зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1825561: Add in the ETP Toggle check to the ShouldRFP callgraph r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D174166
This commit is contained in:
Родитель
5eb2f2525e
Коммит
bb2a0a6fc0
|
@ -74,6 +74,7 @@
|
|||
#include "mozilla/CallState.h"
|
||||
#include "mozilla/CheckedInt.h"
|
||||
#include "mozilla/Components.h"
|
||||
#include "mozilla/ContentBlockingAllowList.h"
|
||||
#include "mozilla/CycleCollectedJSContext.h"
|
||||
#include "mozilla/DOMEventTargetHelper.h"
|
||||
#include "mozilla/DebugOnly.h"
|
||||
|
@ -2176,11 +2177,8 @@ inline void LogDomainAndPrefList(const char* exemptedDomainsPrefName,
|
|||
PromiseFlatCString(list).get()));
|
||||
}
|
||||
|
||||
inline bool CookieJarSettingsSaysShouldResistFingerprinting(
|
||||
inline already_AddRefed<nsICookieJarSettings> GetCookieJarSettings(
|
||||
nsILoadInfo* aLoadInfo) {
|
||||
// If the loadinfo's CookieJarSettings says that we _should_ resist
|
||||
// fingerprinting we can always believe it. (This is the (*) rule from
|
||||
// CookieJarSettings.h)
|
||||
nsCOMPtr<nsICookieJarSettings> cookieJarSettings;
|
||||
nsresult rv =
|
||||
aLoadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings));
|
||||
|
@ -2188,12 +2186,64 @@ inline bool CookieJarSettingsSaysShouldResistFingerprinting(
|
|||
// The TRRLoadInfo in particular does not implement this method
|
||||
// In that instance. We will return false and let other code decide if
|
||||
// we shouldRFP for this connection
|
||||
return false;
|
||||
return nullptr;
|
||||
}
|
||||
if (NS_WARN_IF(NS_FAILED(rv))) {
|
||||
MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Info,
|
||||
("Called CookieJarSettingsSaysShouldResistFingerprinting but the "
|
||||
"loadinfo's CookieJarSettings couldn't be retrieved"));
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
MOZ_ASSERT(cookieJarSettings);
|
||||
return cookieJarSettings.forget();
|
||||
}
|
||||
|
||||
bool ETPSaysShouldNotResistFingerprinting(nsIChannel* aChannel,
|
||||
nsILoadInfo* aLoadInfo) {
|
||||
// A positive return from this function should always be obeyed.
|
||||
// A negative return means we should keep checking things.
|
||||
|
||||
// We do not want this check to apply to RFP, only to FPP
|
||||
// There is one problematic combination of prefs; however:
|
||||
// If RFP is enabled in PBMode only and FPP is enabled globally
|
||||
// (so, in non-PBM mode) - we need to know if we're in PBMode or not.
|
||||
// But that's kind of expensive and we'd like to avoid it if we
|
||||
// don't have to, so special-case that scenario
|
||||
if (StaticPrefs::privacy_fingerprintingProtection_DoNotUseDirectly() &&
|
||||
!StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() &&
|
||||
StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly()) {
|
||||
if (NS_UsePrivateBrowsing(aChannel)) {
|
||||
// In PBM (where RFP is enabled) do not exempt based on the ETP toggle
|
||||
return false;
|
||||
}
|
||||
} else if (StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() ||
|
||||
StaticPrefs::
|
||||
privacy_resistFingerprinting_pbmode_DoNotUseDirectly()) {
|
||||
// In RFP, never use the ETP toggle to exempt.
|
||||
// We can safely return false here even if we are not in PBM mode
|
||||
// and RFP_pbmode is enabled because we will later see that and
|
||||
// return false from the ShouldRFP function entirely.
|
||||
return false;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsICookieJarSettings> cookieJarSettings =
|
||||
GetCookieJarSettings(aLoadInfo);
|
||||
if (!cookieJarSettings) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return ContentBlockingAllowList::Check(cookieJarSettings);
|
||||
}
|
||||
|
||||
inline bool CookieJarSettingsSaysShouldResistFingerprinting(
|
||||
nsILoadInfo* aLoadInfo) {
|
||||
// A positive return from this function should always be obeyed.
|
||||
// A negative return means we should keep checking things.
