Bug 1928932 - Part 2 - Implement enforcements for untrusted script elements. r=smaug

Spec: https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts
PR: w3c/trusted-types#579

Differential Revision: https://phabricator.services.mozilla.com/D251855

Author: fred-wang

dom/interfaces/security/nsIContentSecurityPolicy.idl

@@ -160,9 +160,12 @@ interface nsIContentSecurityPolicy : nsISerializable
    * @param aParserCreated If the script element was created by the HTML Parser
    * @param aTriggeringElement The script element of the inline resource to
    *        hash. It can be null.
-   * @param aContentOfPseudoScript The content of the psuedo-script to compare
-   *                               to hash (and compare to the hashes listed in
-   *                               the policy)
+   * @param aSourceText The content of the script or pseudo-script to compare
+   *                    to hash (and compare to the hashes listed in the
+   *                    policy). For trusted inline scripts (i.e. that don't
+   *                    need to go trough the Trusted Types default policy) we
+   *                    retrieve the source text lazily for performance reasons
+   *                    (see bug 1376651) and aSourceText is void.
    * @param aLineNumber The line number of the inline resource
    *        (used for reporting)
    * @param aColumnNumber The column number of the inline resource
@@ -177,7 +180,7 @@ interface nsIContentSecurityPolicy : nsISerializable
                           in boolean aParserCreated,
                           in Element aTriggeringElement,
                           in nsICSPEventListener aCSPEventListener,
-                          in AString aContentOfPseudoScript,
+                          in AString aSourceText,
                           in unsigned long aLineNumber,
                           in unsigned long aColumnNumber);
 

dom/script/ScriptElement.cpp

@@ -14,6 +14,8 @@
 #include "mozilla/dom/Document.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/MutationEventBinding.h"
+#include "mozilla/dom/TrustedTypeUtils.h"
+#include "mozilla/dom/TrustedTypesConstants.h"
 #include "nsContentSink.h"
 #include "nsContentUtils.h"
 #include "nsGkAtoms.h"
@@ -146,18 +148,52 @@ bool ScriptElement::MaybeProcessScript() {
     return false;
   }
 
-  bool hasScriptContent = HasExternalScriptContent() ||
-                          nsContentUtils::HasNonEmptyTextContent(cont);
-  if (!hasScriptContent) {
-    // In the case of an empty, non-external classic script, there is nothing
-    // to process. However, we must perform a microtask checkpoint afterwards,
-    // as per https://html.spec.whatwg.org/#clean-up-after-running-script
-    if (mKind == JS::loader::ScriptKind::eClassic && !mExternal) {
-      nsContentUtils::AddScriptRunner(NS_NewRunnableFunction(
-          "ScriptElement::MaybeProcessScript", []() { nsAutoMicroTask mt; }));
-    }
+  // https://html.spec.whatwg.org/#prepare-the-script-element
+  // The spec says we should calculate "source text" of inline scripts at the
+  // beginning of the "Prepare the script element" algorithm.
+  // - If this is an inline script that is not trusted (i.e. we must execute the
+  // Trusted Type default policy callback to obtain a trusted "source text")
+  // then we must wrap the GetTrustedTypesCompliantInlineScriptText call in a
+  // script runner.
+  // - If it is an inline script that is trusted, we will actually retrieve the
+  // "source text" lazily for performance reasons (see bug 1376651) so we just
+  //  use a void string.
+  // - If it is an external script, we similarly just pass a void string.
+  if (!HasExternalScriptContent() && !mIsTrusted) {
+    // TODO: We should likely block parser if IsClassicNonAsyncDefer() returns
+    // true but this is tricky because the default policy callback can actually
+    // change the script type.
+    nsContentUtils::AddScriptRunner(NS_NewRunnableFunction(
+        "ScriptElement::MaybeProcessScript",
+        [self = RefPtr<nsIScriptElement>(this)]()
+            MOZ_CAN_RUN_SCRIPT_BOUNDARY_LAMBDA {
+              nsString sourceText;
+              self->GetTrustedTypesCompliantInlineScriptText(sourceText);
+              ((ScriptElement*)self.get())->MaybeProcessScript(sourceText);
+            }));
     return false;
   }
+  return MaybeProcessScript(VoidString());
+}
+
+bool ScriptElement::MaybeProcessScript(const nsAString& aSourceText) {
+  nsIContent* cont = GetAsContent();
+  if (!HasExternalScriptContent()) {
+    bool hasInlineScriptContent =
+        mIsTrusted ? nsContentUtils::HasNonEmptyTextContent(cont)
+                   : !aSourceText.IsEmpty();
+    if (!hasInlineScriptContent) {
+      // In the case of an empty, non-external classic script, there is nothing
+      // to process. However, we must perform a microtask checkpoint afterwards,
+      // as per https://html.spec.whatwg.org/#clean-up-after-running-script
+      if (mKind == JS::loader::ScriptKind::eClassic && !mExternal) {
+        nsContentUtils::AddScriptRunner(NS_NewRunnableFunction(
+            "ScriptElement::MaybeProcessScript", []() { nsAutoMicroTask mt; }));
+      }
+      return false;
+    }
+    MOZ_ASSERT(mIsTrusted == aSourceText.IsVoid());
+  }
 
