2010-06-25 15:58:09 -07:00
|
|
|
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
|
|
|
|
|
* vim: set ts=4 sw=4 et tw=99 ft=cpp:
|
|
|
|
|
*
|
2012-05-21 04:12:37 -07:00
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2010-06-25 15:58:09 -07:00
|
|
|
|
2012-07-16 10:22:51 -07:00
|
|
|
#include "WaiveXrayWrapper.h"
|
2010-07-02 13:54:53 -07:00
|
|
|
#include "FilteringWrapper.h"
|
|
|
|
|
#include "XrayWrapper.h"
|
2010-06-25 15:58:09 -07:00
|
|
|
#include "AccessCheck.h"
|
2010-10-10 15:36:38 -07:00
|
|
|
#include "XPCWrapper.h"
|
2010-06-25 15:58:09 -07:00
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
#include "xpcprivate.h"
|
2011-05-25 08:30:50 -07:00
|
|
|
#include "dombindings.h"
|
2011-10-14 10:52:47 -07:00
|
|
|
#include "XPCMaps.h"
|
2012-05-02 21:35:38 -07:00
|
|
|
#include "mozilla/dom/BindingUtils.h"
|
2012-01-15 00:13:09 -08:00
|
|
|
#include "jsfriendapi.h"
|
2012-05-29 14:24:03 -07:00
|
|
|
#include "mozilla/Likely.h"
|
2012-01-11 00:23:08 -08:00
|
|
|
|
2011-09-08 20:29:15 -07:00
|
|
|
using namespace js;
|
|
|
|
|
|
2010-06-25 15:58:09 -07:00
|
|
|
namespace xpc {
|
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
// When chrome pulls a naked property across the membrane using
|
|
|
|
|
// .wrappedJSObject, we want it to cross the membrane into the
|
|
|
|
|
// chrome compartment without automatically being wrapped into an
|
|
|
|
|
// X-ray wrapper. We achieve this by wrapping it into a special
|
|
|
|
|
// transparent wrapper in the origin (non-chrome) compartment. When
|
|
|
|
|
// an object with that special wrapper applied crosses into chrome,
|
|
|
|
|
// we know to not apply an X-ray wrapper.
|
2012-07-16 10:28:17 -07:00
|
|
|
DirectWrapper XrayWaiver(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
|
2010-07-02 13:54:53 -07:00
|
|
|
|
|
|
|
|
// When objects for which we waived the X-ray wrapper cross into
|
|
|
|
|
// chrome, we wrap them into a special cross-compartment wrapper
|
|
|
|
|
// that transitively extends the waiver to all properties we get
|
|
|
|
|
// off it.
|
2012-07-16 08:53:16 -07:00
|
|
|
WaiveXrayWrapper WaiveXrayWrapper::singleton(0);
|
2010-10-10 15:47:22 -07:00
|
|
|
|
2010-10-18 15:21:50 -07:00
|
|
|
static JSObject *
|
|
|
|
|
GetCurrentOuter(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
2011-10-04 07:06:54 -07:00
|
|
|
obj = JS_ObjectToOuterObject(cx, obj);
|
2012-03-28 16:15:38 -07:00
|
|
|
if (!obj)
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
2011-10-04 07:06:54 -07:00
|
|
|
if (IsWrapper(obj) && !js::GetObjectClass(obj)->ext.innerObject) {
|
|
|
|
|
obj = UnwrapObject(obj);
|
|
|
|
|
NS_ASSERTION(js::GetObjectClass(obj)->ext.innerObject,
|
2010-10-18 15:21:50 -07:00
|
|
|
"weird object, expecting an outer window proxy");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return obj;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-23 06:51:18 -07:00
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::GetXrayWaiver(JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
// Object should come fully unwrapped but outerized.
|
|
|
|
|
MOZ_ASSERT(obj == UnwrapObject(obj));
|
|
|
|
|
MOZ_ASSERT(!js::GetObjectClass(obj)->ext.outerObject);
|
|
|
|
|
CompartmentPrivate *priv = GetCompartmentPrivate(obj);
|
|
|
|
|
MOZ_ASSERT(priv);
|
|
|
|
|
|
|
|
|
|
if (!priv->waiverWrapperMap)
|
|
|
|
|
return NULL;
|
|
|
|
|
return xpc_UnmarkGrayObject(priv->waiverWrapperMap->Find(obj));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::CreateXrayWaiver(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
// The caller is required to have already done a lookup.
|
|
|
|
|
// NB: This implictly performs the assertions of GetXrayWaiver.
|
|
|
|
|
MOZ_ASSERT(!GetXrayWaiver(obj));
|
|
|
|
|
CompartmentPrivate *priv = GetCompartmentPrivate(obj);
|
|
|
|
|
|
|
|
|
|
// Get a waiver for the proto.
|
|
|
|
|
JSObject *proto = js::GetObjectProto(obj);
|
|
|
|
|
if (proto && !(proto = WaiveXray(cx, proto)))
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
|
|
|
|
// Create the waiver.