|
||||
|
||||
nsCOMPtr<nsICookieJarSettings> cookieJarSettings =
|
||||
GetCookieJarSettings(aLoadInfo);
|
||||
if (!cookieJarSettings) {
|
||||
return false;
|
||||
}
|
||||
return cookieJarSettings->GetShouldResistFingerprinting();
|
||||
|
@ -2281,20 +2331,24 @@ bool nsContentUtils::ShouldResistFingerprinting(nsIChannel* aChannel,
|
|||
return false;
|
||||
}
|
||||
|
||||
// Document types have no loading principal. Subdocument types do have a
|
||||
// loading principal, but it is the loading principal of the parent document;
|
||||
// not the subdocument.
|
||||
auto contentType = loadInfo->GetExternalContentPolicyType();
|
||||
if (contentType == ExtContentPolicy::TYPE_DOCUMENT ||
|
||||
contentType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
|
||||
// This cookie jar check is relevant to both document and non-document
|
||||
// cases. but it will be performed inside the ShouldRFP(nsILoadInfo) as
|
||||
// well, so we put into this conditional to avoid doing it twice in that
|
||||
// case.
|
||||
if (ETPSaysShouldNotResistFingerprinting(aChannel, loadInfo)) {
|
||||
MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
|
||||
("Inside ShouldResistFingerprinting(nsIChannel*)"
|
||||
" ETPSaysShouldNotResistFingerprinting said false"));
|
||||
return false;
|
||||
}
|
||||
|
||||
if (CookieJarSettingsSaysShouldResistFingerprinting(loadInfo)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Document types have no loading principal. Subdocument types do have a
|
||||
// loading principal, but it is the loading principal of the parent
|
||||
// document; not the subdocument.
|
||||
auto contentType = loadInfo->GetExternalContentPolicyType();
|
||||
// Case 1: Document or Subdocument load
|
||||
if (contentType == ExtContentPolicy::TYPE_DOCUMENT ||
|
||||
contentType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
|
||||
nsCOMPtr<nsIURI> channelURI;
|
||||
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(channelURI));
|
||||
MOZ_ASSERT(
|
||||
|
@ -2335,7 +2389,16 @@ bool nsContentUtils::ShouldResistFingerprinting(nsIChannel* aChannel,
|
|||
}
|
||||
|
||||
// Case 2: Subresource Load
|
||||
return ShouldResistFingerprinting(loadInfo, aTarget);
|
||||
// Because this code is only used for subresource loads, this
|
||||
// will check the parent's principal
|
||||
nsIPrincipal* principal = loadInfo->GetLoadingPrincipal();
|
||||
|
||||
MOZ_ASSERT_IF(principal && !principal->IsSystemPrincipal() &&
|
||||
!principal->GetIsAddonOrExpandedAddonPrincipal(),
|
||||
BasePrincipal::Cast(principal)->OriginAttributesRef() ==
|
||||
loadInfo->GetOriginAttributes());
|
||||
return ShouldResistFingerprinting_dangerous(principal, "Internal Call",
|
||||
aTarget);
|
||||
}
|
||||
|
||||
/* static */
|
||||
|
@ -2379,36 +2442,6 @@ bool nsContentUtils::ShouldResistFingerprinting_dangerous(
|
|||
return !isExemptDomain;
|
||||
}
|
||||
|
||||
/* static */
|
||||
bool nsContentUtils::ShouldResistFingerprinting(nsILoadInfo* aLoadInfo,
|
||||
RFPTarget aTarget) {
|
||||
MOZ_ASSERT(aLoadInfo->GetExternalContentPolicyType() !=
|
||||
ExtContentPolicy::TYPE_DOCUMENT &&
|
||||
aLoadInfo->GetExternalContentPolicyType() !=
|
||||
ExtContentPolicy::TYPE_SUBDOCUMENT);
|
||||
|
||||
// With this check, we can ensure that the prefs and target say yes, so only
|
||||
// an exemption would cause us to return false.
