michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: #include "ThirdPartyUtil.h"
michael@0: #include "mozilla/Preferences.h"
michael@0: #include "nsNetUtil.h"
michael@0: #include "nsIServiceManager.h"
michael@0: #include "nsIHttpChannelInternal.h"
michael@0: #include "nsIDOMWindow.h"
michael@0: #include "nsICookiePermission.h"
michael@0: #include "nsIDOMDocument.h"
michael@0: #include "nsIDocument.h"
michael@0: #include "nsILoadContext.h"
michael@0: #include "nsIPrincipal.h"
michael@0: #include "nsIScriptObjectPrincipal.h"
michael@0: #include "nsThreadUtils.h"
michael@0: #include "nsPrintfCString.h"
michael@0: #include "nsIConsoleService.h"
michael@0: #include "nsContentUtils.h"
michael@0: 
michael@0: NS_IMPL_ISUPPORTS(ThirdPartyUtil, mozIThirdPartyUtil)
michael@0: 
michael@0: nsresult
michael@0: ThirdPartyUtil::Init()
michael@0: {
michael@0:   NS_ENSURE_TRUE(NS_IsMainThread(), NS_ERROR_NOT_AVAILABLE);
michael@0: 
michael@0:   nsresult rv;
michael@0:   mTLDService = do_GetService(NS_EFFECTIVETLDSERVICE_CONTRACTID, &rv);
michael@0:   mCookiePermissions = do_GetService(NS_COOKIEPERMISSION_CONTRACTID);
michael@0:   return rv;
michael@0: }
michael@0: 
michael@0: // Determine if aFirstDomain is a different base domain to aSecondURI; or, if
michael@0: // the concept of base domain does not apply, determine if the two hosts are not
michael@0: // string-identical.
michael@0: nsresult
michael@0: ThirdPartyUtil::IsThirdPartyInternal(const nsCString& aFirstDomain,
michael@0:                                      nsIURI* aSecondURI,
michael@0:                                      bool* aResult)
michael@0: {
michael@0:   NS_ASSERTION(aSecondURI, "null URI!");
michael@0: 
michael@0:   // Get the base domain for aSecondURI.
michael@0:   nsCString secondDomain;
michael@0:   nsresult rv = GetBaseDomain(aSecondURI, secondDomain);
michael@0:   if (NS_FAILED(rv))
michael@0:     return rv;
michael@0: 
michael@0:   // Check strict equality.
michael@0:   *aResult = aFirstDomain != secondDomain;
michael@0:   return NS_OK;
michael@0: }
michael@0: 
michael@0: // Return true if aURI's scheme is white listed, in which case
michael@0: // getFirstPartyURI() will not require that the firstPartyURI contains a host.
michael@0: bool ThirdPartyUtil::SchemeIsWhiteListed(nsIURI *aURI)
michael@0: {
michael@0:   if (!aURI)
michael@0:     return false;
michael@0: 
michael@0:   nsAutoCString scheme;
michael@0:   nsresult rv = aURI->GetScheme(scheme);
michael@0:   NS_ENSURE_SUCCESS(rv, false);
michael@0: 
michael@0:   return (scheme.Equals("about") || scheme.Equals("moz-safe-about")
michael@0:           || scheme.Equals("chrome"));
michael@0: }
michael@0: 
michael@0: // Get the URI associated with a window.
