| blob | 0fcc9249954ffc7a3b5fd12009c33c6b3ba3e753 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
34 #ifndef MOZ_UNIFIED_BUILD
36 Opaque>;
38 OpaqueWithCall>;
39 #endif
41 // When chrome pulls a naked property across the membrane using
42 // .wrappedJSObject, we want it to cross the membrane into the
43 // chrome compartment without automatically being wrapped into an
44 // X-ray wrapper. We achieve this by wrapping it into a special
45 // transparent wrapper in the origin (non-chrome) compartment. When
46 // an object with that special wrapper applied crosses into chrome,
47 // we know to not apply an X-ray wrapper.
50 // When objects for which we waived the X-ray wrapper cross into
51 // chrome, we wrap them into a special cross-compartment wrapper
52 // that transitively extends the waiver to all properties we get
53 // off it.
59 }
64 }
67 // Object should come fully unwrapped but outerized.
75 }
78 }
82 // The caller is required to have already done a lookup, unless it's
83 // trying to replace an existing waiver.
84 // NB: This implictly performs the assertions of GetXrayWaiver.
92 }
94 // Add the new waiver to the map. It's important that we only ever have
95 // one waiver for the lifetime of the target object.
98 }
101 }
103 }
113 }
116 }
118 /* static */
123 }
125 /* static */
130 }
137 // If the original object did not point through an Xray waiver, we're done.
140 }
142 // If the original object was not a cross-compartment wrapper, that means
143 // that the caller explicitly created a waiver. Preserve it so that things
144 // like WaiveXrayAndWrap work.
147 }
149 // Otherwise, this is a case of explicitly passing a wrapper across a
150 // compartment boundary. In that case, we only want to preserve waivers
151 // in transactions between same-origin compartments.
156 sameOrigin =
161 newCompartment) &&
163 oldCompartment);
164 }
166 }
168 // Special handling is needed when wrapping local and remote window proxies.
169 // This function returns true if it found a window proxy and dealt with it.
177 }
185 }
189 }
193 }
195 // We should only have a remote window proxy if bc is in a state where we
196 // expect remote window proxies. Otherwise, they should have been cleaned up
197 // by a call to CleanUpDanglingRemoteOuterWindowProxies().
203 // If bc is not in process, then use a remote window proxy, whether or not
204 // obj is one already.
207 }
208 }
211 }
214 HandleObject origObj,
215 HandleObject objArg,
216 HandleObject objectPassedToWrap,
217 MutableHandleObject retObj) {
218 // The JS engine calls ToWindowProxyIfWindow and deals with dead wrappers.
226 // There are a few cases related to window proxies that are handled first to
227 // allow us to assert against wrappers below.
230 // We don't put remote window proxies in a waiving wrapper.
233 }
235 }
237 // Here are the rules for wrapping:
238 // We should never get a proxy here (the JS engine unwraps those for us).
241 // Now, our object is ready to be wrapped, but several objects (notably
242 // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
243 // those objects in a security wrapper, then we need to hand back the
244 // wrapper for the new scope instead. Also, global objects don't move
245 // between scopes so for those we also want to return the wrapper. So...
249 }
258 // We have a precreate hook. This object might enforce that we only
259 // ever create JS object for it.
261 // Note: this penalizes objects that only have one wrapper, but are
262 // being accessed across compartments. We would really prefer to
263 // replace the above code with a test that says "do you only have one
264 // wrapper?"
270 }
272 // If the handed back scope differs from the passed-in scope and is in
273 // a separate compartment, then this object is explicitly requesting
274 // that we don't create a second JS object for it: create a security
275 // wrapper.
276 //
277 // Note: The only two objects that still use PreCreate are SystemGlobal
278 // and Components, both of which unconditionally request their canonical
279 // scope. Since SpiderMonkey only invokes the prewrap callback in
280 // situations where the object is nominally cross-compartment, we should
281 // always get a different scope here.
286 }
288 // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
289 // so we don't have to.
296 }
302 // Because the underlying native didn't have a PreCreate hook, we had
303 // to a new (or possibly pre-existing) XPCWN in our compartment.
