Strona główna Odkrywaj Pomoc
Zaloguj się
khronosschoty
/
palemoon-dev
Obserwuj 2
Polub 1
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: ac60e7ecec
Gałęzie Tagi
palemoon-dev
/
platform
/
devtools
/
shared
/
gcli
/
commands
/
security.js

security.js 11 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329 
  1. /* This Source Code Form is subject to the terms of the Mozilla Public
    2. 

  2.  * License, v. 2.0. If a copy of the MPL was not distributed with this
    3. 

  3.  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
    4. 

  4. 

  5. /**
    6. 

  6.  * The Security devtool supports the following arguments:
    7. 

  7.  * * Security CSP
    8. 

  8.  *   Provides feedback about the current CSP
    9. 

  9.  *
    10. 

  10.  *  * Security referrer
    11. 

  11.  *    Provides information about the current referrer policy
    12. 

  12.  */
    13. 

  13. 

  14. "use strict";
    15. 

  15. 

  16. const { Cc, Ci, Cu, CC } = require("chrome");
    17. 

  17. const l10n = require("gcli/l10n");
    18. 

  18. const CSP = Cc["@mozilla.org/cspcontext;1"].getService(Ci.nsIContentSecurityPolicy);
    19. 

  19. 

  20. const GOOD_IMG_SRC = "chrome://browser/content/gcli_sec_good.svg";
    21. 

  21. const MOD_IMG_SRC = "chrome://browser/content/gcli_sec_moderate.svg";
    22. 

  22. const BAD_IMG_SRC = "chrome://browser/content/gcli_sec_bad.svg";
    23. 

  23. 

  24. 

  25. // special handling within policy
    26. 

  26. const POLICY_REPORT_ONLY = "report-only"
    27. 

  27. 

  28. // special handling of directives
    29. 

  29. const DIR_UPGRADE_INSECURE = "upgrade-insecure-requests";
    30. 

  30. const DIR_BLOCK_ALL_MIXED_CONTENT = "block-all-mixed-content";
    31. 

  31. 

  32. // special handling of sources
    33. 

  33. const SRC_UNSAFE_INLINE = "'unsafe-inline'";
    34. 

  34. const SRC_UNSAFE_EVAL = "'unsafe-eval'";
    35. 

  35. 

  36. const WILDCARD_MSG = l10n.lookup("securityCSPRemWildCard");
    37. 

  37. const XSS_WARNING_MSG = l10n.lookup("securityCSPPotentialXSS");
    38. 

  38. const NO_CSP_ON_PAGE_MSG = l10n.lookup("securityCSPNoCSPOnPage");
    39. 

  39. const CONTENT_SECURITY_POLICY_MSG = l10n.lookup("securityCSPHeaderOnPage");
    40. 

  40. const CONTENT_SECURITY_POLICY_REPORT_ONLY_MSG = l10n.lookup("securityCSPROHeaderOnPage");
    41. 

  41. 

  42. const NEXT_URI_HEADER = l10n.lookup("securityReferrerNextURI");
    43. 

  43. const CALCULATED_REFERRER_HEADER = l10n.lookup("securityReferrerCalculatedReferrer");
    44. 

  44. /* The official names from the W3C Referrer Policy Draft http://www.w3.org/TR/referrer-policy/ */
    45. 

  45. const REFERRER_POLICY_NAMES = [ "None When Downgrade (default)", "None", "Origin Only", "Origin When Cross-Origin", "Unsafe URL" ];
    46. 

  46. 

  47. exports.items = [
    48. 

  48.   {
    49. 

  49.     // --- General Security information
    50. 

  50.     name: "security",
    51. 

  51.     description: l10n.lookup("securityPrivacyDesc"),
    52. 

  52.     manual: l10n.lookup("securityManual")
    53. 

  53.   },
    54. 

  54.   {
    55. 

  55.     // --- CSP specific Security information
    56. 

  56.     item: "command",
    57. 

  57.     runAt: "server",
    58. 

  58.     name: "security csp",
    59. 

  59.     description: l10n.lookup("securityCSPDesc"),
    60. 

  60.     manual: l10n.lookup("securityCSPManual"),
    61. 

  61.     returnType: "securityCSPInfo",
    62. 

  62.     exec: function(args, context) {
    63. 

  63. 

  64.       var cspJSON = context.environment.document.nodePrincipal.cspJSON;
    65. 

  65.       var cspOBJ = JSON.parse(cspJSON);
    66. 

  66. 

  67.       var outPolicies = [];
    68. 

  68. 

  69.       var policies = cspOBJ["csp-policies"];
    70. 

