js/xpconnect/wrappers/WrapperFactory.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef _xpc_WRAPPERFACTORY_H
   8 #define _xpc_WRAPPERFACTORY_H
   9
  10 #include "js/Wrapper.h"
  11
  12 namespace xpc {
  13
  14 /**
  15  * A wrapper that's only used for cross-origin objects. This should be
  16  * just like a CrossCompartmentWrapper but (as an implementation
  17  * detail) doesn't actually do any compartment-entering and (as an
  18  * implementation detail) delegates all the security decisions and
  19  * compartment-entering to the target object, which is always a
  20  * proxy.
  21  *
  22  * We could also inherit from CrossCompartmentWrapper but then we
  23  * would need to override all the proxy hooks to avoid the
  24  * compartment-entering bits.
  25  */
  26 class CrossOriginObjectWrapper : public js::Wrapper {
  27  public:
  28   // We want to claim to have a security policy, so code doesn't just
  29   // CheckedUnwrap us willy-nilly.  But we're OK with the BaseProxyHandler
  30   // implementation of enter(), which allows entering.  Our target is what
  31   // really does the security checks.
  32   //
  33   // We don't want to inherit from CrossCompartmentWrapper, because we don't
  34   // want the compartment-entering behavior it has.  But we do want to set the
  35   // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for
  36   // is<js::CrossCompartmentWrapperObject> and so forth.
  37   constexpr explicit CrossOriginObjectWrapper()
  38       : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
  39                     /* aHasSecurityPolicy = */ true) {}
  40
  41   bool dynamicCheckedUnwrapAllowed(JS::Handle<JSObject*> obj,
  42                                    JSContext* cx) const override;
  43
  44   // Cross origin objects should not participate in private fields.
  45   virtual bool throwOnPrivateField() const override { return true; }
  46
  47   static const CrossOriginObjectWrapper singleton;
  48 };
  49
  50 class WrapperFactory {
  51  public:
  52   enum {
  53     WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1,
  54     IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1
  55   };
  56
  57   // Return true if any of any of the nested wrappers have the flag set.
  58   static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) {
  59     unsigned flags = 0;
  60     js::UncheckedUnwrap(wrapper, true, &flags);
  61     return !!(flags & flag);
  62   }
  63
  64   static bool IsXrayWrapper(JSObject* wrapper) {
  65     return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG);
  66   }
  67
  68   static bool IsCrossOriginWrapper(JSObject* obj) {
  69     return (js::IsProxy(obj) &&
  70             js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton);
  71   }
  72
  73   static bool IsOpaqueWrapper(JSObject* obj);
  74
  75   static bool HasWaiveXrayFlag(JSObject* wrapper) {
  76     return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG);
  77   }
  78
  79   static bool IsCOW(JSObject* wrapper);
  80
  81   static JSObject* GetXrayWaiver(JS::Handle<JSObject*> obj);
  82   // If allowExisting is true, there is an existing waiver for obj in
  83   // its scope, but we want to replace it with the new one.
  84   static JSObject* CreateXrayWaiver(JSContext* cx, JS::Handle<JSObject*> obj,
  85                                     bool allowExisting = false);
  86   static JSObject* WaiveXray(JSContext* cx, JSObject* obj);
  87
  88   // Computes whether we should allow the creation of an Xray waiver from
  89   // |target| to |origin|.
  90   static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin);
  91
  92   // Convenience method for the above, operating on a wrapper.
  93   static bool AllowWaiver(JSObject* wrapper);
  94
  95   // Prepare a given object for wrapping in a new compartment.
  96   static void PrepareForWrapping(JSContext* cx, JS::Handle<JSObject*> scope,
  97                                  JS::Handle<JSObject*> origObj,
  98                                  JS::Handle<JSObject*> obj,
  99                                  JS::Handle<JSObject*> objectPassedToWrap,
 100                                  JS::MutableHandle<JSObject*> retObj);
 101
 102   // Rewrap an object that is about to cross compartment boundaries.
 103   static JSObject* Rewrap(JSContext* cx, JS::Handle<JSObject*> existing,
 104                           JS::Handle<JSObject*> obj);
 105
 106   // Wrap wrapped object into a waiver wrapper and then re-wrap it.
 107   static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle<JS::Value> vp);
 108   static bool WaiveXrayAndWrap(JSContext* cx,
 109                                JS::MutableHandle<JSObject*> object);
 110 };
 111
 112 }  // namespace xpc
 113
 114 #endif /* _xpc_WRAPPERFACTORY_H */