michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ];
michael@0: 
michael@0: const Ci = Components.interfaces;
michael@0: const Cu = Components.utils;
michael@0: const Cc = Components.classes;
michael@0: 
michael@0: Cu.import("resource://gre/modules/Services.jsm");
michael@0: Cu.import("resource://gre/modules/XPCOMUtils.jsm");
michael@0: 
michael@0: XPCOMUtils.defineLazyModuleGetter(this, "devtools",
michael@0:                                   "resource://gre/modules/devtools/Loader.jsm");
michael@0: 
michael@0: Object.defineProperty(this, "WebConsoleUtils", {
michael@0:   get: function() {
michael@0:     return devtools.require("devtools/toolkit/webconsole/utils").Utils;
michael@0:   },
michael@0:   configurable: true,
michael@0:   enumerable: true
michael@0: });
michael@0: 
michael@0: const STRINGS_URI = "chrome://global/locale/security/security.properties";
michael@0: let l10n = new WebConsoleUtils.l10n(STRINGS_URI);
michael@0: 
michael@0: this.InsecurePasswordUtils = {
michael@0: 
michael@0:   _sendWebConsoleMessage : function (messageTag, domDoc) {
michael@0:     /*
michael@0:      * All web console messages are warnings for now so I decided to set the
michael@0:      * flag here and save a bit of the flag creation in the callers.
michael@0:      * It's easy to expose this later if needed
michael@0:      */
michael@0: 
michael@0:     let  windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView);
michael@0:     let category = "Insecure Password Field";
michael@0:     let flag = Ci.nsIScriptError.warningFlag;
michael@0:     let message = l10n.getStr(messageTag);
michael@0:     let consoleMsg = Cc["@mozilla.org/scripterror;1"]
michael@0:       .createInstance(Ci.nsIScriptError);
michael@0: 
michael@0:     consoleMsg.initWithWindowID(
michael@0:       message, "", 0, 0, 0, flag, category, windowId);
michael@0: 
michael@0:     Services.console.logMessage(consoleMsg);
michael@0:   },
michael@0: 
michael@0:   /*
michael@0:    * Checks whether the passed uri is secure
michael@0:    * Check Protocol Flags to determine if scheme is secure:
michael@0:    * URI_DOES_NOT_RETURN_DATA - e.g.
michael@0:    *   "mailto"
michael@0:    * URI_IS_LOCAL_RESOURCE - e.g.
michael@0:    *   "data",
michael@0:    *   "resource",
michael@0:    *   "moz-icon"
michael@0:    * URI_INHERITS_SECURITY_CONTEXT - e.g.
michael@0:    *   "javascript"
michael@0:    * URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
michael@0:    *   "https",
michael@0:    *   "moz-safe-about"
michael@0:    *
michael@0:    *   The use of this logic comes directly from nsMixedContentBlocker.cpp
michael@0:    *   At the time it was decided to include these protocols since a secure
michael@0:    *   uri for mixed content blocker means that the resource can't be
michael@0:    *   easily tampered with because 1) it is sent over an encrypted channel or
michael@0:    *   2) it is a local resource that never hits the network
michael@0:    *   or 3) it is a request sent without any response that could alter
michael@0:    *   the behavior of the page. It was decided to include the same logic
michael@0:    *   here both to be consistent with MCB and to make sure we cover all
michael@0:    *   "safe" protocols. Eventually, the code here and the code in MCB
michael@0:    *   will be moved to a common location that will be referenced from
michael@0:    *   both places. Look at
michael@0:    *   https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info.
michael@0:    */
michael@0:   _checkIfURIisSecure : function(uri) {
michael@0:     let isSafe = false;
michael@0:     let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
michael@0:     let ph = Ci.nsIProtocolHandler;
michael@0: 
michael@0:     if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) ||
michael@0:         netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) ||
michael@0:         netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) ||
michael@0:         netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) {
michael@0: 
michael@0:       isSafe = true;
michael@0:     }
michael@0: 
michael@0:     return isSafe;
michael@0:   },
michael@0: 
michael@0:   /*
michael@0:    * Checks whether the passed nested document is insecure
michael@0:    * or is inside an insecure parent document.
michael@0:    *
michael@0:    * We check the chain of frame ancestors all the way until the top document
michael@0:    * because MITM attackers could replace https:// iframes if they are nested inside
michael@0:    * http:// documents with their own content, thus creating a security risk
michael@0:    * and potentially stealing user data. Under such scenario, a user might not
michael@0:    * get a Mixed Content Blocker message, if the main document is served over HTTP
michael@0:    * and framing an HTTPS page as it would under the reverse scenario (http
michael@0:    * inside https).
michael@0:    */
michael@0:   _checkForInsecureNestedDocuments : function(domDoc) {
michael@0:     let uri = domDoc.documentURIObject;
michael@0:     if (domDoc.defaultView == domDoc.defaultView.parent) {
michael@0:       // We are at the top, nothing to check here
michael@0:       return false;
michael@0:     }
michael@0:     if (!this._checkIfURIisSecure(uri)) {
michael@0:       // We are insecure
michael@0:       return true;
michael@0:     }
michael@0:     // I am secure, but check my parent
michael@0:     return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document);
michael@0:   },
michael@0: 
michael@0: 
michael@0:   /*
michael@0:    * Checks if there are insecure password fields present on the form's document
michael@0:    * i.e. passwords inside forms with http action, inside iframes with http src,
michael@0:    * or on insecure web pages. If insecure password fields are present,
michael@0:    * a log message is sent to the web console to warn developers.
michael@0:    */
michael@0:   checkForInsecurePasswords : function (aForm) {
michael@0:     var domDoc = aForm.ownerDocument;
michael@0:     let pageURI = domDoc.defaultView.top.document.documentURIObject;
michael@0:     let isSafePage = this._checkIfURIisSecure(pageURI);
michael@0: 
michael@0:     if (!isSafePage) {
michael@0:       this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc);
michael@0:     }
michael@0: 
michael@0:     // Check if we are on an iframe with insecure src, or inside another
michael@0:     // insecure iframe or document.
michael@0:     if (this._checkForInsecureNestedDocuments(domDoc)) {
michael@0:       this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc);
michael@0:     }
michael@0: 
michael@0:     if (aForm.action.match(/^http:\/\//)) {
michael@0:       this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc);
michael@0:     }
michael@0:   },
michael@0: };