gecko-dev/dom/ipc/ProcessIsolation.h

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef mozilla_dom_ProcessIsolation_h
#define mozilla_dom_ProcessIsolation_h

#include <stdint.h>

#include "mozilla/Logging.h"
#include "mozilla/dom/RemoteType.h"
#include "mozilla/dom/SessionHistoryEntry.h"
#include "nsString.h"
#include "nsIPrincipal.h"
#include "nsIURI.h"

namespace mozilla::dom {

class CanonicalBrowsingContext;
class WindowGlobalParent;

extern mozilla::LazyLogModule gProcessIsolationLog;

constexpr nsLiteralCString kHighValueCOOPPermission = "highValueCOOP"_ns;
constexpr nsLiteralCString kHighValueHasSavedLoginPermission =
    "highValueHasSavedLogin"_ns;
constexpr nsLiteralCString kHighValueIsLoggedInPermission =
    "highValueIsLoggedIn"_ns;

// NavigationIsolationOptions is passed through the methods to store the state
// of the possible process and/or browsing context change.
struct NavigationIsolationOptions {
  nsCString mRemoteType;
  bool mReplaceBrowsingContext = false;
  uint64_t mSpecificGroupId = 0;
  bool mTryUseBFCache = false;
  RefPtr<SessionHistoryEntry> mActiveSessionHistoryEntry;
};

/**
 * Given a specific channel, determines which process the navigation should
 * complete in, and whether or not to perform a BrowsingContext-replace load
 * or enter the BFCache.
 *
 * This method will always return a `NavigationIsolationOptions` even if the
 * current remote type is compatible. Compatibility with the current process
 * should be checked at the call-site. An error should only be returned in
 * exceptional circumstances, and should lead to the load being cancelled.
 *
 * This method is only intended for use with document navigations.
 */
Result<NavigationIsolationOptions, nsresult> IsolationOptionsForNavigation(
    CanonicalBrowsingContext* aTopBC, WindowGlobalParent* aParentWindow,
    nsIURI* aChannelCreationURI, nsIChannel* aChannel,
    const nsACString& aCurrentRemoteType, bool aHasCOOPMismatch,
    bool aForNewTab, uint32_t aLoadStateLoadType,
    const Maybe<uint64_t>& aChannelId,
    const Maybe<nsCString>& aRemoteTypeOverride);

/**
 * Adds a `highValue` permission to the permissions database, and make loads of
 * that origin isolated.
 *
 * The 'aPermissionType' parameter indicates why the site is treated as a high
 * value site. The possible values are:
 *
 * kHighValueCOOPPermission
 *     Called when a document request responds with a
 * `Cross-Origin-Opener-Policy` header.
 *
 * kHighValueHasSavedLoginPermission
 *     Called for sites that have an associated login saved in the password
 * manager.
 *
 * kHighValueIsLoggedInPermission
 *     Called when we detect a form with a password is submitted.
 */
void AddHighValuePermission(nsIPrincipal* aResultPrincipal,
                            const nsACString& aPermissionType);

void AddHighValuePermission(const nsACString& aOrigin,
                            const nsACString& aPermissionType);

/**
 * Returns true when fission is enabled and the
 * `fission.webContentIsolationStrategy` pref is set to `IsolateHighValue`.
 */
bool IsIsolateHighValueSiteEnabled();

}  // namespace mozilla::dom

#endif
Bug 1650089 - Part 3: Rework DocumentChannel-triggered process switches to support null principals, r=annyG,kmag This is a large refactoring of the DocumentChannel process switch codepath, with the end goal of being better able to support future process switch requirements such as dynamic isolation on android, as well as the immediate requirement of null principal handling. The major changes include: 1. The logic is in C++ and has less failure cases, meaning it should be harder for us to error out unexpectedly and not process switch. 2. Process selection decisions are more explicit, and tend to rely less on state such as the current remoteType when possible. This makes reasoning about where a specific load will complete easier. 3. Additional checks are made after a "WebContent" behavior is selected to ensure that if an existing document in the same BCG is found, the load will finish in the required content process. This should make dynamic checks such as Android's logged-in site isolation easier to implement. 4. ProcessIsolation logging is split out from DocumentChannel so that it's easier to log just the information related to process selection when debugging. 5. Null result principal precursors are considered when performing process selection. Other uses of E10SUtils for process selection have not yet been migrated to the new design as they have slightly different requirements. This will be done in follow-up bugs. Differential Revision: https://phabricator.services.mozilla.com/D120673 2021-08-10 14:31:17 +00:00			`/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */`
			`/* vim: set ts=8 sts=2 et sw=2 tw=80: */`
			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this file,`
			`* You can obtain one at http://mozilla.org/MPL/2.0/. */`

