671 lines
27 KiB
C++
671 lines
27 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "WaiveXrayWrapper.h"
|
|
#include "FilteringWrapper.h"
|
|
#include "AddonWrapper.h"
|
|
#include "XrayWrapper.h"
|
|
#include "AccessCheck.h"
|
|
#include "XPCWrapper.h"
|
|
#include "ChromeObjectWrapper.h"
|
|
#include "WrapperFactory.h"
|
|
|
|
#include "xpcprivate.h"
|
|
#include "XPCMaps.h"
|
|
#include "mozilla/dom/BindingUtils.h"
|
|
#include "jsfriendapi.h"
|
|
#include "mozilla/jsipc/CrossProcessObjectWrappers.h"
|
|
#include "mozilla/Likely.h"
|
|
#include "mozilla/dom/ScriptSettings.h"
|
|
#include "nsContentUtils.h"
|
|
#include "nsXULAppAPI.h"
|
|
|
|
using namespace JS;
|
|
using namespace js;
|
|
using namespace mozilla;
|
|
|
|
namespace xpc {
|
|
|
|
// When chrome pulls a naked property across the membrane using
|
|
// .wrappedJSObject, we want it to cross the membrane into the
|
|
// chrome compartment without automatically being wrapped into an
|
|
// X-ray wrapper. We achieve this by wrapping it into a special
|
|
// transparent wrapper in the origin (non-chrome) compartment. When
|
|
// an object with that special wrapper applied crosses into chrome,
|
|
// we know to not apply an X-ray wrapper.
|
|
const Wrapper XrayWaiver(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
|
|
|
|
// When objects for which we waived the X-ray wrapper cross into
|
|
// chrome, we wrap them into a special cross-compartment wrapper
|
|
// that transitively extends the waiver to all properties we get
|
|
// off it.
|
|
const WaiveXrayWrapper WaiveXrayWrapper::singleton(0);
|
|
|
|
bool
|
|
WrapperFactory::IsCOW(JSObject* obj)
|
|
{
|
|
return IsWrapper(obj) &&
|
|
Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
|
|
}
|
|
|
|
JSObject*
|
|
WrapperFactory::GetXrayWaiver(HandleObject obj)
|
|
{
|
|
// Object should come fully unwrapped but outerized.
|
|
MOZ_ASSERT(obj == UncheckedUnwrap(obj));
|
|
MOZ_ASSERT(!js::IsWindow(obj));
|
|
XPCWrappedNativeScope* scope = ObjectScope(obj);
|
|
MOZ_ASSERT(scope);
|
|
|
|
if (!scope->mWaiverWrapperMap)
|
|
return nullptr;
|
|
|
|
return scope->mWaiverWrapperMap->Find(obj);
|
|
}
|
|
|
|
JSObject*
|
|
WrapperFactory::CreateXrayWaiver(JSContext* cx, HandleObject obj)
|
|
{
|
|
// The caller is required to have already done a lookup.
|
|
// NB: This implictly performs the assertions of GetXrayWaiver.
|
|
MOZ_ASSERT(!GetXrayWaiver(obj));
|
|
XPCWrappedNativeScope* scope = ObjectScope(obj);
|
|
|
|
JSAutoCompartment ac(cx, obj);
|
|
JSObject* waiver = Wrapper::New(cx, obj, &XrayWaiver);
|
|
if (!waiver)
|
|
return nullptr;
|
|
|
|
// Add the new waiver to the map. It's important that we only ever have
|
|
// one waiver for the lifetime of the target object.