|
||||
if (!ShouldResistFingerprinting("Positive return check", aTarget)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (CookieJarSettingsSaysShouldResistFingerprinting(aLoadInfo)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Because this function is only used for subresource loads, this
|
||||
// will check the parent's principal
|
||||
nsIPrincipal* principal = aLoadInfo->GetLoadingPrincipal();
|
||||
|
||||
MOZ_ASSERT_IF(principal && !principal->IsSystemPrincipal() &&
|
||||
!principal->GetIsAddonOrExpandedAddonPrincipal(),
|
||||
BasePrincipal::Cast(principal)->OriginAttributesRef() ==
|
||||
aLoadInfo->GetOriginAttributes());
|
||||
return ShouldResistFingerprinting_dangerous(principal, "Internal Call",
|
||||
aTarget);
|
||||
}
|
||||
|
||||
/* static */
|
||||
bool nsContentUtils::ShouldResistFingerprinting_dangerous(
|
||||
nsIPrincipal* aPrincipal, const char* aJustification, RFPTarget aTarget) {
|
||||
|
|
|
@ -368,8 +368,6 @@ class nsContentUtils {
|
|||
// These functions are the new, nuanced functions
|
||||
static bool ShouldResistFingerprinting(nsIChannel* aChannel,
|
||||
RFPTarget aTarget);
|
||||
static bool ShouldResistFingerprinting(nsILoadInfo* aLoadInfo,
|
||||
RFPTarget aTarget);
|
||||
// These functions are labeled as dangerous because they will do the wrong
|
||||
// thing in _most_ cases. They should only be used if you don't have a fully
|
||||
// constructed LoadInfo or Document.
|
||||
|
|
|
@ -30,15 +30,12 @@ As you can see in the callgraph below, directly calling a *dangerous* function w
|
|||
SRFP_docshell["ShouldResistFingerprinting(nsIDocShell*)"]
|
||||
click SRFP_docshell href "https://searchfox.org/mozilla-central/search?q=symbol:_ZN14nsContentUtils26ShouldResistFingerprintingEP11nsIDocShellN7mozilla9RFPTargetE&redirect=false"
|
||||
|
||||
SRFP_channel["ShouldResistFingerprinting(nsIChannel*)"]
|
||||
SRFP_channel["ShouldResistFingerprinting(nsIChannel*)<br />ETPSaysShouldNotResistFingerprinting Check<br />CookieJarSettingsSaysShouldResistFingerprinting Check"]
|
||||
click SRFP_channel href "https://searchfox.org/mozilla-central/search?q=symbol:_ZN14nsContentUtils26ShouldResistFingerprintingEP10nsIChannelN7mozilla9RFPTargetE&redirect=false"
|
||||
|
||||
SRFP_uri["ShouldResistFingerprinting_dangerous(nsIURI*, OriginAttributes)<br />PBM Check<br />Scheme (inc WebExtension) Check<br />About Page Check<br />URI Exempt Check"]
|
||||
click SRFP_uri href "https://searchfox.org/mozilla-central/search?q=symbol:_ZN14nsContentUtils36ShouldResistFingerprinting_dangerousEP6nsIURIRKN7mozilla16OriginAttributesEPKcNS2_9RFPTargetE&redirect=false"
|
||||
|
||||
SRFP_loadinfo["ShouldResistFingerprinting(nsILoadInfo)<br />CookieJarSettingsSaysShouldResistFingerprinting Check<br />System Principal Check"]
|
||||
click SRFP_loadinfo href "https://searchfox.org/mozilla-central/search?q=symbol:_ZN14nsContentUtils26ShouldResistFingerprintingEP11nsILoadInfoN7mozilla9RFPTargetE&redirect=false"
|
||||
|
||||
SRFP_principal["ShouldResistFingerprinting_dangerous(nsIPrincipal*)<br />System Principal Check<br />PBM Check<br />Scheme Check<br />About Page Check<br />Web Extension Principal Check<br />URI Exempt Check"]
|
||||
click SRFP_principal href "https://searchfox.org/mozilla-central/search?q=symbol:_ZN14nsContentUtils36ShouldResistFingerprinting_dangerousEP12nsIPrincipalPKcN7mozilla9RFPTargetE&redirect=false"
|
||||
|
||||
|
@ -47,14 +44,11 @@ As you can see in the callgraph below, directly calling a *dangerous* function w
|
|||
|
||||
SRFP_principal --> |null| SRFP_char
|
||||
|
||||
SRFP_loadinfo --> SRFP_principal
|
||||
SRFP_loadinfo --> |null| SRFP_char
|
||||
|
||||
SRFP_uri --> |null| SRFP_char
|
||||
|
||||
SRFP_channel -->|null| SRFP_char
|
||||
SRFP_channel --> |Document Load<br />CookieJarSettingsSaysShouldResistFingerprinting| SRFP_uri
|
||||
SRFP_channel --> |Subresource Load| SRFP_loadinfo
|
||||
SRFP_channel --> |Document Load| SRFP_uri
|
||||
SRFP_channel --> |Subresource Load| SRFP_principal
|
||||
|
||||
SRFP_docshell -->|null| SRFP_char
|
||||
SRFP_docshell --> Doc_SRFP
|
||||
|
|
Загрузка…
Ссылка в новой задаче