This repository has been archived by the owner on Aug 4, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathnsMixedContentBlocker.cpp
717 lines (630 loc) · 28.5 KB
/
nsMixedContentBlocker.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsMixedContentBlocker.h"
#include "nsContentPolicyUtils.h"
#include "nsThreadUtils.h"
#include "nsINode.h"
#include "nsCOMPtr.h"
#include "nsIDocShell.h"
#include "nsISecurityEventSink.h"
#include "nsIWebProgressListener.h"
#include "nsContentUtils.h"
#include "nsNetUtil.h"
#include "nsIRequest.h"
#include "nsIDocument.h"
#include "nsIContentViewer.h"
#include "nsIChannel.h"
#include "nsIHttpChannel.h"
#include "mozilla/Preferences.h"
#include "nsIScriptObjectPrincipal.h"
#include "nsISecureBrowserUI.h"
#include "nsIDocumentLoader.h"
#include "nsIWebNavigation.h"
#include "nsLoadGroup.h"
#include "nsIScriptError.h"
#include "nsIURI.h"
#include "nsIChannelEventSink.h"
#include "nsAsyncRedirectVerifyHelper.h"
#include "mozilla/LoadInfo.h"
#include "prlog.h"
using namespace mozilla;
enum nsMixedContentBlockerMessageType {
eBlocked = 0x00,
eUserOverride = 0x01
};
// Is mixed script blocking (fonts, plugin content, scripts, stylesheets,
// iframes, websockets, XHR) enabled?
bool nsMixedContentBlocker::sBlockMixedScript = false;
// Is mixed display content blocking (images, audio, video, <a ping>) enabled?
bool nsMixedContentBlocker::sBlockMixedDisplay = false;
// Fired at the document that attempted to load mixed content. The UI could
// handle this event, for example, by displaying an info bar that offers the
// choice to reload the page with mixed content permitted.
class nsMixedContentEvent : public nsRunnable
{
public:
nsMixedContentEvent(nsISupports *aContext, MixedContentTypes aType)
: mContext(aContext), mType(aType)
{}
NS_IMETHOD Run()
{
NS_ASSERTION(mContext,
"You can't call this runnable without a requesting context");
// To update the security UI in the tab with the blocked mixed content, call
// nsISecurityEventSink::OnSecurityChange. You can get to the event sink by
// calling NS_CP_GetDocShellFromContext on the context, and QI'ing to
// nsISecurityEventSink.
// Mixed content was allowed and is about to load; get the document and
// set the approriate flag to true if we are about to load Mixed Active
// Content.
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(mContext);
if (!docShell) {
return NS_OK;
}
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
NS_ASSERTION(sameTypeRoot, "No document shell root tree item from document shell tree item!");
// now get the document from sameTypeRoot
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
if (mType == eMixedScript) {
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentLoaded(true);
// Update the security UI in the tab with the allowed mixed active content
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
if (eventSink) {
// If mixed display content is loaded, make sure to include that in the state.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
} else {
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
}
} else if (mType == eMixedDisplay) {
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedDisplayContentLoaded(true);
// Update the security UI in the tab with the allowed mixed display content.
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
if (eventSink) {
// If mixed active content is loaded, make sure to include that in the state.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
} else {
eventSink->OnSecurityChange(mContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
}
}
return NS_OK;
}
private:
// The requesting context for the content load. Generally, a DOM node from
// the document that caused the load.
