js/xpconnect/wrappers/AccessCheck.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef __AccessCheck_h__
   8 #define __AccessCheck_h__
   9
  10 #include "js/Id.h"
  11 #include "js/Wrapper.h"
  12 #include "nsString.h"
  13
  14 #ifdef XP_MACOSX
  15 // AssertMacros.h defines 'check' which conflicts with the method declarations
  16 // in this file.
  17 #  undef check
  18 #endif
  19
  20 namespace xpc {
  21
  22 class AccessCheck {
  23  public:
  24   static bool subsumes(JSObject* a, JSObject* b);
  25   static bool wrapperSubsumes(JSObject* wrapper);
  26   static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b);
  27   static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a, JS::Realm* b);
  28   static bool isChrome(JS::Compartment* compartment);
  29   static bool isChrome(JS::Realm* realm);
  30   static bool isChrome(JSObject* obj);
  31   static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
  32                                         JS::HandleValue value);
  33   static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
  34                                         const JS::CallArgs& args);
  35   // Called to report the correct sort of exception when our policy denies and
  36   // should throw.  The accessType argument should be one of "access",
  37   // "define", "delete", depending on which operation is being denied.
  38   static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
  39                                       const nsACString& accessType);
  40 };
  41
  42 /**
  43  * Returns true if the given object (which is expected to be stripped of
  44  * cross-compartment wrappers in practice, but this function doesn't assume
  45  * that) is a WindowProxy or Location object, which need special wrapping
  46  * behavior due to being usable cross-origin in limited ways.
  47  */
  48 bool IsCrossOriginAccessibleObject(JSObject* obj);
  49
  50 struct Policy {
  51   static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
  52                         const JS::CallArgs& args) {
  53     MOZ_CRASH("As a rule, filtering wrappers are non-callable");
  54   }
  55 };
  56
  57 // This policy allows no interaction with the underlying callable. Everything
  58 // throws.
  59 struct Opaque : public Policy {
  60   static bool check(JSContext* cx, JSObject* wrapper, jsid id,
  61                     js::Wrapper::Action act) {
  62     return false;
  63   }
  64   static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
  65                    bool mayThrow) {
  66     return false;
  67   }
  68   static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
  69                               JS::NativeImpl impl) {
  70     return false;
  71   }
  72 };
  73
  74 // Like the above, but allows CALL.
  75 struct OpaqueWithCall : public Policy {
  76   static bool check(JSContext* cx, JSObject* wrapper, jsid id,
  77                     js::Wrapper::Action act) {
  78     return act == js::Wrapper::CALL;
  79   }
  80   static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
  81                    bool mayThrow) {
  82     return false;
  83   }
  84   static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
  85                               JS::NativeImpl impl) {
  86     return false;
  87   }
  88   static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
  89                         const JS::CallArgs& args) {
  90     return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args);
  91   }
  92 };
  93
  94 // This class used to support permitting access to properties if they
  95 // appeared in an access list on the object, but now it acts like an
  96 // Opaque wrapper, with the exception that it fails silently for GET,
  97 // ENUMERATE, and GET_PROPERTY_DESCRIPTOR. This is done for backwards
  98 // compatibility. See bug 1397513.
  99 struct OpaqueWithSilentFailing : public Policy {
 100   static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
 101                     js::Wrapper::Action act) {
 102     return false;
 103   }
 104
 105   static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
 106                    bool mayThrow);
 107   static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
 108                               JS::NativeImpl impl) {
 109     return false;
 110   }
 111 };
 112
 113 }  // namespace xpc
 114
 115 #endif /* __AccessCheck_h__ */