|
|
if (!scope->mWaiverWrapperMap) {
|
|
scope->mWaiverWrapperMap =
|
|
JSObject2JSObjectMap::newMap(XPC_WRAPPER_MAP_LENGTH);
|
|
}
|
|
if (!scope->mWaiverWrapperMap->Add(cx, obj, waiver))
|
|
return nullptr;
|
|
return waiver;
|
|
}
|
|
|
|
JSObject*
|
|
WrapperFactory::WaiveXray(JSContext* cx, JSObject* objArg)
|
|
{
|
|
RootedObject obj(cx, objArg);
|
|
obj = UncheckedUnwrap(obj);
|
|
MOZ_ASSERT(!js::IsWindow(obj));
|
|
|
|
JSObject* waiver = GetXrayWaiver(obj);
|
|
if (!waiver) {
|
|
waiver = CreateXrayWaiver(cx, obj);
|
|
}
|
|
MOZ_ASSERT(!ObjectIsMarkedGray(waiver));
|
|
return waiver;
|
|
}
|
|
|
|
/* static */ bool
|
|
WrapperFactory::AllowWaiver(JSCompartment* target, JSCompartment* origin)
|
|
{
|
|
return CompartmentPrivate::Get(target)->allowWaivers &&
|
|
AccessCheck::subsumes(target, origin);
|
|
}
|
|
|
|
/* static */ bool
|
|
WrapperFactory::AllowWaiver(JSObject* wrapper) {
|
|
MOZ_ASSERT(js::IsCrossCompartmentWrapper(wrapper));
|
|
return AllowWaiver(js::GetObjectCompartment(wrapper),
|
|
js::GetObjectCompartment(js::UncheckedUnwrap(wrapper)));
|
|
}
|
|
|
|
inline bool
|
|
ShouldWaiveXray(JSContext* cx, JSObject* originalObj)
|
|
{
|
|
unsigned flags;
|
|
(void) js::UncheckedUnwrap(originalObj, /* stopAtWindowProxy = */ true, &flags);
|
|
|
|
// If the original object did not point through an Xray waiver, we're done.
|
|
if (!(flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG))
|
|
return false;
|
|
|
|
// If the original object was not a cross-compartment wrapper, that means
|
|
// that the caller explicitly created a waiver. Preserve it so that things
|
|
// like WaiveXrayAndWrap work.
|
|
if (!(flags & Wrapper::CROSS_COMPARTMENT))
|
|
return true;
|
|
|
|
// Otherwise, this is a case of explicitly passing a wrapper across a
|
|
// compartment boundary. In that case, we only want to preserve waivers
|
|
// in transactions between same-origin compartments.
|
|
JSCompartment* oldCompartment = js::GetObjectCompartment(originalObj);
|
|
JSCompartment* newCompartment = js::GetContextCompartment(cx);
|
|
bool sameOrigin =
|
|
AccessCheck::subsumesConsideringDomain(oldCompartment, newCompartment) &&
|
|
AccessCheck::subsumesConsideringDomain(newCompartment, oldCompartment);
|
|
return sameOrigin;
|
|
}
|
|
|
|
void
|
|
WrapperFactory::PrepareForWrapping(JSContext* cx, HandleObject scope,
|
|
HandleObject objArg, HandleObject objectPassedToWrap,
|
|
MutableHandleObject retObj)
|
|
{
|
|
bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
|
|
RootedObject obj(cx, objArg);
|
|
retObj.set(nullptr);
|
|
// Outerize any raw inner objects at the entry point here, so that we don't
|
|
// have to worry about them for the rest of the wrapping code.
|
|
if (js::IsWindow(obj)) {
|
|
JSAutoCompartment ac(cx, obj);
|
|
obj = js::ToWindowProxyIfWindow(obj);
|
|
MOZ_ASSERT(obj);
|
|
// ToWindowProxyIfWindow can return a CCW if |obj| was a
|
|
// navigated-away-from Window. Strip any CCWs.
|
|
obj = js::UncheckedUnwrap(obj);
|
|
if (JS_IsDeadWrapper(obj)) {
|
|
JS_ReportErrorASCII(cx, "Can't wrap dead object");
|
|
return;
|
|
}
|
|
MOZ_ASSERT(js::IsWindowProxy(obj));
|
|
// We crossed a compartment boundary there, so may now have a gray
|
|
// object. This function is not allowed to return gray objects, so
|
|
// don't do that.
|
|
ExposeObjectToActiveJS(obj);
|
|
}
|
|
|
|
// If we've got a WindowProxy, there's nothing special that needs to be
|
|
// done here, and we can move on to the next phase of wrapping. We handle
|
|
// this case first to allow us to assert against wrappers below.
|
|
if (js::IsWindowProxy(obj)) {
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
|
|
// Here are the rules for wrapping:
|
|
// We should never get a proxy here (the JS engine unwraps those for us).
|
|
MOZ_ASSERT(!IsWrapper(obj));
|
|
|
|
// Now, our object is ready to be wrapped, but several objects (notably
|
|
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
|
|
// those objects in a security wrapper, then we need to hand back the
|
|
// wrapper for the new scope instead. Also, global objects don't move
|
|
// between scopes so for those we also want to return the wrapper. So...
