CSSLoader should check content policy. Bug 190653, r=mvl, sr=peterv

content/html/style/src/nsCSSLoader.cpp

@@ -29,6 +29,7 @@
  */
 #include "nsIContent.h"
 #include "nsIDOMNode.h"
+#include "nsIDOMWindow.h"
 #include "nsIDocument.h"
 #include "nsINameSpaceManager.h"
 #include "nsIUnicharInputStream.h"
@@ -43,6 +44,8 @@
 #include "nsCOMArray.h"
 #include "nsCOMPtr.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsContentPolicyUtils.h"
+#include "nsIScriptGlobalObject.h"
 #include "nsITimelineService.h"
 #include "nsIHttpChannel.h"
 #include "nsIConsoleService.h"
@@ -902,6 +905,63 @@ CSSLoaderImpl::IsAlternate(const nsAString& aTitle)
   return PR_FALSE;
 }
 
+/**
+ * CheckLoadAllowed will return success if the load is allowed,
+ * failure otherwise. 
+ *
+ * @param aSourceURI the uri of the document or parent sheet loading the sheet
+ * @param aTargetURI the uri of the sheet to be loaded
+ * @param aContext the context.  This is the element or the @import
+ *        rule doing the loading
+ */
+nsresult
+CSSLoaderImpl::CheckLoadAllowed(nsIURI* aSourceURI,
+                                nsIURI* aTargetURI,
+                                nsISupports* aContext)
+{
+  LOG(("CSSLoaderImpl::CheckLoadAllowed"));
+  
+  // Check with the security manager
+  nsresult rv;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = secMan->CheckLoadURI(aSourceURI, aTargetURI,
+                            nsIScriptSecurityManager::ALLOW_CHROME);
+  if (NS_FAILED(rv)) { // failure is normal here; don't warn
+    return rv;
+  }
+
+  LOG(("  Passed security check"));
+
+  // Check with content policy
+
+  if (!mDocument) {
+    return NS_OK;
+  }
+  
+  nsCOMPtr<nsIScriptGlobalObject> globalObject;
+  rv = mDocument->GetScriptGlobalObject(getter_AddRefs(globalObject));
+  if (NS_FAILED(rv) || !globalObject) {
+    LOG(("  No script global object"));
+    return rv;
+  }
+  
+  nsCOMPtr<nsIDOMWindow> domWin(do_QueryInterface(globalObject));
+  NS_ASSERTION(domWin, "Global object not DOM window?");
+
+  PRBool shouldLoad = PR_TRUE;
+  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::STYLESHEET, aTargetURI,
+                                 aContext, domWin, &shouldLoad);
+  if (NS_SUCCEEDED(rv) && !shouldLoad) {
+    LOG(("  Blocked by content policy"));
+    return NS_ERROR_FAILURE;
+  }
+
+  return rv;
+}
+
 /**
  * CreateSheet() creates an nsICSSStyleSheet object for the given URI,
  * if any.  If there is no URI given, we just create a new style sheet
@@ -1593,18 +1653,14 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
   
   NS_ENSURE_TRUE(mDocument, NS_ERROR_NOT_INITIALIZED);
 
-  //-- Make sure this page is allowed to load this URL
-  nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan = 
-           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
+  // Check whether we should even load
   nsCOMPtr<nsIURI> docURI;
-  rv = mDocument->GetDocumentURL(getter_AddRefs(docURI));
+  nsresult rv = mDocument->GetDocumentURL(getter_AddRefs(docURI));
   if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE;
-  rv = secMan->CheckLoadURI(docURI, aURL, nsIScriptSecurityManager::ALLOW_CHROME);
+  rv = CheckLoadAllowed(docURI, aURL, aElement);
   if (NS_FAILED(rv)) return rv;
 
-  LOG(("  Passed security check"));
+  LOG(("  Passed load check"));
   
   StyleSheetState state;
   nsCOMPtr<nsICSSStyleSheet> sheet;
@@ -1675,18 +1731,14 @@ CSSLoaderImpl::LoadChildSheet(nsICSSStyleSheet* aParentSheet,
   
   LOG_URI("  Child uri: '%s'", aURL);
 
