gecko/content/base/src/nsDataDocumentContentPolicy.cpp

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Content policy implementation that prevents all loads of images,
 * subframes, etc from documents loaded as data (eg documents loaded
 * via XMLHttpRequest).
 */

#include "nsDataDocumentContentPolicy.h"
#include "nsNetUtil.h"
#include "nsScriptSecurityManager.h"
#include "nsIDocument.h"
#include "nsINode.h"
#include "nsIDOMWindow.h"
#include "nsIDOMDocument.h"

NS_IMPL_ISUPPORTS1(nsDataDocumentContentPolicy, nsIContentPolicy)

// Helper method for ShouldLoad()
// Checks a URI for the given flags.  Returns true if the URI has the flags,
// and false if not (or if we weren't able to tell).
static bool
HasFlags(nsIURI* aURI, PRUint32 aURIFlags)
{
  bool hasFlags;
  nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);
  return NS_SUCCEEDED(rv) && hasFlags;
}

NS_IMETHODIMP
nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
                                        nsIURI *aContentLocation,
                                        nsIURI *aRequestingLocation,
                                        nsISupports *aRequestingContext,
                                        const nsACString &aMimeGuess,
                                        nsISupports *aExtra,
                                        nsIPrincipal *aRequestPrincipal,
                                        PRInt16 *aDecision)
{
  *aDecision = nsIContentPolicy::ACCEPT;
  // Look for the document.  In most cases, aRequestingContext is a node.
  nsCOMPtr<nsIDocument> doc;
  nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
  if (node) {
    doc = node->OwnerDoc();
  } else {
    nsCOMPtr<nsIDOMWindow> window = do_QueryInterface(aRequestingContext);
    if (window) {
      nsCOMPtr<nsIDOMDocument> domDoc;
      window->GetDocument(getter_AddRefs(domDoc));
      doc = do_QueryInterface(domDoc);
    }
  }

  // DTDs are always OK to load
  if (!doc || aContentType == nsIContentPolicy::TYPE_DTD) {
    return NS_OK;
  }

  // Nothing else is OK to load for data documents
  if (doc->IsLoadedAsData()) {
    *aDecision = nsIContentPolicy::REJECT_TYPE;
    return NS_OK;
  }

  if (doc->IsBeingUsedAsImage()) {
    // We only allow SVG images to load content from URIs that are local and
    // also satisfy one of the following conditions:
    //  - URI inherits security context, e.g. data URIs
    //   OR
    //  - URI loadable by subsumers, e.g. blob URIs
    // Any URI that doesn't meet these requirements will be rejected below.
    if (!HasFlags(aContentLocation,
                  nsIProtocolHandler::URI_IS_LOCAL_RESOURCE) ||
        (!HasFlags(aContentLocation,
                   nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT) &&
         !HasFlags(aContentLocation,
                   nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS))) {
      *aDecision = nsIContentPolicy::REJECT_TYPE;

      // Report error, if we can.
      if (node) {
        nsIPrincipal* requestingPrincipal = node->NodePrincipal();
        nsRefPtr<nsIURI> principalURI;
        nsresult rv =
          requestingPrincipal->GetURI(getter_AddRefs(principalURI));
        if (NS_SUCCEEDED(rv) && principalURI) {
          nsScriptSecurityManager::ReportError(
            nullptr, NS_LITERAL_STRING("CheckSameOriginError"), principalURI,
            aContentLocation);
        }
      }
    } else if (aContentType == nsIContentPolicy::TYPE_IMAGE &&
               doc->GetDocumentURI()) {
      // Check for (& disallow) recursive image-loads
      bool isRecursiveLoad;
      nsresult rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
                                                      &isRecursiveLoad);
      if (NS_FAILED(rv) || isRecursiveLoad) {
        NS_WARNING("Refusing to recursively load image");
        *aDecision = nsIContentPolicy::REJECT_TYPE;
      }
    }
    return NS_OK;
  }

  // Allow all loads for non-resource documents
  if (!doc->IsResourceDoc()) {
    return NS_OK;
  }

