From 03cd461c063e26941509dc404ae3d570678f5210 Mon Sep 17 00:00:00 2001
From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Date: Sun, 19 Jul 2015 19:11:57 -0700
Subject: [PATCH] Bug 1143922 - Add AsyncOpen2 to nsIChannel and perform
 security checks when opening a channel - loadinfo changes
 (r=sicking,tanvi,sworkman)

---
 ipc/glue/BackgroundUtils.cpp         |   4 +
 netwerk/base/LoadInfo.cpp            |  71 ++++++++++++++
 netwerk/base/LoadInfo.h              |  24 +++--
 netwerk/base/nsILoadInfo.idl         | 136 ++++++++++++++++++++++++++-
 netwerk/ipc/NeckoChannelParams.ipdlh |   2 +
 5 files changed, 224 insertions(+), 13 deletions(-)

diff --git a/ipc/glue/BackgroundUtils.cpp b/ipc/glue/BackgroundUtils.cpp
index 0d0ba2f8c7a..1db7fee623d 100644
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -261,6 +261,8 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
       aLoadInfo->GetInnerWindowID(),
       aLoadInfo->GetOuterWindowID(),
       aLoadInfo->GetParentOuterWindowID(),
+      aLoadInfo->GetEnforceSecurity(),
+      aLoadInfo->GetInitialSecurityCheckDone(),
       redirectChain);
 
   return NS_OK;
@@ -303,6 +305,8 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
                           loadInfoArgs.innerWindowID(),
                           loadInfoArgs.outerWindowID(),
                           loadInfoArgs.parentOuterWindowID(),
+                          loadInfoArgs.enforceSecurity(),
+                          loadInfoArgs.initialSecurityCheckDone(),
                           redirectChain);
 
    loadInfo.forget(outLoadInfo);
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
index 6b2f47acdfa..c4465a07fd9 100644
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -37,6 +37,8 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mInnerWindowID(0)
   , mOuterWindowID(0)
   , mParentOuterWindowID(0)
+  , mEnforceSecurity(false)
+  , mInitialSecurityCheckDone(false)
 {
   MOZ_ASSERT(mLoadingPrincipal);
   MOZ_ASSERT(mTriggeringPrincipal);
@@ -91,6 +93,8 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
                    uint64_t aInnerWindowID,
                    uint64_t aOuterWindowID,
                    uint64_t aParentOuterWindowID,
+                   bool aEnforceSecurity,
+                   bool aInitialSecurityCheckDone,
                    nsTArray<nsCOMPtr<nsIPrincipal>>& aRedirectChain)
   : mLoadingPrincipal(aLoadingPrincipal)
   , mTriggeringPrincipal(aTriggeringPrincipal)
@@ -100,6 +104,8 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mInnerWindowID(aInnerWindowID)
   , mOuterWindowID(aOuterWindowID)
   , mParentOuterWindowID(aParentOuterWindowID)
+  , mEnforceSecurity(aEnforceSecurity)
+  , mInitialSecurityCheckDone(aInitialSecurityCheckDone)
 {
   MOZ_ASSERT(mLoadingPrincipal);
   MOZ_ASSERT(mTriggeringPrincipal);
@@ -164,6 +170,26 @@ LoadInfo::GetSecurityFlags(nsSecurityFlags* aResult)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+LoadInfo::GetSecurityMode(uint32_t *aFlags)
+{
+  *aFlags = (mSecurityFlags &
+              (nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS |
+               nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED |
+               nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS |
+               nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL |
+               nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS));
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetRequireCorsWithCredentials(bool* aResult)
+{
+  *aResult =
+    (mSecurityFlags & nsILoadInfo::SEC_REQUIRE_CORS_WITH_CREDENTIALS);
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetForceInheritPrincipal(bool* aInheritPrincipal)
 {
@@ -179,6 +205,14 @@ LoadInfo::GetLoadingSandboxed(bool* aLoadingSandboxed)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+LoadInfo::GetAboutBlankInherits(bool* aResult)
+{
+  *aResult =
+    (mSecurityFlags & nsILoadInfo::SEC_ABOUT_BLANK_INHERITS);
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetContentPolicyType(nsContentPolicyType* aResult)
 {
@@ -234,6 +268,43 @@ LoadInfo::GetParentOuterWindowID(uint64_t* aResult)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+LoadInfo::SetEnforceSecurity(bool aEnforceSecurity)
+{
+  // Indicates whether the channel was openend using AsyncOpen2. Once set
+  // to true, it must remain true throughout the lifetime of the channel.
+  // Setting it to anything else than true will be discarded.
+  MOZ_ASSERT(aEnforceSecurity, "aEnforceSecurity must be true");
+  mEnforceSecurity = mEnforceSecurity || aEnforceSecurity;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetEnforceSecurity(bool* aResult)
+{
+  *aResult = mEnforceSecurity;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::SetInitialSecurityCheckDone(bool aInitialSecurityCheckDone)
+{
+  // Indicates whether the channel was ever evaluated by the
+  // ContentSecurityManager. Once set to true, this flag must
+  // remain true throughout the lifetime of the channel.
+  // Setting it to anything else than true will be discarded.
+  MOZ_ASSERT(aInitialSecurityCheckDone, "aInitialSecurityCheckDone must be true");
+  mInitialSecurityCheckDone = mInitialSecurityCheckDone || aInitialSecurityCheckDone;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetInitialSecurityCheckDone(bool* aResult)
+{
+  *aResult = mInitialSecurityCheckDone;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 LoadInfo::AppendRedirectedPrincipal(nsIPrincipal* aPrincipal)
 {
diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h
index f4d05eab654..23f096245f7 100644
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@@ -64,6 +64,8 @@ private:
            uint64_t aInnerWindowID,
            uint64_t aOuterWindowID,
            uint64_t aParentOuterWindowID,
+           bool aEnforceSecurity,
+           bool aInitialSecurityCheckDone,
            nsTArray<nsCOMPtr<nsIPrincipal>>& aRedirectChain);
 
