| blob | 566c2c3f26e2e32194b65007d5b07583788973a3 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* vim: set ts=8 sts=4 et sw=4 tw=99: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
29 // When chrome pulls a naked property across the membrane using
30 // .wrappedJSObject, we want it to cross the membrane into the
31 // chrome compartment without automatically being wrapped into an
32 // X-ray wrapper. We achieve this by wrapping it into a special
33 // transparent wrapper in the origin (non-chrome) compartment. When
34 // an object with that special wrapper applied crosses into chrome,
35 // we know to not apply an X-ray wrapper.
38 // When objects for which we waived the X-ray wrapper cross into
39 // chrome, we wrap them into a special cross-compartment wrapper
40 // that transitively extends the waiver to all properties we get
41 // off it.
44 bool
46 {
49 }
51 JSObject*
53 {
54 // Object should come fully unwrapped but outerized.
68 }
70 JSObject*
72 {
73 // The caller is required to have already done a lookup.
74 // NB: This implictly performs the assertions of GetXrayWaiver.
85 // Add the new waiver to the map. It's important that we only ever have
86 // one waiver for the lifetime of the target object.
91 }
95 }
97 JSObject*
99 {
108 }
110 // In general, we're trying to deprecate COWs incrementally as we introduce
111 // Xrays to the corresponding object types. But switching off COWs for certain
112 // things would be too tumultuous at present, so we punt on them for later.
113 static bool
115 {
119 "We should use XrayWrappers for standard ES Object, Array, and Function "
122 }
123 // Proxies get OpaqueXrayTraits, but we still need COWs to them for now to
124 // let the SpecialPowers wrapper work.
129 }
133 {
137 // If the original object did not point through an Xray waiver, we're done.
141 // If the original object was not a cross-compartment wrapper, that means
142 // that the caller explicitly created a waiver. Preserve it so that things
143 // like WaiveXrayAndWrap work.
147 // Otherwise, this is a case of explicitly passing a wrapper across a
148 // compartment boundary. In that case, we only want to preserve waivers
149 // in transactions between same-origin compartments.
156 }
158 JSObject*
161 {
164 // Outerize any raw inner objects at the entry point here, so that we don't
165 // have to worry about them for the rest of the wrapping code.
170 // The outerization hook wraps, which means that we can end up with a
171 // CCW here if |obj| was a navigated-away-from inner. Strip any CCWs.
174 }
176 // If we've got an outer window, there's nothing special that needs to be
177 // done here, and we can move on to the next phase of wrapping. We handle
178 // this case first to allow us to assert against wrappers below.
182 // Here are the rules for wrapping:
183 // We should never get a proxy here (the JS engine unwraps those for us).
186 // If the object being wrapped is a prototype for a standard class and the
187 // wrapper does not subsumes the wrappee, use the one from the content
188 // compartment. This is generally safer all-around, and in the COW case this
189 // lets us safely take advantage of things like .forEach() via the
190 // ChromeObjectWrapper machinery.
191 //
192 // If the prototype chain of chrome object |obj| looks like this:
193 //
194 // obj => foo => bar => chromeWin.StandardClass.prototype
195 //
196 // The prototype chain of COW(obj) looks lke this:
197 //
198 // COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
199 //
200 // NB: We now remap all non-subsuming access of standard prototypes.
201 //
202 // NB: We need to ignore domain here so that the security relationship we
203 // compute here can't change over time. See the comment above the other
204 // subsumes call below.
210 {
213 }
219 // No need to double-wrap here. We should never have waivers to
220 // COWs.
222 }
223 }
225 // Now, our object is ready to be wrapped, but several objects (notably
226 // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
227 // those objects in a security wrapper, then we need to hand back the
228 // wrapper for the new scope instead. Also, global objects don't move
229 // between scopes so for those we also want to return the wrapper. So...
239 {
241 // We have a precreate hook. This object might enforce that we only
242 // ever create JS object for it.