nsCOMPtr<nsISupports> mContext;
// The type of mixed content detected, e.g. active or display
const MixedContentTypes mType;
};
nsMixedContentBlocker::nsMixedContentBlocker()
{
// Cache the pref for mixed script blocking
Preferences::AddBoolVarCache(&sBlockMixedScript,
"security.mixed_content.block_active_content");
// Cache the pref for mixed display blocking
Preferences::AddBoolVarCache(&sBlockMixedDisplay,
"security.mixed_content.block_display_content");
}
nsMixedContentBlocker::~nsMixedContentBlocker()
{
}
NS_IMPL_ISUPPORTS(nsMixedContentBlocker, nsIContentPolicy, nsIChannelEventSink)
static void
LogMixedContentMessage(MixedContentTypes aClassification,
nsIURI* aContentLocation,
nsIDocument* aRootDoc,
nsMixedContentBlockerMessageType aMessageType)
{
nsAutoCString messageCategory;
uint32_t severityFlag;
nsAutoCString messageLookupKey;
if (aMessageType == eBlocked) {
severityFlag = nsIScriptError::errorFlag;
messageCategory.AssignLiteral("Mixed Content Blocker");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("BlockMixedDisplayContent");
} else {
messageLookupKey.AssignLiteral("BlockMixedActiveContent");
}
} else {
severityFlag = nsIScriptError::warningFlag;
messageCategory.AssignLiteral("Mixed Content Message");
if (aClassification == eMixedDisplay) {
messageLookupKey.AssignLiteral("LoadingMixedDisplayContent2");
} else {
messageLookupKey.AssignLiteral("LoadingMixedActiveContent2");
}
}
nsAutoCString locationSpec;
aContentLocation->GetSpec(locationSpec);
NS_ConvertUTF8toUTF16 locationSpecUTF16(locationSpec);
const char16_t* strings[] = { locationSpecUTF16.get() };
nsContentUtils::ReportToConsole(severityFlag, messageCategory, aRootDoc,
nsContentUtils::eSECURITY_PROPERTIES,
messageLookupKey.get(), strings, ArrayLength(strings));
}
/* nsIChannelEventSink implementation
* This code is called when a request is redirected.
* We check the channel associated with the new uri is allowed to load
* in the current context
*/
NS_IMETHODIMP
nsMixedContentBlocker::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
nsIChannel* aNewChannel,
uint32_t aFlags,
nsIAsyncVerifyRedirectCallback* aCallback)
{
nsAsyncRedirectAutoCallback autoCallback(aCallback);
if (!aOldChannel) {
NS_ERROR("No channel when evaluating mixed content!");
return NS_ERROR_FAILURE;
}
nsresult rv;
nsCOMPtr<nsIURI> oldUri;
rv = aOldChannel->GetURI(getter_AddRefs(oldUri));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> newUri;
rv = aNewChannel->GetURI(getter_AddRefs(newUri));
NS_ENSURE_SUCCESS(rv, rv);
// Get the loading Info from the old channel
nsCOMPtr<nsILoadInfo> loadInfo;
rv = aOldChannel->GetLoadInfo(getter_AddRefs(loadInfo));
NS_ENSURE_SUCCESS(rv, rv);
if (!loadInfo) {
// XXX: We want to have a loadInfo on all channels, but we don't yet.
// If an addon creates a channel, they may not set loadinfo. If that
// channel redirects from one page to another page, we would get caught
// in this code path. Hence, we have to return NS_OK. Once we have more
// confidence that all channels have loadinfo, we can change this to
// a failure. See bug 1077201.
return NS_OK;
}
uint32_t contentPolicyType = loadInfo->GetContentPolicyType();
nsCOMPtr<nsIPrincipal> requestingPrincipal = loadInfo->LoadingPrincipal();
// Since we are calling shouldLoad() directly on redirects, we don't go through the code
// in nsContentPolicyUtils::NS_CheckContentLoadPolicy(). Hence, we have to
// duplicate parts of it here.
nsCOMPtr<nsIURI> requestingLocation;
if (requestingPrincipal) {
// We check to see if the loadingPrincipal is systemPrincipal and return
// early if it is
if (nsContentUtils::IsSystemPrincipal(requestingPrincipal)) {
return NS_OK;
}
// We set the requestingLocation from the RequestingPrincipal.
rv = requestingPrincipal->GetURI(getter_AddRefs(requestingLocation));
NS_ENSURE_SUCCESS(rv, rv);
}
int16_t decision = REJECT_REQUEST;
rv = ShouldLoad(contentPolicyType,
newUri,
requestingLocation,
loadInfo->LoadingNode(),
EmptyCString(), // aMimeGuess
nullptr, // aExtra
requestingPrincipal,
&decision);
NS_ENSURE_SUCCESS(rv, rv);
// If the channel is about to load mixed content, abort the channel
if (!NS_CP_ACCEPTED(decision)) {
autoCallback.DontCallback();
return NS_BINDING_FAILED;
}
return NS_OK;
}
NS_IMETHODIMP
nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
nsIURI* aContentLocation,
nsIURI* aRequestingLocation,
nsISupports* aRequestingContext,
const nsACString& aMimeGuess,
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
// Asserting that we are on the main thread here and hence do not have to lock
// and unlock sBlockMixedScript and sBlockMixedDisplay before reading/writing
// to them.
