Open Bug 1915629 Opened 9 months ago Updated 2 months ago

Implement Trusted Types support for the "pre-navigation check"

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
ASSIGNED

People

(Reporter: mbrodesser, Assigned: fredw)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file, 4 obsolete files)

WIP: Bug 1915629 - Implement Trusted Types support for the "pre-navigation check". r=smaug
48 bytes, text/x-phabricator-request
Details | Review
Assignee: nobody → mbrodesser
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog]

https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-javascript:-url-special-case, step 5.

https://searchfox.org/mozilla-central/search?path=&q=AllowedByCSP is triggered via
nsJSChannel::AsyncOpen (https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/nsJSProtocolHandler.cpp#679), from the following call stack:

#0  nsJSChannel::AsyncOpen (this=0x7c3807495280, aListener=<optimized out>) at /home/mirko/work/code/gecko/dom/jsurl/nsJSProtocolHandler.cpp:687
#1  0x00007c3812df5e31 in nsURILoader::OpenURI (this=0x7c380aeaf580, channel=0x7c3807495280, aFlags=<optimized out>, aWindowContext=<optimized out>)
    at /home/mirko/work/code/gecko/uriloader/base/nsURILoader.cpp:754
#2  0x00007c3817ff9de6 in nsDocShell::OpenInitializedChannel (this=this@entry=0x7c3807424400, aChannel=0x7c3807495280, aURILoader=0x7c380aeaf580, aOpenFlags=<optimized out>)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:10596
#3  0x00007c3817ff43e8 in nsDocShell::DoURILoad (this=this@entry=0x7c3807424400, aLoadState=aLoadState@entry=0x7c38074b60c0, aCacheKey=..., aRequest=0x7fff4a69dc60)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:10457
#4  0x00007c3817f94f72 in nsDocShell::InternalLoad (this=this@entry=0x7c3807424400, aLoadState=aLoadState@entry=0x7c38074b60c0, aCacheKey=...) at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:9499
#5  0x00007c3818003b7b in nsDocShell::OnLinkClickSync (this=0x7c3807424400, aContent=0x7c3809a16030, aLoadState=0x7c38074b60c0, aNoOpenerImplied=<optimized out>, aTriggeringPrincipal=<optimized out>)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:13029
#6  0x00007c3815a6a687 in mozilla::dom::HTMLFormElement::SubmitSubmission (this=this@entry=0x7c3809a16030, aFormSubmission=<optimized out>) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:884
#7  0x00007c3815a68b14 in mozilla::dom::HTMLFormElement::DoSubmit (this=0x7c3809a16030, aEvent=aEvent@entry=0x0) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:742
#8  0x00007c3815a687e0 in mozilla::dom::HTMLFormElement::Submit (this=0x10, aRv=...) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:333
#9  0x00007c38151bf8dd in mozilla::dom::HTMLFormElement_Binding::submit (cx=0x7c380c136200, obj=..., void_self=0x7c3809a16030, args=...) at ./HTMLFormElementBinding.cpp:1002
#10 0x00007c3815260578 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> (cx=cx@entry=0x7c380c136200,

for https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/test/test_bug351633-1.html#33.

Tom, could you assist with finding the right place where the spec parts mentioned in comment 2 are implemented?

Flags: needinfo?(evilpies)

Btw., "Thunk" from nsJSThunk (contained in nsJSProtocolHandler) is defined at https://en.wikipedia.org/wiki/Thunk.

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #6)

https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/nsJSProtocolHandler.cpp#140 could be the right place.

Yes, I think that is the correct place.

Flags: needinfo?(evilpies)

It's an ancient term likely unknown to many developers.

Spidermonkey currently doesn't use MOZ_CAN_RUN_SCRIPT hence not
annotating the called code.

Depends on D221036

onclick="javascript:alert('x')" doesn't execute nsJSThunk::EvaluateScript, see https://jsfiddle.net/e2r8aqhw/.

I wonder if that's intended.

Typing javascript:alert('x'); in the address bar calls nsJSThunk::EvaluateScript though; it blocks execution though.

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #12)

onclick="javascript:alert('x')" doesn't execute nsJSThunk::EvaluateScript, see https://jsfiddle.net/e2r8aqhw/.

I wonder if that's intended.

onclick is not a navigation at all, you are adding an inline event handler for the click event. In this case javascript: is a label and not the protocol of an URL. What you are doing is roughly equivalent to:

onclick = function () { 
  javascript: alert('x');
};
Attachment #9422588 - Attachment description: Bug 1915629: part 1) Link from `nsJSThunk` to wikipedia's definition of "Thunk". r=smaug → WIP: Bug 1915629: part 3) Rename `nsJSThunk` to `JSURLNavigation` and add some documentation to the class
See Also: → 1557114
See Also: → 1632079
Depends on: 1919229
Depends on: 1919248
Depends on: 1921008
Depends on: 1567058
Blocks: 1903717
Depends on: 1933142
Assignee: mbrodesser → nobody
No longer blocks: 1903717
See Also: → 1903717
Assignee: nobody → fwang
Status: NEW → ASSIGNED
Depends on: 1957022
Attachment #9422589 - Attachment is obsolete: true

Comment on attachment 9424354 [details]
Bug 1915629: part 0) Document some side effects of nsIContentSecurityPolicy::getAllowsInline. r=tschuster

Revision D221929 was moved to bug 957022. Setting attachment 9424354 [details] to obsolete.

Attachment #9424354 - Attachment is obsolete: true

Comment on attachment 9424366 [details]
Bug 1915629: part 1) Document <nsJSProtocolHandler.cpp>'s AllowedByCSP's relation to the spec more clearly. r=tschuster

Revision D221938 was moved to bug 957022. Setting attachment 9424366 [details] to obsolete.

Attachment #9424366 - Attachment is obsolete: true

Comment on attachment 9422588 [details]
WIP: Bug 1915629: part 3) Rename nsJSThunk to JSURLNavigation and add some documentation to the class

Revision D221036 was moved to bug 957022. Setting attachment 9422588 [details] to obsolete.

Attachment #9422588 - Attachment is obsolete: true
Depends on: 1957116

There is only one test trusted-types/trusted-types-navigation.html (with misc subtests). Some tests potentially missing:

  • Stronger check for the clipped sample (currently we just check whether it starts with the sink name).
  • Setting window.location to a "javacript:" and click on area.href containg a "javacript:".
  • Parsing of the rewritten URL fails.
  • Default policy throwing an error.
  • One violation reported per policy with a request-trusted-types-for directive.
  • No URL rewriting if there is no request-trusted-types-for 'script' directive.
Attachment #9476058 - Attachment description: WIP: Bug 1915629 - Implement Trusted Types support for the "pre-navigation check" → WIP: Bug 1915629 - Implement Trusted Types support for the "pre-navigation check". r=smaug
Depends on: 1958311
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: