2010-06-25 15:58:09 -07:00
|
|
|
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
|
|
|
|
* vim: set ts=4 sw=4 et tw=99 ft=cpp:
|
|
|
|
*
|
|
|
|
* ***** BEGIN LICENSE BLOCK *****
|
|
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
|
|
* the License. You may obtain a copy of the License at
|
|
|
|
* http://www.mozilla.org/MPL/
|
|
|
|
*
|
|
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
|
|
* for the specific language governing rights and limitations under the
|
|
|
|
* License.
|
|
|
|
*
|
|
|
|
* The Original Code is mozilla.org code, released
|
|
|
|
* June 24, 2010.
|
|
|
|
*
|
|
|
|
* The Initial Developer of the Original Code is
|
|
|
|
* The Mozilla Foundation
|
|
|
|
*
|
|
|
|
* Contributor(s):
|
|
|
|
* Andreas Gal <gal@mozilla.com>
|
|
|
|
*
|
|
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
|
|
* either of the GNU General Public License Version 2 or later (the "GPL"),
|
|
|
|
* or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
|
|
* the provisions above, a recipient may use your version of this file under
|
|
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
|
|
*
|
|
|
|
* ***** END LICENSE BLOCK ***** */
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
#include "jsobj.h"
|
2010-09-20 14:48:01 -07:00
|
|
|
#include "jsvalue.h"
|
2010-07-02 13:54:53 -07:00
|
|
|
|
2010-06-25 15:58:09 -07:00
|
|
|
#include "WrapperFactory.h"
|
2010-07-02 13:54:53 -07:00
|
|
|
#include "CrossOriginWrapper.h"
|
|
|
|
#include "FilteringWrapper.h"
|
|
|
|
#include "XrayWrapper.h"
|
2010-06-25 15:58:09 -07:00
|
|
|
#include "AccessCheck.h"
|
2010-10-10 15:36:38 -07:00
|
|
|
#include "XPCWrapper.h"
|
2010-06-25 15:58:09 -07:00
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
#include "xpcprivate.h"
|
|
|
|
|
2010-06-25 15:58:09 -07:00
|
|
|
namespace xpc {
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
// When chrome pulls a naked property across the membrane using
|
|
|
|
// .wrappedJSObject, we want it to cross the membrane into the
|
|
|
|
// chrome compartment without automatically being wrapped into an
|
|
|
|
// X-ray wrapper. We achieve this by wrapping it into a special
|
|
|
|
// transparent wrapper in the origin (non-chrome) compartment. When
|
|
|
|
// an object with that special wrapper applied crosses into chrome,
|
|
|
|
// we know to not apply an X-ray wrapper.
|
|
|
|
JSWrapper WaiveXrayWrapperWrapper(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
|
|
|
|
|
|
|
|
// When objects for which we waived the X-ray wrapper cross into
|
|
|
|
// chrome, we wrap them into a special cross-compartment wrapper
|
|
|
|
// that transitively extends the waiver to all properties we get
|
|
|
|
// off it.
|
2010-10-10 15:47:22 -07:00
|
|
|
CrossOriginWrapper CrossOriginWrapper::singleton(0);
|
|
|
|
|
|
|
|
static JSObject *
|
|
|
|
DoubleWrap(JSContext *cx, JSObject *obj, uintN flags)
|
|
|
|
{
|
|
|
|
if (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) {
|
|
|
|
js::SwitchToCompartment sc(cx, obj->compartment());
|
|
|
|
return JSWrapper::New(cx, obj, NULL, obj->getParent(),
|
|
|
|
&WaiveXrayWrapperWrapper);
|
|
|
|
}
|
|
|
|
return obj;
|
|
|
|
}
|
2010-07-02 13:54:53 -07:00
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
JSObject *
|
|
|
|
WrapperFactory::PrepareForWrapping(JSContext *cx, JSObject *scope, JSObject *obj, uintN flags)
|
|
|
|
{
|
2010-10-10 15:47:22 -07:00
|
|
|
// Don't unwrap an outer window, just double wrap it if needed.
|
|
|
|
if (obj->getClass()->ext.innerObject)
|
|
|
|
return DoubleWrap(cx, obj, flags);
|
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
// Here are the rules for wrapping:
|
|
|
|
// We should never get a proxy here (the JS engine unwraps those for us).
|
2010-10-10 15:47:22 -07:00
|
|
|
JS_ASSERT(!obj->isWrapper());
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
// As soon as an object is wrapped in a security wrapper, it morphs to be
|
|
|
|
// a fat wrapper. (see also: bug XXX).
|
|
|
|
if (IS_SLIM_WRAPPER(obj) && !MorphSlimWrapper(cx, obj))
|
|
|
|
return nsnull;
|
|
|
|
|
|
|
|
// We only hand out outer objects to script.