-  //-- Make sure this page is allowed to load this URL
-  nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan = 
-           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
+  // Check whether we should even load
   nsCOMPtr<nsIURI> sheetURI;
-  rv = aParentSheet->GetURL(*getter_AddRefs(sheetURI));
+  nsresult rv = aParentSheet->GetURL(*getter_AddRefs(sheetURI));
   if (NS_FAILED(rv) || !sheetURI) return NS_ERROR_FAILURE;
-  rv = secMan->CheckLoadURI(sheetURI, aURL, nsIScriptSecurityManager::ALLOW_CHROME);
+  rv = CheckLoadAllowed(sheetURI, aURL, aParentRule);
   if (NS_FAILED(rv)) return rv;
 
-  LOG(("  Passed security check"));
+  LOG(("  Passed load check"));
   
   SheetLoadData* parentData = nsnull;
   nsCOMPtr<nsICSSLoaderObserver> observer;

content/html/style/src/nsCSSLoader.h

@@ -49,14 +49,15 @@ class CSSLoaderImpl;
  * inline style from <style> elements, linked style, @import-ed child
  * sheets, agent sheets.  The loader handles the following tasks:
  *
- * 1) Creation of the actual style sheet objects: CreateSheet()
- * 2) setting of the right media, title, enabled state, etc on the
+ * 1) Checking whether the load is allowed: CheckLoadAllowed()
+ * 2) Creation of the actual style sheet objects: CreateSheet()
+ * 3) setting of the right media, title, enabled state, etc on the
  *    sheet: PrepareSheet()
- * 3) Insertion of the sheet in the proper cascade order:
+ * 4) Insertion of the sheet in the proper cascade order:
  *    InsertSheetInDoc() and InsertChildSheet()
- * 4) Load of the sheet: LoadSheet()
- * 5) Parsing of the sheet: ParseSheet()
- * 6) Cleanup: SheetComplete()
+ * 5) Load of the sheet: LoadSheet()
+ * 6) Parsing of the sheet: ParseSheet()
+ * 7) Cleanup: SheetComplete()
  *
  * The detailed documentation for these functions is found with the
  * function implementations.
@@ -303,6 +304,10 @@ public:
   PRBool IsAlternate(const nsAString& aTitle);
 
 private:
+  nsresult CheckLoadAllowed(nsIURI* aSourceURI,
+                            nsIURI* aTargetURI,
+                            nsISupports* aContext);
+  
   nsresult CreateSheet(nsIURI* aURI,
                        PRUint32 aDefaultNameSpaceID,
                        PRBool aSyncLoad,

layout/style/nsCSSLoader.cpp

@@ -29,6 +29,7 @@
  */
 #include "nsIContent.h"
 #include "nsIDOMNode.h"
+#include "nsIDOMWindow.h"
 #include "nsIDocument.h"
 #include "nsINameSpaceManager.h"
 #include "nsIUnicharInputStream.h"
@@ -43,6 +44,8 @@
 #include "nsCOMArray.h"
 #include "nsCOMPtr.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsContentPolicyUtils.h"
+#include "nsIScriptGlobalObject.h"
 #include "nsITimelineService.h"
 #include "nsIHttpChannel.h"
 #include "nsIConsoleService.h"
@@ -902,6 +905,63 @@ CSSLoaderImpl::IsAlternate(const nsAString& aTitle)
   return PR_FALSE;
 }
 
+/**
+ * CheckLoadAllowed will return success if the load is allowed,
+ * failure otherwise. 
+ *
+ * @param aSourceURI the uri of the document or parent sheet loading the sheet
+ * @param aTargetURI the uri of the sheet to be loaded
+ * @param aContext the context.  This is the element or the @import
+ *        rule doing the loading
+ */
+nsresult
+CSSLoaderImpl::CheckLoadAllowed(nsIURI* aSourceURI,
+                                nsIURI* aTargetURI,
+                                nsISupports* aContext)
+{
+  LOG(("CSSLoaderImpl::CheckLoadAllowed"));
+  
+  // Check with the security manager
+  nsresult rv;
+  nsCOMPtr<nsIScriptSecurityManager> secMan =
+           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = secMan->CheckLoadURI(aSourceURI, aTargetURI,
+                            nsIScriptSecurityManager::ALLOW_CHROME);
+  if (NS_FAILED(rv)) { // failure is normal here; don't warn
+    return rv;
+  }
+
+  LOG(("  Passed security check"));
+
+  // Check with content policy
+
+  if (!mDocument) {
+    return NS_OK;
+  }
+  
+  nsCOMPtr<nsIScriptGlobalObject> globalObject;
+  rv = mDocument->GetScriptGlobalObject(getter_AddRefs(globalObject));
+  if (NS_FAILED(rv) || !globalObject) {
+    LOG(("  No script global object"));
+    return rv;
+  }
+  
+  nsCOMPtr<nsIDOMWindow> domWin(do_QueryInterface(globalObject));
+  NS_ASSERTION(domWin, "Global object not DOM window?");
+
+  PRBool shouldLoad = PR_TRUE;
+  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::STYLESHEET, aTargetURI,
+                                 aContext, domWin, &shouldLoad);
+  if (NS_SUCCEEDED(rv) && !shouldLoad) {
+    LOG(("  Blocked by content policy"));
+    return NS_ERROR_FAILURE;
+  }
+
+  return rv;
+}
+
 /**
  * CreateSheet() creates an nsICSSStyleSheet object for the given URI,
  * if any.  If there is no URI given, we just create a new style sheet
@@ -1593,18 +1653,14 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement,
   