|
|
|
|
|
JSAutoEnterCompartment ac;
|
|
|
|
|
if (!ac.enter(cx, obj) || !JS_WrapObject(cx, &proto))
|
|
|
|
|
return nsnull;
|
|
|
|
|
JSObject *waiver = Wrapper::New(cx, obj, proto,
|
|
|
|
|
JS_GetGlobalForObject(cx, obj),
|
|
|
|
|
&XrayWaiver);
|
|
|
|
|
if (!waiver)
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
|
|
|
|
// Add the new waiver to the map. It's important that we only ever have
|
|
|
|
|
// one waiver for the lifetime of the target object.
|
|
|
|
|
if (!priv->waiverWrapperMap) {
|
|
|
|
|
priv->waiverWrapperMap = JSObject2JSObjectMap::
|
|
|
|
|
newMap(XPC_WRAPPER_MAP_SIZE);
|
|
|
|
|
MOZ_ASSERT(priv->waiverWrapperMap);
|
|
|
|
|
}
|
|
|
|
|
if (!priv->waiverWrapperMap->Add(obj, waiver))
|
|
|
|
|
return nsnull;
|
|
|
|
|
return waiver;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-13 13:03:44 -08:00
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WaiveXray(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
2011-10-04 07:06:54 -07:00
|
|
|
obj = UnwrapObject(obj);
|
2011-01-20 14:41:30 -08:00
|
|
|
|
2011-01-13 13:03:44 -08:00
|
|
|
// We have to make sure that if we're wrapping an outer window, that
|
|
|
|
|
// the .wrappedJSObject also wraps the outer window.
|
|
|
|
|
obj = GetCurrentOuter(cx, obj);
|
|
|
|
|
|
2012-07-23 06:51:18 -07:00
|
|
|
JSObject *waiver = GetXrayWaiver(obj);
|
|
|
|
|
if (waiver)
|
|
|
|
|
return waiver;
|
|
|
|
|
return CreateXrayWaiver(cx, obj);
|
2011-01-13 13:03:44 -08:00
|
|
|
}
|
|
|
|
|
|
2011-05-23 08:20:28 -07:00
|
|
|
// DoubleWrap is called from PrepareForWrapping to maintain the state that
|
|
|
|
|
// we're supposed to waive Xray wrappers for the given on. On entrance, it
|
|
|
|
|
// expects |cx->compartment != obj->compartment()|. The returned object will
|
|
|
|
|
// be in the same compartment as |obj|.
|
2011-01-13 13:03:44 -08:00
|
|
|
JSObject *
|
2012-02-28 15:11:11 -08:00
|
|
|
WrapperFactory::DoubleWrap(JSContext *cx, JSObject *obj, unsigned flags)
|
2011-01-13 13:03:44 -08:00
|
|
|
{
|
|
|
|
|
if (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) {
|
2011-01-20 14:41:30 -08:00
|
|
|
JSAutoEnterCompartment ac;
|
|
|
|
|
if (!ac.enter(cx, obj))
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
2011-01-13 13:03:44 -08:00
|
|
|
return WaiveXray(cx, obj);
|
|
|
|
|
}
|
|
|
|
|
return obj;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
JSObject *
|
2012-02-28 15:11:11 -08:00
|
|
|
WrapperFactory::PrepareForWrapping(JSContext *cx, JSObject *scope, JSObject *obj, unsigned flags)
|
2010-10-10 15:36:38 -07:00
|
|
|
{
|
2010-10-10 15:47:22 -07:00
|
|
|
// Don't unwrap an outer window, just double wrap it if needed.
|
2011-10-04 07:06:54 -07:00
|
|
|
if (js::GetObjectClass(obj)->ext.innerObject)
|
2010-10-10 15:47:22 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
|
|
|
|
|
2010-10-10 15:36:38 -07:00
|
|
|
// Here are the rules for wrapping:
|
|
|
|
|
// We should never get a proxy here (the JS engine unwraps those for us).
|
2011-10-04 07:06:54 -07:00
|
|
|
JS_ASSERT(!IsWrapper(obj));
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
|
// As soon as an object is wrapped in a security wrapper, it morphs to be
|
|
|
|
|
// a fat wrapper. (see also: bug XXX).
|
|
|
|
|
if (IS_SLIM_WRAPPER(obj) && !MorphSlimWrapper(cx, obj))
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
|
|
|
|
// We only hand out outer objects to script.
|
2010-10-18 16:45:39 -07:00
|
|
|
obj = GetCurrentOuter(cx, obj);
|
2012-03-28 16:15:38 -07:00
|
|
|
if (!obj)
|
|
|
|
|
return nsnull;
|
|
|
|
|
|
2011-10-04 07:06:54 -07:00
|
|
|
if (js::GetObjectClass(obj)->ext.innerObject)
|
2010-10-18 15:21:50 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
|
// Now, our object is ready to be wrapped, but several objects (notably
|
|
|
|
|
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
|
|
|
|
|
// those objects in a security wrapper, then we need to hand back the
|
2010-10-10 15:47:16 -07:00
|
|
|
// wrapper for the new scope instead. Also, global objects don't move
|
|
|
|
|
// between scopes so for those we also want to return the wrapper. So...
|
2011-10-04 07:06:54 -07:00
|
|
|
if (!IS_WN_WRAPPER(obj) || !js::GetObjectParent(obj))
|
2010-10-10 15:47:22 -07:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
|
|
|
|
|
XPCWrappedNative *wn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
|
|
|
|
|
|
|
|
|
|
JSAutoEnterCompartment ac;
|
2011-02-11 19:32:45 -08:00
|
|
|
if (!ac.enter(cx, obj))
|
2010-10-10 15:47:22 -07:00
|
|
|
return nsnull;
|
2011-02-11 19:32:45 -08:00
|
|
|
XPCCallContext ccx(JS_CALLER, cx, obj);
|
|
|
|
|
|
2011-02-05 04:56:05 -08:00
|
|
|
{
|
|
|
|
|
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
|
|
|
|
|
// We have a precreate hook. This object might enforce that we only
|
|
|
|
|
// ever create JS object for it.
|
2012-05-29 14:24:03 -07:00
|
|
|
|
|
|
|
|
// Note: this penalizes objects that only have one wrapper, but are
|
|
|
|
|
// being accessed across compartments. We would really prefer to
|
|
|
|
|
// replace the above code with a test that says "do you only have one
|
|
|
|
|
// wrapper?"
|
2011-02-05 04:56:05 -08:00
|
|
|
JSObject *originalScope = scope;
|
|
|
|
|
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
|
|
|
|
|
PreCreate(wn->Native(), cx, scope, &scope);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, DoubleWrap(cx, obj, flags));
|
|
|
|
|
|
|
|
|
|
// If the handed back scope differs from the passed-in scope and is in
|
|
|
|
|
// a separate compartment, then this object is explicitly requesting
|
|
|
|
|
// that we don't create a second JS object for it: create a security
|
|
|
|
|
// wrapper.
|
2011-10-04 07:06:54 -07:00
|
|
|
if (js::GetObjectCompartment(originalScope) != js::GetObjectCompartment(scope))
|
2011-02-05 04:56:05 -08:00
|
|
|
return DoubleWrap(cx, obj, flags);
|
|
|
|
|
|
2012-05-29 14:24:03 -07:00
|
|
|
JSObject *currentScope = JS_GetGlobalForObject(cx, obj);
|
|
|
|
|
if (MOZ_UNLIKELY(scope != currentScope)) {
|
|
|
|
|
// The wrapper claims it wants to be in the new scope, but
|
|
|
|
|
// currently has a reflection that lives in the old scope. This
|
|
|
|
|
// can mean one of two things, both of which are rare:
|
|
|
|
|
//
|
|
|
|
|
// 1 - The object has a PreCreate hook (we checked for it above),
|
|
|
|
|
// but is deciding to request one-wrapper-per-scope (rather than
|
|
|
|
|
// one-wrapper-per-native) for some reason. Usually, a PreCreate
|
|
|
|
|
// hook indicates one-wrapper-per-native. In this case we want to
|
|
|
|
|
// make a new wrapper in the new scope.
|
|
|
|
|
//
|
|
|
|
|
// 2 - We're midway through wrapper reparenting. The document has
|
|
|
|
|
// moved to a new scope, but |wn| hasn't been moved yet, and
|
|
|
|
|
// we ended up calling JS_WrapObject() on its JS object. In this
|
|
|
|
|
// case, we want to return the existing wrapper.
|
|
|
|
|
//
|
|
|
|
|
// So we do a trick: call PreCreate _again_, but say that we're
|
|
|
|
|
// wrapping for the old scope, rather than the new one. If (1) is
|
|
|
|
|
// the case, then PreCreate will return the scope we pass to it
|
|
|
|
|
// (the old scope). If (2) is the case, PreCreate will return the
|
|
|
|
|
// scope of the document (the new scope).
|
|
|
|
|
JSObject *probe;
|
|
|
|
|
rv = wn->GetScriptableInfo()->GetCallback()->
|
|
|
|
|
PreCreate(wn->Native(), cx, currentScope, &probe);
|
|
|
|
|
|
|
|
|
|
// Check for case (2).
|
|
|
|
|
if (probe != currentScope) {
|
|
|
|
|
MOZ_ASSERT(probe == scope);
|
|
|
|
|
return DoubleWrap(cx, obj, flags);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Ok, must be case (1). Fall through and create a new wrapper.
|
|
|
|
|
}
|
2011-02-05 04:56:05 -08:00
|
|
|
}
|
2010-10-10 15:36:38 -07:00
|
|
|
}
|
2010-10-10 15:47:22 -07:00
|
|
|
|
2010-10-29 12:49:32 -07:00
|
|
|
// NB: Passing a holder here inhibits slim wrappers under
|
|
|
|
|
// WrapNativeToJSVal.