MOZ_ASSERT(NS_IsMainThread());
// Assume active (high risk) content and blocked by default
MixedContentTypes classification = eMixedScript;
// Make decision to block/reject by default
*aDecision = REJECT_REQUEST;
// Notes on non-obvious decisions:
//
// TYPE_DTD: A DTD can contain entity definitions that expand to scripts.
//
// TYPE_FONT: The TrueType hinting mechanism is basically a scripting
// language that gets interpreted by the operating system's font rasterizer.
// Mixed content web fonts are relatively uncommon, and we can can fall back
// to built-in fonts with minimal disruption in almost all cases.
//
// TYPE_OBJECT_SUBREQUEST could actually be either active content (e.g. a
// script that a plugin will execute) or display content (e.g. Flash video
// content). Until we have a way to determine active vs passive content
// from plugin requests (bug 836352), we will treat this as passive content.
// This is to prevent false positives from causing users to become
// desensitized to the mixed content blocker.
//
// TYPE_CSP_REPORT: High-risk because they directly leak information about
// the content of the page, and because blocking them does not have any
// negative effect on the page loading.
//
// TYPE_PING: Ping requests are POSTS, not GETs like images and media.
// Also, PING requests have no bearing on the rendering or operation of
// the page when used as designed, so even though they are lower risk than
// scripts, blocking them is basically risk-free as far as compatibility is
// concerned. Ping is turned off by default in Firefox, so unless a user
// opts into ping, no request will be made. Categorizing this as Mixed
// Display Content for now, but this is subject to change.
//
// TYPE_STYLESHEET: XSLT stylesheets can insert scripts. CSS positioning
// and other advanced CSS features can possibly be exploited to cause
// spoofing attacks (e.g. make a "grant permission" button look like a
// "refuse permission" button).
//
// TYPE_BEACON: Beacon requests are similar to TYPE_PING, but are default on.
//
// TYPE_WEBSOCKET: The Websockets API requires browsers to
// reject mixed-content websockets: "If secure is false but the origin of
// the entry script has a scheme component that is itself a secure protocol,
// e.g. HTTPS, then throw a SecurityError exception." We already block mixed
// content websockets within the websockets implementation, so we don't need
// to do any blocking here, nor do we need to provide a way to undo or
// override the blocking. Websockets without TLS are very flaky anyway in the
// face of many HTTP-aware proxies. Compared to psasive content, there is
// additional risk that the script using WebSockets will disclose sensitive
// information from the HTTPS page and/or eval (directly or indirectly)
// received data.
//
// TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
// mixed-content XHR will already be blocked by that check. This will also
// block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
// above for WebSockets apply to XHR, and XHR should have the same security
// properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
// amplifies these concerns.
static_assert(TYPE_DATAREQUEST == TYPE_XMLHTTPREQUEST,
"TYPE_DATAREQUEST is not a synonym for "
"TYPE_XMLHTTPREQUEST");
switch (aContentType) {
// The top-level document cannot be mixed content by definition
case TYPE_DOCUMENT:
*aDecision = ACCEPT;
return NS_OK;
// Creating insecure websocket connections in a secure page is blocked already
// in the websocket constructor. We don't need to check the blocking here
// and we don't want to un-block
case TYPE_WEBSOCKET:
*aDecision = ACCEPT;
return NS_OK;
// Static display content is considered moderate risk for mixed content so
// these will be blocked according to the mixed display preference
case TYPE_IMAGE:
case TYPE_MEDIA:
case TYPE_OBJECT_SUBREQUEST:
case TYPE_PING:
case TYPE_BEACON:
classification = eMixedDisplay;
break;
// Active content (or content with a low value/risk-of-blocking ratio)
// that has been explicitly evaluated; listed here for documentation
// purposes and to avoid the assertion and warning for the default case.