244 // Note: this penalizes objects that only have one wrapper, but are
245 // being accessed across compartments. We would really prefer to
246 // replace the above code with a test that says "do you only have one
247 // wrapper?"
252 // If the handed back scope differs from the passed-in scope and is in
253 // a separate compartment, then this object is explicitly requesting
254 // that we don't create a second JS object for it: create a security
255 // wrapper.
261 // The wrapper claims it wants to be in the new scope, but
262 // currently has a reflection that lives in the old scope. This
263 // can mean one of two things, both of which are rare:
264 //
265 // 1 - The object has a PreCreate hook (we checked for it above),
266 // but is deciding to request one-wrapper-per-scope (rather than
267 // one-wrapper-per-native) for some reason. Usually, a PreCreate
268 // hook indicates one-wrapper-per-native. In this case we want to
269 // make a new wrapper in the new scope.
270 //
271 // 2 - We're midway through wrapper reparenting. The document has
272 // moved to a new scope, but |wn| hasn't been moved yet, and
273 // we ended up calling JS_WrapObject() on its JS object. In this
274 // case, we want to return the existing wrapper.
275 //
276 // So we do a trick: call PreCreate _again_, but say that we're
277 // wrapping for the old scope, rather than the new one. If (1) is
278 // the case, then PreCreate will return the scope we pass to it
279 // (the old scope). If (2) is the case, PreCreate will return the
280 // scope of the document (the new scope).
285 // Check for case (2).
289 }
291 // Ok, must be case (1). Fall through and create a new wrapper.
292 }
294 // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
295 // but it's probably better than any of our alternatives.
296 //
297 // Note: We have to ignore domain here. The JS engine assumes that, given a
298 // compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
299 // it will also return a cross-compartment wrapper for any time t1 > t0 unless
300 // an explicit transplant is performed. In particular, wrapper recomputation
301 // assumes that recomputing a wrapper will always result in a wrapper.
302 //
303 // This doesn't actually pose a security issue, because we'll still compute
304 // the correct (opaque) wrapper for the object below given the security
305 // characteristics of the two compartments.
309 {
311 }
312 }
313 }
315 // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
316 // so we don't have to.
318 nsresult rv =
326 // Because the underlying native didn't have a PreCreate hook, we had
327 // to a new (or possibly pre-existing) XPCWN in our compartment.
328 // This could be a problem for chrome code that passes XPCOM objects
329 // across compartments, because the effects of QI would disappear across
330 // compartments.
331 //
332 // So whenever we pull an XPCWN across compartments in this manner, we
333 // give the destination object the union of the two native sets. We try
334 // to do this cleverly in the common case to avoid too much overhead.
343 }
345 #ifdef DEBUG
346 static void
349 {
351 // If the caller is chrome (or effectively so), unwrap should always be allowed.
354 // Similarly, if this is a privileged scope that has opted to make itself
355 // accessible to the world (allowed only during automation), unwrap should
356 // be allowed.
359 // Otherwise, it should depend on whether the target subsumes the origin.
360 MOZ_ASSERT(handler->hasSecurityPolicy() == !AccessCheck::subsumesConsideringDomain(target, origin));
361 }
362 }
363 #else
364 #define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) {}
365 #endif
370 {
371 // Waived Xray uses a modified CCW that has transparent behavior but
372 // transitively waives Xrays on arguments.
376 }
378 // If we don't want or can't use Xrays, select a wrapper that's either
379 // entirely transparent or entirely opaque.
384 }
386 // Ok, we're using Xray. If this isn't a security wrapper, use the permissive
387 // version and skip the filter.
397 }
399 // This is a security wrapper. Use the security versions and filter.
404 // There's never any reason to expose other objects to non-subsuming actors.
405 // Just use an opaque wrapper in these cases.
406 //
407 // In general, we don't want opaque function wrappers to be callable.
408 // But in the case of XBL, we rely on content being able to invoke
409 // functions exposed from the XBL scope. We could remove this exception,
410 // if needed, by using ExportFunction to generate the content-side
411 // representations of XBL methods.