|
|
|
|
|
nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
|
2011-02-11 19:32:45 -08:00
|
|
|
|
|
|
|
|
// This public WrapNativeToJSVal API enters the compartment of 'scope'
|
|
|
|
|
// so we don't have to.
|
2010-10-10 15:36:38 -07:00
|
|
|
jsval v;
|
|
|
|
|
nsresult rv =
|
|
|
|
|
nsXPConnect::FastGetXPConnect()->WrapNativeToJSVal(cx, scope, wn->Native(), nsnull,
|
2011-10-17 07:59:28 -07:00
|
|
|
&NS_GET_IID(nsISupports), false,
|
2010-10-29 12:49:32 -07:00
|
|
|
&v, getter_AddRefs(holder));
|
|
|
|
|
if (NS_SUCCEEDED(rv)) {
|
2010-10-10 15:47:22 -07:00
|
|
|
obj = JSVAL_TO_OBJECT(v);
|
2010-10-29 12:49:32 -07:00
|
|
|
NS_ASSERTION(IS_WN_WRAPPER(obj), "bad object");
|
|
|
|
|
|
2012-03-16 12:47:20 -07:00
|
|
|
// Because the underlying native didn't have a PreCreate hook, we had
|
|
|
|
|
// to a new (or possibly pre-existing) XPCWN in our compartment.
|
|
|
|
|
// This could be a problem for chrome code that passes XPCOM objects
|
|
|
|
|
// across compartments, because the effects of QI would disappear across
|
|
|
|
|
// compartments.
|
|
|
|
|
//
|
|
|
|
|
// So whenever we pull an XPCWN across compartments in this manner, we
|
|
|
|
|
// give the destination object the union of the two native sets. We try
|
|
|
|
|
// to do this cleverly in the common case to avoid too much overhead.
|
2010-10-29 12:49:32 -07:00
|
|
|
XPCWrappedNative *newwn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
|
2012-03-16 12:47:20 -07:00
|
|
|
XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(ccx, newwn->GetSet(),
|
|
|
|
|
wn->GetSet(), false);
|
|
|
|
|
if (!unionSet)
|
|
|
|
|
return nsnull;
|
|
|
|
|
newwn->SetSet(unionSet);
|
2010-10-29 12:49:32 -07:00
|
|
|
}
|
2010-10-10 15:47:22 -07:00
|
|
|
|
|
|
|
|
return DoubleWrap(cx, obj, flags);
|
2010-10-10 15:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2011-05-24 02:33:44 -07:00
|
|
|
static XPCWrappedNative *
|
|
|
|
|
GetWrappedNative(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
2011-10-04 07:06:54 -07:00
|
|
|
obj = JS_ObjectToInnerObject(cx, obj);
|
2011-05-24 02:33:44 -07:00
|
|
|
return IS_WN_WRAPPER(obj)
|
2011-10-04 07:06:54 -07:00
|
|
|
? static_cast<XPCWrappedNative *>(js::GetObjectPrivate(obj))
|
2011-05-24 02:33:44 -07:00
|
|
|
: nsnull;
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-30 21:42:20 -07:00
|
|
|
enum XrayType {
|
|
|
|
|
XrayForDOMObject,
|
|
|
|
|
XrayForDOMProxyObject,
|
|
|
|
|
XrayForWrappedNative,
|
|
|
|
|
NotXray
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static XrayType
|
|
|
|
|
GetXrayType(JSObject *obj)
|
2011-05-25 08:30:50 -07:00
|
|
|
{
|
2012-03-30 21:42:20 -07:00
|
|
|
js::Class* clasp = js::GetObjectClass(obj);
|
2012-05-02 21:35:38 -07:00
|
|
|
if (mozilla::dom::IsDOMClass(Jsvalify(clasp))) {
|
2012-03-30 21:42:20 -07:00
|
|
|
return XrayForDOMObject;
|
|
|
|
|
}
|
|
|
|
|
if (mozilla::dom::binding::instanceIsProxy(obj)) {
|
|
|
|
|
return XrayForDOMProxyObject;
|
2011-05-25 08:30:50 -07:00
|
|
|
}
|
2012-03-30 21:42:20 -07:00
|
|
|
if (IS_WRAPPER_CLASS(clasp) || clasp->ext.innerObject) {
|
|
|
|
|
NS_ASSERTION(clasp->ext.innerObject || IS_WN_WRAPPER_OBJECT(obj),
|
|
|
|
|
"We forgot to Morph a slim wrapper!");
|
|
|
|
|
return XrayForWrappedNative;
|
|
|
|
|
}
|
|
|
|
|
return NotXray;
|
2011-05-25 08:30:50 -07:00
|
|
|
}
|
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
JSObject *
|
2010-09-17 14:54:40 -07:00
|
|
|
WrapperFactory::Rewrap(JSContext *cx, JSObject *obj, JSObject *wrappedProto, JSObject *parent,
|
2012-02-28 15:11:11 -08:00
|
|
|
unsigned flags)
|
