caps/include/nsScriptSecurityManager.h@ac0c01689b40 (annotated)
caps/include/nsScriptSecurityManager.h
Thu, 15 Jan 2015 15:59:08 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 15 Jan 2015 15:59:08 +0100
- branch
- TOR_BUG_9701
- changeset 10
- ac0c01689b40
- permissions
- -rw-r--r--
Implement a real Private Browsing Mode condition by changing the API/ABI;
This solves Tor bug #9701, complying with disk avoidance documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| michael@0 | 2 | /* vim: set ts=4 et sw=4 tw=80: */ |
| michael@0 | 3 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | #ifndef nsScriptSecurityManager_h__ |
| michael@0 | 8 | #define nsScriptSecurityManager_h__ |
| michael@0 | 9 | |
| michael@0 | 10 | #include "nsIScriptSecurityManager.h" |
| michael@0 | 11 | #include "nsIPrincipal.h" |
| michael@0 | 12 | #include "nsIXPCSecurityManager.h" |
| michael@0 | 13 | #include "nsCOMPtr.h" |
| michael@0 | 14 | #include "nsIChannelEventSink.h" |
| michael@0 | 15 | #include "nsIObserver.h" |
| michael@0 | 16 | #include "plstr.h" |
| michael@0 | 17 | #include "nsIScriptExternalNameSet.h" |
| michael@0 | 18 | #include "js/TypeDecls.h" |
| michael@0 | 19 | |
| michael@0 | 20 | #include <stdint.h> |
| michael@0 | 21 | |
| michael@0 | 22 | class nsIDocShell; |
| michael@0 | 23 | class nsCString; |
| michael@0 | 24 | class nsIClassInfo; |
| michael@0 | 25 | class nsIIOService; |
| michael@0 | 26 | class nsIStringBundle; |
| michael@0 | 27 | class nsSystemPrincipal; |
| michael@0 | 28 | class ClassInfoData; |
| michael@0 | 29 | |
| michael@0 | 30 | ///////////////////////////// |
| michael@0 | 31 | // nsScriptSecurityManager // |
| michael@0 | 32 | ///////////////////////////// |
| michael@0 | 33 | #define NS_SCRIPTSECURITYMANAGER_CID \ |
| michael@0 | 34 | { 0x7ee2a4c0, 0x4b93, 0x17d3, \ |
| michael@0 | 35 | { 0xba, 0x18, 0x00, 0x60, 0xb0, 0xf1, 0x99, 0xa2 }} |
| michael@0 | 36 | |
| michael@0 | 37 | class nsScriptSecurityManager : public nsIScriptSecurityManager, |
| michael@0 | 38 | public nsIChannelEventSink, |
| michael@0 | 39 | public nsIObserver |
| michael@0 | 40 | { |
| michael@0 | 41 | public: |
| michael@0 | 42 | static void Shutdown(); |
| michael@0 | 43 | |
| michael@0 | 44 | NS_DEFINE_STATIC_CID_ACCESSOR(NS_SCRIPTSECURITYMANAGER_CID) |
| michael@0 | 45 | |
| michael@0 | 46 | NS_DECL_ISUPPORTS |
| michael@0 | 47 | NS_DECL_NSISCRIPTSECURITYMANAGER |
| michael@0 | 48 | NS_DECL_NSIXPCSECURITYMANAGER |
| michael@0 | 49 | NS_DECL_NSICHANNELEVENTSINK |
| michael@0 | 50 | NS_DECL_NSIOBSERVER |
| michael@0 | 51 | |
| michael@0 | 52 | static nsScriptSecurityManager* |
| michael@0 | 53 | GetScriptSecurityManager(); |
| michael@0 | 54 | |
| michael@0 | 55 | static nsSystemPrincipal* |
| michael@0 | 56 | SystemPrincipalSingletonConstructor(); |
| michael@0 | 57 | |
| michael@0 | 58 | JSContext* GetCurrentJSContext(); |
| michael@0 | 59 | |
| michael@0 | 60 | JSContext* GetSafeJSContext(); |
| michael@0 | 61 | |
| michael@0 | 62 | /** |
| michael@0 | 63 | * Utility method for comparing two URIs. For security purposes, two URIs |
| michael@0 | 64 | * are equivalent if their schemes, hosts, and ports (if any) match. This |
