gecko/js/xpconnect/wrappers/AccessCheck.h

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=4 sw=4 et tw=99 ft=cpp:
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __AccessCheck_h__
#define __AccessCheck_h__

#include "jswrapper.h"
#include "js/Id.h"

class nsIPrincipal;

namespace xpc {

class AccessCheck {
  public:
    static bool subsumes(JSCompartment *a, JSCompartment *b);
    static bool subsumes(JSObject *a, JSObject *b);
    static bool wrapperSubsumes(JSObject *wrapper);
    static bool subsumesConsideringDomain(JSCompartment *a, JSCompartment *b);
    static bool isChrome(JSCompartment *compartment);
    static bool isChrome(JSObject *obj);
    static bool callerIsChrome();
    static nsIPrincipal *getPrincipal(JSCompartment *compartment);
    static bool isCrossOriginAccessPermitted(JSContext *cx, JSObject *obj, jsid id,
                                             js::Wrapper::Action act);

    static bool needsSystemOnlyWrapper(JSObject *obj);
};

struct Policy {
};

// This policy only allows calling the underlying callable. All other operations throw.
struct Opaque : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return act == js::Wrapper::CALL;
    }
    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
        return false;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        return false;
    }
};

// This policy is designed to protect privileged callers from untrusted non-
// Xrayable objects. Nothing is allowed, and nothing throws.
struct GentlyOpaque : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return false;
    }
    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
        return true;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        // We allow nativeCall here because the alternative is throwing (which
        // happens in SecurityWrapper::nativeCall), which we don't want. There's
        // unlikely to be too much harm to letting this through, because this
        // wrapper is only used to wrap less-privileged objects in more-privileged
        // scopes, so unwrapping here only drops privileges.
        return true;
    }
};

// This policy only permits access to properties that are safe to be used
// across origins.
struct CrossOriginAccessiblePropertiesOnly : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
    }
    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
        // Silently fail for enumerate-like operations.
        if (act == js::Wrapper::ENUMERATE)
            return true;
        return false;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        return false;
    }
};

// This policy only permits access to properties if they appear in the
// objects exposed properties list.
struct ExposedPropertiesOnly : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);

    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
        // Fail silently for GETs and ENUMERATEs.
        return act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
};

}

#endif /* __AccessCheck_h__ */
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00			`/* -- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 --`
			`* vim: set ts=4 sw=4 et tw=99 ft=cpp:`
			`*`
Bug 716478 - update licence to MPL 2. 2012-05-21 04:12:37 -07:00			`* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00
Bug 760109 - Introduce an explicit ChromeObjectWrapper. r=mrbkap For now it's identical to ChromeObjectWrapperBase. Custom behavior comes in the next patch. 2012-07-27 03:15:46 -07:00			`#ifndef __AccessCheck_h__`
			`#define __AccessCheck_h__`

Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00			`#include "jswrapper.h"`
Bug 912411 (part 2) - Move JSID_{VOID,EMPTY}HANDLE from jsapi.{h,cpp} to Id.{h,cpp}. r=luke. --HG-- extra : rebase_source : 5fb68bf5079e3261fdca6cb99717d3a502c878f3 2013-09-05 16:08:57 -07:00			`#include "js/Id.h"`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00
bug 580128 - Avoid using the parent chain of proxies for anything because it's often wrong. r=jst 2010-09-24 18:00:58 -07:00			`class nsIPrincipal;`

Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00			`namespace xpc {`

			`class AccessCheck {`
			`public:`
Bug 655649 - Use Subsumes Rather than Equals in XPConnect wrapper computation. r=mrbkap Now that we have nsExpandedPrincipal, the current way of doing things is wrong. For some reason, the old document.domain hackery was hiding the failures here. 2012-07-12 01:10:15 -07:00			`static bool subsumes(JSCompartment a, JSCompartment b);`
Bug 813901 - Validate __exposedProps__. r=mrbkap This also involves modifying test_cows to deep clone in getCOW. 2012-12-07 14:49:11 -08:00			`static bool subsumes(JSObject a, JSObject b);`
Bug 788914 - Kill the XOW flag. r=mrbkap There are really two questions to be asked: is the caller chrome, and does the caller subsume the callee. We have other, more precise ways of asking both of these questions. 2012-09-11 01:05:10 -07:00			`static bool wrapperSubsumes(JSObject *wrapper);`
Bug 956382 - Add AccessCheck::subsumesConsideringDomain and clean up other implementations. r=mrbkap We now assert that we have a principal when we enter the wrap callback, and we now have a convenient overload defined in nsIPrincipal.idl. 2014-02-13 18:57:34 -08:00			`static bool subsumesConsideringDomain(JSCompartment a, JSCompartment b);`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00			`static bool isChrome(JSCompartment *compartment);`
Bug 788914 - Kill the XOW flag. r=mrbkap There are really two questions to be asked: is the caller chrome, and does the caller subsume the callee. We have other, more precise ways of asking both of these questions. 2012-09-11 01:05:10 -07:00			`static bool isChrome(JSObject *obj);`
Bug 763433 - Clarify compartment semantics for ExposedPropertiesOnly. r=mrbkap 2012-06-18 06:47:09 -07:00			`static bool callerIsChrome();`
bug 580128 - Avoid using the parent chain of proxies for anything because it's often wrong. r=jst 2010-09-24 18:00:58 -07:00			`static nsIPrincipal getPrincipal(JSCompartment compartment);`
bug 580128 - Allow calling functions cross origin. r=gal 2010-09-17 14:54:40 -07:00			`static bool isCrossOriginAccessPermitted(JSContext cx, JSObject obj, jsid id,`
Bug 683361, part 1 - Strip JS prefix from proxy names since they are already in namespace js (r=gal) --HG-- extra : rebase_source : 5eded8e02c36991322c94fca1092970910c2ceea 2011-09-08 20:29:15 -07:00			`js::Wrapper::Action act);`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00
			`static bool needsSystemOnlyWrapper(JSObject *obj);`
			`};`