|
|
if (!IS_WN_REFLECTOR(obj) || JS_IsGlobalObject(obj)) {
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
|
|
XPCWrappedNative* wn = XPCWrappedNative::Get(obj);
|
|
|
|
JSAutoCompartment ac(cx, obj);
|
|
XPCCallContext ccx(cx, obj);
|
|
RootedObject wrapScope(cx, scope);
|
|
|
|
{
|
|
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
|
|
// We have a precreate hook. This object might enforce that we only
|
|
// ever create JS object for it.
|
|
|
|
// Note: this penalizes objects that only have one wrapper, but are
|
|
// being accessed across compartments. We would really prefer to
|
|
// replace the above code with a test that says "do you only have one
|
|
// wrapper?"
|
|
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
|
|
PreCreate(wn->Native(), cx, scope, wrapScope.address());
|
|
if (NS_FAILED(rv)) {
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
|
|
// If the handed back scope differs from the passed-in scope and is in
|
|
// a separate compartment, then this object is explicitly requesting
|
|
// that we don't create a second JS object for it: create a security
|
|
// wrapper.
|
|
if (js::GetObjectCompartment(scope) != js::GetObjectCompartment(wrapScope)) {
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
|
|
RootedObject currentScope(cx, JS_GetGlobalForObject(cx, obj));
|
|
if (MOZ_UNLIKELY(wrapScope != currentScope)) {
|
|
// The wrapper claims it wants to be in the new scope, but
|
|
// currently has a reflection that lives in the old scope. This
|
|
// can mean one of two things, both of which are rare:
|
|
//
|
|
// 1 - The object has a PreCreate hook (we checked for it above),
|
|
// but is deciding to request one-wrapper-per-scope (rather than
|
|
// one-wrapper-per-native) for some reason. Usually, a PreCreate
|
|
// hook indicates one-wrapper-per-native. In this case we want to
|
|
// make a new wrapper in the new scope.
|
|
//
|
|
// 2 - We're midway through wrapper reparenting. The document has
|
|
// moved to a new scope, but |wn| hasn't been moved yet, and
|
|
// we ended up calling JS_WrapObject() on its JS object. In this
|
|
// case, we want to return the existing wrapper.
|
|
//
|
|
// So we do a trick: call PreCreate _again_, but say that we're
|
|
// wrapping for the old scope, rather than the new one. If (1) is
|
|
// the case, then PreCreate will return the scope we pass to it
|
|
// (the old scope). If (2) is the case, PreCreate will return the
|
|
// scope of the document (the new scope).
|
|
RootedObject probe(cx);
|
|
rv = wn->GetScriptableInfo()->GetCallback()->
|
|
PreCreate(wn->Native(), cx, currentScope, probe.address());
|
|
|
|
// Check for case (2).
|
|
if (probe != currentScope) {
|
|
MOZ_ASSERT(probe == wrapScope);
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
|
|
// Ok, must be case (1). Fall through and create a new wrapper.
|
|
}
|
|
|
|
// Nasty hack for late-breaking bug 781476. This will confuse identity checks,
|
|
// but it's probably better than any of our alternatives.
|
|
//
|
|
// Note: We have to ignore domain here. The JS engine assumes that, given a
|
|
// compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
|
|
// it will also return a cross-compartment wrapper for any time t1 > t0 unless
|
|
// an explicit transplant is performed. In particular, wrapper recomputation
|
|
// assumes that recomputing a wrapper will always result in a wrapper.
|
|
//
|
|
// This doesn't actually pose a security issue, because we'll still compute
|
|
// the correct (opaque) wrapper for the object below given the security
|
|
// characteristics of the two compartments.
|
|
if (!AccessCheck::isChrome(js::GetObjectCompartment(wrapScope)) &&
|
|
AccessCheck::subsumes(js::GetObjectCompartment(wrapScope),
|
|
js::GetObjectCompartment(obj)))
|
|
{
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
// This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
|
|
// so we don't have to.