  70. 

  71.       // loop over all the different policies
    72. 

  72.       for (var csp in policies) {
    73. 

  73.         var curPolicy = policies[csp];
    74. 

  74. 

  75.         // loop over all the directive-values within that policy
    76. 

  76.         var outDirectives = [];
    77. 

  77.         var outHeader = CONTENT_SECURITY_POLICY_MSG;
    78. 

  78.         for (var dir in curPolicy) {
    79. 

  79.           var curDir = curPolicy[dir];
    80. 

  80. 

  81.           // when iterating properties within the obj we might also
    82. 

  82.           // encounter the 'report-only' flag, which is not a csp directive.
    83. 

  83.           if (dir === POLICY_REPORT_ONLY) {
    84. 

  84.             outHeader = curPolicy[POLICY_REPORT_ONLY] === true ?
    85. 

  85.                           CONTENT_SECURITY_POLICY_REPORT_ONLY_MSG :
    86. 

  86.                           CONTENT_SECURITY_POLICY_MSG;
    87. 

  87.             continue;
    88. 

  88.           }
    89. 

  89. 

  90.           // loop over all the directive-sources within that directive
    91. 

  91.           var outSrcs = [];
    92. 

  92. 

  93.           // special case handling for the directives
    94. 

  94.           // upgrade-insecure-requests and block-all-mixed-content
    95. 

  95.           // which do not include any srcs
    96. 

  96.           if (dir === DIR_UPGRADE_INSECURE ||
    97. 

  97.               dir === DIR_BLOCK_ALL_MIXED_CONTENT) {
    98. 

  98.             outSrcs.push({
    99. 

  99.               icon: GOOD_IMG_SRC,
    100. 

  100.               src: "", // no src
    101. 

  101.               desc: "" // no description
    102. 

  102.             });
    103. 

  103.           }
    104. 

  104. 

  105.           for (var src in curDir) {
    106. 

  106.             var curSrc = curDir[src];
    107. 

  107. 

  108.             // the default icon and descritpion of the directive-src
    109. 

  109.             var outIcon = GOOD_IMG_SRC;
    110. 

  110.             var outDesc = "";
    111. 

  111. 

  112.             if (curSrc.indexOf("*") > -1) {
    113. 

  113.               outIcon = MOD_IMG_SRC;
    114. 

  114.               outDesc = WILDCARD_MSG;
    115. 

  115.             }
    116. 

  116.             if (curSrc == SRC_UNSAFE_INLINE || curSrc == SRC_UNSAFE_EVAL) {
    117. 

  117.               outIcon = BAD_IMG_SRC;
    118. 

  118.               outDesc = XSS_WARNING_MSG;
    119. 

  119.             }
    120. 

  120.             outSrcs.push({
    121. 

  121.               icon: outIcon,
    122. 

  122.               src: curSrc,
    123. 

  123.               desc: outDesc
    124. 

  124.             });
    125. 

  125.           }
    126. 

  126.           // append info about that directive to the directives array
    127. 

  127.           outDirectives.push({
    128. 

  128.             dirValue: dir,
    129. 

  129.             dirSrc: outSrcs
    130. 

  130.           });
    131. 

  131.         }
    132. 

  132.         // append info about the policy to the policies array
    133. 

  133.         outPolicies.push({
    134. 

  134.           header: outHeader,
    135. 

  135.           directives: outDirectives
    136. 

  136.         });
    137. 

  137.       }
    138. 

  138.       return outPolicies;
    139. 

  139.     }
    140. 

  140.   },
    141. 

  141.   {
    142. 

  142.     item: "converter",
    143. 

  143.     from: "securityCSPInfo",
    144. 

  144.     to: "view",
    145. 

  145.     exec: function(cspInfo, context) {
    146. 

  146.       var url = context.environment.target.url;
    147. 

  147. 

  148.       if (cspInfo.length == 0) {
    149. 

  149.         return context.createView({
    150. 

  150.           html:
    151. 

  151.             "<table class='gcli-csp-detail' cellspacing='10' valign='top'>" +
    152. 

  152.             "  <tr>" +
    153. 

  153.             "    <td> <img src='chrome://browser/content/gcli_sec_bad.svg' width='20px' /> </td> " +
    154. 

  154.             "    <td>" + NO_CSP_ON_PAGE_MSG + " <b>" + url + "</b></td>" +
    155. 

  155.             "  </tr>" +
    156. 

  156.             "</table>"});
    157. 

  157.       }
    158. 

  158. 

  159.       return context.createView({
    160. 

  160.         html:
    161. 

