/** * Returns whether or not the sub-resource about to be loaded is eligible * for integrity checks. If it's not, the checks will be skipped and the * sub-resource will be loaded. */ static nsresult IsEligible(nsIChannel* aChannel, const CORSMode aCORSMode, const nsIDocument* aDocument) { NS_ENSURE_ARG_POINTER(aDocument); if (!aChannel) { SRILOG(("SRICheck::IsEligible, null channel")); return NS_ERROR_SRI_NOT_ELIGIBLE; } // Was the sub-resource loaded via CORS? if (aCORSMode != CORS_NONE) { SRILOG(("SRICheck::IsEligible, CORS mode")); return NS_OK; } nsCOMPtr<nsIURI> finalURI; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI)); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIURI> originalURI; rv = aChannel->GetOriginalURI(getter_AddRefs(originalURI)); NS_ENSURE_SUCCESS(rv, rv); nsAutoCString requestSpec; rv = originalURI->GetSpec(requestSpec); NS_ENSURE_SUCCESS(rv, rv); if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) { nsAutoCString documentSpec, finalSpec; aDocument->GetDocumentURI()->GetAsciiSpec(documentSpec); if (finalURI) { finalURI->GetSpec(finalSpec); } SRILOG(("SRICheck::IsEligible, documentURI=%s; requestURI=%s; finalURI=%s", documentSpec.get(), requestSpec.get(), finalSpec.get())); } // Is the sub-resource same-origin? nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); if (NS_SUCCEEDED(ssm->CheckSameOriginURI(aDocument->GetDocumentURI(), finalURI, false))) { SRILOG(("SRICheck::IsEligible, same-origin")); return NS_OK; } SRILOG(("SRICheck::IsEligible, NOT same origin")); NS_ConvertUTF8toUTF16 requestSpecUTF16(requestSpec); const char16_t* params[] = { requestSpecUTF16.get() }; nsContentUtils::ReportToConsole(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "IneligibleResource", params, ArrayLength(params)); return NS_ERROR_SRI_NOT_ELIGIBLE; }
/** * Returns whether or not the sub-resource about to be loaded is eligible * for integrity checks. If it's not, the checks will be skipped and the * sub-resource will be loaded. */ static nsresult IsEligible(nsIChannel* aChannel, mozilla::LoadTainting aTainting, const nsACString& aSourceFileURI, nsIConsoleReportCollector* aReporter) { NS_ENSURE_ARG_POINTER(aReporter); if (!aChannel) { SRILOG(("SRICheck::IsEligible, null channel")); return NS_ERROR_SRI_NOT_ELIGIBLE; } // Was the sub-resource loaded via CORS? if (aTainting == LoadTainting::CORS) { SRILOG(("SRICheck::IsEligible, CORS mode")); return NS_OK; } nsCOMPtr<nsIURI> finalURI; nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI)); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIURI> originalURI; rv = aChannel->GetOriginalURI(getter_AddRefs(originalURI)); NS_ENSURE_SUCCESS(rv, rv); nsAutoCString requestSpec; rv = originalURI->GetSpec(requestSpec); NS_ENSURE_SUCCESS(rv, rv); if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) { SRILOG(("SRICheck::IsEligible, requestURI=%s; finalURI=%s", requestSpec.get(), finalURI ? finalURI->GetSpecOrDefault().get() : "")); } // Is the sub-resource same-origin? if (aTainting == LoadTainting::Basic) { SRILOG(("SRICheck::IsEligible, same-origin")); return NS_OK; } SRILOG(("SRICheck::IsEligible, NOT same origin")); NS_ConvertUTF8toUTF16 requestSpecUTF16(requestSpec); nsTArray<nsString> params; params.AppendElement(requestSpecUTF16); aReporter->AddConsoleReport(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), nsContentUtils::eSECURITY_PROPERTIES, aSourceFileURI, 0, 0, NS_LITERAL_CSTRING("IneligibleResource"), const_cast<const nsTArray<nsString>&>(params)); return NS_ERROR_SRI_NOT_ELIGIBLE; }
/** * Returns whether or not the sub-resource about to be loaded is eligible * for integrity checks. If it's not, the checks will be skipped and the * sub-resource will be loaded. */ static nsresult IsEligible(nsIURI* aRequestURI, const CORSMode aCORSMode, const nsIDocument* aDocument) { NS_ENSURE_ARG_POINTER(aRequestURI); NS_ENSURE_ARG_POINTER(aDocument); nsAutoCString requestSpec; nsresult rv = aRequestURI->GetSpec(requestSpec); NS_ENSURE_SUCCESS(rv, rv); NS_ConvertUTF8toUTF16 requestSpecUTF16(requestSpec); // Was the sub-resource loaded via CORS? if (aCORSMode != CORS_NONE) { SRILOG(("SRICheck::IsEligible, CORS mode")); return NS_OK; } // Is the sub-resource same-origin? nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); if (NS_SUCCEEDED(ssm->CheckSameOriginURI(aDocument->GetDocumentURI(), aRequestURI, false))) { SRILOG(("SRICheck::IsEligible, same-origin")); return NS_OK; } if (MOZ_LOG_TEST(GetSriLog(), mozilla::LogLevel::Debug)) { nsAutoCString documentURI; aDocument->GetDocumentURI()->GetAsciiSpec(documentURI); // documentURI will be empty if GetAsciiSpec failed SRILOG(("SRICheck::IsEligible, NOT same origin: documentURI=%s; requestURI=%s", documentURI.get(), requestSpec.get())); } const char16_t* params[] = { requestSpecUTF16.get() }; nsContentUtils::ReportToConsole(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "IneligibleResource", params, ArrayLength(params)); return NS_ERROR_SRI_NOT_ELIGIBLE; }