| michael@0 | 65 | * method returns true if aSubjectURI and aObjectURI have the same origin, |
| michael@0 | 66 | * false otherwise. |
| michael@0 | 67 | */ |
| michael@0 | 68 | static bool SecurityCompareURIs(nsIURI* aSourceURI, nsIURI* aTargetURI); |
| michael@0 | 69 | static uint32_t SecurityHashURI(nsIURI* aURI); |
| michael@0 | 70 | |
| michael@0 | 71 | static nsresult |
| michael@0 | 72 | ReportError(JSContext* cx, const nsAString& messageTag, |
| michael@0 | 73 | nsIURI* aSource, nsIURI* aTarget); |
| michael@0 | 74 | |
| michael@0 | 75 | static uint32_t |
| michael@0 | 76 | HashPrincipalByOrigin(nsIPrincipal* aPrincipal); |
| michael@0 | 77 | |
| michael@0 | 78 | static bool |
| michael@0 | 79 | GetStrictFileOriginPolicy() |
| michael@0 | 80 | { |
| michael@0 | 81 | return sStrictFileOriginPolicy; |
| michael@0 | 82 | } |
| michael@0 | 83 | |
| michael@0 | 84 | /** |
| michael@0 | 85 | * Returns true if the two principals share the same app attributes. |
| michael@0 | 86 | * |
| michael@0 | 87 | * App attributes are appId and the inBrowserElement flag. |
| michael@0 | 88 | * Two principals have the same app attributes if those information are |
| michael@0 | 89 | * equals. |
| michael@0 | 90 | * This method helps keeping principals from different apps isolated from |
| michael@0 | 91 | * each other. Also, it helps making sure mozbrowser (web views) and their |
| michael@0 | 92 | * parent are isolated from each other. All those entities do not share the |
| michael@0 | 93 | * same data (cookies, IndexedDB, localStorage, etc.) so we shouldn't allow |
| michael@0 | 94 | * violating that principle. |
| michael@0 | 95 | */ |
| michael@0 | 96 | static bool |
| michael@0 | 97 | AppAttributesEqual(nsIPrincipal* aFirst, |
| michael@0 | 98 | nsIPrincipal* aSecond); |
| michael@0 | 99 | |
| michael@0 | 100 | void DeactivateDomainPolicy(); |
| michael@0 | 101 | |
| michael@0 | 102 | private: |
| michael@0 | 103 | |
| michael@0 | 104 | // GetScriptSecurityManager is the only call that can make one |
| michael@0 | 105 | nsScriptSecurityManager(); |
| michael@0 | 106 | virtual ~nsScriptSecurityManager(); |
| michael@0 | 107 | |
| michael@0 | 108 | bool SubjectIsPrivileged(); |
| michael@0 | 109 | |
| michael@0 | 110 | // Decides, based on CSP, whether or not eval() and stuff can be executed. |
| michael@0 | 111 | static bool |
| michael@0 | 112 | ContentSecurityPolicyPermitsJSAction(JSContext *cx); |
| michael@0 | 113 | |
| michael@0 | 114 | static bool |
| michael@0 | 115 | JSPrincipalsSubsume(JSPrincipals *first, JSPrincipals *second); |
| michael@0 | 116 | |
| michael@0 | 117 | // Returns null if a principal cannot be found; generally callers |
| michael@0 | 118 | // should error out at that point. |
| michael@0 | 119 | static nsIPrincipal* doGetObjectPrincipal(JSObject* obj); |
| michael@0 | 120 | |
| michael@0 | 121 | // Returns null if a principal cannot be found. Note that rv can be NS_OK |
| michael@0 | 122 | // when this happens -- this means that there was no JS running. |
| michael@0 | 123 | nsIPrincipal* |
| michael@0 | 124 | doGetSubjectPrincipal(nsresult* rv); |
