mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 782654 - Use a whitelist approach rather than a blacklist approach for content types, so that by default we block instead of accept unknown types. 

XHR + CORS is treated as mixed content with this patch. (r=smaug)
This commit is contained in:
Tanvi Vyas 2012-12-13 14:53:06 -08:00
Родитель cb8c045f43
Коммит d97a7cf359
1 изменённых файлов: 147 добавлений и 82 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

217
content/base/src/nsMixedContentBlocker.cpp
Просмотреть файл

@ -126,44 +126,112 @@ nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
// Default policy: allow the load if we find no reason to block it.
*aDecision = nsIContentPolicy::ACCEPT;
// Asserting that we are on the main thread here and hence do not have to lock
// and unlock sBlockMixedScript and sBlockMixedDisplay before reading/writing
// to them.
MOZ_ASSERT(NS_IsMainThread());
// If mixed script blocking and mixed display blocking are turned off
// we can return early
if (!sBlockMixedScript && !sBlockMixedDisplay) {
return NS_OK;
}
// Assume active (high risk) content and blocked by default
MixedContentTypes classification = eMixedScript;
// Top-level load cannot be mixed content so allow it.
// Creating insecure websocket connections in a secure page is blocked already in websocket constructor.
if (aContentType == nsIContentPolicy::TYPE_DOCUMENT || aContentType == nsIContentPolicy::TYPE_WEBSOCKET) {
return NS_OK;
}
// We need aRequestingLocation to pull out the scheme. If it isn't passed
// in, get it from the DOM node.
if (!aRequestingLocation) {
nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
if (node) {
nsCOMPtr<nsIURI> principalUri;
node->NodePrincipal()->GetURI(getter_AddRefs(principalUri));
aRequestingLocation = principalUri;
}
// If we still don't have a requesting location then we can't tell if
// this is a mixed content load. Deny to be safe.
if (!aRequestingLocation) {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
return NS_OK;
}
}
// Notes on non-obvious decisions:
//
// TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
//
// TYPE_FONT: The TrueType hinting mechanism is basically a scripting
// language that gets interpreted by the operating system's font rasterizer.
// Mixed content web fonts are relatively uncommon, and we can can fall back
// to built-in fonts with minimal disruption in almost all cases.
//
// TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
// script that a plugin will execute) or display content (e.g. Flash video
// content).
//
// TYPE_CSP_REPORT: High-risk because they directly leak information about
// the content of the page, and because blocking them does not have any
// negative effect on the page loading.
//
// TYPE_PING: Ping requests are POSTS, not GETs like images and media.
// Also, PING requests have no bearing on the rendering or operation of
// the page when used as designed, so even though they are lower risk than
// scripts, blocking them is basically risk-free as far as compatibility is
// concerned. Ping is turned off by default in Firefox, so unless a user
// opts into ping, no request will be made. Categorizing this as Mixed
// Display Content for now, but this is subject to change.
//
// TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
// and other advanced CSS features can possibly be exploited to cause
// spoofing attacks (e.g. make a "grant permission" button look like a
// "refuse permission" button).
//
// TYPE_WEBSOCKET: The Websockets API requires browsers to
// reject mixed-content websockets: "If secure is false but the origin of
// the entry script has a scheme component that is itself a secure protocol,
// e.g. HTTPS, then throw a SecurityError exception." We already block mixed
// content websockets within the websockets implementation, so we don't need
// to do any blocking here, nor do we need to provide a way to undo or
// override the blocking. Websockets without TLS are very flaky anyway in the
// face of many HTTP-aware proxies. Compared to psasive content, there is
// additional risk that the script using WebSockets will disclose sensitive
// information from the HTTPS page and/or eval (directly or indirectly)
// received data.
//
// TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
// mixed-content XHR will already be blocked by that check. This will also
// block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
// above for WebSockets apply to XHR, and XHR should have the same security
// properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
// amplifies these concerns.
// Check the parent scheme. If it is not an HTTPS page then mixed content
