CSPEvalChecker.cpp

Enable keyboard shortcuts

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */

/* vim: set ts=8 sts=2 et sw=2 tw=80: */

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "mozilla/dom/CSPEvalChecker.h"

#include "mozilla/dom/Document.h"

#include "mozilla/dom/WorkerPrivate.h"

#include "mozilla/dom/WorkerRunnable.h"

#include "mozilla/ErrorResult.h"

#include "nsGlobalWindowInner.h"

#include "nsContentSecurityUtils.h"

#include "nsContentUtils.h"

#include "nsCOMPtr.h"

using namespace mozilla;

using namespace mozilla::dom;

namespace {

// We use the subjectPrincipal to assert that eval() is never

// executed in system privileged context.

nsresult CheckInternal(nsIContentSecurityPolicy* aCSP,

                       nsICSPEventListener* aCSPEventListener,

                       nsIPrincipal* aSubjectPrincipal,

                       const nsAString& aExpression,

                       const JSCallingLocation& aCaller, bool* aAllowed) {

  MOZ_ASSERT(NS_IsMainThread());

  MOZ_ASSERT(aAllowed);

  // The value is set at any "return", but better to have a default value here.

  *aAllowed = false;

  // This is the non-CSP check for gating eval() use in the SystemPrincipal

#if !defined(ANDROID)

  JSContext* cx = nsContentUtils::GetCurrentJSContext();

  if (!nsContentSecurityUtils::IsEvalAllowed(

          cx, aSubjectPrincipal->IsSystemPrincipal(), aExpression)) {

    *aAllowed = false;

    return NS_OK;

#endif

  if (!aCSP) {

    *aAllowed = true;

    return NS_OK;

  bool reportViolation = false;

  nsresult rv = aCSP->GetAllowsEval(&reportViolation, aAllowed);

  if (NS_WARN_IF(NS_FAILED(rv))) {

    *aAllowed = false;

    return rv;

  if (reportViolation) {

    aCSP->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,

                              nullptr,  // triggering element

                              aCSPEventListener, aCaller.FileName(),

                              aExpression, aCaller.mLine, aCaller.mColumn,

                              u""_ns, u""_ns);

  return NS_OK;

class WorkerCSPCheckRunnable final : public WorkerMainThreadRunnable {

 public:

  WorkerCSPCheckRunnable(WorkerPrivate* aWorkerPrivate,

                         const nsAString& aExpression,

                         JSCallingLocation&& aCaller)

      : WorkerMainThreadRunnable(aWorkerPrivate, "CSP Eval Check"_ns),

        mExpression(aExpression),

        mCaller(std::move(aCaller)),

        mEvalAllowed(false) {}

  bool MainThreadRun() override {

    MOZ_ASSERT(mWorkerRef);

    WorkerPrivate* workerPrivate = mWorkerRef->Private();

    mResult = CheckInternal(workerPrivate->GetCsp(),

                            workerPrivate->CSPEventListener(),

                            workerPrivate->GetLoadingPrincipal(), mExpression,

                            mCaller, &mEvalAllowed);

    return true;

  nsresult GetResult(bool* aAllowed) {

    MOZ_ASSERT(aAllowed);

    *aAllowed = mEvalAllowed;

    return mResult;

 private:

  const nsString mExpression;

  const JSCallingLocation mCaller;

  bool mEvalAllowed;

  nsresult mResult;

};

}  // namespace

/* static */

nsresult CSPEvalChecker::CheckForWindow(JSContext* aCx,

                                        nsGlobalWindowInner* aWindow,

                                        const nsAString& aExpression,

                                        bool* aAllowEval) {

  MOZ_ASSERT(NS_IsMainThread());

  MOZ_ASSERT(aWindow);

  MOZ_ASSERT(aAllowEval);

  // The value is set at any "return", but better to have a default value here.

  *aAllowEval = false;

  // if CSP is enabled, and setTimeout/setInterval was called with a string,

  // disable the registration and log an error

  nsCOMPtr<Document> doc = aWindow->GetExtantDoc();

  if (!doc) {

    // if there's no document, we don't have to do anything.

    *aAllowEval = true;

    return NS_OK;

  nsresult rv = NS_OK;

  auto location = JSCallingLocation::Get(aCx);

  nsCOMPtr<nsIContentSecurityPolicy> csp = doc->GetCsp();

  rv = CheckInternal(csp, nullptr /* no CSPEventListener for window */,

                     doc->NodePrincipal(), aExpression, location, aAllowEval);

  if (NS_WARN_IF(NS_FAILED(rv))) {

    *aAllowEval = false;

    return rv;

  return NS_OK;

/* static */

nsresult CSPEvalChecker::CheckForWorker(JSContext* aCx,

                                        WorkerPrivate* aWorkerPrivate,

                                        const nsAString& aExpression,

                                        bool* aAllowEval) {

  MOZ_ASSERT(aWorkerPrivate);

  aWorkerPrivate->AssertIsOnWorkerThread();

  MOZ_ASSERT(aAllowEval);

  // The value is set at any "return", but better to have a default value here.

  *aAllowEval = false;

  RefPtr<WorkerCSPCheckRunnable> r = new WorkerCSPCheckRunnable(

      aWorkerPrivate, aExpression, JSCallingLocation::Get(aCx));

  ErrorResult error;

  r->Dispatch(aWorkerPrivate, Canceling, error);

  if (NS_WARN_IF(error.Failed())) {

    *aAllowEval = false;

    return error.StealNSResult();

  nsresult rv = r->GetResult(aAllowEval);

  if (NS_WARN_IF(NS_FAILED(rv))) {

    *aAllowEval = false;

    return rv;

  return NS_OK;