| michael@0 | 125 | |
| michael@0 | 126 | nsresult |
| michael@0 | 127 | GetCodebasePrincipalInternal(nsIURI* aURI, uint32_t aAppId, |
| michael@0 | 128 | bool aInMozBrowser, |
| michael@0 | 129 | nsIPrincipal** result); |
| michael@0 | 130 | |
| michael@0 | 131 | nsresult |
| michael@0 | 132 | CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId, bool aInMozBrowser, |
| michael@0 | 133 | nsIPrincipal** result); |
| michael@0 | 134 | |
| michael@0 | 135 | // Returns null if a principal cannot be found. Note that rv can be NS_OK |
| michael@0 | 136 | // when this happens -- this means that there was no script for the |
| michael@0 | 137 | // context. Callers MUST pass in a non-null rv here. |
| michael@0 | 138 | nsIPrincipal* |
| michael@0 | 139 | GetSubjectPrincipal(JSContext* cx, nsresult* rv); |
| michael@0 | 140 | |
| michael@0 | 141 | nsresult |
| michael@0 | 142 | Init(); |
| michael@0 | 143 | |
| michael@0 | 144 | nsresult |
| michael@0 | 145 | InitPrefs(); |
| michael@0 | 146 | |
| michael@0 | 147 | inline void |
| michael@0 | 148 | ScriptSecurityPrefChanged(); |
| michael@0 | 149 | |
| michael@0 | 150 | inline void |
| michael@0 | 151 | AddSitesToFileURIWhitelist(const nsCString& aSiteList); |
| michael@0 | 152 | |
| michael@0 | 153 | nsCOMPtr<nsIPrincipal> mSystemPrincipal; |
| michael@0 | 154 | bool mPrefInitialized; |
| michael@0 | 155 | bool mIsJavaScriptEnabled; |
| michael@0 | 156 | nsTArray<nsCOMPtr<nsIURI>> mFileURIWhitelist; |
| michael@0 | 157 | |
| michael@0 | 158 | // This machinery controls new-style domain policies. The old-style |
| michael@0 | 159 | // policy machinery will be removed soon. |
| michael@0 | 160 | nsCOMPtr<nsIDomainPolicy> mDomainPolicy; |
| michael@0 | 161 | |
| michael@0 | 162 | static bool sStrictFileOriginPolicy; |
| michael@0 | 163 | |
| michael@0 | 164 | static nsIIOService *sIOService; |
| michael@0 | 165 | static nsIStringBundle *sStrBundle; |
| michael@0 | 166 | static JSRuntime *sRuntime; |
| michael@0 | 167 | }; |
| michael@0 | 168 | |
| michael@0 | 169 | #define NS_SECURITYNAMESET_CID \ |
| michael@0 | 170 | { 0x7c02eadc, 0x76, 0x4d03, \ |
| michael@0 | 171 | { 0x99, 0x8d, 0x80, 0xd7, 0x79, 0xc4, 0x85, 0x89 } } |
| michael@0 | 172 | #define NS_SECURITYNAMESET_CONTRACTID "@mozilla.org/security/script/nameset;1" |
| michael@0 | 173 | |
| michael@0 | 174 | class nsSecurityNameSet : public nsIScriptExternalNameSet |
| michael@0 | 175 | { |
| michael@0 | 176 | public: |
| michael@0 | 177 | nsSecurityNameSet(); |
| michael@0 | 178 | virtual ~nsSecurityNameSet(); |
| michael@0 | 179 | |
| michael@0 | 180 | NS_DECL_ISUPPORTS |
| michael@0 | 181 | |
| michael@0 | 182 | NS_IMETHOD InitializeNameSet(nsIScriptContext* aScriptContext); |
| michael@0 | 183 | }; |
| michael@0 | 184 | |
| michael@0 | 185 | namespace mozilla { |
| michael@0 | 186 | |
| michael@0 | 187 | void |
| michael@0 | 188 | GetJarPrefix(uint32_t aAppid, |
| michael@0 | 189 | bool aInMozBrowser, |
| michael@0 | 190 | nsACString& aJarPrefix); |
| michael@0 | 191 | |
| michael@0 | 192 | } // namespace mozilla |
| michael@0 | 193 | |
| michael@0 | 194 | #endif // nsScriptSecurityManager_h__ |