415 }
419 {
429 // Add-on interposition only supports certain wrapper types, so we check if
430 // we would have used one of the supported ones.
438 // |wrapper| is not supported for interposition, so we don't do it.
440 }
442 JSObject*
444 HandleObject parent)
445 {
452 // We sometimes end up here after nsContentUtils has been shut down but before
453 // XPConnect has been shut down, so check the context stack the roundabout way.
456 // Compute the information we need to select the right wrapper.
468 //
469 // First, handle the special cases.
470 //
472 // If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
473 // a vanilla CCW.
477 }
479 // Let the SpecialPowers scope make its stuff easily accessible to content.
483 }
485 // If this is a chrome object being exposed to content without Xrays, use
486 // a COW.
487 //
488 // We make an exception for Object instances, because we still rely on COWs
489 // for those in a lot of places in the tree.
492 {
494 }
496 //
497 // Now, handle the regular cases.
498 //
499 // These are wrappers we can compute using a rule-based approach. In order
500 // to do so, we need to compute some parameters.
501 //
504 // The wrapper is a security wrapper (protecting the wrappee) if and
505 // only if the target does not subsume the origin.
508 // Xrays are warranted if either the target or the origin don't trust
509 // each other. This is generally the case, unless the two are same-origin
510 // and the caller has not requested same-origin Xrays.
511 //
512 // Xrays are a bidirectional protection, since it affords clarity to the
513 // caller and privacy to the callee.
518 // If Xrays are warranted, the caller may waive them for non-security
519 // wrappers.
522 // We have slightly different behavior for the case when the object
523 // being wrapped is in an XBL scope.
527 originIsContentXBLScope);
529 // If we want to apply add-on interposition in the target compartment,
530 // then we try to "upgrade" the wrapper to an interposing one.
533 }
536 // Do a belt-and-suspenders check against exposing eval()/Function() to
537 // non-subsuming content.
542 }
543 }
544 }
552 }
554 // Call WaiveXrayAndWrap when you have a JS object that you don't want to be
555 // wrapped in an Xray wrapper. cx->compartment is the compartment that will be
556 // using the returned object. If the object to be wrapped is already in the
557 // correct compartment, then this returns the unwrapped object.
558 bool
560 {
570 }
572 bool
574 {
581 }
583 // Even though waivers have no effect on access by scopes that don't subsume
584 // the underlying object, good defense-in-depth dictates that we should avoid
585 // handing out waivers to callers that can't use them. The transitive waiving
586 // machinery unconditionally calls WaiveXrayAndWrap on return values from
587 // waived functions, even though the return value might be not be same-origin
588 // with the function. So if we find ourselves trying to create a waiver for
589 // |cx|, we should check whether the caller has any business with waivers
590 // to things in |obj|'s compartment.
601 }
603 bool
605 {
608 }
610 /*
611 * Calls to JS_TransplantObject* should go through these helpers here so that
612 * waivers get fixed up properly.
613 */
615 static bool
617 {
621 // Create a waiver in the new compartment. We know there's not one already
622 // because we _just_ transplanted, which means that |newobj| was either
623 // created from scratch, or was previously cross-compartment wrapper (which
624 // should have no waiver). CreateXrayWaiver asserts this.
629 // Update all the cross-compartment references to oldWaiver to point to
630 // newWaiver.
634 // There should be no same-compartment references to oldWaiver, and we
635 // just remapped all cross-compartment references. It's dead, so we can
636 // remove it from the map.
642 }
644 JSObject*
646 {
655 }
657 nsIGlobalObject*
659 {
662 // Every global needs to hold a native as its private or be a
663 // WebIDL object with an nsISupports DOM object.
665 JSCLASS_HAS_PRIVATE)) ||
673 // In some cases (like for windows) it is a wrapped native,
674 // in other cases (sandboxes, backstage passes) it's just
675 // a direct pointer to the native. If it's a wrapped native
676 // let's unwrap it first.
679 }
680 }
686 }
688 }