Bug 647010 - Limit when HTTP authentication dialog is shown. Block cross-origin http auth prompts with pref. r=mayhemer, r=tanvi

dom/media/webaudio/test/test_mediaElementAudioSourceNodeCrossOrigin.html

@@ -11,6 +11,9 @@
 <script class="testbody" type="text/javascript">
 SimpleTest.waitForExplicitFinish();
 
+// Turn off the authentication dialog blocking for this test.
+SpecialPowers.setIntPref("network.auth.allow-subresource-auth", 2)
+
 var tests = [
   // Not the same origin no CORS asked for, should have silence
   { url: "http://example.org:80/tests/dom/media/webaudio/test/small-shot.ogg",

modules/libpref/init/all.js

@@ -1682,6 +1682,14 @@ pref("network.automatic-ntlm-auth.allow-proxies", true);
 pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
 pref("network.automatic-ntlm-auth.trusted-uris", "");
 
+// Sub-resources HTTP-authentication:
+//   0 - don't allow sub-resources to open HTTP authentication credentials
+//       dialogs
+//   1 - allow sub-resources to open HTTP authentication credentials dialogs,
+//       but don't allow it for cross-origin sub-resources
+//   2 - allow the cross-origin authentication as well.
+pref("network.auth.allow-subresource-auth", 1);
+
 pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
 
 pref("network.proxy.type",                  5);

netwerk/protocol/http/nsHttpChannelAuthProvider.cpp

@@ -7,6 +7,7 @@
 // HttpLog.h should generally be included first
 #include "HttpLog.h"
 
+#include "mozilla/Preferences.h"
 #include "nsHttpChannelAuthProvider.h"
 #include "nsNetUtil.h"
 #include "nsHttpHandler.h"
@@ -22,10 +23,15 @@
 #include "netCore.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
+#include "nsContentUtils.h"
 
 namespace mozilla {
 namespace net {
 
+#define SUBRESOURCE_AUTH_DIALOG_DISALLOW_ALL 0
+#define SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN 1
+#define SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL 2
+
 static void
 GetAppIdAndBrowserStatus(nsIChannel* aChan, uint32_t* aAppId, bool* aInBrowserElem)
 {
@@ -60,6 +66,18 @@ nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
     MOZ_ASSERT(!mAuthChannel, "Disconnect wasn't called");
 }
 
+uint32_t nsHttpChannelAuthProvider::sAuthAllowPref =
+    SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN;
+
+void
+nsHttpChannelAuthProvider::InitializePrefs()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  mozilla::Preferences::AddUintVarCache(&sAuthAllowPref,
+                                        "network.auth.allow-subresource-auth",
+                                        SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN);
+}
+
 NS_IMETHODIMP
 nsHttpChannelAuthProvider::Init(nsIHttpAuthenticableChannel *channel)
 {
@@ -736,6 +754,14 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
             else if (authFlags & nsIHttpAuthenticator::IDENTITY_ENCRYPTED)
                 level = nsIAuthPrompt2::LEVEL_PW_ENCRYPTED;
 
+            // Depending on the pref setting, the authentication dialog may be
+            // blocked for all sub-resources, blocked for cross-origin
+            // sub-resources, or always allowed for sub-resources.
+            // For more details look at the bug 647010.
+            if (BlockPrompt()) {
+              return NS_ERROR_ABORT;
+            }
+
             // at this point we are forced to interact with the user to get
             // their username and password for this domain.
             rv = PromptForIdentity(level, proxyAuth, realm.get(),
@@ -779,6 +805,53 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
     return rv;
 }
 
+bool
+nsHttpChannelAuthProvider::BlockPrompt()
+{
+    nsCOMPtr<nsIChannel> chan = do_QueryInterface(mAuthChannel);
+    nsCOMPtr<nsILoadInfo> loadInfo;
+    chan->GetLoadInfo(getter_AddRefs(loadInfo));
+    if (!loadInfo) {
+        return false;
+    }
+
+    // Allow if it is the top-level document or xhr.
+    if ((loadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) ||
+        (loadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_XMLHTTPREQUEST)) {
+        return false;
+    }
+
+    switch (sAuthAllowPref) {
+    case SUBRESOURCE_AUTH_DIALOG_DISALLOW_ALL:
+        // Do not open the http-authentication credentials dialog for
+        // the sub-resources.
+        return true;
+        break;
+    case SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN:
+        // Do not open the http-authentication credentials dialog for
+        // the sub-resources only if they are not cross-origin.
+        {
+            nsCOMPtr<nsIPrincipal> loadingPrincipal =
+                loadInfo->LoadingPrincipal();
+            if (!loadingPrincipal) {
+                return false;
+            }
+
+            if (NS_FAILED(loadingPrincipal->CheckMayLoad(mURI, false, false))) {
+                return true;
+            }
+        }
+        break;
+    case SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL:
+        // Allow the http-authentication dialog.
+        return false;
+    default:
+        // This is an invalid value.
+        MOZ_ASSERT(false, "A non valid value!");
+    }
+    return false;
+}
+
 inline void
 GetAuthType(const char *challenge, nsCString &authType)
 {

