/
nsSecureBrowserUIImpl.cpp
466 lines (392 loc) · 15.5 KB
/
nsSecureBrowserUIImpl.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsSecureBrowserUIImpl.h"
#include "mozilla/Assertions.h"
#include "mozilla/Logging.h"
#include "mozilla/Unused.h"
#include "mozilla/dom/Document.h"
#include "mozilla/dom/nsMixedContentBlocker.h"
#include "nsContentUtils.h"
#include "nsIChannel.h"
#include "nsDocShell.h"
#include "nsIDocShellTreeItem.h"
#include "nsIInterfaceRequestorUtils.h"
#include "nsITransportSecurityInfo.h"
#include "nsIWebProgress.h"
using namespace mozilla;
LazyLogModule gSecureBrowserUILog("nsSecureBrowserUI");
nsSecureBrowserUIImpl::nsSecureBrowserUIImpl() : mState(0), mEvent(0) {
MOZ_ASSERT(NS_IsMainThread());
}
NS_IMPL_ISUPPORTS(nsSecureBrowserUIImpl, nsISecureBrowserUI,
nsIWebProgressListener, nsISupportsWeakReference)
NS_IMETHODIMP
nsSecureBrowserUIImpl::Init(nsIDocShell* aDocShell) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG(aDocShell);
aDocShell->SetSecurityUI(this);
// The Docshell will own the SecureBrowserUI object, we keep a weak ref.
nsresult rv;
mDocShell = do_GetWeakReference(aDocShell, &rv);
if (NS_FAILED(rv)) {
return rv;
}
// hook up to the webprogress notifications.
nsCOMPtr<nsIWebProgress> wp(do_GetInterface(aDocShell));
if (!wp) {
return NS_ERROR_FAILURE;
}
// Save this so we can compare it to the web progress in OnLocationChange.
mWebProgress = do_GetWeakReference(wp, &rv);
if (NS_FAILED(rv)) {
return rv;
}
return wp->AddProgressListener(this, nsIWebProgress::NOTIFY_LOCATION);
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::GetState(uint32_t* aState) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG(aState);
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("GetState %p", this));
// With respect to mixed content and tracking protection, we won't know when
// the state of our document (or a subdocument) has changed, so we ask the
// docShell.
CheckForMixedContent();
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" mState: %x", mState));
*aState = mState;
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::GetContentBlockingEvent(uint32_t* aEvent) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG(aEvent);
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
("GetContentBlockingEvent %p", this));
// With respect to mixed content and tracking protection, we won't know when
// the state of our document (or a subdocument) has changed, so we ask the
// docShell.
CheckForContentBlockingEvents();
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" mEvent: %x", mEvent));
*aEvent = mEvent;
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::GetSecInfo(nsITransportSecurityInfo** result) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG_POINTER(result);
*result = mTopLevelSecurityInfo;
NS_IF_ADDREF(*result);
return NS_OK;
}
already_AddRefed<dom::Document>
nsSecureBrowserUIImpl::PrepareForContentChecks() {
nsCOMPtr<nsIDocShell> docShell = do_QueryReferent(mDocShell);
if (!docShell) {
return nullptr;
}
// For content docShells, the mixed content security state is set on the root
// docShell.
if (docShell->ItemType() == nsIDocShellTreeItem::typeContent) {
nsCOMPtr<nsIDocShellTreeItem> docShellTreeItem(docShell);
nsCOMPtr<nsIDocShellTreeItem> sameTypeRoot;
Unused << docShellTreeItem->GetSameTypeRootTreeItem(
getter_AddRefs(sameTypeRoot));
MOZ_ASSERT(
sameTypeRoot,
"No document shell root tree item from document shell tree item!");
docShell = do_QueryInterface(sameTypeRoot);
if (!docShell) {
return nullptr;
}
}
RefPtr<dom::Document> doc = docShell->GetDocument();
return doc.forget();
}
// Ask the docShell if we've blocked or loaded any mixed content.
void nsSecureBrowserUIImpl::CheckForMixedContent() {
RefPtr<dom::Document> doc = PrepareForContentChecks();
if (!doc) {
// If the docshell has no document, then there is no need to update mState.
return;
}
// Has mixed content been loaded or blocked in nsMixedContentBlocker?