// restrictions do not apply.
bool parentIsHttps;
if (NS_FAILED(aRequestingLocation->SchemeIs("https", &parentIsHttps)) ||
!parentIsHttps) {
MOZ_STATIC_ASSERT(TYPE_DATAREQUEST == TYPE_XMLHTTPREQUEST,
"TYPE_DATAREQUEST is not a synonym for "
"TYPE_XMLHTTPREQUEST");
switch (aContentType) {
// The top-level document cannot be mixed content by definition
case TYPE_DOCUMENT:
*aDecision = ACCEPT;
return NS_OK;
// Creating insecure websocket connections in a secure page is blocked already
// in the websocket constructor. We don't need to check the blocking here
// and we don't want to un-block
case TYPE_WEBSOCKET:
*aDecision = ACCEPT;
return NS_OK;
// Static display content is considered moderate risk for mixed content so
// these will be blocked according to the mixed display preference
case TYPE_IMAGE:
case TYPE_MEDIA:
case TYPE_PING:
classification = eMixedDisplay;
break;
// Active content (or content with a low value/risk-of-blocking ratio)
// that has been explicitly evaluated; listed here for documentation
// purposes and to avoid the assertion and warning for the default case.
case TYPE_CSP_REPORT:
case TYPE_DTD:
case TYPE_FONT:
case TYPE_OBJECT:
case TYPE_OBJECT_SUBREQUEST:
case TYPE_SCRIPT:
case TYPE_STYLESHEET:
case TYPE_SUBDOCUMENT:
case TYPE_XBL:
case TYPE_XMLHTTPREQUEST:
case TYPE_OTHER:
break;
// This content policy works as a whitelist.
default:
MOZ_NOT_REACHED("Mixed content of unknown type");
NS_WARNING("Mixed content of unknown type");
break;
}
/* Get the scheme of the sub-document resource to be requested. If it is
@ -198,57 +266,54 @@ nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
return NS_OK;
}
// We need aRequestingLocation to pull out the scheme. If it isn't passed
// in, get it from the DOM node.
if (!aRequestingLocation) {
nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
if (node) {
nsCOMPtr<nsIURI> principalUri;
node->NodePrincipal()->GetURI(getter_AddRefs(principalUri));
aRequestingLocation = principalUri;
}
// If we still don't have a requesting location then we can't tell if
// this is a mixed content load. Deny to be safe.
if (!aRequestingLocation) {
*aDecision = REJECT_REQUEST;
return NS_OK;
}
}
// Check the parent scheme. If it is not an HTTPS page then mixed content
// restrictions do not apply.
bool parentIsHttps;
nsresult rv = aRequestingLocation->SchemeIs("https", &parentIsHttps);
if (NS_FAILED(rv)) {
NS_ERROR("aRequestingLocation->SchemeIs failed");
*aDecision = REJECT_REQUEST;
return NS_OK;
}
if (!parentIsHttps) {
*aDecision = ACCEPT;
return NS_OK;
}
// If we are here we have mixed content.
// Decide whether or not to allow the mixed content based on what type of
// content it is and if the user permitted it.
switch (aContentType) {
case nsIContentPolicy::TYPE_FONT:
case nsIContentPolicy::TYPE_OBJECT:
case nsIContentPolicy::TYPE_SCRIPT:
case nsIContentPolicy::TYPE_STYLESHEET:
case nsIContentPolicy::TYPE_SUBDOCUMENT:
case nsIContentPolicy::TYPE_WEBSOCKET:
case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
// fonts, plugin content, scripts, stylesheets, iframes, websockets and
// XHRs are considered high risk for mixed content so these are blocked
// per the mixed script preference
if (sBlockMixedScript) {
// If the content is display content, and the pref says display content should be blocked, block it.
// If the content is mixed content, and the pref says mixed content should be blocked, block it.
if ( (sBlockMixedDisplay && classification == eMixedDisplay) || (sBlockMixedScript && classification == eMixedScript) ) {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
return NS_OK;
} else {
// The content is not blocked by the mixed content prefs.
// Fire the event from a script runner as it is unsafe to run script
// from within ShouldLoad
// Disabled until bug 782654 is fixed.
/*
nsContentUtils::AddScriptRunner(
new nsMixedContentEvent(aRequestingContext, eMixedScript));
*/
}
break;
case nsIContentPolicy::TYPE_IMAGE:
case nsIContentPolicy::TYPE_MEDIA:
case nsIContentPolicy::TYPE_PING:
// display (static) content are considered moderate risk for mixed content
// so these will be blocked according to the mixed display preference
if (sBlockMixedDisplay) {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
// Fire the event from a script runner as it is unsafe to run script
// from within ShouldLoad
// Disabled until bug 782654 is fixed.
/*
nsContentUtils::AddScriptRunner(
new nsMixedContentEvent(aRequestingContext, eMixedDisplay));
*/
}
break;
default:
// other types of mixed content are allowed
break;
new nsMixedContentEvent(aRequestingContext, classification));
return NS_OK;
}
*aDecision = REJECT_REQUEST;
return NS_OK;
}