2010-06-25 15:58:09 -07:00
|
|
|
{
|
2011-10-04 07:06:54 -07:00
|
|
|
NS_ASSERTION(!IsWrapper(obj) ||
|
2012-07-16 10:28:17 -07:00
|
|
|
GetProxyHandler(obj) == &XrayWaiver ||
|
2011-10-04 07:06:54 -07:00
|
|
|
js::GetObjectClass(obj)->ext.innerObject,
|
2010-08-23 15:34:11 -07:00
|
|
|
"wrapped object passed to rewrap");
|
2012-02-03 16:54:57 -08:00
|
|
|
NS_ASSERTION(JS_GetClass(obj) != &XrayUtils::HolderClass, "trying to wrap a holder");
|
2010-07-02 13:54:53 -07:00
|
|
|
|
2011-10-04 07:06:54 -07:00
|
|
|
JSCompartment *origin = js::GetObjectCompartment(obj);
|
2012-01-15 00:13:09 -08:00
|
|
|
JSCompartment *target = js::GetContextCompartment(cx);
|
2012-03-23 14:59:04 -07:00
|
|
|
bool usingXray = false;
|
2010-07-02 13:54:53 -07:00
|
|
|
|
2011-09-08 20:29:15 -07:00
|
|
|
Wrapper *wrapper;
|
2012-05-25 00:18:31 -07:00
|
|
|
CompartmentPrivate *targetdata = GetCompartmentPrivate(target);
|
2010-07-02 13:54:53 -07:00
|
|
|
if (AccessCheck::isChrome(target)) {
|
2011-04-18 13:50:47 -07:00
|
|
|
if (AccessCheck::isChrome(origin)) {
|
2011-09-08 20:29:15 -07:00
|
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
2010-07-02 13:54:53 -07:00
|
|
|
} else {
|
2011-04-18 13:50:47 -07:00
|
|
|
bool isSystem;
|
|
|
|
|
{
|
|
|
|
|
JSAutoEnterCompartment ac;
|
|
|
|
|
if (!ac.enter(cx, obj))
|
2010-09-20 14:48:01 -07:00
|
|
|
return nsnull;
|
2011-04-18 13:50:47 -07:00
|
|
|
JSObject *globalObj = JS_GetGlobalForObject(cx, obj);
|
|
|
|
|
JS_ASSERT(globalObj);
|
|
|
|
|
isSystem = JS_IsSystemObject(cx, globalObj);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (isSystem) {
|
2011-09-08 20:29:15 -07:00
|
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
2011-04-18 13:50:47 -07:00
|
|
|
} else if (flags & WAIVE_XRAY_WRAPPER_FLAG) {
|
|
|
|
|
// If we waived the X-ray wrapper for this object, wrap it into a
|
|
|
|
|
// special wrapper to transitively maintain the X-ray waiver.
|
2012-07-16 08:53:16 -07:00
|
|
|
wrapper = &WaiveXrayWrapper::singleton;
|
2010-09-02 16:02:51 -07:00
|
|
|
} else {
|
2011-04-18 13:50:47 -07:00
|
|
|
// Native objects must be wrapped into an X-ray wrapper.
|
2012-03-30 21:42:20 -07:00
|
|
|
XrayType type = GetXrayType(obj);
|
|
|
|
|
if (type == XrayForDOMObject) {
|
|
|
|
|
wrapper = &XrayDOM::singleton;
|
|
|
|
|
} else if (type == XrayForDOMProxyObject) {
|
|
|
|
|
wrapper = &XrayProxy::singleton;
|
|
|
|
|
} else if (type == XrayForWrappedNative) {
|
|
|
|
|
typedef XrayWrapper<CrossCompartmentWrapper> Xray;
|
|
|
|
|
usingXray = true;
|
|
|
|
|
wrapper = &Xray::singleton;
|
2011-04-18 13:50:47 -07:00
|
|
|
} else {
|
2012-06-28 14:47:55 -07:00
|
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
2011-04-18 13:50:47 -07:00
|
|
|
}
|
2010-09-02 16:02:51 -07:00
|
|
|
}
|
2010-07-02 13:54:53 -07:00
|
|
|
}
|
|
|
|
|
} else if (AccessCheck::isChrome(origin)) {
|
2011-10-04 07:06:54 -07:00
|
|
|
JSFunction *fun = JS_GetObjectFunction(obj);
|
|
|
|
|
if (fun) {
|
2011-03-02 19:57:44 -08:00
|
|
|
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
|
2011-01-26 18:28:49 -08:00
|
|
|
JS_ReportError(cx, "Not allowed to access chrome eval or Function from content");
|
|
|
|
|
return nsnull;
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-05-10 14:41:25 -07:00
|
|
|
|
|
|
|
|
XPCWrappedNative *wn;
|
2011-05-24 02:33:44 -07:00
|
|
|
if (targetdata &&
|
|
|
|
|
(wn = GetWrappedNative(cx, obj)) &&
|
|
|
|
|
wn->HasProto() && wn->GetProto()->ClassIsDOMObject()) {
|
2011-10-04 10:50:25 -07:00
|
|
|
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
|
2012-03-23 14:59:04 -07:00
|
|
|
