toolkit/components/passwordmgr/InsecurePasswordUtils.jsm

Sat, 03 Jan 2015 20:18:00 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Sat, 03 Jan 2015 20:18:00 +0100
branch
TOR_BUG_3246
changeset 7
129ffea94266
permissions
-rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations about how to convince FindCookie users to test
the condition and pass a nullptr when disabling double key logic.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
// The only symbol this module exports.
this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];

// Short aliases for the XPCOM entry points used below.
const { interfaces: Ci, utils: Cu, classes: Cc } = Components;

Cu.import("resource://gre/modules/Services.jsm");
Cu.import("resource://gre/modules/XPCOMUtils.jsm");

XPCOMUtils.defineLazyModuleGetter(this, "devtools",
                                  "resource://gre/modules/devtools/Loader.jsm");

// WebConsoleUtils is exposed as a getter that asks the devtools loader for
// the web console utilities each time it is read.
Object.defineProperty(this, "WebConsoleUtils", {
  configurable: true,
  enumerable: true,
  get: function() {
    let consoleModule = devtools.require("devtools/toolkit/webconsole/utils");
    return consoleModule.Utils;
  }
});

// Localized warning texts come from the security string bundle.
// Note: the l10n helper is constructed at module load, so the
// WebConsoleUtils getter above is evaluated as soon as this file is imported.
const STRINGS_URI = "chrome://global/locale/security/security.properties";
let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
michael@0 27
this.InsecurePasswordUtils = {

  /*
   * Logs the localized string for messageTag to the web console of the
   * window that owns domDoc.
   *
   * The severity is fixed to warningFlag here instead of being a parameter,
   * because every caller in this object reports a warning. It can be exposed
   * later if a caller needs another level.
   *
   * This only writes a console entry; nothing on the page is blocked or
   * changed.
   */
  _sendWebConsoleMessage : function (messageTag, domDoc) {
    let innerWindowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
    let localizedText = l10n.getStr(messageTag);
    let scriptError = Cc["@mozilla.org/scripterror;1"]
                        .createInstance(Ci.nsIScriptError);

    // The source-location arguments are passed as "" / 0: the warning is
    // tied to the window through its inner window id, not to a script line.
    scriptError.initWithWindowID(
      localizedText, "", 0, 0, 0,
      Ci.nsIScriptError.warningFlag,
      "Insecure Password Field",
      innerWindowId);

    Services.console.logMessage(scriptError);
  },

  /*
   * Returns true when the passed uri counts as secure, false otherwise.
   *
   * A uri is treated as secure when its chain carries at least one of these
   * protocol flags:
   *   URI_IS_LOCAL_RESOURCE              - e.g. "data", "resource", "moz-icon"
   *   URI_DOES_NOT_RETURN_DATA           - e.g. "mailto"
   *   URI_INHERITS_SECURITY_CONTEXT      - e.g. "javascript"
   *   URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g. "https", "moz-safe-about"
   *
   * The flag list is taken directly from nsMixedContentBlocker.cpp. For the
   * mixed content blocker a uri is secure when the resource cannot easily be
   * tampered with, because 1) it travels over an encrypted channel, or
   * 2) it is a local resource that never hits the network, or 3) it is a
   * request without any response that could alter the behavior of the page.
   * The same logic is used here to stay consistent with MCB and to cover all
   * "safe" protocols. Eventually this code and the MCB code are meant to move
   * to a common location referenced from both places; see
   * https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
   */
  _checkIfURIisSecure : function(uri) {
    let netUtil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
    let handler = Ci.nsIProtocolHandler;
    let secureFlags = [
      handler.URI_IS_LOCAL_RESOURCE,
      handler.URI_DOES_NOT_RETURN_DATA,
      handler.URI_INHERITS_SECURITY_CONTEXT,
      handler.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT
    ];

    // some() stops at the first flag that matches, like the || chain it replaces.
    return secureFlags.some(flag => netUtil.URIChainHasFlags(uri, flag));
  },

  /*
   * Returns true when the passed nested document, or any framed ancestor
   * below the top document, is insecure. Returns false for a top-level
   * document.
   *
   * The whole chain of frame ancestors is walked because a MITM attacker
   * could replace https:// iframes with their own content when those frames
   * are nested inside http:// documents, creating a security risk and
   * potentially stealing user data. In that scenario the user might not get
   * a Mixed Content Blocker message, since the main document is served over
   * HTTP and frames an HTTPS page, unlike the reverse scenario (http inside
   * https).
   *
   * The walk stops on reaching the top document without testing its uri;
   * checkForInsecurePasswords tests the top document's uri separately.
   */
  _checkForInsecureNestedDocuments : function(domDoc) {
    let currentDoc = domDoc;
    for (;;) {
      let docURI = currentDoc.documentURIObject;
      let win = currentDoc.defaultView;

      if (win === win.parent) {
        // Reached the top window: nothing left to check.
        return false;
      }
      if (!this._checkIfURIisSecure(docURI)) {
        // This frame itself is insecure.
        return true;
      }
      // This frame is secure; continue with the document framing it.
      currentDoc = win.parent.document;
    }
  },


  /*
   * Warns developers, through the web console, about password fields in an
   * insecure context. Three independent checks are made for the form's
   * document, and each one that fires logs its own message:
   *   - the top-level page is not secure,
   *   - the form sits in an insecure iframe, or in a frame nested inside an
   *     insecure iframe or document,
   *   - the form action starts with "http://".
   *
   * The action check is a plain prefix match on "http://"; unlike the page
   * and frame checks it does not consult the protocol flags.
   */
  checkForInsecurePasswords : function (aForm) {
    let formDoc = aForm.ownerDocument;
    let topURI = formDoc.defaultView.top.document.documentURIObject;

    if (!this._checkIfURIisSecure(topURI)) {
      this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", formDoc);
    }

    // Are we in an iframe with an insecure src, or inside another insecure
    // iframe or document?
    let hasInsecureFrame = this._checkForInsecureNestedDocuments(formDoc);
    if (hasInsecureFrame) {
      this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", formDoc);
    }

    let submitsOverHttp = aForm.action.match(/^http:\/\//) !== null;
    if (submitsOverHttp) {
      this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", formDoc);
    }
  },
};