michael@0: already_AddRefed<nsIURI>
michael@0: ThirdPartyUtil::GetURIFromWindow(nsIDOMWindow* aWin)
michael@0: {
michael@0:   nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = do_QueryInterface(aWin);
michael@0:   NS_ENSURE_TRUE(scriptObjPrin, nullptr);
michael@0: 
michael@0:   nsIPrincipal* prin = scriptObjPrin->GetPrincipal();
michael@0:   NS_ENSURE_TRUE(prin, nullptr);
michael@0: 
michael@0:   nsCOMPtr<nsIURI> result;
michael@0:   prin->GetURI(getter_AddRefs(result));
michael@0:   return result.forget();
michael@0: }
michael@0: 
michael@0: 
michael@0: nsresult
michael@0: ThirdPartyUtil::GetOriginatingURI(nsIChannel *aChannel, nsIURI **aURI)
michael@0: {
michael@0:   /* to find the originating URI, we use the loadgroup of the channel to obtain
michael@0:    * the window owning the load, and from there, we find the top same-type
michael@0:    * window and its URI. there are several possible cases:
michael@0:    *
michael@0:    * 1) no channel.
michael@0:    *
michael@0:    * 2) a channel with the "force allow third party cookies" option set.
michael@0:    *    since we may not have a window, we return the channel URI in this case.
michael@0:    *
michael@0:    * 3) a channel, but no window. this can occur when the consumer kicking
michael@0:    *    off the load doesn't provide one to the channel, and should be limited
michael@0:    *    to loads of certain types of resources.
michael@0:    *
michael@0:    * 4) a window equal to the top window of same type, with the channel its
michael@0:    *    document channel. this covers the case of a freshly kicked-off load
michael@0:    *    (e.g. the user typing something in the location bar, or clicking on a
michael@0:    *    bookmark), where the window's URI hasn't yet been set, and will be
michael@0:    *    bogus. we return the channel URI in this case.
michael@0:    *
michael@0:    * 5) Anything else. this covers most cases for an ordinary page load from
michael@0:    *    the location bar, and will catch nested frames within a page, image
michael@0:    *    loads, etc. we return the URI of the root window's document's principal
michael@0:    *    in this case.
michael@0:    */
michael@0: 
michael@0:   *aURI = nullptr;
michael@0: 
michael@0:   // case 1)
michael@0:   if (!aChannel)
michael@0:     return NS_ERROR_NULL_POINTER;
michael@0: 
michael@0:   // case 2)
michael@0:   nsCOMPtr<nsIHttpChannelInternal> httpChannelInternal = do_QueryInterface(aChannel);
michael@0:   if (httpChannelInternal)
michael@0:   {
michael@0:     bool doForce = false;
michael@0:     if (NS_SUCCEEDED(httpChannelInternal->GetForceAllowThirdPartyCookie(&doForce)) && doForce)
michael@0:     {
michael@0:       // return the channel's URI (we may not have a window)
michael@0:       aChannel->GetURI(aURI);
michael@0:       if (!*aURI)
michael@0:         return NS_ERROR_NULL_POINTER;
michael@0: 
michael@0:       return NS_OK;
michael@0:     }
michael@0: 
michael@0:     // TODO: Why don't we just use this here:
michael@0:     // httpChannelInternal->GetDocumentURI(aURI);
michael@0:   }
michael@0: 
michael@0:   // find the associated window and its top window
michael@0:   nsCOMPtr<nsILoadContext> ctx;
michael@0:   NS_QueryNotificationCallbacks(aChannel, ctx);
michael@0:   nsCOMPtr<nsIDOMWindow> topWin, ourWin;
michael@0:   if (ctx) {
michael@0:     ctx->GetTopWindow(getter_AddRefs(topWin));
michael@0:     ctx->GetAssociatedWindow(getter_AddRefs(ourWin));
michael@0:   }
michael@0: 
michael@0:   // case 3)
michael@0:   if (!topWin)
michael@0:     return NS_ERROR_INVALID_ARG;
michael@0: 
michael@0:   // case 4)
michael@0:   if (ourWin == topWin) {
michael@0:     // Check whether this is the document channel for this window (representing
michael@0:     // a load of a new page).  This is a bit of a nasty hack, but we will
michael@0:     // hopefully flag these channels better later.
