Bug 1991135, part 1 - Add support for <meta name=rating> behind a pref - r=dom-core,firefox-desktop-core-reviewers ,fluent-reviewers,bolsson,smaug,frontend-codestyle-reviewers,Gijs

bvandersloot-mozilla · bvandersloot-mozilla · commit 1f5d422cf8f6 · 2025-10-17T16:58:37.000Z
Differential Revision: https://phabricator.services.mozilla.com/D266422
diff --git a/docshell/base/BrowsingContext.cpp b/docshell/base/BrowsingContext.cpp
@@ -489,6 +489,18 @@ already_AddRefed<BrowsingContext> BrowsingContext::CreateDetached(
                                          ? inherit->GetIPAddressSpace()
                                          : nsILoadInfo::IPAddressSpace::Unknown;
 
+  bool parentalControlsEnabled;
+  if (inherit) {
+    parentalControlsEnabled = inherit->GetParentalControlsEnabled();
+  } else if (XRE_IsParentProcess()) {
+    parentalControlsEnabled =
+        CanonicalBrowsingContext::ShouldEnforceParentalControls();
+  } else {
+    parentalControlsEnabled = false;
+  }
+
+  fields.Get<IDX_ParentalControlsEnabled>() = parentalControlsEnabled;
+
   fields.Get<IDX_IsPopupRequested>() = aOptions.isPopupRequested;
 
   fields.Get<IDX_TopLevelCreatedByWebContent>() =
diff --git a/docshell/base/BrowsingContext.h b/docshell/base/BrowsingContext.h
@@ -284,7 +284,10 @@ struct EmbedderColorSchemes {
    * protections */                                                           \
   FIELD(TopInnerSizeForRFP, CSSIntSize)                                       \
   /* Used to propagate document's IPAddressSpace  */                          \
-  FIELD(IPAddressSpace, nsILoadInfo::IPAddressSpace)
+  FIELD(IPAddressSpace, nsILoadInfo::IPAddressSpace)                          \
+  /* This is true if we should redirect to an error page when inserting *     \
+   * meta tags flagging adult content into our documents */                   \
+  FIELD(ParentalControlsEnabled, bool)
 
 // BrowsingContext, in this context, is the cross process replicated
 // environment in which information about documents is stored. In
@@ -1420,6 +1423,10 @@ class BrowsingContext : public nsILoadContext, public nsWrapperCache {
     return XRE_IsParentProcess();
   }
 
+  bool CanSet(FieldIndex<IDX_ParentalControlsEnabled>, bool, ContentParent*) {
+    return XRE_IsParentProcess();
+  }
+
   // Overload `DidSet` to get notifications for a particular field being set.
   //
   // You can also overload the variant that gets the old value if you need it.
diff --git a/docshell/base/CanonicalBrowsingContext.cpp b/docshell/base/CanonicalBrowsingContext.cpp
@@ -41,8 +41,10 @@
 #include "mozilla/StaticPrefs_browser.h"
 #include "mozilla/StaticPrefs_docshell.h"
 #include "mozilla/StaticPrefs_fission.h"
+#include "mozilla/StaticPrefs_security.h"
 #include "mozilla/glean/DomMetrics.h"
 #include "nsILayoutHistoryState.h"
+#include "nsIParentalControlsService.h"
 #include "nsIPrintSettings.h"
 #include "nsIPrintSettingsService.h"
 #include "nsISupports.h"
@@ -271,6 +273,7 @@ void CanonicalBrowsingContext::ReplacedBy(
   txn.SetForceOffline(GetForceOffline());
   txn.SetTopInnerSizeForRFP(GetTopInnerSizeForRFP());
   txn.SetIPAddressSpace(GetIPAddressSpace());
+  txn.SetParentalControlsEnabled(GetParentalControlsEnabled());
 
   if (!GetLanguageOverride().IsEmpty()) {
     // Reapply language override to update the corresponding realm.
@@ -3693,6 +3696,23 @@ bool CanonicalBrowsingContext::CanOpenModalPicker() {
   return true;
 }
 
+bool CanonicalBrowsingContext::ShouldEnforceParentalControls() {
+  if (StaticPrefs::security_restrict_to_adults_always()) {
+    return true;
+  }
+  if (StaticPrefs::security_restrict_to_adults_respect_platform()) {
+    bool enabled;
+    nsCOMPtr<nsIParentalControlsService> pcs =
+        do_CreateInstance("@mozilla.org/parental-controls-service;1");
+    nsresult rv = pcs->GetParentalControlsEnabled(&enabled);
+    if (NS_FAILED(rv)) {
+      return false;
+    }
+    return enabled;
+  }
+  return false;
+}
+
 NS_IMPL_CYCLE_COLLECTION_CLASS(CanonicalBrowsingContext)
 
