Bug 1407891: Allow view-image to open a data: URI by setting a flag on the loadinfo. r=bz

2017-11-08 20:01:41 +01:00 · 2017-11-08 20:01:41 +01:00 · 6584da597b
--- a/browser/base/content/nsContextMenu.js
+++ b/browser/base/content/nsContextMenu.js
@ -951,7 +951,8 @@ nsContextMenu.prototype = {
                       this.browser.contentPrincipal,
                       Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
      openUILink(this.mediaURL, e, { disallowInheritPrincipal: true,
-                                     referrerURI });
+                                     referrerURI,
+                                     forceAllowDataURI: true });
    }
  },

--- a/browser/base/content/utilityOverlay.js
+++ b/browser/base/content/utilityOverlay.js
@ -207,6 +207,7 @@ function openUILinkIn(url, where, aAllowThirdPartyFixup, aPostData, aReferrerURI
  openLinkIn(url, where, params);
 }

+/* eslint-disable complexity */
 function openLinkIn(url, where, params) {
  if (!where || !url)
    return;
@ -222,6 +223,7 @@ function openLinkIn(url, where, params) {
      params.referrerPolicy : Ci.nsIHttpChannel.REFERRER_POLICY_UNSET);
  var aRelatedToCurrent     = params.relatedToCurrent;
  var aAllowMixedContent    = params.allowMixedContent;
+  var aForceAllowDataURI    = params.forceAllowDataURI;
  var aInBackground         = params.inBackground;
  var aDisallowInheritPrincipal = params.disallowInheritPrincipal;
  var aInitiatingDoc        = params.initiatingDoc;
@ -433,6 +435,9 @@ function openLinkIn(url, where, params) {
    if (aIndicateErrorPageLoad) {
      flags |= Ci.nsIWebNavigation.LOAD_FLAGS_ERROR_LOAD_CHANGES_RV;
    }
+    if (aForceAllowDataURI) {
+      flags |= Ci.nsIWebNavigation.LOAD_FLAGS_FORCE_ALLOW_DATA_URI;
+    }

    let {URI_INHERITS_SECURITY_CONTEXT} = Ci.nsIProtocolHandler;
    if (aForceAboutBlankViewerInCurrent &&
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -1310,6 +1310,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
  nsCOMPtr<nsISHEntry> shEntry;
  nsString target;
  nsAutoString srcdoc;
+  bool forceAllowDataURI = false;
  nsCOMPtr<nsIDocShell> sourceDocShell;
  nsCOMPtr<nsIURI> baseURI;

@ -1346,6 +1347,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
    aLoadInfo->GetSrcdocData(srcdoc);
    aLoadInfo->GetSourceDocShell(getter_AddRefs(sourceDocShell));
    aLoadInfo->GetBaseURI(getter_AddRefs(baseURI));
+    aLoadInfo->GetForceAllowDataURI(&forceAllowDataURI);
  }

  MOZ_LOG(gDocShellLeakLog, LogLevel::Debug,
@ -1609,6 +1611,10 @@ nsDocShell::LoadURI(nsIURI* aURI,
    flags |= INTERNAL_LOAD_FLAGS_IS_SRCDOC;
  }

+  if (forceAllowDataURI) {
+    flags |= INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI;
+  }
+
  return InternalLoad(aURI,
                      originalURI,
                      resultPrincipalURI,
@ -4917,6 +4923,9 @@ nsDocShell::LoadURIWithOptions(const char16_t* aURI,
  }
  nsAutoPopupStatePusher statePusher(popupState);

+  bool forceAllowDataURI =
+    aLoadFlags & LOAD_FLAGS_FORCE_ALLOW_DATA_URI;
+
  // Don't pass certain flags that aren't needed and end up confusing
  // ConvertLoadTypeToDocShellLoadInfo.  We do need to ensure that they are
  // passed to LoadURI though, since it uses them.
@ -4947,6 +4956,7 @@ nsDocShell::LoadURIWithOptions(const char16_t* aURI,
  loadInfo->SetHeadersStream(aHeaderStream);
  loadInfo->SetBaseURI(aBaseURI);
  loadInfo->SetTriggeringPrincipal(aTriggeringPrincipal);
+  loadInfo->SetForceAllowDataURI(forceAllowDataURI);

  if (fixupInfo) {
    nsAutoString searchProvider, keyword;
@ -10189,6 +10199,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
        // principal to inherit is: it should be aTriggeringPrincipal.
        loadInfo->SetPrincipalIsExplicit(true);
        loadInfo->SetLoadType(ConvertLoadTypeToDocShellLoadInfo(LOAD_LINK));
+        loadInfo->SetForceAllowDataURI(aFlags & INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI);

        rv = win->Open(NS_ConvertUTF8toUTF16(spec),
                       aWindowTarget, // window name
@ -10866,7 +10877,9 @@ nsDocShell::InternalLoad(nsIURI* aURI,

  nsCOMPtr<nsIRequest> req;
  rv = DoURILoad(aURI, aOriginalURI, aResultPrincipalURI, aLoadReplace,
-                 loadFromExternal, aReferrer,
+                 loadFromExternal,
+                 (aFlags & INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI),
+                 aReferrer,
                 !(aFlags & INTERNAL_LOAD_FLAGS_DONT_SEND_REFERRER),
                 aReferrerPolicy,
                 aTriggeringPrincipal, principalToInherit, aTypeHint,
@ -11004,6 +11017,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
                      Maybe<nsCOMPtr<nsIURI>> const& aResultPrincipalURI,
                      bool aLoadReplace,
                      bool aLoadFromExternal,
+                      bool aForceAllowDataURI,
                      nsIURI* aReferrerURI,
                      bool aSendReferrer,
                      uint32_t aReferrerPolicy,
@ -11184,6 +11198,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
    loadInfo->SetPrincipalToInherit(aPrincipalToInherit);
  }
  loadInfo->SetLoadTriggeredFromExternal(aLoadFromExternal);
+  loadInfo->SetForceAllowDataURI(aForceAllowDataURI);

  // We have to do this in case our OriginAttributes are different from the
  // OriginAttributes of the parent document. Or in case there isn't a
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@ -452,6 +452,7 @@ protected:
                     mozilla::Maybe<nsCOMPtr<nsIURI>> const& aResultPrincipalURI,
                     bool aLoadReplace,
                     bool aLoadFromExternal,
+                     bool aForceAllowDataURI,
                     nsIURI* aReferrer,
                     bool aSendReferrer,
                     uint32_t aReferrerPolicy,
--- a/docshell/base/nsDocShellLoadInfo.cpp
+++ b/docshell/base/nsDocShellLoadInfo.cpp
@ -67,6 +67,7 @@ nsDocShellLoadInfo::nsDocShellLoadInfo()
  , mLoadReplace(false)
  , mInheritPrincipal(false)
  , mPrincipalIsExplicit(false)
+  , mForceAllowDataURI(false)
  , mSendReferrer(true)
  , mReferrerPolicy(mozilla::net::RP_Unset)
  , mLoadType(nsIDocShellLoadInfo::loadNormal)
@ -209,6 +210,20 @@ nsDocShellLoadInfo::SetPrincipalIsExplicit(bool aPrincipalIsExplicit)
  return NS_OK;
 }