			`#ifndef mozilla_dom_ProcessIsolation_h`
			`#define mozilla_dom_ProcessIsolation_h`

			`#include <stdint.h>`

			`#include "mozilla/Logging.h"`
			`#include "mozilla/dom/RemoteType.h"`
			`#include "mozilla/dom/SessionHistoryEntry.h"`
			`#include "nsString.h"`
Bug 1729640 - P4. Setting high-value permission for sites that are considered is logged in. r=farre,sfoster,tgiles Sites that match the following heuristic are considered high-value: 1. Sites that have a password stored in the password manager 2. Sites that we detect that users submit a form with a password This patch adds LoginDetectionService to detect login attempts. When LoginDetectionService finds a site that matches any of the above heuristics, it adds the corresponding high-value permission to the permission manager. Differential Revision: https://phabricator.services.mozilla.com/D127105 2021-11-05 17:11:32 +00:00			`#include "nsIPrincipal.h"`
			`#include "nsIURI.h"`
Bug 1650089 - Part 3: Rework DocumentChannel-triggered process switches to support null principals, r=annyG,kmag This is a large refactoring of the DocumentChannel process switch codepath, with the end goal of being better able to support future process switch requirements such as dynamic isolation on android, as well as the immediate requirement of null principal handling. The major changes include: 1. The logic is in C++ and has less failure cases, meaning it should be harder for us to error out unexpectedly and not process switch. 2. Process selection decisions are more explicit, and tend to rely less on state such as the current remoteType when possible. This makes reasoning about where a specific load will complete easier. 3. Additional checks are made after a "WebContent" behavior is selected to ensure that if an existing document in the same BCG is found, the load will finish in the required content process. This should make dynamic checks such as Android's logged-in site isolation easier to implement. 4. ProcessIsolation logging is split out from DocumentChannel so that it's easier to log just the information related to process selection when debugging. 5. Null result principal precursors are considered when performing process selection. Other uses of E10SUtils for process selection have not yet been migrated to the new design as they have slightly different requirements. This will be done in follow-up bugs. Differential Revision: https://phabricator.services.mozilla.com/D120673 2021-08-10 14:31:17 +00:00
			`namespace mozilla::dom {`