   // Check the type attribute to determine language and version. If type exists,
   // it trumps the deprecated 'language='.
@@ -214,7 +250,7 @@ bool ScriptElement::MaybeProcessScript() {
   }
 
   RefPtr<ScriptLoader> loader = ownerDoc->ScriptLoader();
-  return loader->ProcessScriptElement(this);
+  return loader->ProcessScriptElement(this, aSourceText);
 }
 
 bool ScriptElement::GetScriptType(nsAString& aType) {
@@ -250,3 +286,26 @@ void ScriptElement::UpdateTrustWorthiness(
     mIsTrusted = false;
   }
 }
+
+nsresult ScriptElement::GetTrustedTypesCompliantInlineScriptText(
+    nsString& aSourceText) {
+  MOZ_ASSERT(!mIsTrusted);
+
+  RefPtr<Element> element = GetAsContent()->AsElement();
+  nsAutoString sourceText;
+  GetScriptText(sourceText);
+
+  MOZ_ASSERT(element->IsHTMLElement() || element->IsSVGElement());
+  Maybe<nsAutoString> compliantStringHolder;
+  constexpr nsLiteralString htmlSinkName = u"HTMLScriptElement text"_ns;
+  constexpr nsLiteralString svgSinkName = u"SVGScriptElement text"_ns;
+  ErrorResult error;
+  const nsAString* compliantString =
+      TrustedTypeUtils::GetTrustedTypesCompliantStringForTrustedScript(
+          sourceText, element->IsHTMLElement() ? htmlSinkName : svgSinkName,
+          kTrustedTypesOnlySinkGroup, *element, compliantStringHolder, error);
+  if (!error.Failed()) {
+    aSourceText.Assign(*compliantString);
+  }
+  return error.StealNSResult();
+}

dom/script/ScriptElement.h

@@ -49,8 +49,14 @@ class ScriptElement : public nsIScriptElement, public nsStubMutationObserver {
 
   virtual bool MaybeProcessScript() override;
 
+  virtual MOZ_CAN_RUN_SCRIPT nsresult
+  GetTrustedTypesCompliantInlineScriptText(nsString& aSourceText) override;
+
+ private:
   // https://github.com/w3c/trusted-types/pull/579
   void UpdateTrustWorthiness(MutationEffectOnScript aMutationEffectOnScript);
+
+  bool MaybeProcessScript(const nsAString& aSourceText);
 };
 
 }  // namespace mozilla::dom

dom/script/ScriptLoadContext.cpp

@@ -49,7 +49,8 @@ NS_IMPL_ADDREF_INHERITED(ScriptLoadContext, JS::loader::LoadContextBase)
 NS_IMPL_RELEASE_INHERITED(ScriptLoadContext, JS::loader::LoadContextBase)
 
 ScriptLoadContext::ScriptLoadContext(
-    nsIScriptElement* aScriptElement /* = nullptr */)
+    nsIScriptElement* aScriptElement /* = nullptr */,
+    const nsAString& aSourceText /* = VoidString() */)
     : JS::loader::LoadContextBase(JS::loader::ContextKind::Window),
       mScriptMode(ScriptMode::eBlocking),
       mScriptFromHead(false),
@@ -65,6 +66,7 @@ ScriptLoadContext::ScriptLoadContext(
       mColumnNo(0),
       mIsPreload(false),
       mScriptElement(aScriptElement),
+      mSourceText(aSourceText),
       mUnreportedPreloadError(NS_OK) {}
 