// This only applies to secure documents even if they're affected by mixed
// content blocking in which case the STATE_IS_BROKEN bit would be set rather
// than STATE_IS_SECURE.
if (((mState & STATE_IS_SECURE) != 0) || ((mState & STATE_IS_BROKEN) != 0)) {
if (doc->GetHasMixedActiveContentLoaded()) {
mState |= STATE_IS_BROKEN | STATE_LOADED_MIXED_ACTIVE_CONTENT;
mState &= ~STATE_IS_SECURE;
}
if (doc->GetHasMixedDisplayContentLoaded()) {
mState |= STATE_IS_BROKEN | STATE_LOADED_MIXED_DISPLAY_CONTENT;
mState &= ~STATE_IS_SECURE;
}
if (doc->GetHasMixedActiveContentBlocked()) {
mState |= STATE_BLOCKED_MIXED_ACTIVE_CONTENT;
}
if (doc->GetHasMixedDisplayContentBlocked()) {
mState |= STATE_BLOCKED_MIXED_DISPLAY_CONTENT;
}
}
}
// Ask the docShell if we have any content blocking events.
void nsSecureBrowserUIImpl::CheckForContentBlockingEvents() {
RefPtr<dom::Document> doc = PrepareForContentChecks();
if (!doc) {
// If the docshell has no document, then there is no need to update mState.
return;
}
// Has tracking content been blocked or loaded?
if (doc->GetHasTrackingContentBlocked()) {
mEvent |= STATE_BLOCKED_TRACKING_CONTENT;
}
if (doc->GetHasTrackingContentLoaded()) {
mEvent |= STATE_LOADED_TRACKING_CONTENT;
}
// Has fingerprinting content been blocked or loaded?
if (doc->GetHasFingerprintingContentBlocked()) {
mEvent |= STATE_BLOCKED_FINGERPRINTING_CONTENT;
}
if (doc->GetHasFingerprintingContentLoaded()) {
mEvent |= STATE_LOADED_FINGERPRINTING_CONTENT;
}
// Has cryptomining content been blocked or loaded?
if (doc->GetHasCryptominingContentBlocked()) {
mEvent |= STATE_BLOCKED_CRYPTOMINING_CONTENT;
}
if (doc->GetHasCryptominingContentLoaded()) {
mEvent |= STATE_LOADED_CRYPTOMINING_CONTENT;
}
// Other block types.
if (doc->GetHasCookiesBlockedByPermission()) {
mEvent |= STATE_COOKIES_BLOCKED_BY_PERMISSION;
}
if (doc->GetHasTrackingCookiesBlocked()) {
mEvent |= STATE_COOKIES_BLOCKED_TRACKER;
}
if (doc->GetHasForeignCookiesBlocked()) {
mEvent |= STATE_COOKIES_BLOCKED_FOREIGN;
}
if (doc->GetHasAllCookiesBlocked()) {
mEvent |= STATE_COOKIES_BLOCKED_ALL;
}
if (doc->GetHasCookiesLoaded()) {
mEvent |= STATE_COOKIES_LOADED;
}
}
// Helper function to determine if the given URI can be considered secure.