netwerk/protocol/http/nsHttpChannelAuthProvider.h

@@ -33,7 +33,7 @@ public:
     NS_DECL_NSIAUTHPROMPTCALLBACK
 
     nsHttpChannelAuthProvider();
-
+    static void InitializePrefs();
 private:
     virtual ~nsHttpChannelAuthProvider();
 
@@ -111,6 +111,12 @@ private:
      */
     nsresult ProcessSTSHeader();
 
+    // Depending on the pref setting, the authentication dialog may be blocked
+    // for all sub-resources, blocked for cross-origin sub-resources, or
+    // always allowed for sub-resources.
+    // For more details look at the bug 647010.
+    bool BlockPrompt();
+
 private:
     nsIHttpAuthenticableChannel      *mAuthChannel;  // weak ref
 
@@ -149,6 +155,11 @@ private:
     uint32_t                          mSuppressDefensiveAuth    : 1;
 
     nsRefPtr<nsHttpHandler>           mHttpHandler;  // keep gHttpHandler alive
+
+    // A variable holding the preference settings to whether to open HTTP
+    // authentication credentials dialogs for sub-resources and cross-origin
+    // sub-resources.
+    static uint32_t                   sAuthAllowPref;
 };
 
 }} // namespace mozilla::net

netwerk/protocol/http/nsHttpHandler.cpp

@@ -48,6 +48,7 @@
 #include "nsIMemoryReporter.h"
 #include "nsIParentalControlsService.h"
 #include "nsINetworkLinkService.h"
+#include "nsHttpChannelAuthProvider.h"
 
 #include "mozilla/net/NeckoChild.h"
 #include "mozilla/ipc/URIUtils.h"
@@ -286,6 +287,8 @@ nsHttpHandler::Init()
         PrefsChanged(prefBranch, nullptr);
     }
 
+    nsHttpChannelAuthProvider::InitializePrefs();
+
     mMisc.AssignLiteral("rv:" MOZILLA_UAVERSION);
 
     mCompatFirefox.AssignLiteral("Firefox/" MOZILLA_UAVERSION);