michael@0:     nsLoadFlags flags;
michael@0:     aChannel->GetLoadFlags(&flags);
michael@0: 
michael@0:     if (flags & nsIChannel::LOAD_DOCUMENT_URI) {
michael@0:       // get the channel URI - the window's will be bogus
michael@0:       aChannel->GetURI(aURI);
michael@0:       if (!*aURI)
michael@0:         return NS_ERROR_NULL_POINTER;
michael@0: 
michael@0:       return NS_OK;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // case 5) - get the originating URI from the top window's principal
michael@0:   nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = do_QueryInterface(topWin);
michael@0:   NS_ENSURE_TRUE(scriptObjPrin, NS_ERROR_UNEXPECTED);
michael@0: 
michael@0:   nsIPrincipal* prin = scriptObjPrin->GetPrincipal();
michael@0:   NS_ENSURE_TRUE(prin, NS_ERROR_UNEXPECTED);
michael@0: 
michael@0:   prin->GetURI(aURI);
michael@0: 
michael@0:   if (!*aURI)
michael@0:     return NS_ERROR_NULL_POINTER;
michael@0: 
michael@0:   // all done!
michael@0:   return NS_OK;
michael@0: }
michael@0: 
michael@0: 
michael@0: // Determine if aFirstURI is third party with respect to aSecondURI. See docs
michael@0: // for mozIThirdPartyUtil.
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::IsThirdPartyURI(nsIURI* aFirstURI,
michael@0:                                 nsIURI* aSecondURI,
michael@0:                                 bool* aResult)
michael@0: {
michael@0:   NS_ENSURE_ARG(aFirstURI);
michael@0:   NS_ENSURE_ARG(aSecondURI);
michael@0:   NS_ASSERTION(aResult, "null outparam pointer");
michael@0: 
michael@0:   nsCString firstHost;
michael@0:   nsresult rv = GetBaseDomain(aFirstURI, firstHost);
michael@0:   if (NS_FAILED(rv))
michael@0:     return rv;
michael@0: 
michael@0:   return IsThirdPartyInternal(firstHost, aSecondURI, aResult);
michael@0: }
michael@0: 
michael@0: // Determine if any URI of the window hierarchy of aWindow is foreign with
michael@0: // respect to aSecondURI. See docs for mozIThirdPartyUtil.
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::IsThirdPartyWindow(nsIDOMWindow* aWindow,
michael@0:                                    nsIURI* aURI,
michael@0:                                    bool* aResult)
michael@0: {
michael@0:   NS_ENSURE_ARG(aWindow);
michael@0:   NS_ASSERTION(aResult, "null outparam pointer");
michael@0: 
michael@0:   bool result;
michael@0: 
michael@0:   // Get the URI of the window, and its base domain.
michael@0:   nsCOMPtr<nsIURI> currentURI = GetURIFromWindow(aWindow);
michael@0:   NS_ENSURE_TRUE(currentURI, NS_ERROR_INVALID_ARG);
michael@0: 
michael@0:   nsCString bottomDomain;
michael@0:   nsresult rv = GetBaseDomain(currentURI, bottomDomain);
michael@0:   if (NS_FAILED(rv))
michael@0:     return rv;
michael@0: 
michael@0:   if (aURI) {
michael@0:     // Determine whether aURI is foreign with respect to currentURI.
michael@0:     rv = IsThirdPartyInternal(bottomDomain, aURI, &result);
michael@0:     if (NS_FAILED(rv))
michael@0:       return rv;
michael@0: 
michael@0:     if (result) {
michael@0:       *aResult = true;
michael@0:       return NS_OK;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   nsCOMPtr<nsIDOMWindow> current = aWindow, parent;
michael@0:   nsCOMPtr<nsIURI> parentURI;
michael@0:   do {
michael@0:     // We use GetScriptableParent rather than GetParent because we consider
michael@0:     // <iframe mozbrowser/mozapp> to be a top-level frame.
