// ::permits is only called for external load requests, therefore:
// nsCSPKeywordSrc and nsCSPHashSource fall back to this base class
// implementation which will never allow the load.
bool
nsCSPBaseSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPBaseSrc::permits, aUri: %s", spec.get()));
}
return false;
}
bool
nsCSPSchemeSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected,
bool aReportOnly, bool aUpgradeInsecure) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPSchemeSrc::permits, aUri: %s", spec.get()));
}
MOZ_ASSERT((!mScheme.EqualsASCII("")), "scheme can not be the empty string");
return permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure);
}
bool
nsCSPNonceSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPNonceSrc::permits, aUri: %s, aNonce: %s",
spec.get(), NS_ConvertUTF16toUTF8(aNonce).get()));
}
return mNonce.Equals(aNonce);
}
bool
nsCSPPolicy::permits(CSPDirective aDir,
nsIURI* aUri,
const nsAString& aNonce,
bool aWasRedirected,
bool aSpecific,
nsAString& outViolatedDirective) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPPolicy::permits, aUri: %s, aDir: %d, aSpecific: %s",
spec.get(), aDir, aSpecific ? "true" : "false"));
}
NS_ASSERTION(aUri, "permits needs an uri to perform the check!");
outViolatedDirective.Truncate();
nsCSPDirective* defaultDir = nullptr;
// Try to find a relevant directive
// These directive arrays are short (1-5 elements), not worth using a hashtable.
for (uint32_t i = 0; i < mDirectives.Length(); i++) {
if (mDirectives[i]->equals(aDir)) {
if (!mDirectives[i]->permits(aUri, aNonce, aWasRedirected, mReportOnly, mUpgradeInsecDir)) {
mDirectives[i]->toString(outViolatedDirective);
return false;
}
return true;
}
if (mDirectives[i]->isDefaultDirective()) {
defaultDir = mDirectives[i];
}
}
// If the above loop runs through, we haven't found a matching directive.
// Avoid relooping, just store the result of default-src while looping.
if (!aSpecific && defaultDir) {
if (!defaultDir->permits(aUri, aNonce, aWasRedirected, mReportOnly, mUpgradeInsecDir)) {
defaultDir->toString(outViolatedDirective);
return false;
}
return true;
}
// Nothing restricts this, so we're allowing the load
// See bug 764937
return true;
}
bool
nsCSPSchemeSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPSchemeSrc::permits, aUri: %s", spec.get()));
}
NS_ASSERTION((!mScheme.EqualsASCII("")), "scheme can not be the empty string");
nsAutoCString scheme;
nsresult rv = aUri->GetScheme(scheme);
NS_ENSURE_SUCCESS(rv, false);
return mScheme.EqualsASCII(scheme.get());
}
bool
nsCSPDirective::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPDirective::permits, aUri: %s", spec.get()));
}
for (uint32_t i = 0; i < mSrcs.Length(); i++) {
if (mSrcs[i]->permits(aUri, aNonce, aWasRedirected)) {
return true;
}
}
return false;
}
bool
nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected,
bool aReportOnly, bool aUpgradeInsecure) const
{
if (CSPUTILSLOGENABLED()) {
nsAutoCString spec;
aUri->GetSpec(spec);
CSPUTILSLOG(("nsCSPHostSrc::permits, aUri: %s", spec.get()));
}
// we are following the enforcement rules from the spec, see:
// http://www.w3.org/TR/CSP11/#match-source-expression
// 4.3) scheme matching: Check if the scheme matches.
if (!permitsScheme(mScheme, aUri, aReportOnly, aUpgradeInsecure)) {
return false;
}
// The host in nsCSpHostSrc should never be empty. In case we are enforcing
// just a specific scheme, the parser should generate a nsCSPSchemeSource.