  161.           "<table class='gcli-csp-detail' cellspacing='10' valign='top'>" +
    162. 

  162.           // iterate all policies
    163. 

  163.           "  <tr foreach='csp in ${cspinfo}' >" +
    164. 

  164.           "    <td> ${csp.header} <b>" + url + "</b><br/><br/>" +
    165. 

  165.           "      <table class='gcli-csp-dir-detail' valign='top'>" +
    166. 

  166.           // >> iterate all directives
    167. 

  167.           "        <tr foreach='dir in ${csp.directives}' >" +
    168. 

  168.           "          <td valign='top'> ${dir.dirValue} </td>" +
    169. 

  169.           "          <td valign='top'>" +
    170. 

  170.           "            <table class='gcli-csp-src-detail' valign='top'>" +
    171. 

  171.           // >> >> iterate all srs
    172. 

  172.           "              <tr foreach='src in ${dir.dirSrc}' >" +
    173. 

  173.           "                <td valign='center' width='20px'> <img src= \"${src.icon}\" width='20px' /> </td> " +
    174. 

  174.           "                <td valign='center' width='200px'> ${src.src} </td>" +
    175. 

  175.           "                <td valign='center'> ${src.desc} </td>" +
    176. 

  176.           "              </tr>" +
    177. 

  177.           "            </table>" +
    178. 

  178.           "          </td>" +
    179. 

  179.           "        </tr>" +
    180. 

  180.           "      </table>" +
    181. 

  181.           "    </td>" +
    182. 

  182.           "  </tr>" +
    183. 

  183.           "</table>",
    184. 

  184.           data: {
    185. 

  185.             cspinfo: cspInfo,
    186. 

  186.           }
    187. 

  187.         });
    188. 

  188.     }
    189. 

  189.   },
    190. 

  190.   {
    191. 

  191.     // --- Referrer Policy specific Security information
    192. 

  192.     item: "command",
    193. 

  193.     runAt: "server",
    194. 

  194.     name: "security referrer",
    195. 

  195.     description: l10n.lookup("securityReferrerPolicyDesc"),
    196. 

  196.     manual: l10n.lookup("securityReferrerPolicyManual"),
    197. 

  197.     returnType: "securityReferrerPolicyInfo",
    198. 

  198.     exec: function(args, context) {
    199. 

  199.       var doc = context.environment.document;
    200. 

  200. 

  201.       var referrerPolicy = doc.referrerPolicy;
    202. 

  202. 

  203.       var pageURI = doc.documentURIObject;
    204. 

  204.       var sameDomainReferrer = "";
    205. 

  205.       var otherDomainReferrer = "";
    206. 

  206.       var downgradeReferrer = "";
    207. 

  207.       var otherDowngradeReferrer = "";
    208. 

  208.       var origin = pageURI.prePath;
    209. 

  209. 

  210.       switch (referrerPolicy) {
    211. 

  211.         case Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER:
    212. 

  212.           // sends no referrer
    213. 

  213.           sameDomainReferrer
    214. 

  214.             = otherDomainReferrer
    215. 

  215.             = downgradeReferrer
    216. 

  216.             = otherDowngradeReferrer
    217. 

  217.             = "(no referrer)";
    218. 

  218.           break;
    219. 

  219.         case Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN:
    220. 

  220.           // only sends the origin of the referring URL
    221. 

  221.           sameDomainReferrer
    222. 

  222.             = otherDomainReferrer
    223. 

  223.             = downgradeReferrer
    224. 

  224.             = otherDowngradeReferrer
    225. 

  225.             = origin;
    226. 

  226.           break;
    227. 

  227.         case Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN_WHEN_XORIGIN:
    228. 

  228.           // same as default, but reduced to ORIGIN when cross-origin.
    229. 

  229.           sameDomainReferrer = pageURI.spec;
    230. 

  230.           otherDomainReferrer
    231. 

  231.             = downgradeReferrer
    232. 

  232.             = otherDowngradeReferrer
    233. 

  233.             = origin;
    234. 

  234.           break;
    235. 

  235.         case Ci.nsIHttpChannel.REFERRER_POLICY_UNSAFE_URL:
    236. 

  236.           // always sends the referrer, even on downgrade.
    237. 

  237.           sameDomainReferrer
    238. 

  238.             = otherDomainReferrer
    239. 

  239.             = downgradeReferrer
    240. 

  240.             = otherDowngradeReferrer
    241. 

  241.             = pageURI.spec;
    242. 

  242.           break;
    243. 

  243.         case Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER_WHEN_DOWNGRADE:
    244. 

