Commit Graph

60 Commits

Author SHA1 Message Date
Julien Levesy
d0eca42a80 Bug 1006692 - Replaced nsScriptSecurityManager::SubjectIsPrivileged and AccessCheck::IsCallerChrome by nsContentUtils::IsCallerChrome. r=bholley 2014-05-19 13:39:00 +02:00
Birunthan Mohanathas
eaba6c5a37 Bug 866289 - Make mode lines consistent in js/xpconnect/ for 4 space indented files. r=Ms2ger 2014-04-03 07:58:00 -04:00
Bobby Holley
8c3d899db2 Bug 825392 - Remove SOWs. r=bz 2014-03-19 13:35:45 -03:00
Bobby Holley
abb31827e1 Bug 976704 - Make opaque security wrappers non-callable. r=gabor,sr=mrbkap 2014-03-18 19:23:45 -03:00
Bobby Holley
2fd8b7b977 Bug 956382 - Remove usage of explicit *IgnoringDomain variants. r=mrbkap 2014-02-13 18:57:36 -08:00
Bobby Holley
7a8e0ba5b9 Bug 956382 - Add AccessCheck::subsumesConsideringDomain and clean up other implementations. r=mrbkap
We now assert that we have a principal when we enter the wrap callback, and we
now have a convenient overload defined in nsIPrincipal.idl.
2014-02-13 18:57:34 -08:00
Bobby Holley
1bb0b956eb Bug 965901 - Add an ENUMERATE policy action. r=gabor sr=mrbkap 2014-02-13 10:54:08 -08:00
Bobby Holley
30bfce6ebe Bug 951948 - Remove Components wrappers. r=mrbkap
We fix up the tests here to test the new behavior, and fix some bugs in the test
while we're at it.
2014-01-14 18:49:30 -08:00
Nicholas Nethercote
3a2ab0db3f Bug 912411 (part 2) - Move JSID_{VOID,EMPTY}HANDLE from jsapi.{h,cpp} to Id.{h,cpp}. r=luke.
--HG--
extra : rebase_source : 5fb68bf5079e3261fdca6cb99717d3a502c878f3
2013-09-05 16:08:57 -07:00
Nicholas Nethercote
9e88f47219 Bug 910109 (part 2) - Make jswrapper.h not depend on jsapi.h. r=luke.
--HG--
extra : rebase_source : 138e93b074691e9da0feab9cd24e149f4d5edf6a
2013-08-28 17:24:34 -07:00
Nicholas Nethercote
42ccf38dcd Bug 905017 (part 1) - Minimize inclusions of JS engine headers in .h and .idl files. r=billm.
--HG--
extra : rebase_source : 984c61ab12f46be0509b1ce0d458d9a6e5841c64
2013-08-17 15:50:18 -07:00
Jon Coppeard
2632590a6e Bug 885310 - 2 Rename JSHandleFoo in js directory r=bholley 2013-06-21 14:12:46 +01:00
Bobby Holley
66cef80cfe Bug 862380 - Silently fail for enumerate-like operations on XOWs. r=mrbkap 2013-05-22 22:27:15 -06:00
Bobby Holley
04fe393f0c Bug 862380 - Pass the entered id in addition to the wrapper action to Policy::deny. r=mrbkap 2013-05-22 22:27:15 -06:00
Nathan Froyd
2271a709b0 Bug 871595 - don't include WrapperFactory.h in AccessCheck.h; r=bholley 2013-05-13 12:04:23 -04:00
Bobby Holley
84aefeb108 Bug 834707 - Kill dynamic SOWs. r=gabor
Now that XBL scopes are here to stay (no more pref), we can remove all the
machinery that makes SOWs dynamic. We still need SOWs until bug 825392 is
fixed, but they can now be totally opaque.