   NS_ENSURE_TRUE(mDocument, NS_ERROR_NOT_INITIALIZED);
 
-  //-- Make sure this page is allowed to load this URL
-  nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan = 
-           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
+  // Check whether we should even load
   nsCOMPtr<nsIURI> docURI;
-  rv = mDocument->GetDocumentURL(getter_AddRefs(docURI));
+  nsresult rv = mDocument->GetDocumentURL(getter_AddRefs(docURI));
   if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE;
-  rv = secMan->CheckLoadURI(docURI, aURL, nsIScriptSecurityManager::ALLOW_CHROME);
+  rv = CheckLoadAllowed(docURI, aURL, aElement);
   if (NS_FAILED(rv)) return rv;
 
-  LOG(("  Passed security check"));
+  LOG(("  Passed load check"));
   
   StyleSheetState state;
   nsCOMPtr<nsICSSStyleSheet> sheet;
@@ -1675,18 +1731,14 @@ CSSLoaderImpl::LoadChildSheet(nsICSSStyleSheet* aParentSheet,
   
   LOG_URI("  Child uri: '%s'", aURL);
 
-  //-- Make sure this page is allowed to load this URL
-  nsresult rv;
-  nsCOMPtr<nsIScriptSecurityManager> secMan = 
-           do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
+  // Check whether we should even load
   nsCOMPtr<nsIURI> sheetURI;
-  rv = aParentSheet->GetURL(*getter_AddRefs(sheetURI));
+  nsresult rv = aParentSheet->GetURL(*getter_AddRefs(sheetURI));
   if (NS_FAILED(rv) || !sheetURI) return NS_ERROR_FAILURE;
-  rv = secMan->CheckLoadURI(sheetURI, aURL, nsIScriptSecurityManager::ALLOW_CHROME);
+  rv = CheckLoadAllowed(sheetURI, aURL, aParentRule);
   if (NS_FAILED(rv)) return rv;
 
-  LOG(("  Passed security check"));
+  LOG(("  Passed load check"));
   
   SheetLoadData* parentData = nsnull;
   nsCOMPtr<nsICSSLoaderObserver> observer;

layout/style/nsCSSLoader.h

@@ -49,14 +49,15 @@ class CSSLoaderImpl;
  * inline style from <style> elements, linked style, @import-ed child
  * sheets, agent sheets.  The loader handles the following tasks:
  *
- * 1) Creation of the actual style sheet objects: CreateSheet()
- * 2) setting of the right media, title, enabled state, etc on the
+ * 1) Checking whether the load is allowed: CheckLoadAllowed()
+ * 2) Creation of the actual style sheet objects: CreateSheet()
+ * 3) setting of the right media, title, enabled state, etc on the
  *    sheet: PrepareSheet()
- * 3) Insertion of the sheet in the proper cascade order:
+ * 4) Insertion of the sheet in the proper cascade order:
  *    InsertSheetInDoc() and InsertChildSheet()
- * 4) Load of the sheet: LoadSheet()
- * 5) Parsing of the sheet: ParseSheet()
- * 6) Cleanup: SheetComplete()
+ * 5) Load of the sheet: LoadSheet()
+ * 6) Parsing of the sheet: ParseSheet()
+ * 7) Cleanup: SheetComplete()
  *
  * The detailed documentation for these functions is found with the
  * function implementations.
@@ -303,6 +304,10 @@ public:
   PRBool IsAlternate(const nsAString& aTitle);
 
 private:
+  nsresult CheckLoadAllowed(nsIURI* aSourceURI,
+                            nsIURI* aTargetURI,
+                            nsISupports* aContext);
+  
   nsresult CreateSheet(nsIURI* aURI,
                        PRUint32 aDefaultNameSpaceID,
                        PRBool aSyncLoad,