+NS_IMETHODIMP
+nsDocShellLoadInfo::GetForceAllowDataURI(bool* aForceAllowDataURI)
+{
+  *aForceAllowDataURI = mForceAllowDataURI;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsDocShellLoadInfo::SetForceAllowDataURI(bool aForceAllowDataURI)
+{
+  mForceAllowDataURI = aForceAllowDataURI;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsDocShellLoadInfo::GetLoadType(nsDocShellInfoLoadType* aLoadType)
 {
--- a/docshell/base/nsDocShellLoadInfo.h
+++ b/docshell/base/nsDocShellLoadInfo.h
@ -39,6 +39,7 @@ protected:
  bool mLoadReplace;
  bool mInheritPrincipal;
  bool mPrincipalIsExplicit;
+  bool mForceAllowDataURI;
  bool mSendReferrer;
  nsDocShellInfoReferrerPolicy mReferrerPolicy;
  nsDocShellInfoLoadType mLoadType;
--- a/docshell/base/nsIDocShell.idl
+++ b/docshell/base/nsIDocShell.idl
@ -127,6 +127,9 @@ interface nsIDocShell : nsIDocShellTreeItem

  const long INTERNAL_LOAD_FLAGS_NO_OPENER               = 0x100;

+  // Whether a top-level data URI navigation is allowed for that load
+  const long INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI    = 0x200;
+
  // NB: 0x80 is available.

  /**
--- a/docshell/base/nsIDocShellLoadInfo.idl
+++ b/docshell/base/nsIDocShellLoadInfo.idl
@ -65,6 +65,12 @@ interface nsIDocShellLoadInfo : nsISupports
     */
    attribute boolean principalIsExplicit;

+    /**
+     * If this attribute is true, then a top-level navigation
+     * to a data URI will be allowed.
+     */
+    attribute boolean forceAllowDataURI;
+
    /* these are load type enums... */
    const long loadNormal = 0;                     // Normal Load
    const long loadNormalReplace = 1;              // Normal Load but replaces current history slot
--- a/docshell/base/nsIWebNavigation.idl
+++ b/docshell/base/nsIWebNavigation.idl
@ -206,6 +206,12 @@ interface nsIWebNavigation : nsISupports
   */
  const unsigned long LOAD_FLAGS_FIXUP_SCHEME_TYPOS = 0x200000;

+  /**
+   * Allows a top-level data: navigation to occur. E.g. view-image
+   * is an explicit user action which should be allowed.
+   */
+  const unsigned long LOAD_FLAGS_FORCE_ALLOW_DATA_URI = 0x400000;
+
  /**
   * Loads a given URI.  This will give priority to loading the requested URI
   * in the object implementing	this interface.  If it can't be loaded here
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@ -48,6 +48,10 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
  if (loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT) {
    return true;
  }
+  if (loadInfo->GetForceAllowDataURI()) {
+    // if the loadinfo explicitly allows the data URI navigation, let's allow it now
+    return true;
+  }
  nsCOMPtr<nsIURI> uri;
  nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
  NS_ENSURE_SUCCESS(rv, true);
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@ -387,6 +387,7 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
      aLoadInfo->GetUpgradeInsecureRequests(),
      aLoadInfo->GetVerifySignedContent(),
      aLoadInfo->GetEnforceSRI(),
+      aLoadInfo->GetForceAllowDataURI(),
      aLoadInfo->GetForceInheritPrincipalDropped(),
      aLoadInfo->GetInnerWindowID(),
      aLoadInfo->GetOuterWindowID(),
@ -495,6 +496,7 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
                          loadInfoArgs.upgradeInsecureRequests(),
                          loadInfoArgs.verifySignedContent(),
                          loadInfoArgs.enforceSRI(),
+                          loadInfoArgs.forceAllowDataURI(),
                          loadInfoArgs.forceInheritPrincipalDropped(),
                          loadInfoArgs.innerWindowID(),
                          loadInfoArgs.outerWindowID(),
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@ -58,6 +58,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
  , mUpgradeInsecureRequests(false)
  , mVerifySignedContent(false)
  , mEnforceSRI(false)
+  , mForceAllowDataURI(false)
  , mForceInheritPrincipalDropped(false)
  , mInnerWindowID(0)
  , mOuterWindowID(0)
@ -241,6 +242,7 @@ LoadInfo::LoadInfo(nsPIDOMWindowOuter* aOuterWindow,
  , mUpgradeInsecureRequests(false)
  , mVerifySignedContent(false)
  , mEnforceSRI(false)
+  , mForceAllowDataURI(false)
  , mForceInheritPrincipalDropped(false)
  , mInnerWindowID(0)
  , mOuterWindowID(0)
@ -309,6 +311,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
  , mUpgradeInsecureRequests(rhs.mUpgradeInsecureRequests)
  , mVerifySignedContent(rhs.mVerifySignedContent)
  , mEnforceSRI(rhs.mEnforceSRI)
+  , mForceAllowDataURI(rhs.mForceAllowDataURI)
  , mForceInheritPrincipalDropped(rhs.mForceInheritPrincipalDropped)
  , mInnerWindowID(rhs.mInnerWindowID)
  , mOuterWindowID(rhs.mOuterWindowID)
@ -346,6 +349,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
                   bool aUpgradeInsecureRequests,
                   bool aVerifySignedContent,
                   bool aEnforceSRI,
+                   bool aForceAllowDataURI,
                   bool aForceInheritPrincipalDropped,
                   uint64_t aInnerWindowID,
                   uint64_t aOuterWindowID,
@ -378,6 +382,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
  , mUpgradeInsecureRequests(aUpgradeInsecureRequests)
  , mVerifySignedContent(aVerifySignedContent)
  , mEnforceSRI(aEnforceSRI)
+  , mForceAllowDataURI(aForceAllowDataURI)
  , mForceInheritPrincipalDropped(aForceInheritPrincipalDropped)
  , mInnerWindowID(aInnerWindowID)
  , mOuterWindowID(aOuterWindowID)
@ -751,6 +756,23 @@ LoadInfo::GetEnforceSRI(bool* aResult)
  return NS_OK;
 }

