Bug 1851816: Pass PBM Status into RFPIsEnabledFor r=timhuang

Differential Revision: https://phabricator.services.mozilla.com/D192501

caps/nsIScriptSecurityManager.idl

@@ -288,6 +288,10 @@ interface nsIScriptSecurityManager : nsISupports
 
     const unsigned long DEFAULT_USER_CONTEXT_ID = 0;
 
+    /**
+     * The constant the indicates when mPrivateBrowsingId is _not_ in PBM.
+     * In other words, zero indicates Normal Browsing, and non-zero indicates PBM
+     */
     const unsigned long DEFAULT_PRIVATE_BROWSING_ID = 0;
 
     /**

dom/base/ChromeUtils.cpp

@@ -61,6 +61,7 @@
 #include "mozJSModuleLoader.h"
 #include "mozilla/ProfilerLabels.h"
 #include "mozilla/ProfilerMarkers.h"
+#include "nsDocShell.h"
 #include "nsIException.h"
 #include "VsyncSource.h"
 
@@ -1895,13 +1896,28 @@ bool ChromeUtils::ShouldResistFingerprinting(
       MOZ_CRASH("Unhandled JSRFPTarget enum value");
   }
 
+  bool isPBM = false;
+  nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports());
+  if (global) {
+    nsPIDOMWindowInner* win = global->GetAsInnerWindow();
+    if (win) {
+      nsIDocShell* docshell = win->GetDocShell();
+      if (docshell) {
+        nsDocShell::Cast(docshell)->GetUsePrivateBrowsing(&isPBM);
+      }
+    }
+  }
+
   Maybe<RFPTarget> overriddenFingerprintingSettings;
   if (!aOverriddenFingerprintingSettings.IsNull()) {
     overriddenFingerprintingSettings.emplace(
         RFPTarget(aOverriddenFingerprintingSettings.Value()));
   }
 
-  return nsRFPService::IsRFPEnabledFor(target,
+  // This global object appears to be the global window, not for individual
+  // sites so to exempt individual sites (instead of just PBM/Not-PBM windows)
+  // more work would be needed to get the correct context.
+  return nsRFPService::IsRFPEnabledFor(isPBM, target,
                                        overriddenFingerprintingSettings);
 }
 

dom/base/Document.cpp

@@ -2820,6 +2820,8 @@ void Document::Reset(nsIChannel* aChannel, nsILoadGroup* aLoadGroup) {
   nsCOMPtr<nsIPrincipal> principal;
   nsCOMPtr<nsIPrincipal> partitionedPrincipal;
   if (aChannel) {
+    mIsInPrivateBrowsing = NS_UsePrivateBrowsing(aChannel);
+
     // Note: this code is duplicated in PrototypeDocumentContentSink::Init and
     // nsScriptSecurityManager::GetChannelResultPrincipals.
     // Note: this should match the uri used for the OnNewURI call in
@@ -2948,6 +2950,20 @@ void Document::ResetToURI(nsIURI* aURI, nsILoadGroup* aLoadGroup,
   mChromeXHRDocBaseURI = nullptr;
 
   if (aLoadGroup) {
+    nsCOMPtr<nsIInterfaceRequestor> callbacks;
+    aLoadGroup->GetNotificationCallbacks(getter_AddRefs(callbacks));
+    if (callbacks) {
+      nsCOMPtr<nsILoadContext> loadContext = do_GetInterface(callbacks);
+      if (loadContext) {
+        // This is asserting that if we previously set mIsInPrivateBrowsing
+        // to true from the channel in Document::Reset, that the loadContext
+        // also believes it to be true.
+        // MOZ_ASSERT(!mIsInPrivateBrowsing ||
+        //           mIsInPrivateBrowsing == loadContext->UsePrivateBrowsing());
+        mIsInPrivateBrowsing = loadContext->UsePrivateBrowsing();
+      }
+    }
+
     mDocumentLoadGroup = do_GetWeakReference(aLoadGroup);
     // there was an assertion here that aLoadGroup was not null.  This
     // is no longer valid: nsDocShell::SetDocument does not create a
@@ -16317,7 +16333,7 @@ bool Document::RecomputeResistFingerprinting() {
 
 bool Document::ShouldResistFingerprinting(RFPTarget aTarget) const {
   return mShouldResistFingerprinting &&
-         nsRFPService::IsRFPEnabledFor(aTarget,
+         nsRFPService::IsRFPEnabledFor(this->IsInPrivateBrowsing(), aTarget,
                                        mOverriddenFingerprintingSettings);
 }
 