			`class CanonicalBrowsingContext;`
			`class WindowGlobalParent;`

			`extern mozilla::LazyLogModule gProcessIsolationLog;`

Bug 1723797 - Add a separate pref to control process isolation strategy when fission.autostart is enabled, r=farre,johannh,necko-reviewers,dragana This new pref will be used on android to enable high-value-only process isolation. An initial version of high-value-only process isolation is also implemented in this bug, using the permission manager to track whether a site is high-value due to having served a `Cross-Origin-Opener-Policy` header. Future high-value permissions due to things like logging into a site and OAuth flows can be tracked in the same way, by adding the permission to the permissions database. In the future, it might be valuable to provide UI for visualizing what sites are considered high-value at any point in time, but this works fine for now. Differential Revision: https://phabricator.services.mozilla.com/D123127 2021-09-08 17:45:31 +00:00			`constexpr nsLiteralCString kHighValueCOOPPermission = "highValueCOOP"_ns;`
Bug 1729640 - P1. Extend AddHighValuePermission to support 'highValueHasSavedLogin' and 'highValueIsLoggedIn' permission. r=necko-reviewers,farre,kershaw This patch: 1. adds two 'highValueHasSavedLogin' and 'highValueIsLoggedIn' permission 2. moves 'AddHighValuePermission' from HttpBaseChannel to ProcessIsolation to support more high-value permission type. Differential Revision: https://phabricator.services.mozilla.com/D127101 2021-11-05 17:11:31 +00:00			`constexpr nsLiteralCString kHighValueHasSavedLoginPermission =`
			`"highValueHasSavedLogin"_ns;`
			`constexpr nsLiteralCString kHighValueIsLoggedInPermission =`
			`"highValueIsLoggedIn"_ns;`
Bug 1723797 - Add a separate pref to control process isolation strategy when fission.autostart is enabled, r=farre,johannh,necko-reviewers,dragana This new pref will be used on android to enable high-value-only process isolation. An initial version of high-value-only process isolation is also implemented in this bug, using the permission manager to track whether a site is high-value due to having served a `Cross-Origin-Opener-Policy` header. Future high-value permissions due to things like logging into a site and OAuth flows can be tracked in the same way, by adding the permission to the permissions database. In the future, it might be valuable to provide UI for visualizing what sites are considered high-value at any point in time, but this works fine for now. Differential Revision: https://phabricator.services.mozilla.com/D123127 2021-09-08 17:45:31 +00:00
Bug 1650089 - Part 3: Rework DocumentChannel-triggered process switches to support null principals, r=annyG,kmag This is a large refactoring of the DocumentChannel process switch codepath, with the end goal of being better able to support future process switch requirements such as dynamic isolation on android, as well as the immediate requirement of null principal handling. The major changes include: 1. The logic is in C++ and has less failure cases, meaning it should be harder for us to error out unexpectedly and not process switch. 2. Process selection decisions are more explicit, and tend to rely less on state such as the current remoteType when possible. This makes reasoning about where a specific load will complete easier. 3. Additional checks are made after a "WebContent" behavior is selected to ensure that if an existing document in the same BCG is found, the load will finish in the required content process. This should make dynamic checks such as Android's logged-in site isolation easier to implement. 4. ProcessIsolation logging is split out from DocumentChannel so that it's easier to log just the information related to process selection when debugging. 5. Null result principal precursors are considered when performing process selection. Other uses of E10SUtils for process selection have not yet been migrated to the new design as they have slightly different requirements. This will be done in follow-up bugs. Differential Revision: https://phabricator.services.mozilla.com/D120673 2021-08-10 14:31:17 +00:00			`// NavigationIsolationOptions is passed through the methods to store the state`
			`// of the possible process and/or browsing context change.`
			`struct NavigationIsolationOptions {`
			`nsCString mRemoteType;`
			`bool mReplaceBrowsingContext = false;`
			`uint64_t mSpecificGroupId = 0;`
			`bool mTryUseBFCache = false;`
			`RefPtr<SessionHistoryEntry> mActiveSessionHistoryEntry;`
			`};`

			`/**`
			`* Given a specific channel, determines which process the navigation should`
			`* complete in, and whether or not to perform a BrowsingContext-replace load`
			`* or enter the BFCache.`
			`*`
			* This method will always return a `NavigationIsolationOptions` even if the
			`* current remote type is compatible. Compatibility with the current process`
			`* should be checked at the call-site. An error should only be returned in`
			`* exceptional circumstances, and should lead to the load being cancelled.`
			`*`
			`* This method is only intended for use with document navigations.`
			`*/`
			`Result<NavigationIsolationOptions, nsresult> IsolationOptionsForNavigation(`
			`CanonicalBrowsingContext* aTopBC, WindowGlobalParent* aParentWindow,`
			`nsIURI* aChannelCreationURI, nsIChannel* aChannel,`
			`const nsACString& aCurrentRemoteType, bool aHasCOOPMismatch,`
Bug 1756980 - Part 1: Redirect internally-handled attachment loads into new tabs, r=Gijs,smaug,necko-reviewers,dragana This patch changes how we handle document loads which are being handled internally but have Content-Disposition: attachment specified at the DocumentLoadListener layer. This was done as process switching is currently the only place during a load where we can change the target BrowsingContext which the load will complete in. The only situation where we should currently continue to deliver a successful request to the default content-viewer despite Content-Disposition: attachment being specified is when we choose to handle a downloaded PDF internally, so this shouldn't impact other cases. The change is handled by forcing a process switch under the hood, and opening a new browser window asynchronously to handle the process switch, similar to how object and embed load upgrades are handled. This is done using nsIBrowserDOMWindow to attempt to respect the user's window opening preferences. A small change to browser.js was also made to try to encourage the new tab to be opened next to the previous tab, as well as to avoid starting unnecessary new processes when creating the new browser window. Differential Revision: https://phabricator.services.mozilla.com/D143675 2022-04-27 15:22:00 +00:00			`bool aForNewTab, uint32_t aLoadStateLoadType,`
			`const Maybe<uint64_t>& aChannelId,`
Bug 1650089 - Part 3: Rework DocumentChannel-triggered process switches to support null principals, r=annyG,kmag This is a large refactoring of the DocumentChannel process switch codepath, with the end goal of being better able to support future process switch requirements such as dynamic isolation on android, as well as the immediate requirement of null principal handling. The major changes include: 1. The logic is in C++ and has less failure cases, meaning it should be harder for us to error out unexpectedly and not process switch. 2. Process selection decisions are more explicit, and tend to rely less on state such as the current remoteType when possible. This makes reasoning about where a specific load will complete easier. 3. Additional checks are made after a "WebContent" behavior is selected to ensure that if an existing document in the same BCG is found, the load will finish in the required content process. This should make dynamic checks such as Android's logged-in site isolation easier to implement. 4. ProcessIsolation logging is split out from DocumentChannel so that it's easier to log just the information related to process selection when debugging. 5. Null result principal precursors are considered when performing process selection. Other uses of E10SUtils for process selection have not yet been migrated to the new design as they have slightly different requirements. This will be done in follow-up bugs. Differential Revision: https://phabricator.services.mozilla.com/D120673 2021-08-10 14:31:17 +00:00			`const Maybe<nsCString>& aRemoteTypeOverride);`