michael@0:     rv = current->GetScriptableParent(getter_AddRefs(parent));
michael@0:     NS_ENSURE_SUCCESS(rv, rv);
michael@0: 
michael@0:     if (SameCOMIdentity(parent, current)) {
michael@0:       // We're at the topmost content window. We already know the answer.
michael@0:       *aResult = false;
michael@0:       return NS_OK;
michael@0:     }
michael@0: 
michael@0:     parentURI = GetURIFromWindow(parent);
michael@0:     NS_ENSURE_TRUE(parentURI, NS_ERROR_INVALID_ARG);
michael@0: 
michael@0:     rv = IsThirdPartyInternal(bottomDomain, parentURI, &result);
michael@0:     if (NS_FAILED(rv))
michael@0:       return rv;
michael@0: 
michael@0:     if (result) {
michael@0:       *aResult = true;
michael@0:       return NS_OK;
michael@0:     }
michael@0: 
michael@0:     current = parent;
michael@0:     currentURI = parentURI;
michael@0:   } while (1);
michael@0: 
michael@0:   NS_NOTREACHED("should've returned");
michael@0:   return NS_ERROR_UNEXPECTED;
michael@0: }
michael@0: 
michael@0: // Determine if the URI associated with aChannel or any URI of the window
michael@0: // hierarchy associated with the channel is foreign with respect to aSecondURI.
michael@0: // See docs for mozIThirdPartyUtil.
michael@0: NS_IMETHODIMP 
michael@0: ThirdPartyUtil::IsThirdPartyChannel(nsIChannel* aChannel,
michael@0:                                     nsIURI* aURI,
michael@0:                                     bool* aResult)
michael@0: {
michael@0:   NS_ENSURE_ARG(aChannel);
michael@0:   NS_ASSERTION(aResult, "null outparam pointer");
michael@0: 
michael@0:   nsresult rv;
michael@0:   bool doForce = false;
michael@0:   nsCOMPtr<nsIHttpChannelInternal> httpChannelInternal =
michael@0:     do_QueryInterface(aChannel);
michael@0:   if (httpChannelInternal) {
michael@0:     rv = httpChannelInternal->GetForceAllowThirdPartyCookie(&doForce);
michael@0:     NS_ENSURE_SUCCESS(rv, rv);
michael@0: 
michael@0:     // If aURI was not supplied, and we're forcing, then we're by definition
michael@0:     // not foreign. If aURI was supplied, we still want to check whether it's
michael@0:     // foreign with respect to the channel URI. (The forcing only applies to
michael@0:     // whatever window hierarchy exists above the channel.)
michael@0:     if (doForce && !aURI) {
michael@0:       *aResult = false;
michael@0:       return NS_OK;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // Obtain the URI from the channel, and its base domain.
michael@0:   nsCOMPtr<nsIURI> channelURI;
michael@0:   aChannel->GetURI(getter_AddRefs(channelURI));
michael@0:   NS_ENSURE_TRUE(channelURI, NS_ERROR_INVALID_ARG);
michael@0: 
michael@0:   nsCString channelDomain;
michael@0:   rv = GetBaseDomain(channelURI, channelDomain);
michael@0:   if (NS_FAILED(rv))
michael@0:     return rv;
michael@0: 
michael@0:   if (aURI) {
michael@0:     // Determine whether aURI is foreign with respect to channelURI.
michael@0:     bool result;
michael@0:     rv = IsThirdPartyInternal(channelDomain, aURI, &result);
michael@0:     if (NS_FAILED(rv))
michael@0:      return rv;
michael@0: 
michael@0:     // If it's foreign, or we're forcing, we're done.
michael@0:     if (result || doForce) {
michael@0:       *aResult = result;
michael@0:       return NS_OK;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // Find the associated window and its parent window.