@@ -16354,6 +16370,8 @@ void Document::RecordFontFingerprinting() {
   nsRFPService::MaybeReportFontFingerprinter(GetChannel(), originNoSuffix);
 }
 
+bool Document::IsInPrivateBrowsing() const { return mIsInPrivateBrowsing; }
+
 WindowContext* Document::GetWindowContextForPageUseCounters() const {
   if (mDisplayDocument) {
     // If we are a resource document, then go through it to find the

dom/base/Document.h

@@ -4089,6 +4089,7 @@ class Document : public nsINode,
   class HighlightRegistry& HighlightRegistry();
 
   bool ShouldResistFingerprinting(RFPTarget aTarget) const;
+  bool IsInPrivateBrowsing() const;
 
   const Maybe<RFPTarget>& GetOverriddenFingerprintingSettings() const {
     return mOverriddenFingerprintingSettings;
@@ -4841,6 +4842,9 @@ class Document : public nsINode,
   // Whether we should resist fingerprinting.
   bool mShouldResistFingerprinting : 1;
 
+  // Whether we are in private browsing mode.
+  bool mIsInPrivateBrowsing : 1;
+
   // Whether we're cloning the contents of an SVG use element.
   bool mCloningForSVGUse : 1;
 

dom/base/nsContentUtils.cpp

@@ -2223,8 +2223,9 @@ bool nsContentUtils::IsCallerChromeOrElementTransformGettersEnabled(
 // Older Should RFP Functions ----------------------------------
 
 /* static */
-bool nsContentUtils::ShouldResistFingerprinting(RFPTarget aTarget) {
+bool nsContentUtils::ShouldResistFingerprinting(bool aIsPrivateMode,
-  return nsRFPService::IsRFPEnabledFor(aTarget, Nothing());
+                                                RFPTarget aTarget) {
+  return nsRFPService::IsRFPEnabledFor(aIsPrivateMode, aTarget, Nothing());
 }
 
 /* static */
@@ -2277,6 +2278,7 @@ bool ETPSaysShouldNotResistFingerprinting(nsIChannel* aChannel,
   // A positive return from this function should always be obeyed.
   // A negative return means we should keep checking things.
 
+  bool isPBM = NS_UsePrivateBrowsing(aChannel);
   // We do not want this check to apply to RFP, only to FPP
   // There is one problematic combination of prefs; however:
   // If RFP is enabled in PBMode only and FPP is enabled globally
@@ -2286,13 +2288,14 @@ bool ETPSaysShouldNotResistFingerprinting(nsIChannel* aChannel,
   if (StaticPrefs::privacy_fingerprintingProtection_DoNotUseDirectly() &&
       !StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() &&
       StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly()) {
-    if (NS_UsePrivateBrowsing(aChannel)) {
+    if (isPBM) {
       // In PBM (where RFP is enabled) do not exempt based on the ETP toggle
       return false;
     }
   } else if (StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() ||
-             StaticPrefs::
+             (isPBM &&
-                 privacy_resistFingerprinting_pbmode_DoNotUseDirectly()) {
+              StaticPrefs::
+                  privacy_resistFingerprinting_pbmode_DoNotUseDirectly())) {
     // In RFP, never use the ETP toggle to exempt.
     // We can safely return false here even if we are not in PBM mode
     // and RFP_pbmode is enabled because we will later see that and
@@ -2390,9 +2393,21 @@ inline bool PartionKeyIsAlsoExempted(
 bool nsContentUtils::ShouldResistFingerprinting(const char* aJustification,
                                                 RFPTarget aTarget) {
   // See comment in header file for information about usage
-  return ShouldResistFingerprinting(aTarget);
+  // We hardcode PBM to true to be the more restrictive option.
+  return nsContentUtils::ShouldResistFingerprinting(true, aTarget);
 }
 