 ScriptLoadContext::~ScriptLoadContext() {
@@ -147,7 +149,11 @@ bool ScriptLoadContext::HasScriptElement() const { return !!mScriptElement; }
 
 void ScriptLoadContext::GetInlineScriptText(nsAString& aText) const {
   MOZ_ASSERT(mIsInline);
-  mScriptElement->GetScriptText(aText);
+  if (mSourceText.IsVoid()) {
+    mScriptElement->GetScriptText(aText);
+  } else {
+    aText.Append(mSourceText);
+  }
 }
 
 void ScriptLoadContext::GetHintCharset(nsAString& aCharset) const {

dom/script/ScriptLoadContext.h

@@ -141,7 +141,8 @@ class ScriptLoadContext : public JS::loader::LoadContextBase,
   virtual ~ScriptLoadContext();
 
  public:
-  explicit ScriptLoadContext(nsIScriptElement* aScriptElement = nullptr);
+  explicit ScriptLoadContext(nsIScriptElement* aScriptElement = nullptr,
+                             const nsAString& aSourceText = VoidString());
 
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(ScriptLoadContext,
@@ -320,6 +321,8 @@ class ScriptLoadContext : public JS::loader::LoadContextBase,
   // This is valid only for classic script and top-level module script.
   nsCOMPtr<nsIScriptElement> mScriptElement;
 
+  nsString mSourceText;
+
   // For preload requests, we defer reporting errors to the console until the
   // request is used.
   nsresult mUnreportedPreloadError;

dom/script/ScriptLoader.cpp

@@ -1024,6 +1024,7 @@ bool ScriptLoader::PreloadURIComparator::Equals(const PreloadInfo& aPi,
 }
 
 static bool CSPAllowsInlineScript(nsIScriptElement* aElement,
+                                  const nsAString& aSourceText,
                                   const nsAString& aNonce,
                                   Document* aDocument) {
   nsCOMPtr<nsIContentSecurityPolicy> csp =
@@ -1041,7 +1042,7 @@ static bool CSPAllowsInlineScript(nsIScriptElement* aElement,
   nsresult rv = csp->GetAllowsInline(
       nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE,
       false /* aHasUnsafeHash */, aNonce, parserCreated, element,
-      nullptr /* nsICSPEventListener */, VoidString(),
+      nullptr /* nsICSPEventListener */, aSourceText,
       aElement->GetScriptLineNumber(),
       aElement->GetScriptColumnNumber().oneOriginValue(), &allowInlineScript);
   return NS_SUCCEEDED(rv) && allowInlineScript;
@@ -1102,15 +1103,17 @@ void ScriptLoader::NotifyObserversForCachedScript(
 
 already_AddRefed<ScriptLoadRequest> ScriptLoader::CreateLoadRequest(
     ScriptKind aKind, nsIURI* aURI, nsIScriptElement* aElement,
-    nsIPrincipal* aTriggeringPrincipal, CORSMode aCORSMode,
-    const nsAString& aNonce, RequestPriority aRequestPriority,
-    const SRIMetadata& aIntegrity, ReferrerPolicy aReferrerPolicy,
-    ParserMetadata aParserMetadata, ScriptLoadRequestType aRequestType) {
+    const nsAString& aScriptContent, nsIPrincipal* aTriggeringPrincipal,
+    CORSMode aCORSMode, const nsAString& aNonce,
+    RequestPriority aRequestPriority, const SRIMetadata& aIntegrity,
+    ReferrerPolicy aReferrerPolicy, ParserMetadata aParserMetadata,
+    ScriptLoadRequestType aRequestType) {
   nsIURI* referrer = mDocument->GetDocumentURIAsReferrer();
   RefPtr<ScriptFetchOptions> fetchOptions =
       new ScriptFetchOptions(aCORSMode, aNonce, aRequestPriority,
                              aParserMetadata, aTriggeringPrincipal);
-  RefPtr<ScriptLoadContext> context = new ScriptLoadContext(aElement);
+  RefPtr<ScriptLoadContext> context =
+      new ScriptLoadContext(aElement, aScriptContent);
 
   if (aKind == ScriptKind::eModule) {
     RefPtr<ModuleLoadRequest> request = mModuleLoader->CreateTopLevel(
@@ -1199,7 +1202,8 @@ void ScriptLoader::EmulateNetworkEvents(ScriptLoadRequest* aRequest) {
   }
 }
 