netwerk/test/unit/test_auth_dialog_permission.js

@@ -0,0 +1,256 @@
+// This file tests authentication prompt depending on pref
+// network.auth.allow-subresource-auth:
+//   0 - don't allow sub-resources to open HTTP authentication credentials
+//       dialogs
+//   1 - allow sub-resources to open HTTP authentication credentials dialogs,
+//       but don't allow it for cross-origin sub-resources
+//   2 - allow the cross-origin authentication as well.
+
+Cu.import("resource://testing-common/httpd.js");
+
+var prefs = Cc["@mozilla.org/preferences-service;1"].
+              getService(Ci.nsIPrefBranch);
+
+function authHandler(metadata, response) {
+  // btoa("guest:guest"), but that function is not available here
+  var expectedHeader = "Basic Z3Vlc3Q6Z3Vlc3Q=";
+
+  var body;
+  if (metadata.hasHeader("Authorization") &&
+      metadata.getHeader("Authorization") == expectedHeader) {
+
+    response.setStatusLine(metadata.httpVersion, 200, "OK, authorized");
+    response.setHeader("WWW-Authenticate", 'Basic realm="secret"', false);
+
+    body = "success";
+  } else {
+    // didn't know guest:guest, failure
+    response.setStatusLine(metadata.httpVersion, 401, "Unauthorized");
+    response.setHeader("WWW-Authenticate", 'Basic realm="secret"', false);
+
+    body = "failed";
+  }
+
+  response.bodyOutputStream.write(body, body.length);
+}
+
+var httpserv = new HttpServer();
+httpserv.registerPathHandler("/auth", authHandler);
+httpserv.start(-1);
+
+XPCOMUtils.defineLazyGetter(this, "URL", function() {
+  return "http://localhost:" + httpserv.identity.primaryPort;
+});
+
+XPCOMUtils.defineLazyGetter(this, "PORT", function() {
+  return httpserv.identity.primaryPort;
+});
+
+function AuthPrompt(promptExpected) {
+  this.promptExpected = promptExpected;
+}
+
+AuthPrompt.prototype = {
+  user: "guest",
+  pass: "guest",
+
+  QueryInterface: function authprompt_qi(iid) {
+    if (iid.equals(Components.interfaces.nsISupports) ||
+        iid.equals(Components.interfaces.nsIAuthPrompt))
+      return this;
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },
+
+  prompt: function(title, text, realm, save, defaultText, result) {
+    do_throw("unexpected prompt call");
+  },
+
+  promptUsernameAndPassword: function(title, text, realm, savePW, user, pw) {
+    do_check_true(this.promptExpected,
+                  "Not expected the authentication prompt.");
+
+    user.value = this.user;
+    pw.value = this.pass;
+    return true;
+  },
+
+  promptPassword: function(title, text, realm, save, pwd) {
+    do_throw("unexpected promptPassword call");
+  }
+
+};
+
+function Requestor(promptExpected) {
+  this.promptExpected = promptExpected;
+}
+
+Requestor.prototype = {
+  QueryInterface: function(iid) {
+    if (iid.equals(Components.interfaces.nsISupports) ||
+        iid.equals(Components.interfaces.nsIInterfaceRequestor))
+      return this;
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },
+
+  getInterface: function(iid) {
+    if (iid.equals(Components.interfaces.nsIAuthPrompt)) {
+      this.prompter = new AuthPrompt(this.promptExpected);
+      return this.prompter;
+    }
+
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },
+
+  prompter: null
+};
+
+function make_uri(url) {
+  var ios = Cc["@mozilla.org/network/io-service;1"].
+              getService(Ci.nsIIOService);
+  return ios.newURI(url, null, null);
+}
+
+function makeChan(loadingUrl, url, contentPolicy) {
+  var loadingUri = make_uri(loadingUrl);
+  var principal = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                    .getService(Ci.nsIScriptSecurityManager)
+                    .getNoAppCodebasePrincipal(loadingUri);
+
+  var ios = Components.classes["@mozilla.org/network/io-service;1"]
+                      .getService(Components.interfaces.nsIIOService);
+  var chan = ios.newChannel2(url,
+                             null,
+                             null,
+                             null,
+                             principal,
+                             null,
+                             Ci.nsILoadInfo.SEC_NORMAL,
+                             contentPolicy)
+                .QueryInterface(Components.interfaces.nsIHttpChannel);
+
+  return chan;
+}
+
+function Test(allow_subresource_auth_pref, loadingUri, uri, contentPolicy,
+              expectedCode) {
+  this._allow_subresource_auth_pref = allow_subresource_auth_pref;
+  this._loadingUri = loadingUri;
+  this._uri = uri;
+  this._contentPolicy = contentPolicy;
+  this._expectedCode = expectedCode;
+}
+
+Test.prototype = {
+  _allow_subresource_auth_pref: 1,
+  _loadingUri: null,
+  _uri: null,
+  _contentPolicy: Ci.nsIContentPolicy.TYPE_OTHER,
+  _expectedCode: 200,
+
+  onStartRequest: function(request, ctx) {
+    try {
+      if (!Components.isSuccessCode(request.status)) {
+        do_throw("Channel should have a success code!");
+      }
+
+      if (!(request instanceof Components.interfaces.nsIHttpChannel)) {
+        do_throw("Expecting an HTTP channel");
+      }
+
+      do_check_eq(request.responseStatus, this._expectedCode);
+      // The request should be succeeded iff we expect 200
+      do_check_eq(request.requestSucceeded, this._expectedCode == 200);
+
+    } catch (e) {
+      do_throw("Unexpected exception: " + e);
+    }
+
+    throw Components.results.NS_ERROR_ABORT;
+  },
+
+  onDataAvailable: function(request, context, stream, offset, count) {
+    do_throw("Should not get any data!");
+  },
+
+  onStopRequest: function(request, ctx, status) {
+    do_check_eq(status, Components.results.NS_ERROR_ABORT);
+
+    // Clear the auth cache.
+    Components.classes["@mozilla.org/network/http-auth-manager;1"]
+              .getService(Components.interfaces.nsIHttpAuthManager)
+              .clearAll();
+
+    do_timeout(0, run_next_test);
+  },
+
+  run: function() {
+    dump("Run test: " + this._allow_subresource_auth_pref
+                      + this._loadingUri
+                      + this._uri
+                      + this._contentPolicy
+                      + this._expectedCode + " \n");
+
+    prefs.setIntPref("network.auth.allow-subresource-auth",
+                     this._allow_subresource_auth_pref);
+    let chan = makeChan(this._loadingUri, this._uri, this._contentPolicy);
+    chan.notificationCallbacks = new Requestor(this._expectedCode == 200);
+    chan.asyncOpen(this, null);
+  }
+};
+
+var tests = [
+  // For the next 3 tests the preference is set to 2 - allow the cross-origin
+  // authentication as well.
+
+  // A cross-origin request.
+  new Test(2, "https://example.com", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 200),
+  // A non cross-origin sub-resource request.
+  new Test(2, URL + "/", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 200),
+  // A top level document.
+  new Test(2, URL + "/auth", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_DOCUMENT, 200),
+
+  // For the next 3 tests the preference is set to 1 - allow sub-resources to
+  // open HTTP authentication credentials dialogs, but don't allow it for
+  // cross-origin sub-resources
+
+  // A cross-origin request.
+  new Test(1, "https://example.com", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 401),
+  // A non cross-origin sub-resource request.
+  new Test(1, URL + "/", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 200),
+  // A top level document.
+  new Test(1, URL + "/auth", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_DOCUMENT, 200),
+
+  // For the next 3 tests the preference is set to 0 - don't allow sub-resources
+  // to open HTTP authentication credentials dialogs.
+
+  // A cross-origin request.
+  new Test(0, "https://example.com", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 401),
+  // A sub-resource request.
+  new Test(0, URL + "/", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_OTHER, 401),
+  // A top level request.
+  new Test(0, URL + "/auth", URL + "/auth",
+           Ci.nsIContentPolicy.TYPE_DOCUMENT, 200),
+];
+
+function run_next_test() {
+  var nextTest = tests.shift();
+  if (!nextTest) {
+    httpserv.stop(do_test_finished);
+    return;
+  }
+
+  nextTest.run();
+}
+
+function run_test() {
+  do_test_pending();
+  run_next_test();
+}