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(CanonicalBrowsingContext,
diff --git a/docshell/base/CanonicalBrowsingContext.h b/docshell/base/CanonicalBrowsingContext.h
@@ -453,6 +453,8 @@ class CanonicalBrowsingContext final : public BrowsingContext {
 
   bool CanOpenModalPicker();
 
+  static bool ShouldEnforceParentalControls();
+
  protected:
   // Called when the browsing context is being discarded.
   void CanonicalDiscard();
diff --git a/docshell/base/nsAboutRedirector.cpp b/docshell/base/nsAboutRedirector.cpp
@@ -175,6 +175,10 @@ static const RedirEntry kRedirMap[] = {
          nsIAboutModule::HIDE_FROM_ABOUTABOUT},
     {"processes", "chrome://global/content/aboutProcesses.html",
      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::IS_SECURE_CHROME_UI},
+    {"restricted", "chrome://global/content/aboutRestricted/aboutRestricted.html",
+     nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+         nsIAboutModule::URI_CAN_LOAD_IN_CHILD | nsIAboutModule::ALLOW_SCRIPT |
+         nsIAboutModule::HIDE_FROM_ABOUTABOUT},
     // about:serviceworkers always wants to load in the parent process because
     // the only place nsIServiceWorkerManager has any data is in the parent
     // process.
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
@@ -3566,6 +3566,12 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
     if (messageStr.IsEmpty()) {
       messageStr.AssignLiteral(u" ");
     }
+  } else if (aError == NS_ERROR_RESTRICTED_CONTENT) {
+    errorPage.AssignLiteral("restricted");
+    error = "restrictedcontent";
+    if (messageStr.IsEmpty()) {
+      messageStr.AssignLiteral(u" ");
+    }
   } else {
     // Errors requiring simple formatting
     switch (aError) {
@@ -4117,6 +4123,17 @@ nsresult nsDocShell::ReloadNavigable(
   return ReloadDocument(this, doc, loadType, bc, currentURI, referrerInfo);
 }
 
+void nsDocShell::DisplayRestrictedContentError() {
+  bool didDisplayLoadError = false;
+  RefPtr<mozilla::dom::Document> doc = GetDocument();
+  if (!doc) {
+    return;
+  }
+  doc->TerminateParserAndDisableScripts();
+  DisplayLoadError(NS_ERROR_RESTRICTED_CONTENT, doc->GetDocumentURI(), nullptr, nullptr,
+                   &didDisplayLoadError);
+}
+
 /* static */
 nsresult nsDocShell::ReloadDocument(nsDocShell* aDocShell, Document* aDocument,
                                     uint32_t aLoadType,
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
@@ -782,6 +782,11 @@ class nsDocShell final : public nsDocLoader,
     return didDisplayLoadError;
   }
 
+  // Called when a document is recognised as content the device owner doesn't
+  // want to be displayed. Stops parsing, stops scripts, and displays an
+  // error page with DisplayLoadError.
+  void DisplayRestrictedContentError();
+
   //
   // Uncategorized
   //
diff --git a/docshell/build/components.conf b/docshell/build/components.conf
@@ -26,6 +26,7 @@ about_pages = [
     'networking',
     'performance',
     'processes',
+    'restricted',
     'serviceworkers',
     'srcdoc',
     'support',
diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp
@@ -384,6 +384,7 @@
 #include "nsINodeList.h"
 #include "nsIObjectLoadingContent.h"
 #include "nsIObserverService.h"
+#include "nsIParentalControlsService.h"
 #include "nsIPermission.h"
 #include "nsIPrompt.h"
 #include "nsIPropertyBag2.h"
@@ -11857,6 +11858,34 @@ void Document::ProcessMETATag(HTMLMetaElement* aMetaElement) {
       SetHeaderData(nsGkAtoms::handheldFriendly, result);
     }
   }
+  // Check for Restricted To Adults meta tag
+  if (aMetaElement->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
+                                nsGkAtoms::rating, eIgnoreCase)) {
+    if (aMetaElement->AttrValueIs(kNameSpaceID_None, nsGkAtoms::content,
+                                  nsGkAtoms::adult, eIgnoreCase) ||
+        aMetaElement->AttrValueIs(kNameSpaceID_None, nsGkAtoms::content,
+                                  nsGkAtoms::restrictToAdults, eIgnoreCase)) {
+      BrowsingContext* bc = GetBrowsingContext();
+      if (bc && bc->GetParentalControlsEnabled() && GetDocShell()) {
+        RefPtr<nsDocShell> docShell = nsDocShell::Cast(GetDocShell());
+        nsCOMPtr<nsIRunnable> redirect = NewRunnableMethod(
+            "Document::ProcessMETATag::DisplayRestrictedContentError", docShell,
+            &nsDocShell::DisplayRestrictedContentError);
+        nsContentUtils::AddScriptRunner(redirect.forget());
+      }
+    }
+  }
+}
+
+void Document::TerminateParserAndDisableScripts() {
+  if (mParser) {
+    Unused << mParser->Terminate();
+    MOZ_ASSERT(!mParser, "mParser should have been null'd out");
+  }
+
+  if (WindowContext* wc = GetWindowContext()) {
+    Unused << wc->SetAllowJavascript(false);
+  }
 }
 