usingXray = true;
|
2012-03-23 14:59:19 -07:00
|
|
|
if (IsLocationObject(obj))
|
|
|
|
|
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
|
|
|
|
|
else
|
|
|
|
|
wrapper = &FilteringWrapper<Xray, CrossOriginAccessiblePropertiesOnly>::singleton;
|
2012-03-30 21:42:20 -07:00
|
|
|
} else if (mozilla::dom::binding::instanceIsProxy(obj)) {
|
|
|
|
|
wrapper = &FilteringWrapper<XrayProxy, CrossOriginAccessiblePropertiesOnly>::singleton;
|
2012-05-02 21:35:38 -07:00
|
|
|
} else if (mozilla::dom::IsDOMClass(JS_GetClass(obj))) {
|
2012-03-30 21:42:20 -07:00
|
|
|
wrapper = &FilteringWrapper<XrayDOM, CrossOriginAccessiblePropertiesOnly>::singleton;
|
2012-04-28 06:12:28 -07:00
|
|
|
} else if (IsComponentsObject(obj)) {
|
|
|
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
|
|
|
|
|
ComponentsObjectPolicy>::singleton;
|
2011-05-10 14:41:25 -07:00
|
|
|
} else {
|
2011-10-04 10:50:25 -07:00
|
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
|
2011-05-10 14:41:25 -07:00
|
|
|
ExposedPropertiesOnly>::singleton;
|
|
|
|
|
}
|
2012-07-12 01:10:15 -07:00
|
|
|
} else if (AccessCheck::subsumes(target, origin)) {
|
2012-03-23 14:59:23 -07:00
|
|
|
// For the same-origin case we use a transparent wrapper, unless one
|
|
|
|
|
// of the following is true:
|
2012-04-05 12:21:12 -07:00
|
|
|
// * The object is flagged as needing a SOW.
|
2012-06-05 10:07:37 -07:00
|
|
|
// * The object is a Location object.
|
|
|
|
|
// * The object is a Components object.
|
2012-03-23 14:59:23 -07:00
|
|
|
// * The context compartment specifically requested Xray vision into
|
|
|
|
|
// same-origin compartments.
|
|
|
|
|
//
|
|
|
|
|
// The first two cases always require a security wrapper for non-chrome
|
|
|
|
|
// access, regardless of the origin of the object.
|
2012-03-30 21:42:20 -07:00
|
|
|
XrayType type;
|
2010-07-02 13:54:53 -07:00
|
|
|
if (AccessCheck::needsSystemOnlyWrapper(obj)) {
|
2011-10-04 10:50:25 -07:00
|
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
|
2010-07-02 13:54:53 -07:00
|
|
|
OnlyIfSubjectIsSystem>::singleton;
|
2012-06-05 10:07:37 -07:00
|
|
|
} else if (IsLocationObject(obj)) {
|
|
|
|
|
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
|
|
|
|
|
usingXray = true;
|
|
|
|
|
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
|
2012-04-28 06:12:28 -07:00
|
|
|
} else if (IsComponentsObject(obj)) {
|
|
|
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
|
|
|
|
|
ComponentsObjectPolicy>::singleton;
|
2012-03-30 21:42:20 -07:00
|
|
|
} else if (!targetdata || !targetdata->wantXrays ||
|
|
|
|
|
(type = GetXrayType(obj)) == NotXray) {
|
2011-09-08 20:29:15 -07:00
|
|
|
wrapper = &CrossCompartmentWrapper::singleton;
|
2012-03-30 21:42:20 -07:00
|
|
|
} else if (type == XrayForDOMObject) {
|
|
|
|
|
wrapper = &XrayDOM::singleton;
|
|
|
|
|
} else if (type == XrayForDOMProxyObject) {
|
|
|
|
|
wrapper = &XrayProxy::singleton;
|
|
|
|
|
} else {
|
|
|
|
|
typedef XrayWrapper<CrossCompartmentWrapper> Xray;
|
|
|
|
|
usingXray = true;
|
|
|
|
|
wrapper = &Xray::singleton;
|
2010-10-10 15:46:07 -07:00
|
|
|
}
|
2010-07-02 13:54:53 -07:00
|
|
|
} else {
|
2010-10-10 15:48:55 -07:00
|
|
|
NS_ASSERTION(!AccessCheck::needsSystemOnlyWrapper(obj),
|
|
|
|
|
"bad object exposed across origins");
|
|
|
|
|
|
2010-07-02 13:54:53 -07:00
|
|
|
// Cross origin we want to disallow scripting and limit access to
|
|
|
|
|
// a predefined set of properties. XrayWrapper adds a property
|
|
|
|
|
// (.wrappedJSObject) which allows bypassing the XrayWrapper, but
|
|
|
|
|
// we filter out access to that property.
