gecko/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm

147 lines
5.4 KiB
JavaScript

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];
const Ci = Components.interfaces;
const Cu = Components.utils;
const Cc = Components.classes;
Cu.import("resource://gre/modules/Services.jsm");
Cu.import("resource://gre/modules/XPCOMUtils.jsm");
XPCOMUtils.defineLazyModuleGetter(this, "devtools",
"resource://gre/modules/devtools/Loader.jsm");
Object.defineProperty(this, "WebConsoleUtils", {
get: function() {
return devtools.require("devtools/toolkit/webconsole/utils").Utils;
},
configurable: true,
enumerable: true
});
const STRINGS_URI = "chrome://global/locale/security/security.properties";
let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
this.InsecurePasswordUtils = {
_sendWebConsoleMessage : function (messageTag, domDoc) {
/*
* All web console messages are warnings for now so I decided to set the
* flag here and save a bit of the flag creation in the callers.
* It's easy to expose this later if needed
*/
let windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
let category = "Insecure Password Field";
let flag = Ci.nsIScriptError.warningFlag;
let message = l10n.getStr(messageTag);
let consoleMsg = Cc["@mozilla.org/scripterror;1"]
.createInstance(Ci.nsIScriptError);
consoleMsg.initWithWindowID(
message, "", 0, 0, 0, flag, category, windowId);
Services.console.logMessage(consoleMsg);
},
/*
* Checks whether the passed uri is secure
* Check Protocol Flags to determine if scheme is secure:
* URI_DOES_NOT_RETURN_DATA - e.g.
* "mailto"
* URI_IS_LOCAL_RESOURCE - e.g.
* "data",
* "resource",
* "moz-icon"
* URI_INHERITS_SECURITY_CONTEXT - e.g.
* "javascript"
* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
* "https",
* "moz-safe-about"
*
* The use of this logic comes directly from nsMixedContentBlocker.cpp
* At the time it was decided to include these protocols since a secure
* uri for mixed content blocker means that the resource can't be
* easily tampered with because 1) it is sent over an encrypted channel or
* 2) it is a local resource that never hits the network
* or 3) it is a request sent without any response that could alter
* the behavior of the page. It was decided to include the same logic
* here both to be consistent with MCB and to make sure we cover all
* "safe" protocols. Eventually, the code here and the code in MCB
* will be moved to a common location that will be referenced from
* both places. Look at
* https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
*/
_checkIfURIisSecure : function(uri) {
let isSafe = false;
let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
let ph = Ci.nsIProtocolHandler;
if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) ||
netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) ||
netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) ||
netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) {
isSafe = true;
}
return isSafe;
},
/*
* Checks whether the passed nested document is insecure
* or is inside an insecure parent document.
*
* We check the chain of frame ancestors all the way until the top document
* because MITM attackers could replace https:// iframes if they are nested inside
* http:// documents with their own content, thus creating a security risk
* and potentially stealing user data. Under such scenario, a user might not
* get a Mixed Content Blocker message, if the main document is served over HTTP
* and framing an HTTPS page as it would under the reverse scenario (http
* inside https).
*/
_checkForInsecureNestedDocuments : function(domDoc) {
let uri = domDoc.documentURIObject;
if (domDoc.defaultView == domDoc.defaultView.parent) {
// We are at the top, nothing to check here
return false;
}
if (!this._checkIfURIisSecure(uri)) {
// We are insecure
return true;
}
// I am secure, but check my parent
return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document);
},
/*
* Checks if there are insecure password fields present on the form's document
* i.e. passwords inside forms with http action, inside iframes with http src,
* or on insecure web pages. If insecure password fields are present,
* a log message is sent to the web console to warn developers.
*/
checkForInsecurePasswords : function (aForm) {
var domDoc = aForm.ownerDocument;
let pageURI = domDoc.defaultView.top.document.documentURIObject;
let isSafePage = this._checkIfURIisSecure(pageURI);
if (!isSafePage) {
this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
}
// Check if we are on an iframe with insecure src, or inside another
// insecure iframe or document.
if (this._checkForInsecureNestedDocuments(domDoc)) {
this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
}
if (aForm.action.match(/^http:\/\//)) {
this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
}
},
};