 already_AddRefed<Element> Document::CreateElem(const nsAString& aName,
diff --git a/dom/base/Document.h b/dom/base/Document.h
@@ -2241,6 +2241,9 @@ class Document : public nsINode,
   }
 
   void ProcessMETATag(HTMLMetaElement* aMetaElement);
+
+  void TerminateParserAndDisableScripts();
+
   /**
    * Create an element with the specified name, prefix and namespace ID.
    * Returns null if element name parsing failed.
diff --git a/eslint-file-globals.config.mjs b/eslint-file-globals.config.mjs
@@ -382,6 +382,7 @@ export default [
       "toolkit/components/certviewer/content/components/about-certificate-items.mjs",
       "toolkit/components/certviewer/content/components/about-certificate-section.mjs",
       "toolkit/components/httpsonlyerror/content/errorpage.js",
+      "toolkit/content/aboutRestricted/aboutRestricted.mjs",
       "toolkit/content/aboutNetError.mjs",
       "toolkit/content/aboutNetErrorHelpers.mjs",
       "toolkit/content/net-error-card.mjs",
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -17574,6 +17574,17 @@
   value: 1
   mirror: always
 
+- name: security.restrict_to_adults.respect_platform
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
+- name: security.restrict_to_adults.always
+  type: bool
+  value: false
+  mirror: always
+
+
 #---------------------------------------------------------------------------
 # Prefs starting with "signon."
 #---------------------------------------------------------------------------
diff --git a/toolkit/actors/AboutRestrictedChild.sys.mjs b/toolkit/actors/AboutRestrictedChild.sys.mjs
@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { RemotePageChild } from "resource://gre/actors/RemotePageChild.sys.mjs";
+
+export class AboutRestrictedChild extends RemotePageChild {
+  actorCreated() {
+    super.actorCreated();
+    const exportableFunctions = ["RPMGetBoolPref"];
+    this.exportFunctions(exportableFunctions);
+  }
+}
diff --git a/toolkit/actors/AboutRestrictedParent.sys.mjs b/toolkit/actors/AboutRestrictedParent.sys.mjs
@@ -0,0 +1,19 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { EscapablePageParent } from "resource://gre/actors/NetErrorParent.sys.mjs";
+
+export class AboutRestrictedParent extends EscapablePageParent {
+  get browser() {
+    return this.browsingContext.top.embedderElement;
+  }
+
+  receiveMessage(aMessage) {
+    switch (aMessage.name) {
+      case "goBack":
+        this.leaveErrorPage(this.browser);
+        break;
+    }
+  }
+}
diff --git a/toolkit/actors/moz.build b/toolkit/actors/moz.build
@@ -31,6 +31,8 @@ TESTING_JS_MODULES += [
 FINAL_TARGET_FILES.actors += [
     "AboutHttpsOnlyErrorChild.sys.mjs",
     "AboutHttpsOnlyErrorParent.sys.mjs",
+    "AboutRestrictedChild.sys.mjs",
+    "AboutRestrictedParent.sys.mjs",
     "AudioPlaybackChild.sys.mjs",
     "AudioPlaybackParent.sys.mjs",
     "AutoCompleteChild.sys.mjs",
diff --git a/toolkit/content/aboutRestricted/aboutRestricted.css b/toolkit/content/aboutRestricted/aboutRestricted.css
@@ -0,0 +1,26 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+@import url("chrome://global/skin/error-pages.css");
+
+body {
+  --warning-color: #ffa436;
+}
+
+@media (prefers-color-scheme: dark) {
+  body {
+    --warning-color: #ffbd4f;
+  }
+}
+
+@media (prefers-contrast) {
+  body {
+    --warning-color: var(--text-color);
+  }
+}
+
+.title {
+  background-image: url("chrome://global/skin/icons/warning.svg");
+  fill: var(--warning-color);
+}
diff --git a/toolkit/content/aboutRestricted/aboutRestricted.html b/toolkit/content/aboutRestricted/aboutRestricted.html
@@ -0,0 +1,49 @@
