зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D122420
This commit is contained in:
Frederik Braun
Родитель
2a17656c7c
Коммит
e3dbac69c7
|
|
@ -957,16 +957,8 @@ void nsContentSecurityManager::MeasureUnexpectedPrivilegedLoads(
|
|||
/* static */
|
||||
nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
|
||||
nsIChannel* aChannel) {
|
||||
// Check and assert that we never allow remote documents/scripts (http:,
|
||||
// https:, ...) to load in system privileged contexts.
|
||||
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
|
||||
|
||||
// nothing to do here if we are not loading a resource into a
|
||||
// system prvileged context.
|
||||
if (!loadInfo->GetLoadingPrincipal() ||
|
||||
!loadInfo->GetLoadingPrincipal()->IsSystemPrincipal()) {
|
||||
return NS_OK;
|
||||
}
|
||||
// loads with the allow flag are waived through
|
||||
// until refactored (e.g., Shavar, OCSP)
|
||||
if (loadInfo->GetAllowDeprecatedSystemRequests()) {
|
||||
|
|
@ -976,6 +968,20 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
|
|||
ExtContentPolicyType contentPolicyType =
|
||||
loadInfo->GetExternalContentPolicyType();
|
||||
|
||||
// We mostly care about the triggeringPrincipal,
|
||||
// unless this is a TYPE_DOCUMENT request, which has none.
|
||||
nsCOMPtr<nsIPrincipal> inspectedPrincipal;
|
||||
if (contentPolicyType != ExtContentPolicy::TYPE_DOCUMENT) {
|
||||
inspectedPrincipal = loadInfo->GetLoadingPrincipal();
|
||||
} else {
|
||||
inspectedPrincipal = loadInfo->TriggeringPrincipal();
|
||||
}
|
||||
|
||||
// Check if we are actually dealing with a SystemPrincipal request
|
||||
if (!inspectedPrincipal || !inspectedPrincipal->IsSystemPrincipal()) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// allowing some fetches due to their lowered risk
|
||||
// i.e., data & downloads fetches do limited parsing, no rendering
|
||||
// remote images are too widely used (favicons, about:addons etc.)
|
||||
|
|
@ -1047,9 +1053,7 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
|
|||
}
|
||||
// Telemetry for unexpected privileged loads.
|
||||
// pref check & data sanitization happens in the called function
|
||||
if (finalURI) {
|
||||
MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType);
|
||||
}
|
||||
MeasureUnexpectedPrivilegedLoads(loadInfo, finalURI, remoteType);
|
||||
|
||||
// Relaxing restrictions for our test suites:
|
||||
// (1) AreNonLocalConnectionsDisabled() disables network, so http://mochitest
|
||||
|
|
@ -1073,9 +1077,33 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
|
|||
nsAutoCString requestedURL;
|
||||
finalURI->GetAsciiSpec(requestedURL);
|
||||
MOZ_LOG(sCSMLog, LogLevel::Warning,
|
||||
("SystemPrincipal must not load remote documents. URL: %s, type %d",
|
||||
("SystemPrincipal should not load remote resources. URL: %s, type %d",
|
||||
requestedURL.get(), int(contentPolicyType)));
|
||||
|
||||
// The load types that we want to disallow, will extend over time and
|
||||
// prioritized by risk. The most risky/dangerous are load-types are documents,
|
||||
// subdocuments, scripts and styles in that order. The most dangerous URL
|
||||
// schemes to cover are HTTP, HTTPS, data, blob in that order. Meta bug
|
||||
// 1725112 will track upcoming restrictions
|
||||
if (contentPolicyType == ExtContentPolicy::TYPE_DOCUMENT) {
|
||||
if (StaticPrefs::security_disallow_privileged_https_documents_loads() &&
|
||||
(finalURI->SchemeIs("http") || finalURI->SchemeIs("https"))) {
|
||||
#ifdef DEBUG
|
||||
MOZ_CRASH("Disallowing SystemPrincipal load of documents on HTTP(S).");
|
||||
#endif
|
||||
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
|
||||
return NS_ERROR_CONTENT_BLOCKED;
|
||||
}
|
||||
if ((StaticPrefs::security_disallow_privileged_data_documents_loads()) &&
|
||||
(finalURI->SchemeIs("data"))) {
|
||||
#ifdef DEBUG
|
||||
MOZ_CRASH("Disallowing SystemPrincipal load of documents on data URL.");
|
||||
#endif
|
||||
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
|
||||
return NS_ERROR_CONTENT_BLOCKED;
|
||||
}
|
||||
}
|
||||
|
||||
if (cancelNonLocalSystemPrincipal) {
|
||||
MOZ_ASSERT(false, "SystemPrincipal must not load remote documents.");
|
||||
aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
|
||||
|
|
|
|||
|
|
@ -10872,6 +10872,20 @@
|
|||
value: false
|
||||
mirror: always
|
||||
|
||||
# Cancel outgoing requests from SystemPrincipal:
|
||||
# but only with scheme http(s) and contentpolicytype document
|
||||
- name: security.disallow_privileged_https_documents_loads
|
||||
type: bool
|
||||
value: true
|
||||
mirror: always
|
||||
|
||||
# Cancel outgoing requests from SystemPrincipal:
|
||||
# but only with scheme data and contentpolicytype document
|
||||
- name: security.disallow_privileged_data_documents_loads
|
||||
type: bool
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# Disable preloaded static key pins by default.
|
||||
- name: security.cert_pinning.enforcement_level
|
||||
type: ReleaseAcquireAtomicUint32
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче