diff -r 000000000000 -r 6474c204b198 toolkit/components/passwordmgr/InsecurePasswordUtils.jsm --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,146 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +this.EXPORTED_SYMBOLS = [ "InsecurePasswordUtils" ]; + +const Ci = Components.interfaces; +const Cu = Components.utils; +const Cc = Components.classes; + +Cu.import("resource://gre/modules/Services.jsm"); +Cu.import("resource://gre/modules/XPCOMUtils.jsm"); + +XPCOMUtils.defineLazyModuleGetter(this, "devtools", + "resource://gre/modules/devtools/Loader.jsm"); + +Object.defineProperty(this, "WebConsoleUtils", { + get: function() { + return devtools.require("devtools/toolkit/webconsole/utils").Utils; + }, + configurable: true, + enumerable: true +}); + +const STRINGS_URI = "chrome://global/locale/security/security.properties"; +let l10n = new WebConsoleUtils.l10n(STRINGS_URI); + +this.InsecurePasswordUtils = { + + _sendWebConsoleMessage : function (messageTag, domDoc) { + /* + * All web console messages are warnings for now so I decided to set the + * flag here and save a bit of the flag creation in the callers. + * It's easy to expose this later if needed + */ + + let windowId = WebConsoleUtils.getInnerWindowId(domDoc.defaultView); + let category = "Insecure Password Field"; + let flag = Ci.nsIScriptError.warningFlag; + let message = l10n.getStr(messageTag); + let consoleMsg = Cc["@mozilla.org/scripterror;1"] + .createInstance(Ci.nsIScriptError); + + consoleMsg.initWithWindowID( + message, "", 0, 0, 0, flag, category, windowId); + + Services.console.logMessage(consoleMsg); + }, + + /* + * Checks whether the passed uri is secure + * Check Protocol Flags to determine if scheme is secure: + * URI_DOES_NOT_RETURN_DATA - e.g. + * "mailto" + * URI_IS_LOCAL_RESOURCE - e.g. + * "data", + * "resource", + * "moz-icon" + * URI_INHERITS_SECURITY_CONTEXT - e.g. + * "javascript" + * URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g. + * "https", + * "moz-safe-about" + * + * The use of this logic comes directly from nsMixedContentBlocker.cpp + * At the time it was decided to include these protocols since a secure + * uri for mixed content blocker means that the resource can't be + * easily tampered with because 1) it is sent over an encrypted channel or + * 2) it is a local resource that never hits the network + * or 3) it is a request sent without any response that could alter + * the behavior of the page. It was decided to include the same logic + * here both to be consistent with MCB and to make sure we cover all + * "safe" protocols. Eventually, the code here and the code in MCB + * will be moved to a common location that will be referenced from + * both places. Look at + * https://bugzilla.mozilla.org/show_bug.cgi?id=899099 for more info. + */ + _checkIfURIisSecure : function(uri) { + let isSafe = false; + let netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil); + let ph = Ci.nsIProtocolHandler; + + if (netutil.URIChainHasFlags(uri, ph.URI_IS_LOCAL_RESOURCE) || + netutil.URIChainHasFlags(uri, ph.URI_DOES_NOT_RETURN_DATA) || + netutil.URIChainHasFlags(uri, ph.URI_INHERITS_SECURITY_CONTEXT) || + netutil.URIChainHasFlags(uri, ph.URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT)) { + + isSafe = true; + } + + return isSafe; + }, + + /* + * Checks whether the passed nested document is insecure + * or is inside an insecure parent document. + * + * We check the chain of frame ancestors all the way until the top document + * because MITM attackers could replace https:// iframes if they are nested inside + * http:// documents with their own content, thus creating a security risk + * and potentially stealing user data. Under such scenario, a user might not + * get a Mixed Content Blocker message, if the main document is served over HTTP + * and framing an HTTPS page as it would under the reverse scenario (http + * inside https). + */ + _checkForInsecureNestedDocuments : function(domDoc) { + let uri = domDoc.documentURIObject; + if (domDoc.defaultView == domDoc.defaultView.parent) { + // We are at the top, nothing to check here + return false; + } + if (!this._checkIfURIisSecure(uri)) { + // We are insecure + return true; + } + // I am secure, but check my parent + return this._checkForInsecureNestedDocuments(domDoc.defaultView.parent.document); + }, + + + /* + * Checks if there are insecure password fields present on the form's document + * i.e. passwords inside forms with http action, inside iframes with http src, + * or on insecure web pages. If insecure password fields are present, + * a log message is sent to the web console to warn developers. + */ + checkForInsecurePasswords : function (aForm) { + var domDoc = aForm.ownerDocument; + let pageURI = domDoc.defaultView.top.document.documentURIObject; + let isSafePage = this._checkIfURIisSecure(pageURI); + + if (!isSafePage) { + this._sendWebConsoleMessage("InsecurePasswordsPresentOnPage", domDoc); + } + + // Check if we are on an iframe with insecure src, or inside another + // insecure iframe or document. + if (this._checkForInsecureNestedDocuments(domDoc)) { + this._sendWebConsoleMessage("InsecurePasswordsPresentOnIframe", domDoc); + } + + if (aForm.action.match(/^http:\/\//)) { + this._sendWebConsoleMessage("InsecureFormActionPasswordsPresent", domDoc); + } + }, +};