   friend nsresult
@@ -73,16 +75,18 @@ private:
 
   ~LoadInfo();
 
-  nsCOMPtr<nsIPrincipal> mLoadingPrincipal;
-  nsCOMPtr<nsIPrincipal> mTriggeringPrincipal;
-  nsWeakPtr              mLoadingContext;
-  nsSecurityFlags        mSecurityFlags;
-  nsContentPolicyType    mContentPolicyType;
-  nsCOMPtr<nsIURI>       mBaseURI;
-  bool                   mUpgradeInsecureRequests;
-  uint64_t               mInnerWindowID;
-  uint64_t               mOuterWindowID;
-  uint64_t               mParentOuterWindowID;
+  nsCOMPtr<nsIPrincipal>           mLoadingPrincipal;
+  nsCOMPtr<nsIPrincipal>           mTriggeringPrincipal;
+  nsWeakPtr                        mLoadingContext;
+  nsSecurityFlags                  mSecurityFlags;
+  nsContentPolicyType              mContentPolicyType;
+  nsCOMPtr<nsIURI>                 mBaseURI;
+  bool                             mUpgradeInsecureRequests;
+  uint64_t                         mInnerWindowID;
+  uint64_t                         mOuterWindowID;
+  uint64_t                         mParentOuterWindowID;
+  bool                             mEnforceSecurity;
+  bool                             mInitialSecurityCheckDone;
   nsTArray<nsCOMPtr<nsIPrincipal>> mRedirectChain;
 };
 
diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl
index 8e59bcb2983..66efc5a85b0 100644
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -23,7 +23,7 @@ typedef unsigned long nsSecurityFlags;
 /**
  * An nsILoadOwner represents per-load information about who started the load.
  */
-[scriptable, builtinclass, uuid(5c724690-7ba9-49c4-af9c-c9c4f6776871)]
+[scriptable, builtinclass, uuid(cc51498e-f8f8-469d-85ba-6dcba17027e4)]
 interface nsILoadInfo : nsISupports
 {
   /**
@@ -31,6 +31,64 @@ interface nsILoadInfo : nsISupports
    */
   const unsigned long SEC_NORMAL = 0;
 
+  /**
+   * The following five flags determine the security mode and hence what kind of
+   * security checks should be performed throughout the lifetime of the channel.
+   *
+   *    * SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS
+   *    * SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED
+   *    * SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS
+   *    * SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL
+   *    * SEC_REQUIRE_CORS_DATA_INHERITS
+   *
+   * Exactly one of these flags are required to be set in order to allow
+   * the channel to perform the correct security checks (SOP, CORS, ...) and
+   * return the correct result principal. If none or more than one of these
+   * flags are set AsyncOpen2 will fail.
+   */
+
+  /*
+   * Enforce the same origin policy where data: loads inherit
+   * the principal.
+   */
+  const unsigned long SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS = (1<<0);
+
+  /*
+   * Enforce the same origin policy but data: loads are blocked.
+   */
+  const unsigned long SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED = (1<<1);
+
+  /**
+   * Allow loads from other origins. Loads from data: will inherit
+   * the principal of the origin that triggered the load.
+   * Commonly used by plain <img>, <video>, <link rel=stylesheet> etc.
+   */
+   const unsigned long SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS = (1<<2);
+
+  /**
+   * Allow loads from other origins. Loads from data: will be allowed,
+   * but the resulting resource will get a null principal.
+   * Used in blink/webkit for <iframe>s. Likely also the mode
+   * that should be used by most Chrome code.
+   */
+  const unsigned long SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL = (1<<3);
+
+  /**
+   * Allow loads from any origin, but require CORS for cross-origin
+   * loads. Loads from data: are allowed and the result will inherit
+   * the principal of the origin that triggered the load.
+   * Commonly used by <img crossorigin>, <video crossorigin>,
+   * XHR, fetch(), etc.
+   */
+  const unsigned long SEC_REQUIRE_CORS_DATA_INHERITS = (1<<4);
+
+  /**
+   * Use this flag in addition to SEC_REQUIRE_CORS_DATA_INHERITS
+   * to make cross-origin CORS loads happen with credentials
+   * (such as cookies and client side certs).
+   */
+  const unsigned long SEC_REQUIRE_CORS_WITH_CREDENTIALS = (1<<5);
+
   /**
    * Force inheriting of the Principal. The resulting resource will use the
    * principal of the document which is doing the load. Setting this flag
@@ -46,7 +104,7 @@ interface nsILoadInfo : nsISupports
    *
    * This flag can not be used together with SEC_SANDBOXED.
    */
-  const unsigned long SEC_FORCE_INHERIT_PRINCIPAL = 0x01;
+  const unsigned long SEC_FORCE_INHERIT_PRINCIPAL = (1<<6);
 