-bool ScriptLoader::ProcessScriptElement(nsIScriptElement* aElement) {
+bool ScriptLoader::ProcessScriptElement(nsIScriptElement* aElement,
+                                        const nsAString& aSourceText) {
   // We need a document to evaluate scripts.
   NS_ENSURE_TRUE(mDocument, false);
 
@@ -1240,7 +1244,7 @@ bool ScriptLoader::ProcessScriptElement(nsIScriptElement* aElement) {
     return ProcessExternalScript(aElement, scriptKind, scriptContent);
   }
 
-  return ProcessInlineScript(aElement, scriptKind);
+  return ProcessInlineScript(aElement, scriptKind, aSourceText);
 }
 
 static ParserMetadata GetParserMetadata(nsIScriptElement* aElement) {
@@ -1347,8 +1351,8 @@ bool ScriptLoader::ProcessExternalScript(nsIScriptElement* aElement,
     ParserMetadata parserMetadata = GetParserMetadata(aElement);
 
     request = CreateLoadRequest(
-        aScriptKind, scriptURI, aElement, principal, ourCORSMode, nonce,
-        FetchPriorityToRequestPriority(fetchPriority), sriMetadata,
+        aScriptKind, scriptURI, aElement, VoidString(), principal, ourCORSMode,
+        nonce, FetchPriorityToRequestPriority(fetchPriority), sriMetadata,
         referrerPolicy, parserMetadata, ScriptLoadRequestType::External);
     request->GetScriptLoadContext()->mIsInline = false;
     request->GetScriptLoadContext()->SetScriptMode(
@@ -1528,7 +1532,8 @@ bool ScriptLoader::ProcessExternalScript(nsIScriptElement* aElement,
 }
 
 bool ScriptLoader::ProcessInlineScript(nsIScriptElement* aElement,
-                                       ScriptKind aScriptKind) {
+                                       ScriptKind aScriptKind,
+                                       const nsAString& aSourceText) {
   // Is this document sandboxed without 'allow-scripts'?
   if (mDocument->HasScriptsBlockedBySandbox()) {
     return false;
@@ -1538,7 +1543,7 @@ bool ScriptLoader::ProcessInlineScript(nsIScriptElement* aElement,
   nsString nonce = nsContentSecurityUtils::GetIsElementNonceableNonce(*element);
 
   // Does CSP allow this inline script to run?
-  if (!CSPAllowsInlineScript(aElement, nonce, mDocument)) {
+  if (!CSPAllowsInlineScript(aElement, aSourceText, nonce, mDocument)) {
     return false;
   }
 
@@ -1581,7 +1586,7 @@ bool ScriptLoader::ProcessInlineScript(nsIScriptElement* aElement,
   // NOTE: The `nonce` as specified here is significant, because it's inherited
   // by other scripts (e.g. modules created via dynamic imports).
   RefPtr<ScriptLoadRequest> request = CreateLoadRequest(
-      aScriptKind, mDocument->GetDocumentURI(), aElement,
+      aScriptKind, mDocument->GetDocumentURI(), aElement, aSourceText,
       mDocument->NodePrincipal(), corsMode, nonce,
       FetchPriorityToRequestPriority(fetchPriority),
       SRIMetadata(),  // SRI doesn't apply
@@ -1684,9 +1689,6 @@ bool ScriptLoader::ProcessInlineScript(nsIScriptElement* aElement,
     return true;
   }
   if (aElement->GetParserCreated() == NOT_FROM_PARSER) {
-    NS_ASSERTION(
-        !nsContentUtils::IsSafeToRunScript(),
-        "A script-inserted script is inserted without an update batch?");
     RunScriptWhenSafe(request);
     return false;
   }
@@ -4597,13 +4599,13 @@ void ScriptLoader::PreloadURI(
   // We treat speculative <script> loads as parser-inserted, because they
   // come from a parser. This will also match how they should be treated
   // as a normal load.
-  RefPtr<ScriptLoadRequest> request =
-      CreateLoadRequest(scriptKind, aURI, nullptr, mDocument->NodePrincipal(),
-                        Element::StringToCORSMode(aCrossOrigin), aNonce,
-                        requestPriority, sriMetadata, aReferrerPolicy,
-                        aLinkPreload ? ParserMetadata::NotParserInserted
-                                     : ParserMetadata::ParserInserted,
-                        ScriptLoadRequestType::Preload);
+  RefPtr<ScriptLoadRequest> request = CreateLoadRequest(
+      scriptKind, aURI, nullptr, VoidString(), mDocument->NodePrincipal(),
+      Element::StringToCORSMode(aCrossOrigin), aNonce, requestPriority,
+      sriMetadata, aReferrerPolicy,
+      aLinkPreload ? ParserMetadata::NotParserInserted
+                   : ParserMetadata::ParserInserted,
+      ScriptLoadRequestType::Preload);
   request->GetScriptLoadContext()->mIsInline = false;
   request->GetScriptLoadContext()->mScriptFromHead = aScriptFromHead;
   request->GetScriptLoadContext()->SetScriptMode(aDefer, aAsync, aLinkPreload);