case TYPE_IMAGESET:
case TYPE_CSP_REPORT:
case TYPE_DTD:
case TYPE_FETCH:
case TYPE_FONT:
case TYPE_OBJECT:
case TYPE_SCRIPT:
case TYPE_STYLESHEET:
case TYPE_SUBDOCUMENT:
case TYPE_XBL:
case TYPE_XMLHTTPREQUEST:
case TYPE_XSLT:
case TYPE_OTHER:
break;
// This content policy works as a whitelist.
default:
MOZ_ASSERT(false, "Mixed content of unknown type");
break;
}
/* Get the scheme of the sub-document resource to be requested. If it is
* a safe to load in an https context then mixed content doesn't apply.
*
* Check Protocol Flags to determine if scheme is safe to load:
* URI_DOES_NOT_RETURN_DATA - e.g.
* "mailto"
* URI_IS_LOCAL_RESOURCE - e.g.
* "data",
* "resource",
* "moz-icon"
* URI_INHERITS_SECURITY_CONTEXT - e.g.
* "javascript"
* URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT - e.g.
* "https",
* "moz-safe-about"
*
*/
bool schemeLocal = false;
bool schemeNoReturnData = false;
bool schemeInherits = false;
bool schemeSecure = false;
if (NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE , &schemeLocal)) ||
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA, &schemeNoReturnData)) ||
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT, &schemeInherits)) ||
NS_FAILED(NS_URIChainHasFlags(aContentLocation, nsIProtocolHandler::URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT, &schemeSecure))) {
*aDecision = REJECT_REQUEST;
return NS_ERROR_FAILURE;
}
if (schemeLocal || schemeNoReturnData || schemeInherits || schemeSecure) {
*aDecision = ACCEPT;
return NS_OK;
}
// Since there are cases where aRequestingLocation and aRequestPrincipal are
// definitely not the owning document, we try to ignore them by extracting the
// requestingLocation in the following order:
// 1) from the aRequestingContext, either extracting
// a) the node's principal, or the
// b) script object's principal.
// 2) if aRequestingContext yields a principal but no location, we check
// if its the system principal. If it is, allow the load.
// 3) Special case handling for:
// a) speculative loads, where shouldLoad is called twice (bug 839235)
// and the first speculative load does not include a context.
// In this case we use aRequestingLocation to set requestingLocation.
// b) TYPE_CSP_REPORT which does not provide a context. In this case we
// use aRequestingLocation to set requestingLocation.
// c) content scripts from addon code that do not provide aRequestingContext
// or aRequestingLocation, but do provide aRequestPrincipal.
// If aRequestPrincipal is an expanded principal, we allow the load.
// 4) If we still end up not having a requestingLocation, we reject the load.
nsCOMPtr<nsIPrincipal> principal;
// 1a) Try to get the principal if aRequestingContext is a node.
nsCOMPtr<nsINode> node = do_QueryInterface(aRequestingContext);
if (node) {
principal = node->NodePrincipal();
}
// 1b) Try using the window's script object principal if it's not a node.
if (!principal) {
nsCOMPtr<nsIScriptObjectPrincipal> scriptObjPrin = do_QueryInterface(aRequestingContext);
if (scriptObjPrin) {
principal = scriptObjPrin->GetPrincipal();
}
}
nsCOMPtr<nsIURI> requestingLocation;
if (principal) {
principal->GetURI(getter_AddRefs(requestingLocation));
}
// 2) if aRequestingContext yields a principal but no location, we check if its a system principal.
if (principal && !requestingLocation) {
if (nsContentUtils::IsSystemPrincipal(principal)) {
*aDecision = ACCEPT;
return NS_OK;
}
}
// 3a,b) Special case handling for speculative loads and TYPE_CSP_REPORT. In
// such cases, aRequestingContext doesn't exist, so we use aRequestingLocation.
