зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1491825: add MOZ_LOG for content security checks r=ckerschb
Summary: This patch adds a new log module 'CSMLog' for checks in nsContentSecurityManager::doContentSecurityCheck. With log level 4 (debug) only HTTP URLs will be logged. Level 5 (verbose) logs for all loads. The logger shows the following information: - channel URI - loadingPrincipal - triggeringPrincipal - principal to be inherited - load flags from loadinfo Test Plan: n/a Reviewers: jkt, ckerschb Reviewed By: jkt, ckerschb Bug #: 1491825 Differential Revision: https://phabricator.services.mozilla.com/D6125 --HG-- extra : rebase_source : 673df7f627da05ff60a6d55fb86b1cf31e94ccf4 extra : histedit_source : 56d1880a1f34e09b37d5115eba2c6659824faa1b
This commit is contained in:
Родитель
bef9d48a23
Коммит
4f7300a921
|
@ -19,15 +19,20 @@
|
|||
#include "nsCDefaultURIFixup.h"
|
||||
#include "nsIURIFixup.h"
|
||||
#include "nsIImageLoadingContent.h"
|
||||
#include "nsIRedirectHistoryEntry.h"
|
||||
|
||||
#include "mozilla/dom/Element.h"
|
||||
#include "mozilla/dom/nsMixedContentBlocker.h"
|
||||
#include "mozilla/dom/TabChild.h"
|
||||
#include "mozilla/Logging.h"
|
||||
|
||||
|
||||
NS_IMPL_ISUPPORTS(nsContentSecurityManager,
|
||||
nsIContentSecurityManager,
|
||||
nsIChannelEventSink)
|
||||
|
||||
static mozilla::LazyLogModule sCSMLog("CSMLog");
|
||||
|
||||
/* static */ bool
|
||||
nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
|
||||
{
|
||||
|
@ -617,6 +622,168 @@ DoContentSecurityChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo)
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
static void
|
||||
LogPrincipal(nsIPrincipal* aPrincipal, const nsAString& aPrincipalName) {
|
||||
if (nsContentUtils::IsSystemPrincipal(aPrincipal)) {
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s: SystemPrincipal\n",
|
||||
NS_ConvertUTF16toUTF8(aPrincipalName).get()));
|
||||
return;
|
||||
}
|
||||
if (aPrincipal) {
|
||||
if (aPrincipal->GetIsNullPrincipal()) {
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s: NullPrincipal\n",
|
||||
NS_ConvertUTF16toUTF8(aPrincipalName).get()));
|
||||
return;
|
||||
}
|
||||
if (aPrincipal->GetIsExpandedPrincipal()) {
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s: Expanded Principal\n",
|
||||
NS_ConvertUTF16toUTF8(aPrincipalName).get()));
|
||||
return;
|
||||
}
|
||||
nsCOMPtr<nsIURI> principalURI;
|
||||
nsAutoCString principalSpec;
|
||||
aPrincipal->GetURI(getter_AddRefs(principalURI));
|
||||
if (principalURI) {
|
||||
principalURI->GetSpec(principalSpec);
|
||||
}
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s: %s\n",
|
||||
NS_ConvertUTF16toUTF8(aPrincipalName).get(), principalSpec.get()));
|
||||
return;
|
||||
}
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s: nullptr\n",
|
||||
NS_ConvertUTF16toUTF8(aPrincipalName).get()));
|
||||
}
|
||||
|
||||
static void
|
||||
LogSecurityFlags(nsSecurityFlags securityFlags) {
|
||||
struct DebugSecFlagType {
|
||||
unsigned long secFlag;
|
||||
char secTypeStr[128];
|
||||
};
|
||||
static const DebugSecFlagType secTypes[] =
|
||||
{
|
||||
{ nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
|
||||
"SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK" },
|
||||
{ nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS,
|
||||
"SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS" },
|
||||
{ nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
|
||||
"SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED" },
|
||||
{ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS,
|
||||
"SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS" },
|
||||
{ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
|
||||
"SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL" },
|
||||
{ nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS,
|
||||
"SEC_REQUIRE_CORS_DATA_INHERITS" },
|
||||
{ nsILoadInfo::SEC_COOKIES_DEFAULT,
|
||||
"SEC_COOKIES_DEFAULT" },
|
||||
{ nsILoadInfo::SEC_COOKIES_INCLUDE,
|
||||
"SEC_COOKIES_INCLUDE" },
|
||||
{ nsILoadInfo::SEC_COOKIES_SAME_ORIGIN,
|
||||
"SEC_COOKIES_SAME_ORIGIN" },
|
||||
{ nsILoadInfo::SEC_COOKIES_OMIT,
|
||||
"SEC_COOKIES_OMIT" },
|
||||
{ nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL,
|
||||
"SEC_FORCE_INHERIT_PRINCIPAL" },
|
||||
{ nsILoadInfo::SEC_SANDBOXED,
|
||||
"SEC_SANDBOXED" },
|
||||
{ nsILoadInfo::SEC_ABOUT_BLANK_INHERITS,
|
||||
"SEC_ABOUT_BLANK_INHERITS" },
|
||||
{ nsILoadInfo::SEC_ALLOW_CHROME,
|
||||
"SEC_ALLOW_CHROME" },
|
||||
{ nsILoadInfo::SEC_DISALLOW_SCRIPT,
|
||||
"SEC_DISALLOW_SCRIPT" },
|
||||
{ nsILoadInfo::SEC_DONT_FOLLOW_REDIRECTS,
|
||||
"SEC_DONT_FOLLOW_REDIRECTS" },
|
||||
{ nsILoadInfo::SEC_LOAD_ERROR_PAGE,
|
||||
"SEC_LOAD_ERROR_PAGE" },
|
||||
{ nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER,
|
||||
"SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER" }
|
||||
};
|
||||
|
||||
for (const DebugSecFlagType flag : secTypes) {
|
||||
if (securityFlags & flag.secFlag) {
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s,\n", flag.secTypeStr));
|
||||
}
|
||||
}
|
||||
}
|
||||
static void
|
||||
DebugDoContentSecurityCheck(nsIChannel* aChannel, nsILoadInfo* aLoadInfo) {
|
||||
nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(aChannel));
|
||||
|
||||
// we only log http channels, unless loglevel is 5.