One side effect of this patch is that, due to our usage of Opaque, we now
allow CALL on SOWs. But this shouldn't be a problem, because SOWs are used
for anonymous elements which are not callable (and we probably wouldn't mind
it even if they were).
2013-05-06 19:38:23 -07:00
Bobby Holley
eb199ec0c8 Bug 843829 - Wrap unwaived content JS objects in opaque wrappers for XBL scopes. r=mrbkap 2013-04-03 11:41:23 -07:00
Ehsan Akhgari
9df6dde4c7 Backed out 6 changesets (bug 843829, bug 845862) because of broken mochitest-5
Backed out changeset 1df3bdadb7ce (bug 843829)
Backed out changeset 64f001fe04fb (bug 843829)
Backed out changeset 57652d8f0827 (bug 843829)
Backed out changeset 2e889cd77a48 (bug 843829)
Backed out changeset 97d16e7beb27 (bug 843829)
Backed out changeset 6c6ab0e54917 (bug 845862)

Landed on a CLOSED TREE
2013-04-02 23:05:48 -04:00
Bobby Holley
b7d2424ff1 Bug 843829 - Wrap unwaived content JS objects in opaque wrappers for XBL scopes. r=mrbkap 2013-04-02 18:51:20 -07:00
Bobby Holley
ad352a027b Bug 854480 - Remove SCRIPT_ACCESS_ONLY. r=mrbkap 2013-04-01 15:17:51 -07:00
Bobby Holley
5c2f6cfd84 Bug 658909 - Make isSafeToUnwrap pseudo-dynamic for SOWs. r=mrbkap
This can go away as soon as XBL scopes are no longer behind a pref.
2013-03-21 08:20:41 -07:00
Ryan VanderMeulen
75a33a8191 Backed out 22 changesets (bug 658909) for Windows debug bustage. 2013-03-21 15:24:54 -04:00
Bobby Holley
d6a9021608 Bug 658909 - Make isSafeToUnwrap pseudo-dynamic for SOWs. r=mrbkap
This can go away as soon as XBL scopes are no longer behind a pref.
2013-03-21 08:20:41 -07:00
Ms2ger
0fcece12d8 Backout bug 658909 for Marionette bustage. 2013-03-17 10:44:33 +01:00
Bobby Holley
11ee47784a Bug 658909 - Make isSafeToUnwrap pseudo-dynamic for SOWs. r=mrbkap
This can go away as soon as XBL scopes are no longer behind a pref.
2013-03-16 22:58:13 -07:00
Bobby Holley
83a57c8d91 Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap
This will allow us to make some hard assertions that a given policy has been
entered exactly once.
2013-02-25 13:54:18 -08:00
Phil Ringnalda
f3f16b4069 Back out 4d301b2bcad0:e0632e639097 (bug 836301) for Windows build bustage
CLOSED TREE
2013-02-22 08:41:37 -08:00
Bobby Holley
c9d462848e Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap
This will allow us to make some hard assertions that a given policy has been
entered exactly once.
2013-02-22 08:14:33 -08:00
Bobby Holley
33983c1d00 Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap
There's no reason to be doing a dynamic check here, given that the JSClasses
will never match. Lets be explicit and safe.
2013-01-23 06:04:38 +01:00
Bobby Holley
2ca33ed4e3 Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-20 22:33:26 -08:00
Bobby Holley
3fcdd84451 Bug 818716 - Move XBL detection into nsContentUtils and remove filename hack. r=mrbkap 2012-12-12 17:09:37 -08:00
Bobby Holley
2db9f70258 Bug 813901 - Validate __exposedProps__. r=mrbkap
This also involves modifying test_cows to deep clone in getCOW.
2012-12-07 14:49:11 -08:00
Bobby Holley
f56e3f9249 Bug 808608 - Remove specialized Location security wrappers. r=mrbkap 2012-11-21 13:20:05 -08:00
Bobby Holley
1352e469d8 Bug 800915 - Reimplement PUNCTURE consumers in terms of isSafeToUnwrap() and remove PUNCTURE API. r=mrbkap 2012-11-14 09:56:25 -08:00
Bobby Holley
8b06fa3c7e Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap
This is another one of those annoying situaitons in XPConnect right now where we
can't ask a question without potentially throwing if the answer is no. There's
also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff
was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch
up nicely. Sorry for the big diff. :-(

In a nutshell, this patch changes things so that Policy::check() just becomes
a predicate that says whether the access is allowed or not. There's the remote
possibility that one of the underlying JSAPI calls in a ::check() implementation
might throw, so callers to ::check() should check JS_IsExceptionPending
afterwards (this doesn't catch OOM, but we can just continue along until the
next OOM-triggering operation and throw there).