michael@0:   nsCOMPtr<nsILoadContext> ctx;
michael@0:   NS_QueryNotificationCallbacks(aChannel, ctx);
michael@0:   if (!ctx) return NS_ERROR_INVALID_ARG;
michael@0: 
michael@0:   // If there is no window, the consumer kicking off the load didn't provide one
michael@0:   // to the channel. This is limited to loads of certain types of resources. If
michael@0:   // those loads require cookies, the forceAllowThirdPartyCookie property should
michael@0:   // be set on the channel.
michael@0:   nsCOMPtr<nsIDOMWindow> ourWin, parentWin;
michael@0:   ctx->GetAssociatedWindow(getter_AddRefs(ourWin));
michael@0:   if (!ourWin) return NS_ERROR_INVALID_ARG;
michael@0: 
michael@0:   // We use GetScriptableParent rather than GetParent because we consider
michael@0:   // <iframe mozbrowser/mozapp> to be a top-level frame.
michael@0:   ourWin->GetScriptableParent(getter_AddRefs(parentWin));
michael@0:   NS_ENSURE_TRUE(parentWin, NS_ERROR_INVALID_ARG);
michael@0: 
michael@0:   // Check whether this is the document channel for this window (representing a
michael@0:   // load of a new page). In that situation we want to avoid comparing
michael@0:   // channelURI to ourWin, since what's in ourWin right now will be replaced as
michael@0:   // the channel loads.  This covers the case of a freshly kicked-off load
michael@0:   // (e.g. the user typing something in the location bar, or clicking on a
michael@0:   // bookmark), where the window's URI hasn't yet been set, and will be bogus.
michael@0:   // It also covers situations where a subframe is navigated to someting that
michael@0:   // is same-origin with all its ancestors.  This is a bit of a nasty hack, but
michael@0:   // we will hopefully flag these channels better later.
michael@0:   nsLoadFlags flags;
michael@0:   rv = aChannel->GetLoadFlags(&flags);
michael@0:   NS_ENSURE_SUCCESS(rv, rv);
michael@0: 
michael@0:   if (flags & nsIChannel::LOAD_DOCUMENT_URI) {
michael@0:     if (SameCOMIdentity(ourWin, parentWin)) {
michael@0:       // We only need to compare aURI to the channel URI -- the window's will be
michael@0:       // bogus. We already know the answer.
michael@0:       *aResult = false;
michael@0:       return NS_OK;
michael@0:     }
michael@0: 
michael@0:     // Make sure to still compare to ourWin's ancestors
michael@0:     ourWin = parentWin;
michael@0:   }
michael@0: 
michael@0:   // Check the window hierarchy. This covers most cases for an ordinary page
michael@0:   // load from the location bar.
michael@0:   return IsThirdPartyWindow(ourWin, channelURI, aResult);
michael@0: }
michael@0: 
michael@0: // Get the base domain for aHostURI; e.g. for "www.bbc.co.uk", this would be
michael@0: // "bbc.co.uk". Only properly-formed URI's are tolerated, though a trailing
michael@0: // dot may be present. If aHostURI is an IP address, an alias such as
michael@0: // 'localhost', an eTLD such as 'co.uk', or the empty string, aBaseDomain will
michael@0: // be the exact host. The result of this function should only be used in exact
michael@0: // string comparisons, since substring comparisons will not be valid for the
michael@0: // special cases elided above.
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::GetBaseDomain(nsIURI* aHostURI,
michael@0:                               nsACString& aBaseDomain)
michael@0: {
michael@0:   // Get the base domain. this will fail if the host contains a leading dot,
michael@0:   // more than one trailing dot, or is otherwise malformed.
michael@0:   nsresult rv = mTLDService->GetBaseDomain(aHostURI, 0, aBaseDomain);
michael@0:   if (rv == NS_ERROR_HOST_IS_IP_ADDRESS ||
michael@0:       rv == NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS) {
michael@0:     // aHostURI is either an IP address, an alias such as 'localhost', an eTLD
michael@0:     // such as 'co.uk', or the empty string. Uses the normalized host in such
michael@0:     // cases.