|
2012-03-30 21:42:20 -07:00
|
|
|
XrayType type = GetXrayType(obj);
|
|
|
|
|
if (type == NotXray) {
|
2011-10-04 10:50:25 -07:00
|
|
|
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
|
2010-09-02 16:02:51 -07:00
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
2012-03-30 21:42:20 -07:00
|
|
|
} else if (type == XrayForDOMObject) {
|
|
|
|
|
wrapper = &FilteringWrapper<XrayDOM,
|
|
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
|
|
|
|
} else if (type == XrayForDOMProxyObject) {
|
|
|
|
|
wrapper = &FilteringWrapper<XrayProxy,
|
|
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
2010-09-02 16:02:51 -07:00
|
|
|
} else {
|
2012-03-30 21:42:20 -07:00
|
|
|
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
|
|
|
|
|
usingXray = true;
|
2010-09-29 10:00:52 -07:00
|
|
|
|
2012-03-30 21:42:20 -07:00
|
|
|
// Location objects can become same origin after navigation, so we might
|
|
|
|
|
// have to grant transparent access later on.
|
|
|
|
|
if (IsLocationObject(obj)) {
|
|
|
|
|
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
|
|
|
|
|
} else {
|
|
|
|
|
wrapper = &FilteringWrapper<Xray,
|
|
|
|
|
CrossOriginAccessiblePropertiesOnly>::singleton;
|
2011-05-25 08:30:50 -07:00
|
|
|
}
|
2010-09-02 16:02:51 -07:00
|
|
|
}
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|
2010-09-20 14:48:01 -07:00
|
|
|
|
2011-09-08 20:29:15 -07:00
|
|
|
JSObject *wrapperObj = Wrapper::New(cx, obj, wrappedProto, parent, wrapper);
|
2012-03-23 14:59:04 -07:00
|
|
|
if (!wrapperObj || !usingXray)
|
2010-09-20 14:48:01 -07:00
|
|
|
return wrapperObj;
|
2010-10-10 15:35:54 -07:00
|
|
|
|
2012-03-23 14:59:04 -07:00
|
|
|
JSObject *xrayHolder = XrayUtils::createHolder(cx, obj, parent);
|
|
|
|
|
if (!xrayHolder)
|
|
|
|
|
return nsnull;
|
2011-05-23 08:39:25 -07:00
|
|
|
js::SetProxyExtra(wrapperObj, 0, js::ObjectValue(*xrayHolder));
|
2010-09-20 14:48:01 -07:00
|
|
|
return wrapperObj;
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|
|
|
|
|
|
2012-05-14 14:30:07 -07:00
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
// Only WNs have same-compartment wrappers.
|
|
|
|
|
//
|
|
|
|
|
// NB: The contract of WrapForSameCompartment says that |obj| may or may not
|
|
|
|
|
// be a security wrapper. This check implicitly handles the security wrapper
|
|
|
|
|
// case.
|
|
|
|
|
if (!IS_WN_WRAPPER(obj))
|
|
|
|
|
return obj;
|
|
|
|
|
|
|
|
|
|
// Extract the WN. It should exist.
|
|
|
|
|
XPCWrappedNative *wn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
|
|
|
|
|
MOZ_ASSERT(wn, "Trying to wrap a dead WN!");
|
|
|
|
|
|
|
|
|
|
// The WN knows what to do.
|
|
|
|
|
return wn->GetSameCompartmentSecurityWrapper(cx);
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-23 14:59:07 -07:00
|
|
|
typedef FilteringWrapper<XrayWrapper<SameCompartmentSecurityWrapper>, LocationPolicy> LW;
|
2010-09-29 10:00:52 -07:00
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
WrapperFactory::IsLocationObject(JSObject *obj)
|
|
|
|
|
{
|
2011-10-04 07:06:54 -07:00
|
|
|
const char *name = js::GetObjectClass(obj)->name;
|
2010-09-29 10:00:52 -07:00
|
|
|
return name[0] == 'L' && !strcmp(name, "Location");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WrapLocationObject(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
2012-03-23 14:59:04 -07:00
|
|
|
JSObject *xrayHolder = XrayUtils::createHolder(cx, obj, js::GetObjectParent(obj));
|
2010-09-29 10:00:52 -07:00
|
|
|
if (!xrayHolder)
|
2011-01-13 13:03:44 -08:00
|
|
|
return nsnull;
|
2011-10-04 07:06:54 -07:00
|
|
|
JSObject *wrapperObj = Wrapper::New(cx, obj, js::GetObjectProto(obj), js::GetObjectParent(obj),
|
2011-09-08 20:29:15 -07:00
|
|
|
&LW::singleton);
|
2010-09-29 10:00:52 -07:00
|
|
|
if (!wrapperObj)
|
2011-01-13 13:03:44 -08:00
|
|
|
return nsnull;
|
2011-05-23 08:39:25 -07:00
|
|
|
js::SetProxyExtra(wrapperObj, 0, js::ObjectValue(*xrayHolder));
|
2010-09-29 10:00:52 -07:00
|
|
|
return wrapperObj;
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-23 08:20:28 -07:00
|
|
|
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
|
|
|
|
|
// wrapped in an Xray wrapper. cx->compartment is the compartment that will be
|
|
|
|
|
// using the returned object. If the object to be wrapped is already in the
|
|
|
|
|
// correct compartment, then this returns the unwrapped object.
