Bug 1143922 - Make nsContentSecurityManager scriptable (r=sicking)

dom/interfaces/security/moz.build

@@ -5,6 +5,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 XPIDL_SOURCES += [
+    'nsIContentSecurityManager.idl',
     'nsIContentSecurityPolicy.idl'
 ]
 

dom/interfaces/security/nsIContentSecurityManager.idl

@@ -0,0 +1,43 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIChannel;
+interface nsIStreamListener;
+
+/**
+ * nsIContentSecurityManager
+ * Describes an XPCOM component used to perform security checks
+ * right before opnening a channel.
+ */
+
+[scriptable, uuid(70eaa956-1077-41f6-bef8-d722cea31245)]
+interface nsIContentSecurityManager : nsISupports
+{
+  /**
+   * Checks whether a channel is allowed to access the given URI and
+   * whether the channel should be openend or should be blocked consulting
+   * internal security checks like Same Origin Policy, Content Security
+   * Policy, Mixed Content Blocker, etc.
+   *
+   * If security checks within performSecurityCheck fail, the function
+   * throws an exception.
+   *
+   * @param aChannel
+   *     The channel about to be openend
+   * @param aStreamListener
+   *     The Streamlistener of the channel potentially wrapped
+   *     into CORSListenerProxy.
+   * @return
+   *     The StreamListener of the channel wrapped into CORSListenerProxy.
+   *
+   * @throws NS_ERROR_DOM_BAD_URI
+   *     If accessing the URI is not allowed (e.g. prohibted by SOP)
+   * @throws NS_ERROR_CONTENT_BLOCKED
+   *     If any of the security policies (CSP, Mixed content) is violated
+   */
+   nsIStreamListener performSecurityCheck(in nsIChannel aChannel,
+                                          in nsIStreamListener aStreamListener);
+};

dom/security/nsContentSecurityManager.cpp

@@ -8,6 +8,8 @@
 
 #include "mozilla/dom/Element.h"
 
+NS_IMPL_ISUPPORTS(nsContentSecurityManager, nsIContentSecurityManager)
+
 nsresult
 ValidateSecurityFlags(nsILoadInfo* aLoadInfo)
 {
@@ -345,3 +347,19 @@ nsContentSecurityManager::doContentSecurityCheck(nsIChannel* aChannel,
   // all security checks passed - lets allow the load
   return NS_OK;
 }
+
+
+// ==== nsIContentSecurityManager implementation =====
+
+NS_IMETHODIMP
+nsContentSecurityManager::PerformSecurityCheck(nsIChannel* aChannel,
+                                               nsIStreamListener* aStreamListener,
+                                               nsIStreamListener** outStreamListener)
+{
+  nsCOMPtr<nsIStreamListener> inAndOutListener = aStreamListener;
+  nsresult rv = doContentSecurityCheck(aChannel, inAndOutListener);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  inAndOutListener.forget(outStreamListener);
+  return NS_OK;
+}

dom/security/nsContentSecurityManager.h

@@ -7,18 +7,31 @@
 #ifndef nsContentSecurityManager_h___
 #define nsContentSecurityManager_h___
 
+#include "nsIContentSecurityManager.h"
 #include "nsIChannel.h"
+
 class nsIStreamListener;
 
-class nsContentSecurityManager
-{
-private:
-  nsContentSecurityManager() {}
-  virtual ~nsContentSecurityManager() {}
+#define NS_CONTENTSECURITYMANAGER_CONTRACTID "@mozilla.org/contentsecuritymanager;1"
+// cdcc1ab8-3cea-4e6c-a294-a651fa35227f
+#define NS_CONTENTSECURITYMANAGER_CID \
+{ 0xcdcc1ab8, 0x3cea, 0x4e6c, \
+  { 0xa2, 0x94, 0xa6, 0x51, 0xfa, 0x35, 0x22, 0x7f } }
 
+class nsContentSecurityManager : public nsIContentSecurityManager
+{
 public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSICONTENTSECURITYMANAGER
+
+  nsContentSecurityManager() {}
+
   static nsresult doContentSecurityCheck(nsIChannel* aChannel,
                                          nsCOMPtr<nsIStreamListener>& aInAndOutListener);
+
+private:
+  virtual ~nsContentSecurityManager() {}
+
 };
 
 #endif /* nsContentSecurityManager_h___ */

layout/build/nsLayoutModule.cpp

@@ -217,6 +217,7 @@ static void Shutdown();
 #ifdef MOZ_GAMEPAD
 #include "mozilla/dom/GamepadServiceTest.h"
 #endif
+#include "mozilla/dom/nsContentSecurityManager.h"
 #include "mozilla/dom/nsCSPService.h"
 #include "mozilla/dom/nsCSPContext.h"
 #include "nsICellBroadcastService.h"
@@ -652,6 +653,7 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(FakeSpeechRecognitionService)
 NS_GENERIC_FACTORY_CONSTRUCTOR(PocketSphinxSpeechRecognitionService)
 #endif
 
+NS_GENERIC_FACTORY_CONSTRUCTOR(nsContentSecurityManager)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsCSPContext)
 NS_GENERIC_FACTORY_CONSTRUCTOR(CSPService)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsMixedContentBlocker)
@@ -797,6 +799,7 @@ NS_DEFINE_NAMED_CID(NS_GEOLOCATION_CID);
 NS_DEFINE_NAMED_CID(NS_AUDIOCHANNEL_SERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_DATASTORE_SERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_FOCUSMANAGER_CID);
+NS_DEFINE_NAMED_CID(NS_CONTENTSECURITYMANAGER_CID);
 NS_DEFINE_NAMED_CID(CSPSERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_CSPCONTEXT_CID);
 NS_DEFINE_NAMED_CID(NS_MIXEDCONTENTBLOCKER_CID);
@@ -1115,6 +1118,7 @@ static const mozilla::Module::CIDEntry kLayoutCIDs[] = {
 #ifdef MOZ_WEBSPEECH
   { &kNS_SYNTHVOICEREGISTRY_CID, true, nullptr, nsSynthVoiceRegistryConstructor },
 #endif
+  { &kNS_CONTENTSECURITYMANAGER_CID, false, nullptr, nsContentSecurityManagerConstructor },
   { &kCSPSERVICE_CID, false, nullptr, CSPServiceConstructor },
   { &kNS_CSPCONTEXT_CID, false, nullptr, nsCSPContextConstructor },
   { &kNS_MIXEDCONTENTBLOCKER_CID, false, nullptr, nsMixedContentBlockerConstructor },
@@ -1284,6 +1288,7 @@ static const mozilla::Module::ContractIDEntry kLayoutContracts[] = {
 #ifdef MOZ_WEBSPEECH
   { NS_SYNTHVOICEREGISTRY_CONTRACTID, &kNS_SYNTHVOICEREGISTRY_CID },
 #endif
+  { NS_CONTENTSECURITYMANAGER_CONTRACTID, &kNS_CONTENTSECURITYMANAGER_CID },
   { CSPSERVICE_CONTRACTID, &kCSPSERVICE_CID },
   { NS_CSPCONTEXT_CONTRACTID, &kNS_CSPCONTEXT_CID },
   { NS_MIXEDCONTENTBLOCKER_CONTRACTID, &kNS_MIXEDCONTENTBLOCKER_CID },