michael@0:     rv = aHostURI->GetAsciiHost(aBaseDomain);
michael@0:   }
michael@0:   NS_ENSURE_SUCCESS(rv, rv);
michael@0: 
michael@0:   // aHostURI (and thus aBaseDomain) may be the string '.'. If so, fail.
michael@0:   if (aBaseDomain.Length() == 1 && aBaseDomain.Last() == '.')
michael@0:     return NS_ERROR_INVALID_ARG;
michael@0: 
michael@0:   // Reject any URIs without a host that aren't file:// URIs. This makes it the
michael@0:   // only way we can get a base domain consisting of the empty string, which
michael@0:   // means we can safely perform foreign tests on such URIs where "not foreign"
michael@0:   // means "the involved URIs are all file://".
michael@0:   if (aBaseDomain.IsEmpty()) {
michael@0:     bool isFileURI = false;
michael@0:     aHostURI->SchemeIs("file", &isFileURI);
michael@0:     NS_ENSURE_TRUE(isFileURI, NS_ERROR_INVALID_ARG);
michael@0:   }
michael@0: 
michael@0:   return NS_OK;
michael@0: }
michael@0: 
michael@0: // Returns true if First Party Isolation is currently active for the given nsIChannel.
michael@0: // Depends on Preference setting and possibly the state of Private Browsing mode.
michael@0: bool ThirdPartyUtil::IsFirstPartyIsolationActive(nsIChannel *aChannel, nsIDocument *aDoc)
michael@0: {
michael@0:   int32_t isolationState = mozilla::Preferences::GetInt("privacy.thirdparty.isolate");
michael@0:   if (isolationState == 1) {
michael@0:     if (!aChannel && aDoc) {
michael@0:       // No channel passed directly. Can we get a channel from aDoc?
michael@0:       aChannel = aDoc->GetChannel();
michael@0:     }
michael@0:     return aChannel && NS_UsePrivateBrowsing(aChannel);
michael@0:   } else { // (isolationState == 0) || (isolationState == 2)
michael@0:     return (isolationState == 2);
michael@0:   }
michael@0: }
michael@0: 
michael@0: // Produces a URI that uniquely identifies the first party to which
michael@0: // image cache and dom storage objects should be isolated. If isolation
michael@0: // is deactivated, then aOutput will return null.
michael@0: // Not scriptable due to the use of an nsIDocument parameter.
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::GetFirstPartyIsolationURI(nsIChannel *aChannel, nsIDocument *aDoc, nsIURI **aOutput)
michael@0: {
michael@0:   bool isolationActive = IsFirstPartyIsolationActive(aChannel, aDoc);
michael@0:   if (isolationActive) {
michael@0:     return GetFirstPartyURI(aChannel, aDoc, aOutput);
michael@0:   } else {
michael@0:     // We return a null pointer when isolation is off.
michael@0:     *aOutput = nullptr;
michael@0:     return NS_OK;
michael@0:   }
michael@0: }
michael@0: 
michael@0: // Not scriptable due to the use of an nsIDocument parameter.
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::GetFirstPartyURI(nsIChannel *aChannel,
michael@0:                                  nsIDocument *aDoc,
michael@0:                                  nsIURI **aOutput)
michael@0: {
michael@0:   return GetFirstPartyURIInternal(aChannel, aDoc, true, aOutput);
michael@0: }
michael@0: 
michael@0: nsresult
michael@0: ThirdPartyUtil::GetFirstPartyURIInternal(nsIChannel *aChannel,
michael@0:                                          nsIDocument *aDoc,
michael@0:                                          bool aLogErrors,
michael@0:                                          nsIURI **aOutput)
michael@0: {
michael@0:   nsresult rv = NS_ERROR_NULL_POINTER;
michael@0:   nsCOMPtr<nsIURI> srcURI;
michael@0: 
michael@0:   if (!aOutput)
michael@0:     return rv;
michael@0: 
michael@0:   *aOutput = nullptr;
michael@0: 
michael@0:   if (!aChannel && aDoc) {
michael@0:     aChannel = aDoc->GetChannel();
michael@0:   }
michael@0: 
michael@0:   // If aChannel is specified or available, use the official route
michael@0:   // for sure
michael@0:   if (aChannel) {
michael@0:     rv = GetOriginatingURI(aChannel, aOutput);
michael@0:     aChannel->GetURI(getter_AddRefs(srcURI));
michael@0:     if (NS_SUCCEEDED(rv) && *aOutput) {
michael@0:       // At this point, about: and chrome: URLs have been mapped to file: or
michael@0:       // jar: URLs.  Try to recover the original URL.