|
|
RootedValue v(cx);
|
|
nsresult rv =
|
|
nsXPConnect::XPConnect()->WrapNativeToJSVal(cx, wrapScope, wn->Native(), nullptr,
|
|
&NS_GET_IID(nsISupports), false, &v);
|
|
if (NS_FAILED(rv)) {
|
|
return;
|
|
}
|
|
|
|
obj.set(&v.toObject());
|
|
MOZ_ASSERT(IS_WN_REFLECTOR(obj), "bad object");
|
|
MOZ_ASSERT(!ObjectIsMarkedGray(obj), "Should never return gray reflectors");
|
|
|
|
// Because the underlying native didn't have a PreCreate hook, we had
|
|
// to a new (or possibly pre-existing) XPCWN in our compartment.
|
|
// This could be a problem for chrome code that passes XPCOM objects
|
|
// across compartments, because the effects of QI would disappear across
|
|
// compartments.
|
|
//
|
|
// So whenever we pull an XPCWN across compartments in this manner, we
|
|
// give the destination object the union of the two native sets. We try
|
|
// to do this cleverly in the common case to avoid too much overhead.
|
|
XPCWrappedNative* newwn = XPCWrappedNative::Get(obj);
|
|
RefPtr<XPCNativeSet> unionSet = XPCNativeSet::GetNewOrUsed(newwn->GetSet(),
|
|
wn->GetSet(), false);
|
|
if (!unionSet) {
|
|
return;
|
|
}
|
|
newwn->SetSet(unionSet.forget());
|
|
|
|
retObj.set(waive ? WaiveXray(cx, obj) : obj);
|
|
}
|
|
|
|
#ifdef DEBUG
|
|
static void
|
|
DEBUG_CheckUnwrapSafety(HandleObject obj, const js::Wrapper* handler,
|
|
JSCompartment* origin, JSCompartment* target)
|
|
{
|
|
if (AccessCheck::isChrome(target) || xpc::IsUniversalXPConnectEnabled(target)) {
|
|
// If the caller is chrome (or effectively so), unwrap should always be allowed.
|
|
MOZ_ASSERT(!handler->hasSecurityPolicy());
|
|
} else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
|
|
// Similarly, if this is a privileged scope that has opted to make itself
|
|
// accessible to the world (allowed only during automation), unwrap should
|
|
// be allowed.
|
|
MOZ_ASSERT(!handler->hasSecurityPolicy());
|
|
} else {
|
|
// Otherwise, it should depend on whether the target subsumes the origin.
|
|
MOZ_ASSERT(handler->hasSecurityPolicy() == !AccessCheck::subsumesConsideringDomain(target, origin));
|
|
}
|
|
}
|
|
#else
|
|
#define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) {}
|
|
#endif
|
|
|
|
static const Wrapper*
|
|
SelectWrapper(bool securityWrapper, bool wantXrays, XrayType xrayType,
|
|
bool waiveXrays, bool originIsXBLScope, JSObject* obj)
|
|
{
|
|
// Waived Xray uses a modified CCW that has transparent behavior but
|
|
// transitively waives Xrays on arguments.
|
|
if (waiveXrays) {
|
|
MOZ_ASSERT(!securityWrapper);
|
|
return &WaiveXrayWrapper::singleton;
|
|
}
|
|
|
|
// If we don't want or can't use Xrays, select a wrapper that's either
|
|
// entirely transparent or entirely opaque.
|
|
if (!wantXrays || xrayType == NotXray) {
|
|
if (!securityWrapper)
|
|
return &CrossCompartmentWrapper::singleton;
|
|
return &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
|
|
}
|
|
|
|
// Ok, we're using Xray. If this isn't a security wrapper, use the permissive
|
|
// version and skip the filter.
|
|
if (!securityWrapper) {
|
|
if (xrayType == XrayForWrappedNative)
|
|
return &PermissiveXrayXPCWN::singleton;
|
|
else if (xrayType == XrayForDOMObject)
|
|
return &PermissiveXrayDOM::singleton;
|
|
else if (xrayType == XrayForJSObject)
|
|
return &PermissiveXrayJS::singleton;
|
|
MOZ_ASSERT(xrayType == XrayForOpaqueObject);
|
|
return &PermissiveXrayOpaque::singleton;
|
|
}
|
|
|
|
// This is a security wrapper. Use the security versions and filter.
|
|
if (xrayType == XrayForDOMObject && IdentifyCrossOriginObject(obj) != CrossOriginOpaque)
|
|
return &FilteringWrapper<CrossOriginXrayWrapper,
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
|
|
|
// There's never any reason to expose other objects to non-subsuming actors.