  // For resource documents, blacklist some load types
  if (aContentType == nsIContentPolicy::TYPE_OBJECT ||
      aContentType == nsIContentPolicy::TYPE_DOCUMENT ||
      aContentType == nsIContentPolicy::TYPE_SUBDOCUMENT ||
      aContentType == nsIContentPolicy::TYPE_SCRIPT) {
    *aDecision = nsIContentPolicy::REJECT_TYPE;
  }

  return NS_OK;
}

NS_IMETHODIMP
nsDataDocumentContentPolicy::ShouldProcess(PRUint32 aContentType,
                                           nsIURI *aContentLocation,
                                           nsIURI *aRequestingLocation,
                                           nsISupports *aRequestingContext,
                                           const nsACString &aMimeGuess,
                                           nsISupports *aExtra,
                                           nsIPrincipal *aRequestPrincipal,
                                           PRInt16 *aDecision)
{
  return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
                    aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
                    aDecision);
}
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`/* -- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -- */`
Bug 716478 - update licence to MPL 2. 2012-05-21 04:12:37 -07:00			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00
			`/*`
			`* Content policy implementation that prevents all loads of images,`
			`* subframes, etc from documents loaded as data (eg documents loaded`
			`* via XMLHttpRequest).`
			`*/`

			`#include "nsDataDocumentContentPolicy.h"`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`#include "nsNetUtil.h"`
			`#include "nsScriptSecurityManager.h"`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`#include "nsIDocument.h"`
			`#include "nsINode.h"`
			`#include "nsIDOMWindow.h"`
			`#include "nsIDOMDocument.h"`

			`NS_IMPL_ISUPPORTS1(nsDataDocumentContentPolicy, nsIContentPolicy)`

Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`// Helper method for ShouldLoad()`
			`// Checks a URI for the given flags. Returns true if the URI has the flags,`
			`// and false if not (or if we weren't able to tell).`
			`static bool`
			`HasFlags(nsIURI* aURI, PRUint32 aURIFlags)`
			`{`
			`bool hasFlags;`
			`nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags);`
			`return NS_SUCCEEDED(rv) && hasFlags;`
			`}`

Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`NS_IMETHODIMP`
			`nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,`
			`nsIURI *aContentLocation,`
			`nsIURI *aRequestingLocation,`
			`nsISupports *aRequestingContext,`
			`const nsACString &aMimeGuess,`
			`nsISupports *aExtra,`
Bug 767134 - Stuff the source principal into nsIContentPolicy (r=bz, sr=jst) 2012-07-02 16:16:11 -07:00			`nsIPrincipal *aRequestPrincipal,`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`PRInt16 *aDecision)`
			`{`
			`*aDecision = nsIContentPolicy::ACCEPT;`
			`// Look for the document. In most cases, aRequestingContext is a node.`
			`nsCOMPtr<nsIDocument> doc;`
			`nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);`
			`if (node) {`
Bug 682420 - Rename nsINode::GetOwnerDoc to nsINode::OwnerDoc, part 1, r=jst --HG-- extra : rebase_source : baf1a25cdea68d499a7673fdf96e27b5a12dc83c 2011-10-18 03:53:36 -07:00			`doc = node->OwnerDoc();`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`} else {`
			`nsCOMPtr<nsIDOMWindow> window = do_QueryInterface(aRequestingContext);`
			`if (window) {`
			`nsCOMPtr<nsIDOMDocument> domDoc;`
			`window->GetDocument(getter_AddRefs(domDoc));`
			`doc = do_QueryInterface(domDoc);`
			`}`
			`}`
Backed out changeset 4e7a2d27d636: relanding Bug 433616 part 2. Implement loading of external resource documents. r=jst, sr=roc 2008-10-04 13:00:09 -07:00
			`// DTDs are always OK to load`
			`if (!doc \|\| aContentType == nsIContentPolicy::TYPE_DTD) {`
			`return NS_OK;`
			`}`

Bug 628747: Back out 0435ed183c2d (first version of this bug's patch). a=backout 2011-01-28 07:52:16 -08:00			`// Nothing else is OK to load for data documents`
			`if (doc->IsLoadedAsData()) {`
Backed out changeset 4e7a2d27d636: relanding Bug 433616 part 2. Implement loading of external resource documents. r=jst, sr=roc 2008-10-04 13:00:09 -07:00			`*aDecision = nsIContentPolicy::REJECT_TYPE;`
			`return NS_OK;`
			`}`

Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`if (doc->IsBeingUsedAsImage()) {`
Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`// We only allow SVG images to load content from URIs that are local and`
			`// also satisfy one of the following conditions:`
			`// - URI inherits security context, e.g. data URIs`
			`// OR`
Bug 716570 - Rename blob URI scheme from "moz-filedata" to "blob" per spec. r=sicking --HG-- rename : content/base/src/nsFileDataProtocolHandler.cpp => content/base/src/nsBlobProtocolHandler.cpp rename : content/base/src/nsFileDataProtocolHandler.h => content/base/src/nsBlobProtocolHandler.h 2012-01-12 02:36:03 -08:00			`// - URI loadable by subsumers, e.g. blob URIs`
Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`// Any URI that doesn't meet these requirements will be rejected below.`
			`if (!HasFlags(aContentLocation,`
			`nsIProtocolHandler::URI_IS_LOCAL_RESOURCE) \|\|`
			`(!HasFlags(aContentLocation,`
			`nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT) &&`
			`!HasFlags(aContentLocation,`
			`nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS))) {`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`*aDecision = nsIContentPolicy::REJECT_TYPE;`

Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`// Report error, if we can.`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`if (node) {`
			`nsIPrincipal* requestingPrincipal = node->NodePrincipal();`
			`nsRefPtr<nsIURI> principalURI;`
Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`nsresult rv =`
			`requestingPrincipal->GetURI(getter_AddRefs(principalURI));`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`if (NS_SUCCEEDED(rv) && principalURI) {`
			`nsScriptSecurityManager::ReportError(`
Bug 777292 part 2 - Change all nsnull to nullptr 2012-07-30 07:20:58 -07:00			`nullptr, NS_LITERAL_STRING("CheckSameOriginError"), principalURI,`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`aContentLocation);`
			`}`
			`}`
Bug 665209: Disable recursive image loads in content(). r=bz 2011-06-22 22:21:47 -07:00			`} else if (aContentType == nsIContentPolicy::TYPE_IMAGE &&`
			`doc->GetDocumentURI()) {`
			`// Check for (& disallow) recursive image-loads`
Bug 675553 - Switch from PRBool to bool on a CLOSED TREE , r=bsmedberg,khuey,bz,cjones --HG-- rename : tools/trace-malloc/bloatblame.c => tools/trace-malloc/bloatblame.cpp 2011-09-28 23:19:26 -07:00			`bool isRecursiveLoad;`
Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz 2011-11-07 13:45:42 -08:00			`nsresult rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),`
			`&isRecursiveLoad);`
Bug 665209: Disable recursive image loads in content(). r=bz 2011-06-22 22:21:47 -07:00			`if (NS_FAILED(rv) \|\| isRecursiveLoad) {`
			`NS_WARNING("Refusing to recursively load image");`
			`*aDecision = nsIContentPolicy::REJECT_TYPE;`
			`}`
Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc 2011-01-28 07:59:15 -08:00			`}`
			`return NS_OK;`
			`}`

Bug 700895 patch 3: Apply nsDataDocumentContentPolicy::ShouldLoad()'s external-resource-doc restrictions to image documents, too. r=roc 2011-11-13 14:21:41 -08:00			`// Allow all loads for non-resource documents`
			`if (!doc->IsResourceDoc()) {`
Backed out changeset 4e7a2d27d636: relanding Bug 433616 part 2. Implement loading of external resource documents. r=jst, sr=roc 2008-10-04 13:00:09 -07:00			`return NS_OK;`
			`}`

Bug 700895 patch 3: Apply nsDataDocumentContentPolicy::ShouldLoad()'s external-resource-doc restrictions to image documents, too. r=roc 2011-11-13 14:21:41 -08:00			`// For resource documents, blacklist some load types`
Backed out changeset 4e7a2d27d636: relanding Bug 433616 part 2. Implement loading of external resource documents. r=jst, sr=roc 2008-10-04 13:00:09 -07:00			`if (aContentType == nsIContentPolicy::TYPE_OBJECT \|\|`
			`aContentType == nsIContentPolicy::TYPE_DOCUMENT \|\|`
			`aContentType == nsIContentPolicy::TYPE_SUBDOCUMENT \|\|`
			`aContentType == nsIContentPolicy::TYPE_SCRIPT) {`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`*aDecision = nsIContentPolicy::REJECT_TYPE;`
			`}`

			`return NS_OK;`
			`}`

			`NS_IMETHODIMP`
			`nsDataDocumentContentPolicy::ShouldProcess(PRUint32 aContentType,`
			`nsIURI *aContentLocation,`
			`nsIURI *aRequestingLocation,`
			`nsISupports *aRequestingContext,`
			`const nsACString &aMimeGuess,`
			`nsISupports *aExtra,`
Bug 767134 - Stuff the source principal into nsIContentPolicy (r=bz, sr=jst) 2012-07-02 16:16:11 -07:00			`nsIPrincipal *aRequestPrincipal,`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`PRInt16 *aDecision)`
			`{`
			`return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,`
Bug 767134 - Stuff the source principal into nsIContentPolicy (r=bz, sr=jst) 2012-07-02 16:16:11 -07:00			`aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,`
			`aDecision);`
Free the (distributed) Lizard! Automatic merge from CVS: Module mozilla: tag HG_REPO_INITIAL_IMPORT at 22 Mar 2007 10:30 PDT, 2007-03-22 10:30:00 -07:00			`}`