michael@0:       nsAutoCString scheme;
michael@0:       nsresult rv2 = (*aOutput)->GetScheme(scheme);
michael@0:       NS_ENSURE_SUCCESS(rv2, rv2);
michael@0:       if (scheme.Equals("file") || scheme.Equals("jar")) {
michael@0:         nsCOMPtr<nsIURI> originalURI;
michael@0:         rv2 = aChannel->GetOriginalURI(getter_AddRefs(originalURI));
michael@0:         if (NS_SUCCEEDED(rv2) && originalURI) {
michael@0:           NS_RELEASE(*aOutput);
michael@0:           NS_ADDREF(*aOutput = originalURI);
michael@0:         }
michael@0:       }
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // If the channel was missing, closed or broken, try the
michael@0:   // window hierarchy directly.
michael@0:   //
michael@0:   // This might fail to work for first-party loads themselves, but
michael@0:   // we don't need this codepath for that case.
michael@0:   if (NS_FAILED(rv) && aDoc) {
michael@0:     nsCOMPtr<nsIDOMWindow> top;
michael@0:     nsCOMPtr<nsIDOMDocument> topDDoc;
michael@0:     nsIURI *docURI = nullptr;
michael@0:     srcURI = aDoc->GetDocumentURI();
michael@0: 
michael@0:     if (aDoc->GetWindow()) {
michael@0:       aDoc->GetWindow()->GetTop(getter_AddRefs(top));
michael@0:       top->GetDocument(getter_AddRefs(topDDoc));
michael@0: 
michael@0:       nsCOMPtr<nsIDocument> topDoc(do_QueryInterface(topDDoc));
michael@0:       docURI = topDoc->GetOriginalURI();
michael@0:       if (docURI) {
michael@0:         // Give us a mutable URI and also addref
michael@0:         rv = NS_EnsureSafeToReturn(docURI, aOutput);
michael@0:       }
michael@0:     } else {
michael@0:       // XXX: Chrome callers (such as NoScript) can end up here
michael@0:       // through getImageData/canvas usage with no document state
michael@0:       // (no Window and a document URI of about:blank). Propogate
michael@0:       // rv fail (by doing nothing), and hope caller recovers.
michael@0:     }
michael@0: 
michael@0:     if (*aOutput)
michael@0:       rv = NS_OK;
michael@0:   }
michael@0: 
michael@0:   if (*aOutput && !SchemeIsWhiteListed(*aOutput)) {
michael@0:     // If URI scheme is not whitelisted and the URI lacks a hostname, force a
michael@0:     // failure.
michael@0:     nsAutoCString host;
michael@0:     rv = (*aOutput)->GetHost(host);
michael@0:     if (NS_SUCCEEDED(rv) && (host.Length() == 0)) {
michael@0:       rv = NS_ERROR_FAILURE;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // Log failure to error console.