|
|
// Just use an opaque wrapper in these cases.
|
|
//
|
|
// In general, we don't want opaque function wrappers to be callable.
|
|
// But in the case of XBL, we rely on content being able to invoke
|
|
// functions exposed from the XBL scope. We could remove this exception,
|
|
// if needed, by using ExportFunction to generate the content-side
|
|
// representations of XBL methods.
|
|
if (xrayType == XrayForJSObject && originIsXBLScope)
|
|
return &FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>::singleton;
|
|
return &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
|
|
}
|
|
|
|
static const Wrapper*
|
|
SelectAddonWrapper(JSContext* cx, HandleObject obj, const Wrapper* wrapper)
|
|
{
|
|
JSAddonId* originAddon = JS::AddonIdOfObject(obj);
|
|
JSAddonId* targetAddon = JS::AddonIdOfObject(JS::CurrentGlobalOrNull(cx));
|
|
|
|
MOZ_ASSERT(AccessCheck::isChrome(JS::CurrentGlobalOrNull(cx)));
|
|
MOZ_ASSERT(targetAddon);
|
|
|
|
if (targetAddon == originAddon)
|
|
return wrapper;
|
|
|
|
// Add-on interposition only supports certain wrapper types, so we check if
|
|
// we would have used one of the supported ones.
|
|
if (wrapper == &CrossCompartmentWrapper::singleton)
|
|
return &AddonWrapper<CrossCompartmentWrapper>::singleton;
|
|
else if (wrapper == &PermissiveXrayXPCWN::singleton)
|
|
return &AddonWrapper<PermissiveXrayXPCWN>::singleton;
|
|
else if (wrapper == &PermissiveXrayDOM::singleton)
|
|
return &AddonWrapper<PermissiveXrayDOM>::singleton;
|
|
|
|
// |wrapper| is not supported for interposition, so we don't do it.
|
|
return wrapper;
|
|
}
|
|
|
|
JSObject*
|
|
WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj)
|
|
{
|
|
MOZ_ASSERT(!IsWrapper(obj) ||
|
|
GetProxyHandler(obj) == &XrayWaiver ||
|
|
js::IsWindowProxy(obj),
|
|
"wrapped object passed to rewrap");
|
|
MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
|
|
MOZ_ASSERT(!js::IsWindow(obj));
|
|
MOZ_ASSERT(dom::IsJSAPIActive());
|
|
|
|
// Compute the information we need to select the right wrapper.
|
|
JSCompartment* origin = js::GetObjectCompartment(obj);
|
|
JSCompartment* target = js::GetContextCompartment(cx);
|
|
bool originIsChrome = AccessCheck::isChrome(origin);
|
|
bool targetIsChrome = AccessCheck::isChrome(target);
|
|
bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
|
|
bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
|
|
bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
|
|
XrayType xrayType = GetXrayType(obj);
|
|
|
|
const Wrapper* wrapper;
|
|
|
|
//
|
|
// First, handle the special cases.
|
|
//
|
|
|
|
// If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
|
|
// a vanilla CCW.
|
|
if (xpc::IsUniversalXPConnectEnabled(target)) {
|
|
CrashIfNotInAutomation();
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
|
}
|
|
|
|
// Let the SpecialPowers scope make its stuff easily accessible to content.
|
|
else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
|
|
CrashIfNotInAutomation();
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
|
}
|
|
|
|
// Special handling for chrome objects being exposed to content.
|
|
else if (originIsChrome && !targetIsChrome) {
|
|
// If this is a chrome function being exposed to content, we need to allow
|
|
// call (but nothing else). We allow CPOWs that purport to be function's
|
|
// here, but only in the content process.
|
|
if ((IdentifyStandardInstance(obj) == JSProto_Function ||
|
|
(jsipc::IsCPOW(obj) && JS::IsCallable(obj) &&
|
|
XRE_IsContentProcess())))
|
|
{
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>::singleton;
|
|
}
|
|
|
|
// For Vanilla JSObjects exposed from chrome to content, we use a wrapper
|
|
// that supports __exposedProps__. We'd like to get rid of these eventually,
|
|
// but in their current form they don't cause much trouble.