// Unfortunately we can not distinguish between speculative and normal loads here,
// otherwise we could special case this assignment.
if (!requestingLocation) {
requestingLocation = aRequestingLocation;
}
// 3c) Special case handling for content scripts from addons code, which only
// provide a aRequestPrincipal; aRequestingContext and aRequestingLocation are
// both null; if the aRequestPrincipal is an expandedPrincipal, we allow the load.
if (!principal && !requestingLocation && aRequestPrincipal) {
nsCOMPtr<nsIExpandedPrincipal> expanded = do_QueryInterface(aRequestPrincipal);
if (expanded) {
*aDecision = ACCEPT;
return NS_OK;
}
}
// 4) Giving up. We still don't have a requesting location, therefore we can't tell
// if this is a mixed content load. Deny to be safe.
if (!requestingLocation) {
*aDecision = REJECT_REQUEST;
return NS_OK;
}
// Check the parent scheme. If it is not an HTTPS page then mixed content
// restrictions do not apply.
bool parentIsHttps;
nsresult rv = requestingLocation->SchemeIs("https", &parentIsHttps);
if (NS_FAILED(rv)) {
NS_ERROR("requestingLocation->SchemeIs failed");
*aDecision = REJECT_REQUEST;
return NS_OK;
}
if (!parentIsHttps) {
*aDecision = ACCEPT;
return NS_OK;
}
// Determine if the rootDoc is https and if the user decided to allow Mixed Content
nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(aRequestingContext);
NS_ENSURE_TRUE(docShell, NS_OK);
bool rootHasSecureConnection = false;
bool allowMixedContent = false;
bool isRootDocShell = false;
rv = docShell->GetAllowMixedContentAndConnectionData(&rootHasSecureConnection, &allowMixedContent, &isRootDocShell);
if (NS_FAILED(rv)) {
*aDecision = REJECT_REQUEST;
return rv;
}
// Get the sameTypeRoot tree item from the docshell
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
docShell->GetSameTypeRootTreeItem(getter_AddRefs(sameTypeRoot));
NS_ASSERTION(sameTypeRoot, "No root tree item from docshell!");
// When navigating an iframe, the iframe may be https
// but its parents may not be. Check the parents to see if any of them are https.
// If none of the parents are https, allow the load.
if (aContentType == TYPE_SUBDOCUMENT && !rootHasSecureConnection) {
bool httpsParentExists = false;
nsCOMPtr<nsIDocShellTreeItem> parentTreeItem;
parentTreeItem = docShell;
while(!httpsParentExists && parentTreeItem) {
nsCOMPtr<nsIWebNavigation> parentAsNav(do_QueryInterface(parentTreeItem));
NS_ASSERTION(parentAsNav, "No web navigation object from parent's docshell tree item");
nsCOMPtr<nsIURI> parentURI;
parentAsNav->GetCurrentURI(getter_AddRefs(parentURI));
if (!parentURI || NS_FAILED(parentURI->SchemeIs("https", &httpsParentExists))) {
// if getting the URI or the scheme fails, assume there is a https parent and break.
httpsParentExists = true;
break;
}
// When the parent and the root are the same, we have traversed all the way up
// the same type docshell tree. Break out of the while loop.
if(sameTypeRoot == parentTreeItem) {
break;
}
// update the parent to the grandparent.
nsCOMPtr<nsIDocShellTreeItem> newParentTreeItem;
parentTreeItem->GetSameTypeParent(getter_AddRefs(newParentTreeItem));
parentTreeItem = newParentTreeItem;
} // end while loop.
if (!httpsParentExists) {
*aDecision = nsIContentPolicy::ACCEPT;
return NS_OK;
}
}
// Get the root document from the sameTypeRoot
nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
// Get eventSink and the current security state from the docShell
nsCOMPtr<nsISecurityEventSink> eventSink = do_QueryInterface(docShell);
NS_ASSERTION(eventSink, "No eventSink from docShell.");
nsCOMPtr<nsIDocShell> rootShell = do_GetInterface(sameTypeRoot);
NS_ASSERTION(rootShell, "No root docshell from document shell root tree item.");
uint32_t State = nsIWebProgressListener::STATE_IS_BROKEN;
nsCOMPtr<nsISecureBrowserUI> securityUI;
rootShell->GetSecurityUI(getter_AddRefs(securityUI));
// If there is no securityUI, document doesn't have a security state.