|
|
|
|
OBJ_TO_OUTER_OBJECT(cx, obj);
|
2010-10-10 15:49:51 -07:00
|
|
|
if (!obj)
|
|
|
|
return nsnull;
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
// Now, our object is ready to be wrapped, but several objects (notably
|
|
|
|
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
|
|
|
|
// those objects in a security wrapper, then we need to hand back the
|
2010-10-10 15:47:16 -07:00
|
|
|
// wrapper for the new scope instead. Also, global objects don't move
|
|
|
|
// between scopes so for those we also want to return the wrapper. So...
|
|
|
|
if (!IS_WN_WRAPPER(obj) || !obj->getParent())
|
2010-10-10 15:47:22 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
XPCWrappedNative *wn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
|
|
|
|
|
2010-10-16 01:43:53 -07:00
|
|
|
// If the object doesn't have classinfo we want to return the same
|
|
|
|
// XPCWrappedNative so that we keep the same set of interfaces.
|
|
|
|
if (!wn->GetClassInfo())
|
|
|
|
return DoubleWrap(cx, obj, flags);
|
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
// We know that DOM objects only allow one object, we can return early.
|
2010-10-12 11:51:42 -07:00
|
|
|
if (wn->HasProto() && wn->GetProto()->ClassIsDOMObject())
|
2010-10-10 15:47:22 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
XPCCallContext ccx(JS_CALLER, cx, obj);
|
|
|
|
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
|
|
|
|
// We have a precreate hook. This object might enforce that we only
|
|
|
|
// ever create JS object for it.
|
|
|
|
JSObject *originalScope = scope;
|
|
|
|
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
|
|
|
|
PreCreate(wn->Native(), cx, scope, &scope);
|
2010-10-10 15:47:22 -07:00
|
|
|
NS_ENSURE_SUCCESS(rv, DoubleWrap(cx, obj, flags));
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
// If the handed back scope differs from the passed-in scope and is in
|
|
|
|
// a separate compartment, then this object is explicitly requesting
|
|
|
|
// that we don't create a second JS object for it: create a security
|
|
|
|
// wrapper.
|
|
|
|
if (originalScope->getCompartment() != scope->getCompartment())
|
2010-10-10 15:47:22 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
// Note: this penalizes objects that only have one wrapper, but are
|
|
|
|
// being accessed across compartments. We would really prefer to
|
|
|
|
// replace the above code with a test that says "do you only have one
|
|
|
|
// wrapper?"
|
|
|
|
}
|
|
|
|
|
|
|
|
// The object we're looking at might allow us to create a new wrapped
|
|
|
|
// native in the new scope. Try it and continue wrapping on the
|
|
|
|
// possibly-new object.
|
|
|
|
JSAutoEnterCompartment ac;
|
|
|
|
if (!ac.enter(cx, scope))
|
2010-10-10 15:47:22 -07:00
|
|
|
return nsnull;
|
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
jsval v;
|
|
|
|
nsresult rv =
|
|
|
|
nsXPConnect::FastGetXPConnect()->WrapNativeToJSVal(cx, scope, wn->Native(), nsnull,
|
|
|
|
&NS_GET_IID(nsISupports), PR_FALSE,
|
|
|
|
&v, nsnull);
|
2010-10-10 15:47:22 -07:00
|
|
|
if (NS_SUCCEEDED(rv))
|
|
|
|
obj = JSVAL_TO_OBJECT(v);
|
|
|
|
|
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
}
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
JSObject *
|
2010-09-17 14:54:40 -07:00
|
|
|
WrapperFactory::Rewrap(JSContext *cx, JSObject *obj, JSObject *wrappedProto, JSObject *parent,
|
|
|
|
uintN flags)
|
2010-06-25 15:58:09 -07:00
|
|
|
{
|
2010-10-10 15:47:22 -07:00
|
|
|
NS_ASSERTION(!obj->isWrapper() ||
|
|
|
|
(obj->isWrapper() &&
|
|
|
|
obj->getProxyHandler() == &WaiveXrayWrapperWrapper) ||
|
|
|
|
obj->getClass()->ext.innerObject,
|
2010-08-23 15:34:11 -07:00
|
|
|
"wrapped object passed to rewrap");
|
2010-09-23 15:56:28 -07:00
|
|
|
NS_ASSERTION(JS_GET_CLASS(cx, obj) != &XrayUtils::HolderClass, "trying to wrap a holder");
|
2010-07-02 13:54:53 -07:00
|
|
|
|
2010-09-27 13:49:09 -07:00
|
|
|
JSCompartment *origin = obj->getCompartment();
|
2010-07-02 13:54:53 -07:00
|
|
|
JSCompartment *target = cx->compartment;
|
2010-09-20 14:48:01 -07:00
|
|
|
JSObject *xrayHolder = nsnull;
|
2010-07-02 13:54:53 -07:00
|
|
|
|
|
|
|
JSWrapper *wrapper;
|
2010-10-12 16:28:22 -07:00
|
|
|
CompartmentPrivate *targetdata = static_cast<CompartmentPrivate *>(target->data);
|
2010-07-02 13:54:53 -07:00
|
|
|
if (AccessCheck::isChrome(target)) {
|
2010-09-17 14:54:41 -07:00
|
|
|
if (AccessCheck::isChrome(origin)) {
|
2010-10-14 14:56:31 -07:00
|
|
|
wrapper = &JSCrossCompartmentWrapper::singleton;
|
2010-09-17 14:54:41 -07:00
|
|
|
} else if (flags & WAIVE_XRAY_WRAPPER_FLAG) {
|
|
|
|
// If we waived the X-ray wrapper for this object, wrap it into a
|
|
|
|
// special wrapper to transitively maintain the X-ray waiver.