|
|
else if (IdentifyStandardInstance(obj) == JSProto_Object) {
|
|
wrapper = &ChromeObjectWrapper::singleton;
|
|
}
|
|
|
|
// Otherwise we get an opaque wrapper.
|
|
else {
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now, handle the regular cases.
|
|
//
|
|
// These are wrappers we can compute using a rule-based approach. In order
|
|
// to do so, we need to compute some parameters.
|
|
//
|
|
else {
|
|
|
|
// The wrapper is a security wrapper (protecting the wrappee) if and
|
|
// only if the target does not subsume the origin.
|
|
bool securityWrapper = !targetSubsumesOrigin;
|
|
|
|
// Xrays are warranted if either the target or the origin don't trust
|
|
// each other. This is generally the case, unless the two are same-origin
|
|
// and the caller has not requested same-origin Xrays.
|
|
//
|
|
// Xrays are a bidirectional protection, since it affords clarity to the
|
|
// caller and privacy to the callee.
|
|
bool sameOriginXrays = CompartmentPrivate::Get(origin)->wantXrays ||
|
|
CompartmentPrivate::Get(target)->wantXrays;
|
|
bool wantXrays = !sameOrigin || sameOriginXrays;
|
|
|
|
// If Xrays are warranted, the caller may waive them for non-security
|
|
// wrappers (unless explicitly forbidden from doing so).
|
|
bool waiveXrays = wantXrays && !securityWrapper &&
|
|
CompartmentPrivate::Get(target)->allowWaivers &&
|
|
HasWaiveXrayFlag(obj);
|
|
|
|
// We have slightly different behavior for the case when the object
|
|
// being wrapped is in an XBL scope.
|
|
bool originIsContentXBLScope = IsContentXBLScope(origin);
|
|
|
|
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays,
|
|
originIsContentXBLScope, obj);
|
|
|
|
// If we want to apply add-on interposition in the target compartment,
|
|
// then we try to "upgrade" the wrapper to an interposing one.
|
|
if (CompartmentPrivate::Get(target)->scope->HasInterposition())
|
|
wrapper = SelectAddonWrapper(cx, obj, wrapper);
|
|
}
|
|
|
|
if (!targetSubsumesOrigin) {
|
|
// Do a belt-and-suspenders check against exposing eval()/Function() to
|
|
// non-subsuming content.
|
|
if (JSFunction* fun = JS_GetObjectFunction(obj)) {
|
|
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
|
|
NS_WARNING("Trying to expose eval or Function to non-subsuming content!");
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
|
|
}
|
|
}
|
|
}
|
|
|
|
DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
|
|
|
|
if (existing)
|
|
return Wrapper::Renew(existing, obj, wrapper);
|
|
|
|
return Wrapper::New(cx, obj, wrapper);
|
|
}
|
|
|
|
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
|
|
// wrapped in an Xray wrapper. cx->compartment is the compartment that will be
|
|
// using the returned object. If the object to be wrapped is already in the
|
|
// correct compartment, then this returns the unwrapped object.
|
|
bool
|
|
WrapperFactory::WaiveXrayAndWrap(JSContext* cx, MutableHandleValue vp)
|
|
{
|
|
if (vp.isPrimitive())
|
|
return JS_WrapValue(cx, vp);
|
|
|
|
RootedObject obj(cx, &vp.toObject());
|
|
if (!WaiveXrayAndWrap(cx, &obj))
|
|
return false;
|
|
|
|
vp.setObject(*obj);
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
WrapperFactory::WaiveXrayAndWrap(JSContext* cx, MutableHandleObject argObj)
|
|
{
|
|
MOZ_ASSERT(argObj);
|
|
RootedObject obj(cx, js::UncheckedUnwrap(argObj));
|
|
MOZ_ASSERT(!js::IsWindow(obj));
|
|
if (js::IsObjectInContextCompartment(obj, cx)) {
|
|
argObj.set(obj);
|
|
return true;
|
|
}
|
|
|
|
// Even though waivers have no effect on access by scopes that don't subsume
|
|
// the underlying object, good defense-in-depth dictates that we should avoid
|
|
// handing out waivers to callers that can't use them. The transitive waiving
|
|
// machinery unconditionally calls WaiveXrayAndWrap on return values from
|
|
// waived functions, even though the return value might be not be same-origin
|
|
// with the function. So if we find ourselves trying to create a waiver for
|
|
// |cx|, we should check whether the caller has any business with waivers
|
|
// to things in |obj|'s compartment.