// Allow load and return early.
if (!securityUI) {
*aDecision = nsIContentPolicy::ACCEPT;
return NS_OK;
}
nsresult stateRV = securityUI->GetState(&State);
// If the content is display content, and the pref says display content should be blocked, block it.
if (sBlockMixedDisplay && classification == eMixedDisplay) {
if (allowMixedContent) {
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
*aDecision = nsIContentPolicy::ACCEPT;
rootDoc->SetHasMixedActiveContentLoaded(true);
if (!rootDoc->GetHasMixedDisplayContentLoaded() && NS_SUCCEEDED(stateRV)) {
rootDoc->SetHasMixedDisplayContentLoaded(true);
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
}
} else {
*aDecision = nsIContentPolicy::REJECT_REQUEST;
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
if (!rootDoc->GetHasMixedDisplayContentBlocked() && NS_SUCCEEDED(stateRV)) {
rootDoc->SetHasMixedDisplayContentBlocked(true);
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_BLOCKED_MIXED_DISPLAY_CONTENT));
}
}
return NS_OK;
} else if (sBlockMixedScript && classification == eMixedScript) {
// If the content is active content, and the pref says active content should be blocked, block it
// unless the user has choosen to override the pref
if (allowMixedContent) {
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
*aDecision = nsIContentPolicy::ACCEPT;
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentLoaded()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentLoaded(true);
if (rootHasSecureConnection) {
// User has decided to override the pref and the root is https, so change the Security State.
if (rootDoc->GetHasMixedDisplayContentLoaded()) {
// If mixed display content is loaded, make sure to include that in the state.
eventSink->OnSecurityChange(aRequestingContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT |
nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT));
} else {
eventSink->OnSecurityChange(aRequestingContext, (nsIWebProgressListener::STATE_IS_BROKEN |
nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
} else {
// User has already overriden the pref and the root is not https;
// mixed content was allowed on an https subframe.
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
}
} else {
//User has not overriden the pref by Disabling protection. Reject the request and update the security state.
*aDecision = nsIContentPolicy::REJECT_REQUEST;
LogMixedContentMessage(classification, aContentLocation, rootDoc, eBlocked);
// See if the pref will change here. If it will, only then do we need to call OnSecurityChange() to update the UI.
if (rootDoc->GetHasMixedActiveContentBlocked()) {
return NS_OK;
}
rootDoc->SetHasMixedActiveContentBlocked(true);
// The user has not overriden the pref, so make sure they still have an option by calling eventSink
// which will invoke the doorhanger
if (NS_SUCCEEDED(stateRV)) {
eventSink->OnSecurityChange(aRequestingContext, (State | nsIWebProgressListener::STATE_BLOCKED_MIXED_ACTIVE_CONTENT));
}
return NS_OK;
}
} else {
// The content is not blocked by the mixed content prefs.
// Log a message that we are loading mixed content.
LogMixedContentMessage(classification, aContentLocation, rootDoc, eUserOverride);
// Fire the event from a script runner as it is unsafe to run script
// from within ShouldLoad
nsContentUtils::AddScriptRunner(
new nsMixedContentEvent(aRequestingContext, classification));
*aDecision = ACCEPT;
return NS_OK;
}
*aDecision = REJECT_REQUEST;
return NS_OK;
}
NS_IMETHODIMP
nsMixedContentBlocker::ShouldProcess(uint32_t aContentType,
nsIURI* aContentLocation,
nsIURI* aRequestingLocation,
nsISupports* aRequestingContext,
const nsACString& aMimeGuess,
nsISupports* aExtra,
nsIPrincipal* aRequestPrincipal,
int16_t* aDecision)
{
if (!aContentLocation) {
// aContentLocation may be null when a plugin is loading without an associated URI resource
if (aContentType == TYPE_OBJECT) {
*aDecision = ACCEPT;
return NS_OK;
} else {
*aDecision = REJECT_REQUEST;
return NS_ERROR_FAILURE;
}
}
return ShouldLoad(aContentType, aContentLocation, aRequestingLocation,
aRequestingContext, aMimeGuess, aExtra, aRequestPrincipal,
aDecision);
}