// Essentially, only "https" URIs can be considered secure. However, the URI we
// have may be e.g. view-source:https://example.com, in which case we have to
// evaluate the innermost URI.
static nsresult URICanBeConsideredSecure(
nsIURI* uri, /* out */ bool& canBeConsideredSecure) {
MOZ_ASSERT(uri);
NS_ENSURE_ARG(uri);
canBeConsideredSecure = false;
nsCOMPtr<nsIURI> innermostURI = NS_GetInnermostURI(uri);
if (!innermostURI) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" couldn't get innermost URI"));
return NS_ERROR_FAILURE;
}
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" innermost URI is '%s'", innermostURI->GetSpecOrDefault().get()));
bool isHttps;
nsresult rv = innermostURI->SchemeIs("https", &isHttps);
if (NS_FAILED(rv)) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" nsIURI->SchemeIs failed"));
return rv;
}
bool isOnion =
nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(innermostURI);
canBeConsideredSecure = isHttps || isOnion;
return NS_OK;
}
// Helper function to get the securityInfo from a channel as a
// nsITransportSecurityInfo. The out parameter will be set to null if there is
// no securityInfo set.
static void GetSecurityInfoFromChannel(
nsIChannel* channel, nsITransportSecurityInfo** securityInfoOut) {
MOZ_ASSERT(channel);
MOZ_ASSERT(securityInfoOut);
NS_ENSURE_TRUE_VOID(channel);
NS_ENSURE_TRUE_VOID(securityInfoOut);
*securityInfoOut = nullptr;
nsCOMPtr<nsISupports> securityInfoSupports;
nsresult rv = channel->GetSecurityInfo(getter_AddRefs(securityInfoSupports));
// GetSecurityInfo may return an error, but it's not necessarily fatal - the
// underlying channel may simply not have a securityInfo.
if (NS_FAILED(rv)) {
return;
}
nsCOMPtr<nsITransportSecurityInfo> securityInfo(
do_QueryInterface(securityInfoSupports));
securityInfo.forget(securityInfoOut);
}
nsresult nsSecureBrowserUIImpl::UpdateStateAndSecurityInfo(nsIChannel* channel,
nsIURI* uri) {
MOZ_ASSERT(channel);
MOZ_ASSERT(uri);
NS_ENSURE_ARG(channel);
NS_ENSURE_ARG(uri);
mState = STATE_IS_INSECURE;
mTopLevelSecurityInfo = nullptr;
// Only https is considered secure (it is possible to have e.g. an http URI
// with a channel that has a securityInfo that indicates the connection is
// secure - e.g. h2/alt-svc or by visiting an http URI over an https proxy).
bool canBeConsideredSecure;
nsresult rv = URICanBeConsideredSecure(uri, canBeConsideredSecure);
if (NS_FAILED(rv)) {
return rv;
}
if (!canBeConsideredSecure) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" URI can't be considered secure"));
return NS_OK;
}
nsCOMPtr<nsITransportSecurityInfo> securityInfo;
GetSecurityInfoFromChannel(channel, getter_AddRefs(securityInfo));
if (securityInfo) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" we have a security info %p", securityInfo.get()));
rv = securityInfo->GetSecurityState(&mState);
if (NS_FAILED(rv)) {
return rv;
}
// Skip setting some state if mState == STATE_IS_INSECURE (TLS handshake
// never completed). But do not return in that case, since a
// STATE_IS_INSECURE can still be changed later to STATE_IS_SECURE if it's
// routed over tor (.onion).
if (mState != STATE_IS_INSECURE) {
mTopLevelSecurityInfo = securityInfo;
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" set mTopLevelSecurityInfo"));
bool isEV;
rv = mTopLevelSecurityInfo->GetIsExtendedValidation(&isEV);
if (NS_FAILED(rv)) {
return rv;
}
if (isEV) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" is EV"));
mState |= STATE_IDENTITY_EV_TOPLEVEL;
}
}
}
// any protocol routed over tor is secure
if ((mState & STATE_IS_SECURE) == 0) {
if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(uri)) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" URI is onion"));
mState = STATE_IS_SECURE;
}
}
if (mState != STATE_IS_INSECURE) {
// Proactively check for mixed content in case GetState() is never called
// (this can happen when loading from the BF cache).
CheckForMixedContent();
}
return NS_OK;
}
// We receive this notification for the nsIWebProgress we added ourselves to
// (i.e. the window we were passed in Init, which should be the top-level
// window or whatever corresponds to an <iframe mozbrowser> element). In some
// cases, we also receive it from nsIWebProgress instances that are children of
// that nsIWebProgress. We ignore notifications from children because they don't
// change the top-level state (if children load mixed or tracking content, the
// docShell will know and will tell us in GetState when we call
// CheckForMixedContent).
// When we receive a notification from the top-level nsIWebProgress, we extract
// any relevant security information and set our state accordingly. We then call
// OnSecurityChange on the docShell corresponding to the nsIWebProgress we were
// initialized with to notify any downstream listeners of the security state.
NS_IMETHODIMP
nsSecureBrowserUIImpl::OnLocationChange(nsIWebProgress* aWebProgress,
nsIRequest* aRequest, nsIURI* aLocation,
uint32_t aFlags) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG(aWebProgress);
NS_ENSURE_ARG(aLocation);
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
("%p OnLocationChange: %p %p %s %x", this, aWebProgress, aRequest,
aLocation->GetSpecOrDefault().get(), aFlags));
// Filter out events from children. See comment at the top of this function.
// It would be nice if the attribute isTopLevel worked for this, but that
// filters out events for <iframe mozbrowser> elements, which means they don't
// get OnSecurityChange events from this implementation. Instead, we check to
// see if the web progress we were handed here is the same one as we were
// initialized with.
nsCOMPtr<nsIWebProgress> originalWebProgress = do_QueryReferent(mWebProgress);
if (aWebProgress != originalWebProgress) {
return NS_OK;
}
// If this is a same-document location change, we don't need to update our
// state or notify anyone.
if (aFlags & LOCATION_CHANGE_SAME_DOCUMENT) {
return NS_OK;
}
mState = 0;
mEvent = 0;
mTopLevelSecurityInfo = nullptr;
if (aFlags & LOCATION_CHANGE_ERROR_PAGE) {
mState = STATE_IS_INSECURE;
mTopLevelSecurityInfo = nullptr;
} else {
// NB: aRequest may be null. It may also not be QI-able to nsIChannel.
nsCOMPtr<nsIChannel> channel(do_QueryInterface(aRequest));
if (channel) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" we have a channel %p", channel.get()));
nsresult rv = UpdateStateAndSecurityInfo(channel, aLocation);
// Even if this failed, we still want to notify downstream so that we
// don't leave a stale security indicator. We set everything to "not
// secure" to be safe.
if (NS_WARN_IF(NS_FAILED(rv))) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" Failed to update security info. "
"Setting everything to 'not secure' to be safe."));
mState = STATE_IS_INSECURE;
mTopLevelSecurityInfo = nullptr;
}
}
}
nsCOMPtr<nsIDocShell> docShell = do_QueryReferent(mDocShell);
if (docShell) {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
(" calling OnSecurityChange %p %x", aRequest, mState));
nsDocShell::Cast(docShell)->nsDocLoader::OnSecurityChange(aRequest, mState);
} else {
MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" no docShell?"));
}
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress*, nsIRequest*, uint32_t,
nsresult) {
MOZ_ASSERT_UNREACHABLE("Should have been excluded in AddProgressListener()");
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::OnProgressChange(nsIWebProgress*, nsIRequest*, int32_t,
int32_t, int32_t, int32_t) {
MOZ_ASSERT_UNREACHABLE("Should have been excluded in AddProgressListener()");
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::OnStatusChange(nsIWebProgress*, nsIRequest*, nsresult,
const char16_t*) {
MOZ_ASSERT_UNREACHABLE("Should have been excluded in AddProgressListener()");
return NS_OK;
}
nsresult nsSecureBrowserUIImpl::OnSecurityChange(nsIWebProgress*, nsIRequest*,
uint32_t) {
MOZ_ASSERT_UNREACHABLE("Should have been excluded in AddProgressListener()");
return NS_OK;
}
nsresult nsSecureBrowserUIImpl::OnContentBlockingEvent(nsIWebProgress*,
nsIRequest*, uint32_t) {
MOZ_ASSERT_UNREACHABLE("Should have been excluded in AddProgressListener()");
return NS_OK;
}