| blob | 5c9eb227c60d0f7a820e14e477a2515a8899f214 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
26 #ifdef DEBUG
29 }
34 /* static */
38 // WindowProxy and Window must always be same-Realm, so we can do
39 // our IsPlatformObjectSameOrigin check against either one. But verify that
40 // in case we have a WindowProxy the right things happen.
42 // "true" for second arg means to unwrap WindowProxy to
43 // get at the Window.
52 // The spec effectively has an EqualsConsideringDomain check here,
53 // because the spec has no concept of asymmetric security
54 // relationships. But we shouldn't ever end up here in the
55 // asymmetric case anyway: That case should end up with Xrays, which
56 // don't call into this code.
57 //
58 // Let's assert that EqualsConsideringDomain and
59 // SubsumesConsideringDomain give the same results and use
60 // EqualsConsideringDomain for the check we actually do, since it's
61 // stricter and more closely matches the spec.
62 //
63 // That said, if the (not very well named)
64 // OriginAttributes::IsRestrictOpenerAccessForFPI() method returns
65 // false, we want to use FastSubsumesConsideringDomainIgnoringFPD
66 // instead of FastEqualsConsideringDomain, because in that case we
67 // still want to treat things which are in different first-party
68 // contexts as same-origin.
75 }
78 objectPrincipal) &&
80 subjectPrincipal);
81 }
88 // First check for an IDL-defined cross-origin property with the given name.
89 // This corresponds to
90 // https://html.spec.whatwg.org/multipage/browsers.html#crossorigingetownpropertyhelper-(-o,-p-)
91 // step 2.
95 }
98 }
100 /* static */
106 // Step 1.
108 // Spec says to return PropertyDescriptor {
109 // [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false,
110 // [[Configurable]]: true
111 // }.
115 }
117 // Step 2.
119 }
121 /* static */
125 // This is fairly similar to BaseProxyHandler::get, but there are some
126 // differences. Most importantly, we want to throw if we have a descriptor
127 // with no getter, while BaseProxyHandler::get returns undefined. The other
128 // big difference is that we don't have to worry about prototypes (ours is
129 // always null).
131 // We want to invoke [[GetOwnProperty]] on "obj", but _without_ entering its
132 // compartment, because for the proxies we have here [[GetOwnProperty]] will
133 // do security checks based on the current Realm. Unfortunately,
134 // JS_GetPropertyDescriptorById asserts that compartments match. Luckily, we
135 // know that "obj" is a proxy here, so we can directly call its
136 // getOwnPropertyDescriptor() hook.
137 //
138 // It looks like Proxy::getOwnPropertyDescriptor is not public, so just grab
139 // the handler and call its getOwnPropertyDescriptor hook directly.
148 // Step 1.
152 }
154 // Step 2.
156 "Callees should throw in all cases when they are not finding a "
160 // Step 3.
164 }
166 // Step 4.
169 // Step 5.
172 // Step 6.
174 }
176 // Step 7.
178 }
180 /* static */
185 // We want to invoke [[GetOwnProperty]] on "obj", but _without_ entering its
186 // compartment, because for the proxies we have here [[GetOwnProperty]] will
187 // do security checks based on the current Realm. Unfortunately,
188 // JS_GetPropertyDescriptorById asserts that compartments match. Luckily, we
189 // know that "obj" is a proxy here, so we can directly call its
190 // getOwnPropertyDescriptor() hook.
191 //
192 // It looks like Proxy::getOwnPropertyDescriptor is not public, so just grab
193 // the handler and call its getOwnPropertyDescriptor hook directly.
203 // Step 1.
207 }
209 // Step 2.
211 "Callees should throw in all cases when they are not finding a "
215 // Step 3.
219 // Step 3.1.
222 }
224 // Step 3.2.
226 }
228 // Step 4.
230 }
232 /* static */
239 // We store the holders in a weakmap stored in obj's slot. Our object is
240 // always a proxy, so we can just go ahead and use GetProxyReservedSlot here.
243 // Enter the Realm of "obj" when we allocate the WeakMap, since we are going
244 // to store it in a slot on "obj" and in general we may not be
245 // same-compartment with "obj" here.
250 }
253 }
261 // We need to be in "map"'s compartment to work with it. Per spec, the key
262 // for this map is supposed to be the pair (current settings, relevant
263 // settings). The current settings corresponds to the current Realm of cx.
264 // The relevant settings corresponds to the Realm of "obj", but since all of
265 // our objects are per-Realm singletons, we are basically using "obj" itself
266 // as part of the key.
267 //
268 // To represent the current settings, we use a dedicated key object of the
269 // current-Realm.
270 //
271 // We can't use the current global, because we can't get a useful
272 // cross-compartment wrapper for it; such wrappers would always go
273 // through a WindowProxy and would not be guarantee to keep pointing to a
274 // single Realm when unwrapped. We want to grab this key before we start
275 // changing Realms.
276 //
277 // Also we can't use arbitrary object (e.g.: Object.prototype), because at
278 // this point those compartments are not same-origin, and don't have access to
279 // each other, and the object retrieved here will be wrapped by a security
280 // wrapper below, and the wrapper will be stored into the cache
281 // (see Compartment::wrap). Those compartments can get access later by
282 // modifying `document.domain`, and wrapping objects after that point
283 // shouldn't result in a security wrapper. Wrap operation looks up the
284 // existing wrapper in the cache, that contains the security wrapper created
285 // here. We should use unique/private object here, so that this doesn't
286 // affect later wrap operation.
290 }
297 }
302 }
303 }
306 // We want to do an unchecked unwrap, because the holder (and the current
307 // caller) may actually be more privileged than our map.
310 // holder might be a dead object proxy if things got nuked.
315 }
316 }
318 // We didn't find a usable holder. Go ahead and allocate one. At this point
319 // we have two options: we could allocate the holder in the current Realm and
320 // store a cross-compartment wrapper for it in the map as needed, or we could
321 // allocate the holder in the Realm of the map and have it hold
322 // cross-compartment references to all the methods it holds, since those
323 // methods need to be in our current Realm. It seems better to allocate the
324 // holder in our current Realm.
334 }
340 // Key is already in the right Realm, but we need to wrap the value.
343 }
348 }
349 }
352 }
354 /* static */
359 }
368 }
375 }
376 }
379 }
385 // Inlined version of
386 // https://tc39.github.io/ecma262/#sec-set-immutable-prototype
389 // We have to be careful how we get the prototype. In particular, we do _NOT_
390 // want to enter the Realm of "proxy" to do that, in case we're not
391 // same-origin with it here.
395 }
400 }
404 }
407 }
413 // We have a custom [[GetPrototypeOf]]
416 }
421 // We just want to disallow this.
424 }
430 // We never allow [[PreventExtensions]] to succeed.
433 }
440 }
448 }
450 // Enter the Realm of proxy and do the remaining work in there.
455 }
460 }
466 // Just get the property keys from ourselves, in whatever Realm we happen to
467 // be in. It's important to not enter the Realm of "proxy" here, because that
468 // would affect the list of keys we claim to have. We wrap the proxy in the
469 // current compartment just to be safe; it doesn't affect behavior as far as
470 // CrossOriginObjectWrapper and MaybeCrossOriginObject are concerned.
474 }
477 }
479 // Force instantiations of the out-of-line template methods we need.