|
2010-10-10 15:47:22 -07:00
|
|
|
wrapper = &CrossOriginWrapper::singleton;
|
2010-07-02 13:54:53 -07:00
|
|
|
} else {
|
|
|
|
// Native objects must be wrapped into an X-ray wrapper.
|
2010-09-02 16:02:51 -07:00
|
|
|
if (!obj->getGlobal()->isSystem() &&
|
|
|
|
(IS_WN_WRAPPER(obj) || obj->getClass()->ext.innerObject)) {
|
2010-09-20 14:48:01 -07:00
|
|
|
typedef XrayWrapper<JSCrossCompartmentWrapper, CrossCompartmentXray> Xray;
|
2010-09-02 16:02:51 -07:00
|
|
|
wrapper = &Xray::singleton;
|
2010-09-20 14:48:01 -07:00
|
|
|
xrayHolder = Xray::createHolder(cx, obj, parent);
|
|
|
|
if (!xrayHolder)
|
|
|
|
return nsnull;
|
2010-09-02 16:02:51 -07:00
|
|
|
} else {
|
|
|
|
wrapper = &JSCrossCompartmentWrapper::singleton;
|
|
|
|
}
|
2010-07-02 13:54:53 -07:00
|
|
|
}
|
|
|
|
} else if (AccessCheck::isChrome(origin)) {
|
2010-10-10 15:48:55 -07:00
|
|
|
wrapper = &FilteringWrapper<JSCrossCompartmentWrapper,
|
|
|
|
ExposedPropertiesOnly>::singleton;
|
|
|
|
} else if (AccessCheck::isSameOrigin(origin, target)) {
|
|
|
|
// Same origin we use a transparent wrapper, unless the compartment asks
|
|
|
|
// for an Xray or the wrapper needs a SOW.
|
2010-07-02 13:54:53 -07:00
|
|
|
if (AccessCheck::needsSystemOnlyWrapper(obj)) {
|
|
|
|
wrapper = &FilteringWrapper<JSCrossCompartmentWrapper,
|
|
|
|
OnlyIfSubjectIsSystem>::singleton;
|
2010-10-12 16:28:22 -07:00
|
|
|
} else if (targetdata && targetdata->preferXrays && IS_WN_WRAPPER(obj)) {
|
2010-10-10 15:46:07 -07:00
|
|
|
typedef XrayWrapper<JSCrossCompartmentWrapper, CrossCompartmentXray> Xray;
|
|
|
|
wrapper = &Xray::singleton;
|
|
|
|
xrayHolder = Xray::createHolder(cx, obj, parent);
|
|
|
|
if (!xrayHolder)
|
|
|
|
return nsnull;
|
|
|
|
} else {
|
|
|
|
wrapper = &JSCrossCompartmentWrapper::singleton;
|
|
|
|
}
|
2010-07-02 13:54:53 -07:00
|
|
|
} else {
|
2010-10-10 15:48:55 -07:00
|
|
|
NS_ASSERTION(!AccessCheck::needsSystemOnlyWrapper(obj),
|
|
|
|
"bad object exposed across origins");
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
// Cross origin we want to disallow scripting and limit access to
|
|
|
|
// a predefined set of properties. XrayWrapper adds a property
|
|
|
|
// (.wrappedJSObject) which allows bypassing the XrayWrapper, but
|
|
|
|
// we filter out access to that property.
|
2010-10-10 15:41:20 -07:00
|
|
|
if (!IS_WN_WRAPPER(obj) && !obj->getClass()->ext.innerObject) {
|
2010-09-02 16:02:51 -07:00
|
|
|
wrapper = &FilteringWrapper<JSCrossCompartmentWrapper,
|
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
|
|
|
} else {
|
2010-09-20 14:48:01 -07:00
|
|
|
typedef XrayWrapper<JSCrossCompartmentWrapper, CrossCompartmentXray> Xray;
|
2010-09-29 10:00:52 -07:00
|
|
|
|
|
|
|
// Location objects can become same origin after navigation, so we might
|
|
|
|
// have to grant transparent access later on.