netwerk/test/unit/test_auth_proxy.js

@@ -244,6 +244,9 @@ function run_test() {
   prefs.setCharPref("network.proxy.no_proxies_on", "");
   prefs.setIntPref("network.proxy.type", 1);
 
+  // Turn off the authentication dialog blocking for this test.
+  prefs.setIntPref("network.auth.allow-subresource-auth", 2);
+
   tests[current_test]();
 }
 

netwerk/test/unit/test_authentication.js

@@ -4,6 +4,11 @@
 Cu.import("resource://testing-common/httpd.js");
 Cu.import("resource://gre/modules/Services.jsm");
 
+// Turn off the authentication dialog blocking for this test.
+var prefs = Cc["@mozilla.org/preferences-service;1"].
+              getService(Ci.nsIPrefBranch);
+prefs.setIntPref("network.auth.allow-subresource-auth", 2);
+
 XPCOMUtils.defineLazyGetter(this, "URL", function() {
   return "http://localhost:" + httpserv.identity.primaryPort;
 });

netwerk/test/unit/xpcshell.ini

@@ -80,6 +80,7 @@ skip-if = true
 [test_auth_proxy.js]
 [test_authentication.js]
 [test_authpromptwrapper.js]
+[test_auth_dialog_permission.js]
 [test_backgroundfilesaver.js]
 [test_bug203271.js]
 [test_bug248970_cache.js]

toolkit/components/passwordmgr/test/test_prompt_async.html

@@ -11,6 +11,9 @@
         SimpleTest.waitForExplicitFinish();
         SimpleTest.requestFlakyTimeout("untriaged");
 
+        var prefs = Cc["@mozilla.org/preferences-service;1"].
+                        getService(Ci.nsIPrefBranch);
+        prefs.setIntPref("network.auth.allow-subresource-auth", 2);
         // Class monitoring number of open dialog windows
         // It checks there is always open just a single dialog per application
         function dialogMonitor() {

toolkit/mozapps/extensions/test/xpinstall/browser_auth.js

@@ -8,6 +8,10 @@ function test() {
   Harness.installsCompletedCallback = finish_test;
   Harness.setup();
 
+  var prefs = Cc["@mozilla.org/preferences-service;1"].
+                        getService(Ci.nsIPrefBranch);
+  prefs.setIntPref("network.auth.allow-subresource-auth", 2);
+
   var pm = Services.perms;
   pm.add(makeURI("http://example.com/"), "install", pm.ALLOW_ACTION);