      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
      5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #ifndef mozilla_dom_ProcessIsolation_h
      8 #define mozilla_dom_ProcessIsolation_h
      9 
     10 #include <stdint.h>
     11 
     12 #include "mozilla/Logging.h"
     13 #include "mozilla/dom/RemoteType.h"
     14 #include "mozilla/dom/SessionHistoryEntry.h"
     15 #include "mozilla/dom/WorkerPrivate.h"
     16 #include "nsIPrincipal.h"
     17 #include "nsIURI.h"
     18 #include "nsString.h"
     19 
     20 namespace mozilla::dom {
     21 
     22 class CanonicalBrowsingContext;
     23 class WindowGlobalParent;
     24 
// Log module for process-isolation decisions. Only declared here; the
// definition lives outside this header.
extern mozilla::LazyLogModule gProcessIsolationLog;

// Permission type strings accepted as `aPermissionType` by
// AddHighValuePermission() below. Each names the reason a site is treated as
// high-value (see that function's documentation for when each is used).
constexpr nsLiteralCString kHighValueCOOPPermission = "highValueCOOP"_ns;
constexpr nsLiteralCString kHighValueHasSavedLoginPermission =
    "highValueHasSavedLogin"_ns;
constexpr nsLiteralCString kHighValueIsLoggedInPermission =
    "highValueIsLoggedIn"_ns;
     32 
// NavigationIsolationOptions is passed through the methods to store the state
// of the possible process and/or browsing context change. It is the success
// value returned by IsolationOptionsForNavigation() below.
struct NavigationIsolationOptions {
  // Remote type of the process the navigation should complete in.
  nsCString mRemoteType;
  // Whether to perform a BrowsingContext-replace load instead of navigating
  // the existing BrowsingContext.
  bool mReplaceBrowsingContext = false;
  // Presumably the id of a specific BrowsingContextGroup to load into, with 0
  // meaning no specific group was requested — confirm against the .cpp.
  uint64_t mSpecificGroupId = 0;
  // Whether the destination document should be cross-origin isolated; how
  // this is derived is decided in the .cpp.
  bool mShouldCrossOriginIsolate = false;
  // Whether the caller should try to enter/restore from the BFCache rather
  // than performing a fresh load.
  bool mTryUseBFCache = false;
  // Session history entry that becomes active for this navigation; may be
  // null when the load has none — verify at the caller.
  RefPtr<SessionHistoryEntry> mActiveSessionHistoryEntry;
};
     43 
/**
 * Given a specific channel, determines which process the navigation should
 * complete in, and whether or not to perform a BrowsingContext-replace load
 * or enter the BFCache.
 *
 * This method will always return a `NavigationIsolationOptions` even if the
 * current remote type is compatible. Compatibility with the current process
 * should be checked at the call-site. An error should only be returned in
 * exceptional circumstances, and should lead to the load being cancelled.
 *
 * This method is only intended for use with document navigations.
 *
 * @param aTopBC              Top-level CanonicalBrowsingContext of the load.
 * @param aParentWindow       WindowGlobalParent of the parent window; presumably
 *                            null for top-level loads — confirm at callers.
 * @param aChannelCreationURI URI the channel was created for.
 * @param aChannel            Channel performing the navigation.
 * @param aCurrentRemoteType  Remote type of the process currently hosting the
 *                            BrowsingContext.
 * @param aHasCOOPMismatch    True when the caller determined a
 *                            Cross-Origin-Opener-Policy mismatch.
 * @param aForNewTab          True when the load targets a new tab.
 * @param aLoadStateLoadType  Load type taken from the load state.
 * @param aChannelId          Channel id, if one is available.
 * @param aRemoteTypeOverride When set, presumably takes precedence over the
 *                            computed remote type — verify in the .cpp; if so,
 *                            only trusted callers should supply it, since it
 *                            would decide the isolation boundary directly.
 * @return The options to apply, or an nsresult error that should cancel the
 *         load.
 */
Result<NavigationIsolationOptions, nsresult> IsolationOptionsForNavigation(
    CanonicalBrowsingContext* aTopBC, WindowGlobalParent* aParentWindow,
    nsIURI* aChannelCreationURI, nsIChannel* aChannel,
    const nsACString& aCurrentRemoteType, bool aHasCOOPMismatch,
    bool aForNewTab, uint32_t aLoadStateLoadType,
    const Maybe<uint64_t>& aChannelId,
    const Maybe<nsCString>& aRemoteTypeOverride);
     63 
// WorkerIsolationOptions is passed back to the RemoteWorkerManager to store the
// destination process information for remote worker loads. It is the success
// value returned by IsolationOptionsForWorker() below.
struct WorkerIsolationOptions {
  // Remote type of the process the remote worker should be launched in.
  nsCString mRemoteType;
};
     69 
/**
 * Given a specific worker principal and kind, determines which process the
 * remote worker load should complete in.
 *
 * This method is only intended for use with remote workers.
 *
 * @param aPrincipal          Principal of the worker.
 * @param aWorkerKind         Kind of worker being launched (WorkerKind is
 *                            presumably provided by WorkerPrivate.h above).
 * @param aCurrentRemoteType  Remote type of the process the request came from.
 * @param aUseRemoteSubframes Whether remote subframes are in use for this load.
 * @return The destination process information, or an nsresult error.
 */
Result<WorkerIsolationOptions, nsresult> IsolationOptionsForWorker(
    nsIPrincipal* aPrincipal, WorkerKind aWorkerKind,
    const nsACString& aCurrentRemoteType, bool aUseRemoteSubframes);
     79 
/**
 * Adds a `highValue` permission to the permissions database, and makes loads
 * of that origin isolated.
 *
 * The 'aPermissionType' parameter indicates why the site is treated as a high
 * value site. It should be one of the kHighValue*Permission constants declared
 * above:
 *
 * kHighValueCOOPPermission
 *     Called when a document request responds with a
 *     `Cross-Origin-Opener-Policy` header.
 *
 * kHighValueHasSavedLoginPermission
 *     Called for sites that have an associated login saved in the password
 *     manager.
 *
 * kHighValueIsLoggedInPermission
 *     Called when we detect a form with a password is submitted.
 *
 * Two overloads are provided: one keyed by the result principal of the load,
 * and one keyed directly by an origin string.
 *
 * @param aResultPrincipal Principal whose origin receives the permission.
 * @param aOrigin          Origin string that receives the permission.
 * @param aPermissionType  One of the kHighValue*Permission constants above.
 */
void AddHighValuePermission(nsIPrincipal* aResultPrincipal,
                            const nsACString& aPermissionType);

