tor-browser

PermissionDelegateHandler.h (7796B)

---

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
* Permission delegate handler provides a policy of how top-level can
* delegate permission to embedded iframes.
*
* This class includes a mechanism to delegate permission using feature
* policy. Feature policy will assure that only cross-origin iframes which
* have been explicitly granted access will have the opportunity to request
* permission.
*
* For example if an iframe has not been granted access to geolocation by
* Feature Policy, geolocation request from the iframe will be automatically
* denied. if the top-level origin already has access to geolocation and the
* iframe has been granted access to geolocation by Feature Policy, the iframe
* will also have access to geolocation. If the top-level frame did not have
* access to geolocation, and the iframe has been granted access to geolocation
* by Feature Policy, a request from the cross-origin iframe would trigger a
* prompt using of the top-level origin.
*/

#ifndef mozilla_PermissionDelegateHandler_h
#define mozilla_PermissionDelegateHandler_h

#include "mozilla/Array.h"
#include "nsCycleCollectionParticipant.h"
#include "nsISupports.h"
#include "nsIPermissionDelegateHandler.h"
#include "nsIPermissionManager.h"
#include "nsCOMPtr.h"

class nsIPrincipal;
class nsIContentPermissionRequest;

namespace mozilla {
namespace dom {
class Document;
class WindowContext;
}  // namespace dom

class PermissionDelegateHandler final : public nsIPermissionDelegateHandler {
public:
 NS_DECL_CYCLE_COLLECTING_ISUPPORTS_FINAL
 NS_DECL_CYCLE_COLLECTION_CLASS(PermissionDelegateHandler)

 NS_DECL_NSIPERMISSIONDELEGATEHANDLER

 explicit PermissionDelegateHandler() = default;
 explicit PermissionDelegateHandler(mozilla::dom::Document* aDocument);

 static constexpr size_t DELEGATED_PERMISSION_COUNT = 15;

 typedef struct DelegatedPermissionList {
   Array<uint32_t, DELEGATED_PERMISSION_COUNT> mPermissions;

   bool operator==(const DelegatedPermissionList& aOther) const {
     return mPermissions == aOther.mPermissions;
   }
 } DelegatedPermissionList;

 bool Initialize();

 /*
  * Indicates if we has the right to make permission request with aType
  */
 bool HasPermissionDelegated(const nsACString& aType) const;

 /*
  * Get permission state, which applied permission delegate policy.
  *
  * @param aType the permission type to get
  * @param aPermission out argument which will be a permission type that we
  *                    will return from this function.
  * @param aExactHostMatch whether to look for the exact host name or also for
  *                        subdomains that can have the same permission.
  */
 nsresult GetPermission(const nsACString& aType, uint32_t* aPermission,
                        bool aExactHostMatch);

 /*
  * Get permission state for permission api, which applied
  * permission delegate policy.
  *
  * @param aType the permission type to get
  * @param aExactHostMatch whether to look for the exact host name or also for
  *                        subdomains that can have the same permission.
  * @param aPermission out argument which will be a permission type that we
  *                    will return from this function.
  */
 nsresult GetPermissionForPermissionsAPI(const nsACString& aType,
                                         uint32_t* aPermission);

 enum PermissionDelegatePolicy {
   /* Always delegate permission from top level to iframe and the iframe
    * should use top level origin to get/set permission.*/
   eDelegateUseTopOrigin,

   /* Permission is delegated using Feature Policy. Permission is denied by
    * default in cross origin iframe and the iframe only could get/set
    * permission if there's allow attribute set in iframe. e.g allow =
    * "geolocation" */
   eDelegateUseFeaturePolicy,

   /* Persistent denied permissions in cross origin iframe */
   ePersistDeniedCrossOrigin,

   /* This is the old behavior of cross origin iframe permission. The
    * permission delegation should not have an effect on iframe. The cross
    * origin iframe get/set permissions by its origin */
   eDelegateUseIframeOrigin,
 };

 /*
  * Indicates matching between Feature Policy and Permissions name defined in
  * Permissions Manager, not DOM Permissions API. Permissions API exposed in
  * DOM only supports "geo" at the moment but Permissions Manager also supports
  * "camera", "microphone".
  */
 typedef struct {
   const char* mPermissionName;
   const char16_t* mFeatureName;
   PermissionDelegatePolicy mPolicy;
 } PermissionDelegateInfo;

 /**
  * The loader maintains a weak reference to the document with
  * which it is initialized. This call forces the reference to
  * be dropped.
  */
 void DropDocumentReference() { mDocument = nullptr; }

 /*
  * Helper function to return the delegate info value for aPermissionName.
  * @param aPermissionName the permission name to get
  */
 static const PermissionDelegateInfo* GetPermissionDelegateInfo(
     const nsAString& aPermissionName);

 /*
  * Helper function to return the delegate principal. This will return nullptr,
  * or request's principal or top level principal based on the delegate policy
  * will be applied for a given type.
  * We use this function when prompting, no need to perform permission check
  * (deny/allow).
  *
  * @param aType the permission type to get
  * @param aRequest  The request which the principal is get from.
  * @param aResult out argument which will be a principal that we
  *                will return from this function.
  */
 static nsresult GetDelegatePrincipal(const nsACString& aType,
                                      nsIContentPermissionRequest* aRequest,
                                      nsIPrincipal** aResult);

 /**
  * Populate all delegated permissions to the WindowContext of the associated
  * document. We only populate the permissions for the top-level content.
  */
 void PopulateAllDelegatedPermissions();

 /**
  * Update the given delegated permission to the WindowContext. We only
  * update it for the top-level content.
  */
 void UpdateDelegatedPermission(const nsACString& aType);

private:
 ~PermissionDelegateHandler() = default;

 /*
  * Check whether the permission is blocked by FeaturePolicy directive.
  * Default allowlist for a featureName of permission used in permissions
  * delegate should be set to eSelf, to ensure that permission is denied by
  * default and only have the opportunity to request permission with allow
  * attribute.
  */
 bool HasFeaturePolicyAllowed(const PermissionDelegateInfo* info) const;

 /**
  * A helper function to test the permission and set the result to the given
  * list. It will return true if the permission is changed, otherwise false.
  */
 bool UpdateDelegatePermissionInternal(
     PermissionDelegateHandler::DelegatedPermissionList& aList,
     const nsACString& aType, size_t aIdx,
     nsresult (NS_STDCALL nsIPermissionManager::*aTestFunc)(nsIPrincipal*,
                                                            const nsACString&,
                                                            uint32_t*));

 // A weak pointer to our document. Nulled out by DropDocumentReference.
 mozilla::dom::Document* mDocument;

 nsCOMPtr<nsIPrincipal> mPrincipal;
 RefPtr<nsIPermissionManager> mPermissionManager;
};

}  // namespace mozilla

#endif  // mozilla_PermissionDelegateHandler_h