+namespace {
+
+// This function is only called within this file for Positive Return Checks
+bool ShouldResistFingerprinting_(const char* aJustification,
+                                 bool aIsPrivateMode, RFPTarget aTarget) {
+  // See comment in header file for information about usage
+  return nsContentUtils::ShouldResistFingerprinting(aIsPrivateMode, aTarget);
+}
+
+}  // namespace
+
 /* static */
 bool nsContentUtils::ShouldResistFingerprinting(CallerType aCallerType,
                                                 nsIGlobalObject* aGlobalObject,
@@ -2416,7 +2431,7 @@ bool nsContentUtils::ShouldResistFingerprinting(nsIDocShell* aDocShell,
     MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Info,
             ("Called nsContentUtils::ShouldResistFingerprinting(nsIDocShell*) "
              "with NULL doc"));
-    return ShouldResistFingerprinting(aTarget);
+    return ShouldResistFingerprinting("Null Object", aTarget);
   }
   return doc->ShouldResistFingerprinting(aTarget);
 }
@@ -2441,7 +2456,12 @@ bool nsContentUtils::ShouldResistFingerprinting(nsIChannel* aChannel,
 
   // With this check, we can ensure that the prefs and target say yes, so only
   // an exemption would cause us to return false.
-  if (!ShouldResistFingerprinting("Positive return check", aTarget)) {
+  bool isPBM = NS_UsePrivateBrowsing(aChannel);
+  if (!ShouldResistFingerprinting_("Positive return check", isPBM, aTarget)) {
+    MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
+            ("Inside ShouldResistFingerprinting(nsIChannel*)"
+             " Positive return check said false (PBM: %s)",
+             isPBM ? "Yes" : "No"));
     return false;
   }
 
@@ -2524,7 +2544,13 @@ bool nsContentUtils::ShouldResistFingerprinting_dangerous(
     const char* aJustification, RFPTarget aTarget) {
   // With this check, we can ensure that the prefs and target say yes, so only
   // an exemption would cause us to return false.
-  if (!ShouldResistFingerprinting("Positive return check", aTarget)) {
+  bool isPBM = aOriginAttributes.mPrivateBrowsingId !=
+               nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID;
+  if (!ShouldResistFingerprinting_("Positive return check", isPBM, aTarget)) {
+    MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
+            ("Inside ShouldResistFingerprinting_dangerous(nsIURI*,"
+             " OriginAttributes) Positive return check said false (PBM: %s)",
+             isPBM ? "Yes" : "No"));
     return false;
   }
 
@@ -2538,7 +2564,11 @@ bool nsContentUtils::ShouldResistFingerprinting_dangerous(
     // If neither of the 'regular' RFP prefs are set, then one (or both)
     // of the PBM-Only prefs are set (or we would have failed the
     // Positive return check.)  Therefore, if we are not in PBM, return false
-    if (aOriginAttributes.mPrivateBrowsingId == 0) {
+    if (aOriginAttributes.mPrivateBrowsingId ==
+        nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID) {
+      MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
+              ("Inside ShouldResistFingerprinting_dangerous(nsIURI*,"
+               " OriginAttributes) OA PBM Check said false"));
       return false;
     }
   }
@@ -2581,28 +2611,27 @@ bool nsContentUtils::ShouldResistFingerprinting_dangerous(
     return ShouldResistFingerprinting("Null object", aTarget);
   }
 
+  auto originAttributes =
+      BasePrincipal::Cast(aPrincipal)->OriginAttributesRef();
   // With this check, we can ensure that the prefs and target say yes, so only
   // an exemption would cause us to return false.
-  if (!ShouldResistFingerprinting("Positive return check", aTarget)) {
+  bool isPBM = originAttributes.mPrivateBrowsingId ==
+               nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID;
+  if (!ShouldResistFingerprinting_("Positive return check", isPBM, aTarget)) {
+    MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
+            ("Inside ShouldResistFingerprinting(nsIPrincipal*) Positive return "
+             "check said false (PBM: %s)",
+             isPBM ? "Yes" : "No"));
     return false;
   }
 
   if (aPrincipal->IsSystemPrincipal()) {
+    MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
+            ("Inside ShouldResistFingerprinting(nsIPrincipal*) System "
+             "Principal said false"));
     return false;
   }
 