+NS_IMETHODIMP
+LoadInfo::SetForceAllowDataURI(bool aForceAllowDataURI)
+{
+  MOZ_ASSERT(!mForceAllowDataURI ||
+             mInternalContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT,
+             "can only allow data URI navigation for TYPE_DOCUMENT");
+  mForceAllowDataURI = aForceAllowDataURI;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetForceAllowDataURI(bool* aForceAllowDataURI)
+{
+  *aForceAllowDataURI = mForceAllowDataURI;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetForceInheritPrincipalDropped(bool* aResult)
 {
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@ -103,6 +103,7 @@ private:
           bool aUpgradeInsecureRequests,
           bool aVerifySignedContent,
           bool aEnforceSRI,
+           bool aForceAllowDataURI,
           bool aForceInheritPrincipalDropped,
           uint64_t aInnerWindowID,
           uint64_t aOuterWindowID,
@ -159,6 +160,7 @@ private:
  bool                             mUpgradeInsecureRequests;
  bool                             mVerifySignedContent;
  bool                             mEnforceSRI;
+  bool                             mForceAllowDataURI;
  bool                             mForceInheritPrincipalDropped;
  uint64_t                         mInnerWindowID;
  uint64_t                         mOuterWindowID;
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@ -506,6 +506,11 @@ interface nsILoadInfo : nsISupports
   */
  [infallible] attribute boolean enforceSRI;

+  /**
+   * If true, toplevel data: URI navigation is allowed
+   */
+  [infallible] attribute boolean forceAllowDataURI;
+
  /**
   * The SEC_FORCE_INHERIT_PRINCIPAL flag may be dropped when a load info
   * object is created.  Specifically, it will be dropped if the SEC_SANDBOXED
--- a/netwerk/ipc/NeckoChannelParams.ipdlh
+++ b/netwerk/ipc/NeckoChannelParams.ipdlh
@ -47,6 +47,7 @@ struct LoadInfoArgs
  bool                        upgradeInsecureRequests;
  bool                        verifySignedContent;
  bool                        enforceSRI;
+  bool                        forceAllowDataURI;
  bool                        forceInheritPrincipalDropped;
  uint64_t                    innerWindowID;
  uint64_t                    outerWindowID;