|
||||
if (httpChannel || MOZ_LOG_TEST(sCSMLog, LogLevel::Verbose)) {
|
||||
nsCOMPtr<nsIURI> channelURI;
|
||||
nsAutoCString channelSpec;
|
||||
nsAutoCString channelMethod;
|
||||
NS_GetFinalChannelURI(aChannel, getter_AddRefs(channelURI));
|
||||
if (channelURI) {
|
||||
channelURI->GetSpec(channelSpec);
|
||||
}
|
||||
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, ("doContentSecurityCheck {\n"));
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" channelURI: %s\n",
|
||||
channelSpec.get()));
|
||||
|
||||
// Log HTTP-specific things
|
||||
if (httpChannel) {
|
||||
nsresult rv;
|
||||
rv = httpChannel->GetRequestMethod(channelMethod);
|
||||
if (!NS_FAILED(rv)) {
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" HTTP Method: %s\n",
|
||||
channelMethod.get()));
|
||||
}
|
||||
}
|
||||
|
||||
// Log Principals
|
||||
nsCOMPtr<nsIPrincipal> requestPrincipal = aLoadInfo->TriggeringPrincipal();
|
||||
LogPrincipal(aLoadInfo->LoadingPrincipal(),
|
||||
NS_LITERAL_STRING("loadingPrincipal"));
|
||||
LogPrincipal(requestPrincipal, NS_LITERAL_STRING("triggeringPrincipal"));
|
||||
LogPrincipal(aLoadInfo->PrincipalToInherit(),
|
||||
NS_LITERAL_STRING("principalToInherit"));
|
||||
|
||||
// Log Redirect Chain
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" RedirectChain:\n"));
|
||||
for (nsIRedirectHistoryEntry* redirectHistoryEntry :
|
||||
aLoadInfo->RedirectChain()) {
|
||||
nsCOMPtr<nsIPrincipal> principal;
|
||||
redirectHistoryEntry->GetPrincipal(getter_AddRefs(principal));
|
||||
LogPrincipal(principal, NS_LITERAL_STRING("->"));
|
||||
}
|
||||
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" internalContentPolicyType: %d\n",
|
||||
aLoadInfo->InternalContentPolicyType()));
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" externalContentPolicyType: %d\n",
|
||||
aLoadInfo->GetExternalContentPolicyType()));
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" upgradeInsecureRequests: %s\n",
|
||||
aLoadInfo->GetUpgradeInsecureRequests() ? "true" : "false"));
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" initalSecurityChecksDone: %s\n",
|
||||
aLoadInfo->GetInitialSecurityCheckDone() ? "true" : "false"));
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" enforceSecurity: %s\n",
|
||||
aLoadInfo->GetEnforceSecurity() ? "true" : "false"));
|
||||
|
||||
// Log CSPrequestPrincipal
|
||||
nsCOMPtr<nsIContentSecurityPolicy> csp;
|
||||
requestPrincipal->GetCsp(getter_AddRefs(csp));
|
||||
if (csp) {
|
||||
nsAutoString parsedPolicyStr;
|
||||
uint32_t count = 0;
|
||||
csp->GetPolicyCount(&count);
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" CSP (%d): ", count));
|
||||
for (uint32_t i = 0; i < count; ++i) {
|
||||
csp->GetPolicyString(i, parsedPolicyStr);
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" %s\n",
|
||||
NS_ConvertUTF16toUTF8(parsedPolicyStr).get()));
|
||||
}
|
||||
}
|
||||
|
||||
// Security Flags
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, (" securityFlags: "));
|
||||
LogSecurityFlags(aLoadInfo->GetSecurityFlags());
|
||||
MOZ_LOG(sCSMLog, LogLevel::Debug, ("}\n\n"));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Based on the security flags provided in the loadInfo of the channel,
|
||||
* doContentSecurityCheck() performs the following content security checks
|
||||
|
@ -647,6 +814,10 @@ nsContentSecurityManager::doContentSecurityCheck(nsIChannel* aChannel,
|
|||
return NS_ERROR_UNEXPECTED;
|
||||
}
|
||||
|
||||
if (MOZ_UNLIKELY(MOZ_LOG_TEST(sCSMLog, LogLevel::Debug))) {
|
||||
DebugDoContentSecurityCheck(aChannel, loadInfo);
|
||||
}
|
||||
|
||||
// if dealing with a redirected channel then we have already installed
|
||||
// streamlistener and redirect proxies and so we are done.
|
||||
if (loadInfo->GetInitialSecurityCheckDone()) {
|
||||
|
|
Загрузка…
Ссылка в новой задаче