Aside from exceptional cases, callers should call Policy::deny if they want to
report the failure. Policy::deny returns success value that should be returned
to the wrapper's consumer.
2012-11-02 21:47:49 -03:00
Ed Morley
b159aab211 Backout 23c9f61a243b & 6ca11f4b470c (bug 805807) for mochitest-1 orange in test_contextmenu.html 2012-11-02 14:12:51 +00:00
Bobby Holley
2d408f61a6 Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap
This is another one of those annoying situaitons in XPConnect right now where we
can't ask a question without potentially throwing if the answer is no. There's
also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff
was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch
up nicely. Sorry for the big diff. :-(

In a nutshell, this patch changes things so that Policy::check() just becomes
a predicate that says whether the access is allowed or not. There's the remote
possibility that one of the underlying JSAPI calls in a ::check() implementation
might throw, so callers to ::check() should check JS_IsExceptionPending
afterwards (this doesn't catch OOM, but we can just continue along until the
next OOM-triggering operation and throw there).

Aside from exceptional cases, callers should call Policy::deny if they want to
report the failure. Policy::deny returns success value that should be returned
to the wrapper's consumer.
2012-11-02 13:27:59 +01:00
Bobby Holley
b9afeeb542 Bug 795275 - Introduce an explicit mechanism for determining if a script is from XBL. r=mrbkap
We want this right now so that we can avoid the scary warning when content Components
access happens in XBL (which we're allowing going forward). This patch would be overkill
just for that, but I also have plans to introduce a SOW-like protection of the Components
wrapper filtering policy. I can't just do the filename hack for that though, because real-
world XBL filenames might be all over the place. So let's just be safe here.
2012-10-03 11:44:18 +02:00
Bobby Holley
f1fd4b30db Bug 789713 - Ignore domain when computing whether to share non-PreCreate WNs cross-compartment. r=mrbkap 2012-09-11 10:23:20 -07:00
Bobby Holley
4473d2369c Bug 788914 - Kill the XOW flag. r=mrbkap
There are really two questions to be asked: is the caller chrome, and does the
caller subsume the callee. We have other, more precise ways of asking both of
these questions.
2012-09-11 01:05:10 -07:00
Ryan VanderMeulen
bdca80da9c Backout bug 788914 and bug 789494 because they were backed out on inbound. 2012-09-07 19:40:57 -04:00
Bobby Holley
cd6c993710 Bug 788914 - Kill the XOW flag. r=mrbkap
There are really two questions to be asked: is the caller chrome, and does the
caller subsume the callee. We have other, more precise ways of asking both of
these questions.
2012-09-07 11:28:56 -07:00
Ed Morley
38c6f2fdd8 Backout 5853df66d488, e8fadd906232, d787279d282c, 8c1ed6327355, 94cfcf5da7c8, 87aa103d7e87 (bug 585922) for failures in test_bug411236.html 2012-09-07 09:15:34 +01:00
Bobby Holley
27358249f4 Bug 788914 - Kill the XOW flag. r=mrbkap
There are really two questions to be asked: is the caller chrome, and does the
caller subsume the callee. We have other, more precise ways of asking both of
these questions.
2012-09-06 22:55:18 -07:00
Luke Wagner
94264a0bc8 Bug 625199 - s/JSAutoEnterCompartment/JSAutoCompartment/ and make it infallible (r=bholley)
--HG--
extra : rebase_source : 12acf2288285f5caefd7fecea8207de3a47eab5b
2012-08-21 18:42:53 -07:00
Bobby Holley
ea5054b136 Bug 760109 - Introduce an explicit ChromeObjectWrapper. r=mrbkap
For now it's identical to ChromeObjectWrapperBase. Custom behavior comes in the next patch.
2012-07-27 12:15:46 +02:00
Bobby Holley
bf7c218243 Bug 655649 - Stop doing dynamic security checks for document.domain. r=mrbkap 2012-07-12 10:10:15 +02:00
Bobby Holley
63851e7543 Bug 655649 - Use Subsumes Rather than Equals in XPConnect wrapper computation. r=mrbkap
Now that we have nsExpandedPrincipal, the current way of doing things is wrong. For some reason, the old document.domain hackery was hiding the failures here.
2012-07-12 10:10:15 +02:00
Bobby Holley
f729fb1536 Bug 763433 - Clarify compartment semantics for ExposedPropertiesOnly. r=mrbkap 2012-06-18 15:47:09 +02:00
Blake Kaplan
f14f44ff14 Bug 751858 - Actually throw when we deny access. r=bholley 2012-05-04 14:22:55 +02:00