+<!doctype html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<html data-l10n-sync="true">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src chrome:; object-src 'none'"
+    />
+    <meta name="color-scheme" content="light dark" />
+    <title data-l10n-id="restricted-page-title"></title>
+    <link
+      rel="stylesheet"
+      href="chrome://global/content/aboutRestricted/aboutRestricted.css"
+      type="text/css"
+      media="all"
+    />
+    <link
+      rel="icon"
+      id="favicon"
+      href="chrome://global/skin/icons/warning.svg"
+    />
+    <link rel="localization" href="branding/brand.ftl" />
+    <link rel="localization" href="locales-preview/aboutRestricted.ftl" />
+  </head>
+  <body>
+    <div class="container">
+      <div id="text-container">
+        <div class="title">
+          <h1 class="title-text" data-l10n-id="restricted-page-heading"></h1>
+        </div>
+        <p id="errorShortDesc" data-l10n-id="restricted-page-explain-what"></p>
+        <p id="errorShortDesc2" data-l10n-id="restricted-page-explain-why"></p>
+      </div>
+      <div class="button-container">
+        <button
+          id="goBack"
+          class="primary"
+          data-l10n-id="restricted-go-back-button"
+        ></button>
+      </div>
+    </div>
+    <script
+      type="module"
+      src="chrome://global/content/aboutRestricted/aboutRestricted.mjs"
+    ></script>
+  </body>
+</html>
diff --git a/toolkit/content/aboutRestricted/aboutRestricted.mjs b/toolkit/content/aboutRestricted/aboutRestricted.mjs
@@ -0,0 +1,39 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+function init() {
+  document
+    .getElementById("goBack")
+    .addEventListener("click", onReturnButtonClick);
+
+  const voluntary = RPMGetBoolPref("security.restrict_to_adults.always", false);
+  if (voluntary) {
+    document
+      .getElementById("errorShortDesc2")
+      .setAttribute("data-l10n-id", "restricted-page-explain-why-always");
+  }
+  try {
+    const outerURL = URL.parse(document.documentURI);
+    const innerURL = outerURL.searchParams.get("u");
+    const url = URL.parse(innerURL);
+    const host = url.host;
+    if (host && (url.protocol == "http:" || url.protocol == "https:")) {
+      let description = document.getElementById("errorShortDesc");
+      document.l10n.setAttributes(
+        description,
+        "restricted-page-explain-what-named",
+        { host }
+      );
+    }
+  } catch (_) {}
+  document.dispatchEvent(
+    new CustomEvent("AboutRestrictedLoad", { bubbles: true })
+  );
+}
+
+function onReturnButtonClick() {
+  RPMSendAsyncMessage("goBack");
+}
+
+init();
diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn
diff --git a/toolkit/locales-preview/aboutRestricted.ftl b/toolkit/locales-preview/aboutRestricted.ftl
diff --git a/toolkit/locales/jar.mn b/toolkit/locales/jar.mn
diff --git a/toolkit/modules/ActorManagerParent.sys.mjs b/toolkit/modules/ActorManagerParent.sys.mjs
diff --git a/toolkit/modules/RemotePageAccessManager.sys.mjs b/toolkit/modules/RemotePageAccessManager.sys.mjs
diff --git a/xpcom/base/ErrorList.py b/xpcom/base/ErrorList.py
diff --git a/xpcom/ds/StaticAtoms.py b/xpcom/ds/StaticAtoms.py

Original file line number	Diff line number	Diff line change
`@@ -2241,6 +2241,9 @@ class Document : public nsINode,`
`2241`	`2241`	`}`
`2242`	`2242`
`2243`	`2243`	`void ProcessMETATag(HTMLMetaElement* aMetaElement);`
	`2244`	`+`
	`2245`	`+ void TerminateParserAndDisableScripts();`
	`2246`	`+`
`2244`	`2247`	`/**`
`2245`	`2248`	`* Create an element with the specified name, prefix and namespace ID.`
`2246`	`2249`	`* Returns null if element name parsing failed.`