304 // This could be a problem for chrome code that passes XPCOM objects
305 // across compartments, because the effects of QI would disappear across
306 // compartments.
307 //
308 // So whenever we pull an XPCWN across compartments in this manner, we
309 // give the destination object the union of the two native sets. We try
310 // to do this cleverly in the common case to avoid too much overhead.
316 }
320 }
322 // This check is completely symmetric, so we don't need to keep track of origin
323 // vs target here. Two compartments may have had transparent CCWs between them
324 // only if they are same-origin (ignoring document.domain) or have both had
325 // document.domain set at some point and are same-site. In either case they
326 // will have the same SiteIdentifier, so check that first.
334 }
339 }
341 #ifdef DEBUG
347 // The JS engine should have returned a dead wrapper in this case and we
348 // shouldn't even get here.
351 // If the caller is chrome (or effectively so), unwrap should always be
352 // allowed, but we might have a CrossOriginObjectWrapper here which allows
353 // it dynamically.
357 // Otherwise, it should depend on whether the target subsumes the origin.
362 origin));
364 // If the target (which is where the wrapper lives) does not subsume the
365 // origin (which is where the wrapped object lives), then we should
366 // generally have a security check on the wrapper here. There is one
367 // exception, though: things that used to be same-origin and then stopped
368 // due to document.domain changes. In that case we will have a
369 // transparent cross-compartment wrapper here even though "subsumes" is no
370 // longer true.
378 targetCompartmentPrivate)) {
379 // We should have a transparent CCW, unless we have a cross-origin
380 // object, in which case it will be a CrossOriginObjectWrapper.
385 }
387 // Even if target subsumes origin, we might have a wrapper with a security
388 // policy here, if it happens to be a CrossOriginObjectWrapper.
391 }
392 }
393 }
394 #else
395 # define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) \
396 { \
397 }
398 #endif
408 target);
409 }
413 // Waived Xray uses a modified CCW that has transparent behavior but
414 // transitively waives Xrays on arguments.
418 }
420 // If we don't want or can't use Xrays, select a wrapper that's either
421 // entirely transparent or entirely opaque.
425 }
428 }
430 // Ok, we're using Xray. If this isn't a security wrapper, use the permissive
431 // version and skip the filter.
437 }
440 }
442 // There's never any reason to expose other objects to non-subsuming actors.
443 // Just use an opaque wrapper in these cases.
445 }
448 HandleObject obj) {
455 // Compute the information we need to select the right wrapper.
478 // Track whether we decided to use a transparent wrapper because of
479 // document.domain usage, so we don't override that decision.
482 //
483 // First, handle the special cases.
484 //
486 // Special handling for chrome objects being exposed to content.
488 // If this is a chrome function being exposed to content, we need to allow
489 // call (but nothing else).
494 }
496 // For vanilla JSObjects exposed from chrome to content, we use a wrapper
497 // that fails silently in a few cases. We'd like to get rid of this
498 // eventually, but in their current form they don't cause much trouble.
501 }
503 // Otherwise we get an opaque wrapper.
505 wrapper =
507 }
508 }
510 // Special handling for the web's cross-origin objects (WindowProxy and
511 // Location). We only need or want to do this in web-like contexts, where all
512 // security relationships are symmetric and there are no forced Xrays.
514 // Check for the more rare case of cross-origin objects before doing
515 // the more-likely-to-pass checks for wantXrays.
520 }
522 // Special handling for other web objects. Again, we only want this in
523 // web-like contexts (symmetric security relationships, no forced Xrays). In
524 // this situation, if the two compartments may ever have had transparent CCWs
525 // between them, we want to keep using transparent CCWs.
530 targetCompartmentPrivate)) {
533 }
535 //
536 // Now, handle the regular cases.
537 //
538 // These are wrappers we can compute using a rule-based approach. In order
539 // to do so, we need to compute some parameters.
540 //
542 // The wrapper is a security wrapper (protecting the wrappee) if and
543 // only if the target does not subsume the origin.
546 // Xrays are warranted if either the target or the origin don't trust
547 // each other. This is generally the case, unless the two are same-origin
548 // and the caller has not requested same-origin Xrays.