-  auto originAttributes =
-      BasePrincipal::Cast(aPrincipal)->OriginAttributesRef();
-  if (!StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() &&
-      !StaticPrefs::privacy_fingerprintingProtection_DoNotUseDirectly()) {
-    // If neither of the 'regular' RFP prefs are set, then one (or both)
-    // of the PBM-Only prefs are set (or we would have failed the
-    // Positive return check.)  Therefore, if we are not in PBM, return false
-    if (originAttributes.mPrivateBrowsingId == 0) {
-      return false;
-    }
-  }
-
   // Exclude internal schemes and web extensions
   if (SchemeSaysShouldNotResistFingerprinting(aPrincipal)) {
     MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
@@ -2614,7 +2643,7 @@ bool nsContentUtils::ShouldResistFingerprinting_dangerous(
   // Web extension principals are also excluded
   if (BasePrincipal::Cast(aPrincipal)->AddonPolicy()) {
     MOZ_LOG(nsContentUtils::ResistFingerprintingLog(), LogLevel::Debug,
-            ("Inside ShouldResistFingerprinting_dangerous(nsIPrincipal*)"
+            ("Inside ShouldResistFingerprinting(nsIPrincipal*)"
              " and AddonPolicy said false"));
     return false;
   }
@@ -3878,12 +3907,14 @@ bool nsContentUtils::CanLoadImage(nsIURI* aURI, nsINode* aNode,
 }
 
 // static
-bool nsContentUtils::IsInPrivateBrowsing(Document* aDoc) {
+bool nsContentUtils::IsInPrivateBrowsing(const Document* aDoc) {
   if (!aDoc) {
     return false;
   }
 
   nsCOMPtr<nsILoadGroup> loadGroup = aDoc->GetDocumentLoadGroup();
+  // See duplicated code below in IsInPrivateBrowsing(nsILoadGroup*)
+  // and Document::Reset/ResetToURI
   if (loadGroup) {
     nsCOMPtr<nsIInterfaceRequestor> callbacks;
     loadGroup->GetNotificationCallbacks(getter_AddRefs(callbacks));

dom/base/nsContentUtils.h

@@ -350,7 +350,8 @@ class nsContentUtils {
 
   // Check whether we should avoid leaking distinguishing information to JS/CSS.
   // This function can be called both in the main thread and worker threads.
-  static bool ShouldResistFingerprinting(RFPTarget aTarget);
+  static bool ShouldResistFingerprinting(bool aIsPrivateMode,
+                                         RFPTarget aTarget);
   static bool ShouldResistFingerprinting(nsIGlobalObject* aGlobalObject,
                                          RFPTarget aTarget);
   // Similar to the function above, but always allows CallerType::System
@@ -1088,7 +1089,7 @@ class nsContentUtils {
   /**
    * Returns true if this document is in a Private Browsing window.
    */
-  static bool IsInPrivateBrowsing(Document* aDoc);
+  static bool IsInPrivateBrowsing(const Document* aDoc);
 
   /**
    * Returns true if this loadGroup uses Private Browsing.

dom/workers/WorkerPrivate.cpp

@@ -5847,6 +5847,8 @@ PerformanceStorage* WorkerPrivate::GetPerformanceStorage() {
 bool WorkerPrivate::ShouldResistFingerprinting(RFPTarget aTarget) const {
   return mLoadInfo.mShouldResistFingerprinting &&
          nsRFPService::IsRFPEnabledFor(
+             mLoadInfo.mOriginAttributes.mPrivateBrowsingId >
+                 nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID,
              aTarget, mLoadInfo.mOverriddenFingerprintingSettings);
 }
 

dom/worklet/WorkletImpl.cpp

@@ -46,6 +46,7 @@ WorkletImpl::WorkletImpl(nsPIDOMWindowInner* aWindow, nsIPrincipal* aPrincipal)
       mWorkletLoadInfo(aWindow),
       mTerminated(false),
       mFinishedOnExecutionThread(false),
+      mIsPrivateBrowsing(false),
       mTrials(OriginTrials::FromWindow(nsGlobalWindowInner::Cast(aWindow))) {
   Unused << NS_WARN_IF(
       NS_FAILED(ipc::PrincipalToPrincipalInfo(mPrincipal, &mPrincipalInfo)));
@@ -62,6 +63,7 @@ WorkletImpl::WorkletImpl(nsPIDOMWindowInner* aWindow, nsIPrincipal* aPrincipal)
 