|
|
|
|
if (IsLocationObject(obj)) {
|
|
|
|
wrapper = &FilteringWrapper<Xray,
|
|
|
|
SameOriginOrCrossOriginAccessiblePropertiesOnly>::singleton;
|
|
|
|
} else {
|
|
|
|
wrapper= &FilteringWrapper<Xray,
|
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
|
|
|
}
|
|
|
|
|
2010-09-20 14:48:01 -07:00
|
|
|
xrayHolder = Xray::createHolder(cx, obj, parent);
|
|
|
|
if (!xrayHolder)
|
|
|
|
return nsnull;
|
2010-09-02 16:02:51 -07:00
|
|
|
}
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|
2010-09-20 14:48:01 -07:00
|
|
|
|
2010-09-24 18:00:58 -07:00
|
|
|
JSObject *wrapperObj = JSWrapper::New(cx, obj, wrappedProto, parent, wrapper);
|
2010-09-20 14:48:01 -07:00
|
|
|
if (!wrapperObj || !xrayHolder)
|
|
|
|
return wrapperObj;
|
2010-10-10 15:35:54 -07:00
|
|
|
|
|
|
|
// NB: The fact that the only wrappers to use ProxyExtra are XrayWrappers
|
|
|
|
// is relied on by XPCNativeWrapper.unwrap.
|
2010-09-20 14:48:01 -07:00
|
|
|
wrapperObj->setProxyExtra(js::ObjectValue(*xrayHolder));
|
|
|
|
return wrapperObj;
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|
|
|
|
|
2010-09-29 10:00:52 -07:00
|
|
|
typedef FilteringWrapper<XrayWrapper<JSWrapper, SameCompartmentXray>,
|
|
|
|
SameOriginOrCrossOriginAccessiblePropertiesOnly> LW;
|
|
|
|
|
|
|
|
bool
|
|
|
|
WrapperFactory::IsLocationObject(JSObject *obj)
|
|
|
|
{
|
|
|
|
const char *name = obj->getClass()->name;
|
|
|
|
return name[0] == 'L' && !strcmp(name, "Location");
|
|
|
|
}
|
|
|
|
|
|
|
|
JSObject *
|
|
|
|
WrapperFactory::WrapLocationObject(JSContext *cx, JSObject *obj)
|
|
|
|
{
|
|
|
|
JSObject *xrayHolder = LW::createHolder(cx, obj, obj->getParent());
|
|
|
|
if (!xrayHolder)
|
|
|
|
return NULL;
|
|
|
|
JSObject *wrapperObj = JSWrapper::New(cx, obj, obj->getProto(), NULL, &LW::singleton);
|
|
|
|
if (!wrapperObj)
|
|
|
|
return NULL;
|
|
|
|
wrapperObj->setProxyExtra(js::ObjectValue(*xrayHolder));
|
|
|
|
return wrapperObj;
|
|
|
|
}
|
|
|
|
|
2010-10-10 15:48:29 -07:00
|
|
|
bool
|
|
|
|
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
|
|
|
|
{
|
2010-10-14 13:41:52 -07:00
|
|
|
if (JSVAL_IS_PRIMITIVE(*vp))
|
|
|
|
return JS_WrapValue(cx, vp);
|
2010-10-10 15:48:29 -07:00
|
|
|
|
|
|
|
JSObject *obj = JSVAL_TO_OBJECT(*vp)->unwrap();
|
|
|
|
|
|
|
|
// We have to make sure that if we're wrapping an outer window, that
|
|
|
|
// the .wrappedJSObject also wraps the outer window.
|
|
|
|
OBJ_TO_OUTER_OBJECT(cx, obj);
|
|
|
|
if (!obj)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
{
|
|
|
|
js::SwitchToCompartment sc(cx, obj->compartment());
|
|
|
|
obj = JSWrapper::New(cx, obj, NULL, obj->getParent(), &WaiveXrayWrapperWrapper);
|
|
|
|
if (!obj)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
*vp = OBJECT_TO_JSVAL(obj);
|
|
|
|
return JS_WrapValue(cx, vp);
|
|
|
|
}
|
|
|
|
|
2010-10-10 15:48:55 -07:00
|
|
|
JSObject *
|
|
|
|
WrapperFactory::WrapSOWObject(JSContext *cx, JSObject *obj)
|
|
|
|
{
|
|
|
|
JSObject *wrapperObj =
|
|
|
|
JSWrapper::New(cx, obj, obj->getProto(), NULL,
|
|
|
|
&FilteringWrapper<JSWrapper,
|
|
|
|
OnlyIfSubjectIsSystem>::singleton);
|
|
|
|
return wrapperObj;
|
|
|
|
}
|
|
|
|
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|