|
2010-10-10 15:48:29 -07:00
|
|
|
bool
|
|
|
|
|
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
|
|
|
|
|
{
|
2010-10-14 13:41:52 -07:00
|
|
|
if (JSVAL_IS_PRIMITIVE(*vp))
|
|
|
|
|
return JS_WrapValue(cx, vp);
|
2010-10-10 15:48:29 -07:00
|
|
|
|
2011-10-04 07:06:54 -07:00
|
|
|
JSObject *obj = js::UnwrapObject(JSVAL_TO_OBJECT(*vp));
|
2011-05-23 08:20:28 -07:00
|
|
|
obj = GetCurrentOuter(cx, obj);
|
2011-12-24 00:28:55 -08:00
|
|
|
if (js::IsObjectInContextCompartment(obj, cx)) {
|
2011-05-23 08:20:28 -07:00
|
|
|
*vp = OBJECT_TO_JSVAL(obj);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2010-10-10 15:48:29 -07:00
|
|
|
|
2011-01-13 13:03:44 -08:00
|
|
|
obj = WaiveXray(cx, obj);
|
|
|
|
|
if (!obj)
|
|
|
|
|
return false;
|
2010-10-10 15:48:29 -07:00
|
|
|
|
|
|
|
|
*vp = OBJECT_TO_JSVAL(obj);
|
|
|
|
|
return JS_WrapValue(cx, vp);
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-10 15:48:55 -07:00
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WrapSOWObject(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
JSObject *wrapperObj =
|
2012-02-05 12:07:23 -08:00
|
|
|
Wrapper::New(cx, obj, JS_GetPrototype(obj), JS_GetGlobalForObject(cx, obj),
|
2011-10-04 10:50:25 -07:00
|
|
|
&FilteringWrapper<SameCompartmentSecurityWrapper,
|
2011-10-14 10:52:48 -07:00
|
|
|
OnlyIfSubjectIsSystem>::singleton);
|
2010-10-10 15:48:55 -07:00
|
|
|
return wrapperObj;
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-28 06:12:28 -07:00
|
|
|
bool
|
|
|
|
|
WrapperFactory::IsComponentsObject(JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
const char *name = js::GetObjectClass(obj)->name;
|
|
|
|
|
return name[0] == 'n' && !strcmp(name, "nsXPCComponents");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WrapComponentsObject(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
JSObject *wrapperObj =
|
|
|
|
|
Wrapper::New(cx, obj, JS_GetPrototype(obj), JS_GetGlobalForObject(cx, obj),
|
|
|
|
|
&FilteringWrapper<SameCompartmentSecurityWrapper, ComponentsObjectPolicy>::singleton);
|
|
|
|
|
|
|
|
|
|
return wrapperObj;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-18 04:51:28 -07:00
|
|
|
JSObject *
|
|
|
|
|
WrapperFactory::WrapForSameCompartmentXray(JSContext *cx, JSObject *obj)
|
|
|
|
|
{
|
|
|
|
|
// We should be same-compartment here.
|
|
|
|
|
MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
|
|
|
|
|
|
|
|
|
|
// Sort out what kind of Xray we can do. If we can't Xray, bail.
|
|
|
|
|
XrayType type = GetXrayType(obj);
|
|
|
|
|
if (type == NotXray)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
// Select the appropriate proxy handler.
|
|
|
|
|
Wrapper *wrapper = NULL;
|
|
|
|
|
if (type == XrayForWrappedNative)
|
|
|
|
|
wrapper = &XrayWrapper<DirectWrapper>::singleton;
|
|
|
|
|
else if (type == XrayForDOMProxyObject)
|
|
|
|
|
wrapper = &XrayWrapper<DirectWrapper, ProxyXrayTraits>::singleton;
|
|
|
|
|
else if (type == XrayForDOMObject)
|
|
|
|
|
wrapper = &XrayWrapper<DirectWrapper, DOMXrayTraits>::singleton;
|
|
|
|
|
else
|
|
|
|
|
MOZ_NOT_REACHED("Bad Xray type");
|
|
|
|
|
|
|
|
|
|
// Make the Xray.
|
|
|
|
|
JSObject *parent = JS_GetGlobalForObject(cx, obj);
|
|
|
|
|
JSObject *wrapperObj = Wrapper::New(cx, obj, NULL, parent, wrapper);
|
|
|
|
|
if (!wrapperObj)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
// Make the holder.
|
|
|
|
|
JSObject *xrayHolder = XrayUtils::createHolder(cx, obj, parent);
|
|
|
|
|
if (!xrayHolder)
|
|
|
|
|
return nsnull;
|
|
|
|
|
js::SetProxyExtra(wrapperObj, 0, js::ObjectValue(*xrayHolder));
|
|
|
|
|
return wrapperObj;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-25 15:58:09 -07:00
|
|
|
}
|