   RefPtr<dom::Document> doc = nsGlobalWindowInner::Cast(aWindow)->GetDocument();
   if (doc) {
+    mIsPrivateBrowsing = doc->IsInPrivateBrowsing();
     mOverriddenFingerprintingSettings =
         doc->GetOverriddenFingerprintingSettings();
   }

dom/worklet/WorkletImpl.h

@@ -85,7 +85,7 @@ class WorkletImpl {
   bool IsSystemPrincipal() const { return mPrincipal->IsSystemPrincipal(); }
   bool ShouldResistFingerprinting(RFPTarget aTarget) const {
     return mShouldResistFingerprinting &&
-           nsRFPService::IsRFPEnabledFor(aTarget,
+           nsRFPService::IsRFPEnabledFor(mIsPrivateBrowsing, aTarget,
                                          mOverriddenFingerprintingSettings);
   }
 
@@ -113,16 +113,17 @@ class WorkletImpl {
 
   // Parent thread only.
   RefPtr<dom::WorkletThread> mWorkletThread;
-  bool mTerminated;
+  bool mTerminated : 1;
 
   // Execution thread only.
   RefPtr<dom::WorkletGlobalScope> mGlobalScope;
-  bool mFinishedOnExecutionThread;
+  bool mFinishedOnExecutionThread : 1;
 
   Maybe<nsID> mAgentClusterId;
 
-  bool mSharedMemoryAllowed;
+  bool mSharedMemoryAllowed : 1;
-  bool mShouldResistFingerprinting;
+  bool mShouldResistFingerprinting : 1;
+  bool mIsPrivateBrowsing : 1;
   // The granular fingerprinting protection overrides applied to the worklet.
   // This will only get populated if these is one that comes from the local
   // granular override pref or WebCompat. Otherwise, a value of Nothing()

netwerk/streamconv/converters/nsIndexedToHTML.cpp

@@ -643,7 +643,8 @@ static nsresult FormatTime(
   // instead of local time zone name (e.g. CEST).
   // To avoid this case when ResistFingerprinting is disabled, use
   // |FormatPRTime| to show exact time zone name.
-  if (!nsContentUtils::ShouldResistFingerprinting(RFPTarget::JSDateTimeUTC)) {
+  if (!nsContentUtils::ShouldResistFingerprinting(true,
+                                                  RFPTarget::JSDateTimeUTC)) {
     return mozilla::intl::AppDateTimeFormat::Format(aStyleBag, aPrTime,
                                                     aStringOut);
   }

toolkit/components/resistfingerprinting/nsRFPService.cpp

@@ -197,12 +197,13 @@ bool nsRFPService::IsRFPPrefEnabled(bool aIsPrivateMode) {
 
 /* static */
 bool nsRFPService::IsRFPEnabledFor(
-    RFPTarget aTarget,
+    bool aIsPrivateMode, RFPTarget aTarget,
     const Maybe<RFPTarget>& aOverriddenFingerprintingSettings) {
   MOZ_ASSERT(aTarget != RFPTarget::AllTargets);
 
   if (StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() ||
-      StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly()) {
+      (aIsPrivateMode &&
+       StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly())) {
     if (aTarget == RFPTarget::JSLocale) {
       return StaticPrefs::privacy_spoof_english() == 2;
     }
@@ -210,7 +211,9 @@ bool nsRFPService::IsRFPEnabledFor(
   }
 
   if (StaticPrefs::privacy_fingerprintingProtection_DoNotUseDirectly() ||
-      StaticPrefs::privacy_fingerprintingProtection_pbmode_DoNotUseDirectly()) {
+      (aIsPrivateMode &&
+       StaticPrefs::
+           privacy_fingerprintingProtection_pbmode_DoNotUseDirectly())) {
     if (aTarget == RFPTarget::IsAlwaysEnabledForPrecompute) {
       return true;
     }

toolkit/components/resistfingerprinting/nsRFPService.h

@@ -214,8 +214,9 @@ class nsRFPService final : public nsIObserver, public nsIRFPService {
   // 98% of the time you should use nsContentUtils::ShouldResistFingerprinting
   // as the difference will not matter to you.
   static bool IsRFPPrefEnabled(bool aIsPrivateMode);
+
   static bool IsRFPEnabledFor(
-      RFPTarget aTarget,
+      bool aIsPrivateMode, RFPTarget aTarget,
       const Maybe<RFPTarget>& aOverriddenFingerprintingSettings);
 
   // --------------------------------------------------------------------------