   /**
    * Sandbox the load. The resulting resource will use a freshly created
@@ -58,7 +116,12 @@ interface nsILoadInfo : nsISupports
    *
    * This flag can not be used together with SEC_FORCE_INHERIT_PRINCIPAL.
    */
-  const unsigned long SEC_SANDBOXED = 0x02;
+  const unsigned long SEC_SANDBOXED = (1<<7);
+
+  /**
+   * Inherit the Principal for about:blank.
+   */
+  const unsigned long SEC_ABOUT_BLANK_INHERITS = (1<<8);
 
   /**
    * The loadingPrincipal is the principal that is responsible for the load.
@@ -143,6 +206,17 @@ interface nsILoadInfo : nsISupports
   }
 %}
 
+  /**
+   * Allows to query only the security mode bits from above.
+   */
+  [infallible] readonly attribute unsigned long securityMode;
+
+  /**
+   * Determines whether credentials are sent with CORS requests.
+   * Using this flag requires SEC_REQUIRE_CORS_DATA_INHERITS also to be set.
+   */
+  [infallible] readonly attribute boolean requireCorsWithCredentials;
+
   /**
    * If forceInheritPrincipal is true, the data coming from the channel should
    * use loadingPrincipal for its principal, even when the data is loaded over
@@ -158,6 +232,12 @@ interface nsILoadInfo : nsISupports
    */
   [infallible] readonly attribute boolean loadingSandboxed;
 
+  /**
+   * If aboutBlankInherits is true, then about:blank should inherit
+   * the principal.
+   */
+  [infallible] readonly attribute boolean aboutBlankInherits;
+
   /**
    * The external contentPolicyType of the channel, used for security checks
    * like Mixed Content Blocking and Content Security Policy.
@@ -266,6 +346,56 @@ interface nsILoadInfo : nsISupports
   }
 %}
 
+  /**
+   * Whenever a channel is openend by asyncOpen2() [or also open2()],
+   * lets set this flag so that redirects of such channels are also
+   * openend using asyncOpen2() [open2()].
+   *
+   * Please note, once the flag is set to true it must remain true
+   * throughout the lifetime of the channel. Trying to set it
+   * to anything else than true will be discareded.
+   *
+   */
+  attribute bool enforceSecurity;
+
+%{ C++
+  inline bool GetEnforceSecurity()
+  {
+    bool result;
+    mozilla::DebugOnly<nsresult> rv = GetEnforceSecurity(&result);
+    MOZ_ASSERT(NS_SUCCEEDED(rv));
+    return result;
+  }
+%}
+
+  /**
+   * Whenever a channel is evaluated by the ContentSecurityManager
+   * the first time, we set this flag to true to indicate that
+   * subsequent calls of AsyncOpen2() do not have to enforce all
+   * security checks again. E.g., after a redirect there is no
+   * need to set up CORS again. We need this separate flag
+   * because the redirectChain might also contain internal
+   * redirects which might pollute the redirectChain so we can't
+   * rely on the size of the redirectChain-array to query whether
+   * a channel got redirected or not.
+   *
+   * Please note, once the flag is set to true it must remain true
+   * throughout the lifetime of the channel. Trying to set it
+   * to anything else than true will be discareded.
+   *
+   */
+  attribute bool initialSecurityCheckDone;
+
+%{ C++
+  inline bool GetInitialSecurityCheckDone()
+  {
+    bool result;
+    mozilla::DebugOnly<nsresult> rv = GetInitialSecurityCheckDone(&result);
+    MOZ_ASSERT(NS_SUCCEEDED(rv));
+    return result;
+  }
+%}
+
   /**
    * Whenever a channel gets redirected, append the principal of the
    * channel [before the channels got redirected] to the loadinfo,
diff --git a/netwerk/ipc/NeckoChannelParams.ipdlh b/netwerk/ipc/NeckoChannelParams.ipdlh
index 3065d23ba09..9a550249d84 100644
--- a/netwerk/ipc/NeckoChannelParams.ipdlh
+++ b/netwerk/ipc/NeckoChannelParams.ipdlh
@@ -34,6 +34,8 @@ struct LoadInfoArgs
   uint64_t        innerWindowID;
   uint64_t        outerWindowID;
   uint64_t        parentOuterWindowID;
+  bool            enforceSecurity;
+  bool            initialSecurityCheckDone;
   PrincipalInfo[] redirectChain;
 };