|
|
JSCompartment* target = js::GetContextCompartment(cx);
|
|
JSCompartment* origin = js::GetObjectCompartment(obj);
|
|
obj = AllowWaiver(target, origin) ? WaiveXray(cx, obj) : obj;
|
|
if (!obj)
|
|
return false;
|
|
|
|
if (!JS_WrapObject(cx, &obj))
|
|
return false;
|
|
argObj.set(obj);
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Calls to JS_TransplantObject* should go through these helpers here so that
|
|
* waivers get fixed up properly.
|
|
*/
|
|
|
|
static bool
|
|
FixWaiverAfterTransplant(JSContext* cx, HandleObject oldWaiver, HandleObject newobj)
|
|
{
|
|
MOZ_ASSERT(Wrapper::wrapperHandler(oldWaiver) == &XrayWaiver);
|
|
MOZ_ASSERT(!js::IsCrossCompartmentWrapper(newobj));
|
|
|
|
// Create a waiver in the new compartment. We know there's not one already
|
|
// because we _just_ transplanted, which means that |newobj| was either
|
|
// created from scratch, or was previously cross-compartment wrapper (which
|
|
// should have no waiver). CreateXrayWaiver asserts this.
|
|
JSObject* newWaiver = WrapperFactory::CreateXrayWaiver(cx, newobj);
|
|
if (!newWaiver)
|
|
return false;
|
|
|
|
// Update all the cross-compartment references to oldWaiver to point to
|
|
// newWaiver.
|
|
if (!js::RemapAllWrappersForObject(cx, oldWaiver, newWaiver))
|
|
return false;
|
|
|
|
// There should be no same-compartment references to oldWaiver, and we
|
|
// just remapped all cross-compartment references. It's dead, so we can
|
|
// remove it from the map.
|
|
XPCWrappedNativeScope* scope = ObjectScope(oldWaiver);
|
|
JSObject* key = Wrapper::wrappedObject(oldWaiver);
|
|
MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
|
|
scope->mWaiverWrapperMap->Remove(key);
|
|
return true;
|
|
}
|
|
|
|
JSObject*
|
|
TransplantObject(JSContext* cx, JS::HandleObject origobj, JS::HandleObject target)
|
|
{
|
|
RootedObject oldWaiver(cx, WrapperFactory::GetXrayWaiver(origobj));
|
|
RootedObject newIdentity(cx, JS_TransplantObject(cx, origobj, target));
|
|
if (!newIdentity || !oldWaiver)
|
|
return newIdentity;
|
|
|
|
if (!FixWaiverAfterTransplant(cx, oldWaiver, newIdentity))
|
|
return nullptr;
|
|
return newIdentity;
|
|
}
|
|
|
|
nsIGlobalObject*
|
|
NativeGlobal(JSObject* obj)
|
|
{
|
|
obj = js::GetGlobalForObjectCrossCompartment(obj);
|
|
|
|
// Every global needs to hold a native as its private or be a
|
|
// WebIDL object with an nsISupports DOM object.
|
|
MOZ_ASSERT((GetObjectClass(obj)->flags & (JSCLASS_PRIVATE_IS_NSISUPPORTS |
|
|
JSCLASS_HAS_PRIVATE)) ||
|
|
dom::UnwrapDOMObjectToISupports(obj));
|
|
|
|
nsISupports* native = dom::UnwrapDOMObjectToISupports(obj);
|
|
if (!native) {
|
|
native = static_cast<nsISupports*>(js::GetObjectPrivate(obj));
|
|
MOZ_ASSERT(native);
|
|
|
|
// In some cases (like for windows) it is a wrapped native,
|
|
// in other cases (sandboxes, backstage passes) it's just
|
|
// a direct pointer to the native. If it's a wrapped native
|
|
// let's unwrap it first.
|
|
if (nsCOMPtr<nsIXPConnectWrappedNative> wn = do_QueryInterface(native)) {
|
|
native = wn->Native();
|
|
}
|
|
}
|
|
|
|
nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(native);
|
|
MOZ_ASSERT(global, "Native held by global needs to implement nsIGlobalObject!");
|
|
|
|
return global;
|
|
}
|
|
|
|
} // namespace xpc
|