Bug 1729640 - P1. Extend AddHighValuePermission to support 'highValueHasSavedLogin' and 'highValueIsLoggedIn' permission. r=necko-reviewers,farre,kershaw This patch: 1. adds two 'highValueHasSavedLogin' and 'highValueIsLoggedIn' permission 2. moves 'AddHighValuePermission' from HttpBaseChannel to ProcessIsolation to support more high-value permission type. Differential Revision: https://phabricator.services.mozilla.com/D127101 2021-11-05 17:11:31 +00:00			`/**`
			* Adds a `highValue` permission to the permissions database, and make loads of
			`* that origin isolated.`
			`*`
			`* The 'aPermissionType' parameter indicates why the site is treated as a high`
			`* value site. The possible values are:`
			`*`
			`* kHighValueCOOPPermission`
			`* Called when a document request responds with a`
			* `Cross-Origin-Opener-Policy` header.
			`*`
			`* kHighValueHasSavedLoginPermission`
			`* Called for sites that have an associated login saved in the password`
			`* manager.`
			`*`
			`* kHighValueIsLoggedInPermission`
			`* Called when we detect a form with a password is submitted.`
			`*/`
			`void AddHighValuePermission(nsIPrincipal* aResultPrincipal,`
			`const nsACString& aPermissionType);`

Bug 1729640 - P4. Setting high-value permission for sites that are considered is logged in. r=farre,sfoster,tgiles Sites that match the following heuristic are considered high-value: 1. Sites that have a password stored in the password manager 2. Sites that we detect that users submit a form with a password This patch adds LoginDetectionService to detect login attempts. When LoginDetectionService finds a site that matches any of the above heuristics, it adds the corresponding high-value permission to the permission manager. Differential Revision: https://phabricator.services.mozilla.com/D127105 2021-11-05 17:11:32 +00:00			`void AddHighValuePermission(const nsACString& aOrigin,`
			`const nsACString& aPermissionType);`

			`/**`
			`* Returns true when fission is enabled and the`
			* `fission.webContentIsolationStrategy` pref is set to `IsolateHighValue`.
			`*/`
			`bool IsIsolateHighValueSiteEnabled();`

Bug 1650089 - Part 3: Rework DocumentChannel-triggered process switches to support null principals, r=annyG,kmag This is a large refactoring of the DocumentChannel process switch codepath, with the end goal of being better able to support future process switch requirements such as dynamic isolation on android, as well as the immediate requirement of null principal handling. The major changes include: 1. The logic is in C++ and has less failure cases, meaning it should be harder for us to error out unexpectedly and not process switch. 2. Process selection decisions are more explicit, and tend to rely less on state such as the current remoteType when possible. This makes reasoning about where a specific load will complete easier. 3. Additional checks are made after a "WebContent" behavior is selected to ensure that if an existing document in the same BCG is found, the load will finish in the required content process. This should make dynamic checks such as Android's logged-in site isolation easier to implement. 4. ProcessIsolation logging is split out from DocumentChannel so that it's easier to log just the information related to process selection when debugging. 5. Null result principal precursors are considered when performing process selection. Other uses of E10SUtils for process selection have not yet been migrated to the new design as they have slightly different requirements. This will be done in follow-up bugs. Differential Revision: https://phabricator.services.mozilla.com/D120673 2021-08-10 14:31:17 +00:00			`} // namespace mozilla::dom`

			`#endif`