } else {
+    inspectedPrincipal = loadInfo->TriggeringPrincipal();
+  }
+
+  // Check if we are actually dealing with a SystemPrincipal request
+  if (!inspectedPrincipal || !inspectedPrincipal->IsSystemPrincipal()) {
+    return NS_OK;
+  }
+
  // allowing some fetches due to their lowered risk
  // i.e., data & downloads fetches do limited parsing, no rendering
  // remote images are too widely used (favicons, about:addons etc.)
@ -1047,9 +1057,7 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
  }
  // Telemetry for unexpected privileged loads.
  // pref check & data sanitization happens in the called function
-  if (finalURI) {
-    MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType);
-  }
+  MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType);

  // Relaxing restrictions for our test suites:
  // (1) AreNonLocalConnectionsDisabled() disables network, so http://mochitest
@ -1073,9 +1081,34 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
  nsAutoCString requestedURL;
  finalURI->GetAsciiSpec(requestedURL);
  MOZ_LOG(sCSMLog, LogLevel::Warning,
-          ("SystemPrincipal must not load remote documents. URL: %s, type %d",
+          ("SystemPrincipal should not load remote resources. URL: %s, type %d",
           requestedURL.get(), int(contentPolicyType)));

+  // The load types that we want to disallow, will extend over time and
+  // prioritized by risk. The most risky/dangerous are load-types are documents,
+  // subdocuments, scripts and styles in that order. The most dangerous URL
+  // schemes to cover are HTTP, HTTPS, data, blob in that order. Meta bug
+  // 1725112 will track upcoming restrictions
+  if (contentPolicyType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
+    if (StaticPrefs::security_disallow_privileged_https_subdocuments_loads() &&
+        (finalURI->SchemeIs("http") || finalURI->SchemeIs("https"))) {
+#ifdef DEBUG
+      MOZ_CRASH("Disallowing SystemPrincipal load of subdocuments on HTTP(S).");
+#endif
+      aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+      return NS_ERROR_CONTENT_BLOCKED;
+    }
+    if ((StaticPrefs::security_disallow_privileged_data_subdocuments_loads()) &&
+        (finalURI->SchemeIs("data"))) {
+#ifdef DEBUG
+      MOZ_CRASH(
+          "Disallowing SystemPrincipal load of subdocuments on data URL.");
+#endif
+      aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+      return NS_ERROR_CONTENT_BLOCKED;
+    }
+  }
+
  if (cancelNonLocalSystemPrincipal) {
    MOZ_ASSERT(false, "SystemPrincipal must not load remote documents.");
    aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -10887,6 +10887,20 @@
  value: false
  mirror: always

+# Cancel outgoing requests from SystemPrincipal:
+# but only with scheme http(s) and contentpolicytype subdocument
+- name: security.disallow_privileged_https_subdocuments_loads
+  type: bool
+  value: true
+  mirror: always
+
+# Cancel outgoing requests from SystemPrincipal:
+# but only with scheme data and contentpolicytype subdocument
+- name: security.disallow_privileged_data_subdocuments_loads
+  type: bool
+  value: false
+  mirror: always
+
 # Disable preloaded static key pins by default.
 - name: security.cert_pinning.enforcement_level
  type: ReleaseAcquireAtomicUint32