dom/script/ScriptLoader.h

@@ -215,10 +215,14 @@ class ScriptLoader final : public JS::loader::ScriptLoaderInterface {
    * In this case ScriptAvailable is guaranteed to be called at a later
    * point (as well as possibly ScriptEvaluated).
    *
-   * @param aElement The element representing the script to be loaded and
-   *        evaluated.
+   * @param aElement    The element representing the script to be loaded and
+   * evaluated.
+   * @param aSourceText For inline non-trusted script, the source text after
+   * application of the default Trusted Types policy, a void string otherwise.
+   * See https://html.spec.whatwg.org/#prepare-the-script-element
    */
-  bool ProcessScriptElement(nsIScriptElement* aElement);
+  bool ProcessScriptElement(nsIScriptElement* aElement,
+                            const nsAString& aSourceText);
 
   /**
    * Gets the currently executing script. This is useful if you want to
@@ -470,9 +474,10 @@ class ScriptLoader final : public JS::loader::ScriptLoaderInterface {
 
   already_AddRefed<ScriptLoadRequest> CreateLoadRequest(
       ScriptKind aKind, nsIURI* aURI, nsIScriptElement* aElement,
-      nsIPrincipal* aTriggeringPrincipal, mozilla::CORSMode aCORSMode,
-      const nsAString& aNonce, RequestPriority aRequestPriority,
-      const SRIMetadata& aIntegrity, ReferrerPolicy aReferrerPolicy,
+      const nsAString& aScriptContent, nsIPrincipal* aTriggeringPrincipal,
+      mozilla::CORSMode aCORSMode, const nsAString& aNonce,
+      RequestPriority aRequestPriority, const SRIMetadata& aIntegrity,
+      ReferrerPolicy aReferrerPolicy,
       JS::loader::ParserMetadata aParserMetadata,
       ScriptLoadRequestType aRequestType);
 
@@ -508,7 +513,8 @@ class ScriptLoader final : public JS::loader::ScriptLoaderInterface {
   bool ProcessExternalScript(nsIScriptElement* aElement, ScriptKind aScriptKind,
                              nsIContent* aScriptContent);
 
-  bool ProcessInlineScript(nsIScriptElement* aElement, ScriptKind aScriptKind);
+  bool ProcessInlineScript(nsIScriptElement* aElement, ScriptKind aScriptKind,
+                           const nsAString& aSourceText);
 
   enum class CacheBehavior : uint8_t {
     DoNothing,

dom/script/nsIScriptElement.h

@@ -252,6 +252,14 @@ class nsIScriptElement : public nsIScriptLoaderObserver {
    */
   virtual nsresult FireErrorEvent() = 0;
 
+  /**
+   * This must be called on scripts with mIsTrusted set to false in
+   * order retrieve the associated aSourceText (source text after
+   * application of the Trusted Types's default policy).
+   */
+  virtual MOZ_CAN_RUN_SCRIPT nsresult
+  GetTrustedTypesCompliantInlineScriptText(nsString& aSourceText) = 0;
+
  protected:
   /**
    * Processes the script if it's in the document-tree and links to or