From ac19ae1ce7935ef7bd1e8fa78df352ec1d69c6a9 Mon Sep 17 00:00:00 2001 From: Benjamin Smedberg Date: Tue, 7 Mar 2017 09:34:03 -0500 Subject: [PATCH] Bug 1335475 - Deny plugins from non-HTTP/HTTPS origins. r=bytesized,qdot MozReview-Commit-ID: 3kPeycfMWVw --HG-- extra : rebase_source : 06b53b8f39ea229431b982796d13438a54168c5d --- dom/base/nsDocument.cpp | 26 ++++++-- dom/plugins/test/mochitest/browser.ini | 1 + .../test/mochitest/browser_bug1335475.js | 64 +++++++++++++++++++ dom/plugins/test/mochitest/plugin_test.html | 5 ++ modules/libpref/init/all.js | 1 + 5 files changed, 91 insertions(+), 6 deletions(-) create mode 100644 dom/plugins/test/mochitest/browser_bug1335475.js diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp index 569bca27d97f..1eb6f78a09b8 100644 --- a/dom/base/nsDocument.cpp +++ b/dom/base/nsDocument.cpp @@ -13079,12 +13079,6 @@ nsDocument::PrincipalFlashClassification(bool aIsTopLevel) { nsresult rv; - // If flash blocking is disabled, it is equivalent to all sites being - // whitelisted. - if (!Preferences::GetBool("plugins.flashBlock.enabled")) { - return FlashClassification::Allowed; - } - nsCOMPtr principal = GetPrincipal(); if (principal->GetIsNullPrincipal()) { return FlashClassification::Denied; 
@@ -13096,6 +13090,26 @@ nsDocument::PrincipalFlashClassification(bool aIsTopLevel) return FlashClassification::Denied; } + if (Preferences::GetBool("plugins.http_https_only", true)) { + // Only allow plugins for documents from an HTTP/HTTPS origin. This should + // allow dependent data: URIs to load plugins, but not: + // * chrome documents + // * "bare" data: loads + // * FTP/gopher/file + nsAutoCString scheme; + rv = classificationURI->GetScheme(scheme); + if (NS_WARN_IF(NS_FAILED(rv)) || + !(scheme.EqualsLiteral("http") || scheme.EqualsLiteral("https"))) { + return FlashClassification::Denied; + } + } + + // If flash blocking is disabled, it is equivalent to all sites being + // whitelisted. + if (!Preferences::GetBool("plugins.flashBlock.enabled")) { + return FlashClassification::Allowed; + } + nsAutoCString allowTables, allowExceptionsTables, denyTables, denyExceptionsTables, subDocDenyTables, subDocDenyExceptionsTables, diff --git a/dom/plugins/test/mochitest/browser.ini b/dom/plugins/test/mochitest/browser.ini index a28a22f1082a..ddcdde8e3f7b 100644 --- a/dom/plugins/test/mochitest/browser.ini +++ b/dom/plugins/test/mochitest/browser.ini @@ -13,3 +13,4 @@ skip-if = (!e10s || os != "win") skip-if = (!e10s || os != "win") [browser_pluginscroll.js] skip-if = (true || !e10s || os != "win") # Bug 1213631 +[browser_bug1335475.js] diff --git a/dom/plugins/test/mochitest/browser_bug1335475.js b/dom/plugins/test/mochitest/browser_bug1335475.js new file mode 100644 index 000000000000..ebe625bbd2a3 --- /dev/null +++ b/dom/plugins/test/mochitest/browser_bug1335475.js 
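Review bot: Turning `plugins.http_https_only` off does not bring back the pre-patch behaviour, and nothing in the new comments says so. The `plugins.flashBlock.enabled` early return now sits below the scheme check. Going by the first hunk, which removes it from the top of the function, it also sits below the null-principal denial and the `Denied` return visible at the top of this hunk (its condition is outside the hunk), so those documents are refused even with both prefs at their permissive values. That is the stricter outcome, but it should be recorded where the block was moved, e.g. `// Null-principal documents are denied above regardless of this pref or plugins.http_https_only.` The function starts before and continues past this hunk.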
@@ -0,0 +1,64 @@ +var rootDir = getRootDirectory(gTestPath); +const gTestRoot = rootDir.replace("chrome://mochitests/content/", "http://127.0.0.1:8888/"); + +add_task(function*() { + is(navigator.plugins.length, 0, + "plugins should not be available to chrome-privilege pages"); + ok(!("application/x-test" in navigator.mimeTypes), + "plugins should not be available to chrome-privilege pages"); + + yield BrowserTestUtils.withNewTab({ gBrowser, url: "about:blank" }, function*(browser) { + // about:blank triggered from a toplevel load should not inherit permissions + yield ContentTask.spawn(browser, null, function*() { + is(content.window.navigator.plugins.length, 0, + "plugins should not be available to null-principal about:blank"); + ok(!("application/x-test" in content.window.navigator.mimeTypes), + "plugins should not be available to null-principal about:blank"); + }); + + let promise = BrowserTestUtils.browserLoaded(browser); + browser.loadURI(gTestRoot + "plugin_test.html"); + yield promise; + + yield ContentTask.spawn(browser, null, function*() { + ok(content.window.navigator.plugins.length > 0, + "plugins should be available to HTTP-loaded pages"); + ok("application/x-test" in content.window.navigator.mimeTypes, + "plugins should be available to HTTP-loaded pages"); + + let subwindow = content.document.getElementById("subf").contentWindow; + + ok("application/x-test" in subwindow.navigator.mimeTypes, + "plugins should be available to an about:blank subframe loaded from a site"); + }); + + // navigate from the HTTP page to an about:blank page which ought to + // inherit permissions + promise = BrowserTestUtils.browserLoaded(browser); + yield ContentTask.spawn(browser, null, function*() { + content.document.getElementById("aboutlink").click(); + }); + yield promise; + + yield ContentTask.spawn(browser, null, function*() { + is(content.window.location.href, "about:blank", "sanity-check about:blank load"); + ok("application/x-test" in 
content.window.navigator.mimeTypes, + "plugins should be available when a site triggers an about:blank load"); + }); + + // navigate to the file: URI, which shouldn't allow plugins. This might + // be wrapped in jar:, but that shouldn't matter for this test + promise = BrowserTestUtils.browserLoaded(browser); + let converteduri = Cc["@mozilla.org/chrome/chrome-registry;1"].getService(Ci.nsIChromeRegistry).convertChromeURL(Services.io.newURI(rootDir + "plugin_test.html")); + browser.loadURI(converteduri.spec); + yield promise; + + yield ContentTask.spawn(browser, null, function*() { + ok(!("application/x-test" in content.window.navigator.mimeTypes), + "plugins should not be available to file: URI content"); + }); + }); + + // As much as it would be nice, this doesn't actually check ftp:// because + // we don't have a synthetic server. +}); diff --git a/dom/plugins/test/mochitest/plugin_test.html b/dom/plugins/test/mochitest/plugin_test.html index c7eb376cd040..88b70e8ee62c 100644 --- a/dom/plugins/test/mochitest/plugin_test.html +++ b/dom/plugins/test/mochitest/plugin_test.html @@ -7,5 +7,10 @@
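Review bot: The data: cases that the nsDocument.cpp comment singles out (dependent data: URIs allowed, "bare" data: loads denied) are not exercised anywhere in this test, and no step runs with `plugins.http_https_only` flipped to false. Those are the paths where a regression in principal inheritance would silently widen or narrow plugin access. The final file: step also asserts only that the MIME type is absent, so it would still pass if the converted URL resolved to something unexpected. A sanity check like the one the about:blank step uses would pin it down, e.g. `ok(/^(file|jar):/.test(content.window.location.href), "sanity-check file:/jar: load");`.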
+ + + +Navigate to about:blank + diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 1349ad541012..bafdbeb8f0d7 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5239,6 +5239,7 @@ pref("urlclassifier.flashExceptTable", "testexcept-flash-simple"); pref("urlclassifier.flashSubDocTable", "test-flashsubdoc-simple"); pref("urlclassifier.flashSubDocExceptTable", "testexcept-flashsubdoc-simple"); +pref("plugins.http_https_only", true); pref("plugins.flashBlock.enabled", false); // Allow users to ignore Safe Browsing warnings.
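Review bot: The new `plugins.http_https_only` pref lands without a comment, between the urlclassifier flash table prefs and `plugins.flashBlock.enabled`. Someone auditing all.js therefore cannot tell that setting it to false removes the scheme restriction for file:, ftp: and other non-HTTP(S) documents. A line above it such as `// Only allow plugins in documents loaded from an http: or https: origin (bug 1335475).` would record that. The default here matches the fallback passed to `Preferences::GetBool` in the nsDocument.cpp hunk.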