549 //
550 // Xrays are a bidirectional protection, since it affords clarity to the
551 // caller and privacy to the callee.
558 // If Xrays are warranted, the caller may waive them for non-security
559 // wrappers (unless explicitly forbidden from doing so).
565 }
568 // Do a belt-and-suspenders check against exposing eval()/Function() to
569 // non-subsuming content.
577 }
578 }
579 }
585 }
588 }
590 // Call WaiveXrayAndWrap when you have a JS object that you don't want to be
591 // wrapped in an Xray wrapper. cx->compartment is the compartment that will be
592 // using the returned object. If the object to be wrapped is already in the
593 // correct compartment, then this returns the unwrapped object.
597 }
602 }
606 }
609 MutableHandleObject argObj) {
616 }
618 // Even though waivers have no effect on access by scopes that don't subsume
619 // the underlying object, good defense-in-depth dictates that we should avoid
620 // handing out waivers to callers that can't use them. The transitive waiving
621 // machinery unconditionally calls WaiveXrayAndWrap on return values from
622 // waived functions, even though the return value might be not be same-origin
623 // with the function. So if we find ourselves trying to create a waiver for
624 // |cx|, we should check whether the caller has any business with waivers
625 // to things in |obj|'s compartment.
631 }
635 }
638 }
640 /*
641 * Calls to JS_TransplantObject* should go through these helpers here so that
642 * waivers get fixed up properly.
643 */
646 HandleObject newobj,
652 // If the new compartment has a CCW for oldWaiver, nuke this CCW. This
653 // prevents confusing RemapAllWrappersForObject: it would call RemapWrapper
654 // with two same-compartment objects (the CCW and the new waiver).
655 //
656 // This can happen when loading a chrome page in a content frame and there
657 // exists a CCW from the chrome compartment to oldWaiver wrapping the window
658 // we just transplanted:
659 //
660 // Compartment 1 | Compartment 2
661 // ----------------------------------------
662 // CCW1 -----------> oldWaiver --> CCW2 --+
663 // newWaiver |
664 // WindowProxy <--------------------------+
666 oldWaiver);
668 // We kept the same object identity, so the waiver should be a
669 // waiver for our object, just in the wrong Realm.
671 }
673 // Create a waiver in the new compartment. We know there's not one already in
674 // the crossCompartmentTransplant case because we _just_ transplanted, which
675 // means that |newobj| was either created from scratch, or was previously
676 // cross-compartment wrapper (which should have no waiver). On the other hand,
677 // in the !crossCompartmentTransplant case we know one already exists.
678 // CreateXrayWaiver asserts all this.
684 }
687 // CreateXrayWaiver should have updated the map to point to the new waiver.
689 }
691 // Update all the cross-compartment references to oldWaiver to point to
692 // newWaiver.
695 }
698 // There should be no same-compartment references to oldWaiver, and we
699 // just remapped all cross-compartment references. It's dead, so we can
700 // remove it from the map.
705 }
708 }
718 }
722 // We might still have been transplanted across realms within a single
723 // compartment.
725 // The old waiver is same-realm with the new object; nothing else to do
726 // here.
728 }
729 }
732 crossCompartmentTransplant)) {
734 }
736 }
741 // Save the chain of objects that carry origobj's Xray expando properties
742 // (from all compartments). TransplantObject will blow this away; we'll
743 // restore it manually afterwards.
749 // Copy Xray expando properties to the new wrapper.
752 // Failure here means some expandos were not copied over. The object graph
753 // and the Xray machinery are left in a consistent state, but mysteriously
754 // losing these expandos is too weird to allow.
756 }
759 }
765 }
774 // Get rid of any CCWs the waiver may have had.
777 }
778 }
785 }
790 // Every global needs to hold a native as its first reserved slot or be a
791 // WebIDL object with an nsISupports DOM object.
800 // In some cases (like for windows) it is a wrapped native,
801 // in other cases (sandboxes, system globals) it's just
802 // a direct pointer to the native. If it's a wrapped native
803 // let's unwrap it first.
806 }
807 }
814 }
818 }