			`struct Policy {`
			`};`

Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap There's no reason to be doing a dynamic check here, given that the JSClasses will never match. Lets be explicit and safe. 2013-01-22 21:04:38 -08:00			`// This policy only allows calling the underlying callable. All other operations throw.`
			`struct Opaque : public Policy {`
			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return act == js::Wrapper::CALL;`
			`}`
Bug 885310 - 2 Rename JSHandleFoo in js directory r=bholley 2013-06-21 06:12:46 -07:00			`static bool deny(js::Wrapper::Action act, JS::HandleId id) {`
Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap There's no reason to be doing a dynamic check here, given that the JSClasses will never match. Lets be explicit and safe. 2013-01-22 21:04:38 -08:00			`return false;`
			`}`
			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`return false;`
			`}`
			`};`

Bug 843829 - Wrap unwaived content JS objects in opaque wrappers for XBL scopes. r=mrbkap 2013-04-03 11:41:23 -07:00			`// This policy is designed to protect privileged callers from untrusted non-`
			`// Xrayable objects. Nothing is allowed, and nothing throws.`
			`struct GentlyOpaque : public Policy {`
			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return false;`
			`}`
Bug 885310 - 2 Rename JSHandleFoo in js directory r=bholley 2013-06-21 06:12:46 -07:00			`static bool deny(js::Wrapper::Action act, JS::HandleId id) {`
Bug 843829 - Wrap unwaived content JS objects in opaque wrappers for XBL scopes. r=mrbkap 2013-04-03 11:41:23 -07:00			`return true;`
			`}`
			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`// We allow nativeCall here because the alternative is throwing (which`
			`// happens in SecurityWrapper::nativeCall), which we don't want. There's`
			`// unlikely to be too much harm to letting this through, because this`
			`// wrapper is only used to wrap less-privileged objects in more-privileged`
			`// scopes, so unwrapping here only drops privileges.`
			`return true;`
			`}`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00			`};`

			`// This policy only permits access to properties that are safe to be used`
			`// across origins.`
			`struct CrossOriginAccessiblePropertiesOnly : public Policy {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-02 17:47:49 -07:00			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);`
			`}`
Bug 885310 - 2 Rename JSHandleFoo in js directory r=bholley 2013-06-21 06:12:46 -07:00			`static bool deny(js::Wrapper::Action act, JS::HandleId id) {`
Bug 862380 - Silently fail for enumerate-like operations on XOWs. r=mrbkap 2013-05-22 21:27:15 -07:00			`// Silently fail for enumerate-like operations.`
Bug 965901 - Add an ENUMERATE policy action. r=gabor sr=mrbkap 2014-02-13 10:54:08 -08:00			`if (act == js::Wrapper::ENUMERATE)`
Bug 862380 - Silently fail for enumerate-like operations on XOWs. r=mrbkap 2013-05-22 21:27:15 -07:00			`return true;`
Silenty return undefined instead of throwing when content tries to access non-exposed chrome properties (bug 594999, r=mrbkap). 2011-01-29 18:48:30 -08:00			`return false;`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00			`}`
Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-20 22:33:26 -08:00			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`return false;`
			`}`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00			`};`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 13:54:53 -07:00			`// This policy only permits access to properties if they appear in the`
			`// objects exposed properties list.`
			`struct ExposedPropertiesOnly : public Policy {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-02 17:47:49 -07:00			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act);`

Bug 885310 - 2 Rename JSHandleFoo in js directory r=bholley 2013-06-21 06:12:46 -07:00			`static bool deny(js::Wrapper::Action act, JS::HandleId id) {`
Bug 965901 - Add an ENUMERATE policy action. r=gabor sr=mrbkap 2014-02-13 10:54:08 -08:00			`// Fail silently for GETs and ENUMERATEs.`
			`return act == js::Wrapper::GET \|\| act == js::Wrapper::ENUMERATE;`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-02 17:47:49 -07:00			`}`
Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-20 22:33:26 -08:00			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 15:58:09 -07:00			`};`

			`}`
Bug 760109 - Introduce an explicit ChromeObjectWrapper. r=mrbkap For now it's identical to ChromeObjectWrapperBase. Custom behavior comes in the next patch. 2012-07-27 03:15:46 -07:00
			`#endif /* __AccessCheck_h__ */`