michael@0:   if (aLogErrors && NS_FAILED(rv)) {
michael@0:     nsCOMPtr<nsIConsoleService> console
michael@0:                               (do_GetService(NS_CONSOLESERVICE_CONTRACTID));
michael@0:     if (console) {
michael@0:       nsCString spec;
michael@0:       nsCString srcSpec("unknown");
michael@0: 
michael@0:       if (srcURI)
michael@0:         srcURI->GetSpec(srcSpec);
michael@0: 
michael@0:       if (*aOutput)
michael@0:         (*aOutput)->GetSpec(spec);
michael@0:       if (spec.Length() > 0) {
michael@0:         nsPrintfCString msg("getFirstPartyURI failed for %s: no host in first party URI %s",
michael@0:                             srcSpec.get(), spec.get()); // TODO: L10N
michael@0:         console->LogStringMessage(NS_ConvertUTF8toUTF16(msg).get());
michael@0:       } else {
michael@0:         nsPrintfCString msg("getFirstPartyURI failed for %s: 0x%x", srcSpec.get(), rv);
michael@0:         console->LogStringMessage(NS_ConvertUTF8toUTF16(msg).get());
michael@0:       }
michael@0:     }
michael@0: 
michael@0:     if (*aOutput) {
michael@0:       // discard return object.
michael@0:       (*aOutput)->Release();
michael@0:       *aOutput = nullptr;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // TODO: We could provide a route through the loadgroup + notification
michael@0:   // callbacks too, but either channel or document was always available
michael@0:   // in the cases where this function was originally needed (the image cache).
michael@0:   // The notification callbacks also appear to suffers from the same limitation
michael@0:   // as the document path. See nsICookiePermissions.GetOriginatingURI() for
michael@0:   // details.
michael@0: 
michael@0:   return rv;
michael@0: }
michael@0: 
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::GetFirstPartyURIFromChannel(nsIChannel *aChannel,
michael@0:                                             bool aLogErrors,
michael@0:                                             nsIURI **aOutput)
michael@0: {
michael@0:   return GetFirstPartyURIInternal(aChannel, nullptr, aLogErrors, aOutput);
michael@0: }
michael@0: 
michael@0: NS_IMETHODIMP
michael@0: ThirdPartyUtil::GetFirstPartyHostForIsolation(nsIURI *aFirstPartyURI,
michael@0:                                               nsACString& aHost)
michael@0: {
michael@0:   if (!aFirstPartyURI)
michael@0:     return NS_ERROR_INVALID_ARG;
michael@0: 
michael@0:   if (!SchemeIsWhiteListed(aFirstPartyURI)) {
michael@0:     nsresult rv = aFirstPartyURI->GetHost(aHost);
michael@0:     return (aHost.Length() > 0) ? NS_OK : rv;
michael@0:   }
michael@0: 
michael@0:   // This URI lacks a host, so construct and return a pseudo-host.
michael@0:   aHost = "--NoFirstPartyHost-";
michael@0: 
michael@0:   // Append the scheme.  To ensure that the pseudo-hosts are consistent
michael@0:   // when the hacky "moz-safe-about" scheme is used, map it back to "about".
michael@0:   nsAutoCString scheme;
michael@0:   nsresult rv = aFirstPartyURI->GetScheme(scheme);
michael@0:   NS_ENSURE_SUCCESS(rv, rv);
michael@0:   if (scheme.Equals("moz-safe-about"))
michael@0:     aHost.Append("about");
michael@0:   else
michael@0:     aHost.Append(scheme);
michael@0: 
michael@0:   // Append the URL's file name (e.g., -browser.xul) or its path (e.g.,
michael@0:   // -home for about:home)
michael@0:   nsAutoCString s;
michael@0:   nsCOMPtr<nsIURL> url = do_QueryInterface(aFirstPartyURI);
michael@0:   if (url)
michael@0:     url->GetFileName(s);
michael@0:   else
michael@0:     aFirstPartyURI->GetPath(s);
michael@0: 
michael@0:   if (s.Length() > 0) {
michael@0:     aHost.Append("-");
michael@0:     aHost.Append(s);
michael@0:   }
michael@0: 
michael@0:   aHost.Append("--");
michael@0:   return NS_OK;
michael@0: }