void AddHighValuePermission(const nsACString& aOrigin,
                            const nsACString& aPermissionType);
    103 
/**
 * Returns true when fission is enabled and the
 * `fission.webContentIsolationStrategy` pref is set to `IsolateHighValue`.
 *
 * @return Whether the high-value-site isolation strategy is active.
 */
bool IsIsolateHighValueSiteEnabled();
    109 
/**
 * Options relaxing ValidatePrincipalCouldPotentiallyBeLoadedBy(); combined in
 * an EnumSet.
 */
enum class ValidatePrincipalOptions {
  AllowNullPtr,   // Not a NullPrincipal but a nullptr as Principal.
  AllowSystem,    // Presumably accept the system principal — confirm in .cpp.
  AllowExpanded,  // Presumably accept an expanded principal — confirm in .cpp.
};

/**
 * Perform a lax check that a process with the given RemoteType could
 * potentially load a Document or run script with the given principal.
 *
 * WARNING: This is intentionally a lax check, to avoid false positives in
 * assertions, and should NOT be used for process isolation decisions.
 *
 * @param aPrincipal  Principal to check; presumably may be nullptr only when
 *                    ValidatePrincipalOptions::AllowNullPtr is set.
 * @param aRemoteType Remote type of the process under consideration.
 * @param aOptions    Set of ValidatePrincipalOptions relaxing the check.
 * @return True if the process could potentially host the principal.
 */
bool ValidatePrincipalCouldPotentiallyBeLoadedBy(
    nsIPrincipal* aPrincipal, const nsACString& aRemoteType,
    const EnumSet<ValidatePrincipalOptions>& aOptions);
    125 
    126 }  // namespace mozilla::dom
    127 
    128 #endif