  244.           // default state, doesn't send referrer from https->http
    245. 

  245.           sameDomainReferrer = otherDomainReferrer = pageURI.spec;
    246. 

  246.           downgradeReferrer = otherDowngradeReferrer = "(no referrer)";
    247. 

  247.           break;
    248. 

  248.         default:
    249. 

  249.           // this is a new referrer policy which we do not know about
    250. 

  250.           sameDomainReferrer
    251. 

  251.             = otherDomainReferrer
    252. 

  252.             = downgradeReferrer
    253. 

  253.             = otherDowngradeReferrer
    254. 

  254.             = "(unknown Referrer Policy)";
    255. 

  255.           break;
    256. 

  256.       }
    257. 

  257. 

  258.       var sameDomainUri = origin + "/*";
    259. 

  259. 

  260.       var referrerUrls = [
    261. 

  261.         // add the referrer uri 'referrer' we would send when visiting 'uri'
    262. 

  262.         {
    263. 

  263.           uri: pageURI.scheme+'://example.com/',
    264. 

  264.           referrer: otherDomainReferrer,
    265. 

  265.           description: l10n.lookup('securityReferrerPolicyOtherDomain')},
    266. 

  266.         {
    267. 

  267.           uri: sameDomainUri,
    268. 

  268.           referrer: sameDomainReferrer,
    269. 

  269.           description: l10n.lookup('securityReferrerPolicySameDomain')}
    270. 

  270.       ];
    271. 

  271. 

  272.       if (pageURI.schemeIs('https')) {
    273. 

  273.         // add the referrer we would send on downgrading http->https
    274. 

  274.         if (sameDomainReferrer != downgradeReferrer) {
    275. 

  275.           referrerUrls.push({
    276. 

  276.             uri: "http://"+pageURI.hostPort+"/*",
    277. 

  277.             referrer: downgradeReferrer,
    278. 

  278.             description:
    279. 

  279.               l10n.lookup('securityReferrerPolicySameDomainDowngrade')
    280. 

  280.           });
    281. 

  281.         }
    282. 

  282.         if (otherDomainReferrer != otherDowngradeReferrer) {
    283. 

  283.           referrerUrls.push({
    284. 

  284.             uri: "http://example.com/",
    285. 

  285.             referrer: otherDowngradeReferrer,
    286. 

  286.             description:
    287. 

  287.               l10n.lookup('securityReferrerPolicyOtherDomainDowngrade')
    288. 

  288.           });
    289. 

  289.         }
    290. 

  290.       }
    291. 

  291. 

  292.       return {
    293. 

  293.         header: l10n.lookupFormat("securityReferrerPolicyReportHeader",
    294. 

  294.                                   [pageURI.spec]),
    295. 

  295.         policyName: REFERRER_POLICY_NAMES[referrerPolicy],
    296. 

  296.         urls: referrerUrls
    297. 

  297.       }
    298. 

  298.     }
    299. 

  299.   },
    300. 

  300.   {
    301. 

  301.     item: "converter",
    302. 

  302.     from: "securityReferrerPolicyInfo",
    303. 

  303.     to: "view",
    304. 

  304.     exec: function(referrerPolicyInfo, context) {
    305. 

  305.       return context.createView({
    306. 

  306.           html:
    307. 

  307.           "<div class='gcli-referrer-policy'>" +
    308. 

  308.           "  <strong> ${rpi.header} </strong> <br />" +
    309. 

  309.           "  ${rpi.policyName} <br />" +
    310. 

  310.           "  <table class='gcli-referrer-policy-detail' cellspacing='10' >" +
    311. 

  311.           "    <tr>" +
    312. 

  312.           "      <th> " + NEXT_URI_HEADER + " </th>" +
    313. 

  313.           "      <th> " + CALCULATED_REFERRER_HEADER + " </th>" +
    314. 

  314.           "    </tr>" +
    315. 

  315.           // iterate all policies
    316. 

  316.           "    <tr foreach='nextURI in ${rpi.urls}' >" +
    317. 

  317.           "      <td> ${nextURI.description} (e.g., ${nextURI.uri}) </td>" +
    318. 

  318.           "      <td> ${nextURI.referrer} </td>" +
    319. 

  319.           "    </tr>" +
    320. 

  320.           "  </table>" +
    321. 

  321.           "</div>",
    322. 

  322.           data: {
    323. 

  323.             rpi: referrerPolicyInfo,
    324. 

  324.           }
    325. 

  325.         });
    326. 

  326.      }
    327. 

  327.   }
    328. 

  328. ];
    329. 

  329.