NS_ASSERTION((!mHost.IsEmpty()), "host can not be the empty string");
// 2) host matching: Enforce a single *
if (mHost.EqualsASCII("*")) {
// The single ASTERISK character (*) does not match a URI's scheme of a type
// designating a globally unique identifier (such as blob:, data:, or filesystem:)
// At the moment firefox does not support filesystem; but for future compatibility
// we support it in CSP according to the spec, see: 4.2.2 Matching Source Expressions
// Note, that whitelisting any of these schemes would call nsCSPSchemeSrc::permits().
bool isBlobScheme =
(NS_SUCCEEDED(aUri->SchemeIs("blob", &isBlobScheme)) && isBlobScheme);
bool isDataScheme =
(NS_SUCCEEDED(aUri->SchemeIs("data", &isDataScheme)) && isDataScheme);
bool isFileScheme =
(NS_SUCCEEDED(aUri->SchemeIs("filesystem", &isFileScheme)) && isFileScheme);
if (isBlobScheme || isDataScheme || isFileScheme) {
return false;
}
return true;
}
// Before we can check if the host matches, we have to
// extract the host part from aUri.
nsAutoCString uriHost;
nsresult rv = aUri->GetHost(uriHost);
NS_ENSURE_SUCCESS(rv, false);
// 4.5) host matching: Check if the allowed host starts with a wilcard.
if (mHost.First() == '*') {
NS_ASSERTION(mHost[1] == '.', "Second character needs to be '.' whenever host starts with '*'");
// Eliminate leading "*", but keeping the FULL STOP (.) thereafter before checking
// if the remaining characters match
nsString wildCardHost = mHost;
wildCardHost = Substring(wildCardHost, 1, wildCardHost.Length() - 1);
if (!StringEndsWith(NS_ConvertUTF8toUTF16(uriHost), wildCardHost)) {
return false;
}
}
// 4.6) host matching: Check if hosts match.
else if (!mHost.Equals(NS_ConvertUTF8toUTF16(uriHost))) {
return false;
}
// 4.9) Path matching: If there is a path, we have to enforce
// path-level matching, unless the channel got redirected, see:
// http://www.w3.org/TR/CSP11/#source-list-paths-and-redirects
if (!aWasRedirected && !mPath.IsEmpty()) {
// converting aUri into nsIURL so we can strip query and ref
// example.com/test#foo -> example.com/test
// example.com/test?val=foo -> example.com/test
nsCOMPtr<nsIURL> url = do_QueryInterface(aUri);
if (!url) {
NS_ASSERTION(false, "can't QI into nsIURI");
return false;
}
nsAutoCString uriPath;
rv = url->GetFilePath(uriPath);
NS_ENSURE_SUCCESS(rv, false);
// check if the last character of mPath is '/'; if so
// we just have to check loading resource is within
// the allowed path.
if (mPath.Last() == '/') {
if (!StringBeginsWith(NS_ConvertUTF8toUTF16(uriPath), mPath)) {
return false;
}
}
// otherwise mPath whitelists a specific file, and we have to
// check if the loading resource matches that whitelisted file.
else {
if (!mPath.Equals(NS_ConvertUTF8toUTF16(uriPath))) {
return false;
}
}
}
// 4.8) Port matching: If port uses wildcard, allow the load.
if (mPort.EqualsASCII("*")) {
return true;
}
// Before we can check if the port matches, we have to
// query the port from aUri.
int32_t uriPort;
rv = aUri->GetPort(&uriPort);
NS_ENSURE_SUCCESS(rv, false);
nsAutoCString scheme;
rv = aUri->GetScheme(scheme);
NS_ENSURE_SUCCESS(rv, false);
uriPort = (uriPort > 0) ? uriPort : NS_GetDefaultPort(scheme.get());
// 4.7) Default port matching: If mPort is empty, we have to compare default ports.
if (mPort.IsEmpty()) {
int32_t port = NS_GetDefaultPort(NS_ConvertUTF16toUTF8(mScheme).get());
if (port != uriPort) {
// We should not return false for scheme-less sources where the protected resource
// is http and the load is https, see: http://www.w3.org/TR/CSP2/#match-source-expression
// BUT, we only allow scheme-less sources to be upgraded from http to https if CSP
// does not explicitly define a port.
if (!(uriPort == NS_GetDefaultPort("https"))) {
return false;
}
}
}
// 4.7) Port matching: Compare the ports.
else {
nsString portStr;
portStr.AppendInt(uriPort);
if (!mPort.Equals(portStr)) {
return false;
}
}
// At the end: scheme, host, path, and port match -> allow the load.
return true;
}
