The Tor Browser: comparison toolkit/components/passwordmgr/InsecurePasswordUtils.jsm

--1:000000000000
+:6af70bfc971a
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];
+const Ci = Components.interfaces;
+const Cu = Components.utils;
+const Cc = Components.classes;
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+XPCOMUtils.defineLazyModuleGetter(this, "devtools",
+"resource://gre/modules/devtools/Loader.jsm");
+Object.defineProperty(this, "WebConsoleUtils", {
+get: function() {
+return devtools.require("devtools/toolkit/webconsole/utils").Utils;
+},
+configurable: true,
+enumerable: true
+});
+const STRINGS_URI = "chrome://global/locale/security/security.properties";
+let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
+this.InsecurePasswordUtils = {
+_sendWebConsoleMessage : function (messageTag, domDoc) {
+/*
+* All web console messages are warnings for now so I decided to set the
+* flag here and save a bit of the flag creation in the callers.
+* It's easy to expose this later if needed
+*/
+let  windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
+let category = "Insecure Password Field";
+let flag = Ci.nsIScriptError.warningFlag;
+let message = l10n.getStr(messageTag);
+let consoleMsg = Cc["@mozilla.org/scripterror;1"]
+.createInstance(Ci.nsIScriptError);
+consoleMsg.initWithWindowID(
+message, "", 0, 0, 0, flag, category, windowId);
+Services.console.logMessage(consoleMsg);
+},
+/*
+* Checks whether the passed uri is secure
+* Check Protocol Flags to determine if scheme is secure:
+* URI_DOES_NOT_RETURN_DATA - e.g.
+*   "mailto"
+* URI_IS_LOCAL_RESOURCE - e.g.
+*   "data",
+*   "resource",
+*   "moz-icon"
+* URI_INHERITS_SECURITY_CONTEXT - e.g.
+*   "javascript"
+* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
+*   "https",
+*   "moz-safe-about"
+*
+*   The use of this logic comes directly from nsMixedContentBlocker.cpp
+*   At the time it was decided to include these protocols since a secure
+*   uri for mixed content blocker means that the resource can't be
+*   easily tampered with because 1) it is sent over an encrypted channel or
+*   2) it is a local resource that never hits the network
+*   or 3) it is a request sent without any response that could alter
+*   the behavior of the page. It was decided to include the same logic
+*   here both to be consistent with MCB and to make sure we cover all
+*   "safe" protocols. Eventually, the code here and the code in MCB
+*   will be moved to a common location that will be referenced from
+*   both places. Look at
+*   https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
+*/
+_checkIfURIisSecure : function(uri) {
+let isSafe = false;
+let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
+let ph = Ci.nsIProtocolHandler;
+if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) ||
+netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) ||
+netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) ||
+netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) {
+isSafe = true;
+}
+return isSafe;
+},
+/*
+* Checks whether the passed nested document is insecure
+* or is inside an insecure parent document.
+*
+* We check the chain of frame ancestors all the way until the top document
+* because MITM attackers could replace https:// iframes if they are nested inside
+* http:// documents with their own content, thus creating a security risk
+* and potentially stealing user data. Under such scenario, a user might not
+* get a Mixed Content Blocker message, if the main document is served over HTTP
+* and framing an HTTPS page as it would under the reverse scenario (http
+* inside https).
+*/
+_checkForInsecureNestedDocuments : function(domDoc) {
+let uri = domDoc.documentURIObject;
+if (domDoc.defaultView == domDoc.defaultView.parent) {
+// We are at the top, nothing to check here
+return false;
+}
+if (!this._checkIfURIisSecure(uri)) {
+// We are insecure
+return true;
+}
+// I am secure, but check my parent
+return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document);
+},
+/*
+* Checks if there are insecure password fields present on the form's document
+* i.e. passwords inside forms with http action, inside iframes with http src,
+* or on insecure web pages. If insecure password fields are present,
+* a log message is sent to the web console to warn developers.
+*/
+checkForInsecurePasswords : function (aForm) {
+var domDoc = aForm.ownerDocument;
+let pageURI = domDoc.defaultView.top.document.documentURIObject;
+let isSafePage = this._checkIfURIisSecure(pageURI);
+if (!isSafePage) {
+this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
+}
+// Check if we are on an iframe with insecure src, or inside another
+// insecure iframe or document.
+if (this._checkForInsecureNestedDocuments(domDoc)) {
+this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
+}
+if (aForm.action.match(/^http:\/\//)) {
+this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
+}
+},
+};

The Tor Browser / file comparison

comparison: toolkit/components/passwordmgr/InsecurePasswordUtils.jsm

toolkit/components/passwordmgr/InsecurePasswordUtils.jsm