Open Bug 1915629 Opened 1 month ago Updated 3 days ago

Implement Trusted Types support for the "pre-navigation check"

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: mbrodesser-Igalia, Assigned: mbrodesser-Igalia)

References

(Depends on 3 open bugs, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(4 files)

WIP: Bug 1915629: part 3) Rename `nsJSThunk` to `JSURLNavigation` and add some documentation to the class
48 bytes, text/x-phabricator-request
Details | Review
Bug 1915629: part 2) Annotate `JSExecutionContext::ExecScript` with `MOZ_CAN_RUN_SCRIPT_BOUNDARY`. r=smaug
48 bytes, text/x-phabricator-request
Details | Review
Bug 1915629: part 0) Document some side effects of `nsIContentSecurityPolicy::getAllowsInline`. r=tschuster
48 bytes, text/x-phabricator-request
Details | Review
Bug 1915629: part 1) Document <nsJSProtocolHandler.cpp>'s `AllowedByCSP`'s relation to the spec more clearly. r=tschuster
48 bytes, text/x-phabricator-request
Details | Review
Assignee: nobody → mbrodesser
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog]

https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-javascript:-url-special-case, step 5.

https://searchfox.org/mozilla-central/search?path=&q=AllowedByCSP is triggered via
nsJSChannel::AsyncOpen (https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/nsJSProtocolHandler.cpp#679), from the following call stack:

#0  nsJSChannel::AsyncOpen (this=0x7c3807495280, aListener=<optimized out>) at /home/mirko/work/code/gecko/dom/jsurl/nsJSProtocolHandler.cpp:687
#1  0x00007c3812df5e31 in nsURILoader::OpenURI (this=0x7c380aeaf580, channel=0x7c3807495280, aFlags=<optimized out>, aWindowContext=<optimized out>)
    at /home/mirko/work/code/gecko/uriloader/base/nsURILoader.cpp:754
#2  0x00007c3817ff9de6 in nsDocShell::OpenInitializedChannel (this=this@entry=0x7c3807424400, aChannel=0x7c3807495280, aURILoader=0x7c380aeaf580, aOpenFlags=<optimized out>)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:10596
#3  0x00007c3817ff43e8 in nsDocShell::DoURILoad (this=this@entry=0x7c3807424400, aLoadState=aLoadState@entry=0x7c38074b60c0, aCacheKey=..., aRequest=0x7fff4a69dc60)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:10457
#4  0x00007c3817f94f72 in nsDocShell::InternalLoad (this=this@entry=0x7c3807424400, aLoadState=aLoadState@entry=0x7c38074b60c0, aCacheKey=...) at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:9499
#5  0x00007c3818003b7b in nsDocShell::OnLinkClickSync (this=0x7c3807424400, aContent=0x7c3809a16030, aLoadState=0x7c38074b60c0, aNoOpenerImplied=<optimized out>, aTriggeringPrincipal=<optimized out>)
    at /home/mirko/work/code/gecko/docshell/base/nsDocShell.cpp:13029
#6  0x00007c3815a6a687 in mozilla::dom::HTMLFormElement::SubmitSubmission (this=this@entry=0x7c3809a16030, aFormSubmission=<optimized out>) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:884
#7  0x00007c3815a68b14 in mozilla::dom::HTMLFormElement::DoSubmit (this=0x7c3809a16030, aEvent=aEvent@entry=0x0) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:742
#8  0x00007c3815a687e0 in mozilla::dom::HTMLFormElement::Submit (this=0x10, aRv=...) at /home/mirko/work/code/gecko/dom/html/HTMLFormElement.cpp:333
#9  0x00007c38151bf8dd in mozilla::dom::HTMLFormElement_Binding::submit (cx=0x7c380c136200, obj=..., void_self=0x7c3809a16030, args=...) at ./HTMLFormElementBinding.cpp:1002
#10 0x00007c3815260578 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> (cx=cx@entry=0x7c380c136200,

for https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/test/test_bug351633-1.html#33.

Tom, could you assist with finding the right place where the spec parts mentioned in comment 2 are implemented?

Flags: needinfo?(evilpies)

Btw., "Thunk" from nsJSThunk (contained in nsJSProtocolHandler) is defined at https://en.wikipedia.org/wiki/Thunk.

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #6)

https://searchfox.org/mozilla-central/rev/aee7c3a0dbf33af0c4f6648f391db62b35895e50/dom/jsurl/nsJSProtocolHandler.cpp#140 could be the right place.

Yes, I think that is the correct place.

Flags: needinfo?(evilpies)

Spidermonkey currently doesn't use MOZ_CAN_RUN_SCRIPT hence not
annotating the called code.

Depends on D221036

onclick="javascript:alert('x')" doesn't execute nsJSThunk::EvaluateScript, see https://jsfiddle.net/e2r8aqhw/.

I wonder if that's intended.

Typing javascript:alert('x'); in the address bar calls nsJSThunk::EvaluateScript though; it blocks execution though.

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #12)

onclick="javascript:alert('x')" doesn't execute nsJSThunk::EvaluateScript, see https://jsfiddle.net/e2r8aqhw/.

I wonder if that's intended.

onclick is not a navigation at all, you are adding an inline event handler for the click event. In this case javascript: is a label and not the protocol of an URL. What you are doing is roughly equivalent to:

onclick = function () { 
  javascript: alert('x');
};
Attachment #9422588 - Attachment description: Bug 1915629: part 1) Link from `nsJSThunk` to wikipedia's definition of "Thunk". r=smaug → WIP: Bug 1915629: part 3) Rename `nsJSThunk` to `JSURLNavigation` and add some documentation to the class
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: