search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 470455 - test_database_sync_embed_visits.js leaks, r=sdwilsh
[wine-gecko.git] / caps / include / nsScriptSecurityManager.h
blobbca33602d0b25c6a7262285a4e4939306a85fb0a
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 *
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
9 *
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
14 *
15 * The Original Code is mozilla.org code.
16 *
17 * The Initial Developer of the Original Code is
18 * Netscape Communications Corporation.
19 * Portions created by the Initial Developer are Copyright (C) 1998-2000
20 * the Initial Developer. All Rights Reserved.
21 *
22 * Contributor(s):
23 * Norris Boyd <nboyd@atg.com>
24 * Mitch Stoltz <mstoltz@netscape.com>
25 * Christopher A. Aillon <christopher@aillon.com>
26 * Giorgio Maone <g.maone@informaction.com>
27 *
28 * Alternatively, the contents of this file may be used under the terms of
29 * either of the GNU General Public License Version 2 or later (the "GPL"),
30 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
31 * in which case the provisions of the GPL or the LGPL are applicable instead
32 * of those above. If you wish to allow use of your version of this file only
33 * under the terms of either the GPL or the LGPL, and not to allow others to
34 * use your version of this file under the terms of the MPL, indicate your
35 * decision by deleting the provisions above and replace them with the notice
36 * and other provisions required by the GPL or the LGPL. If you do not delete
37 * the provisions above, a recipient may use your version of this file under
38 * the terms of any one of the MPL, the GPL or the LGPL.
39 *
40 * ***** END LICENSE BLOCK ***** */
41
42 #ifndef nsScriptSecurityManager_h__
43 #define nsScriptSecurityManager_h__
44
45 #include "nsIScriptSecurityManager.h"
46 #include "nsIPrincipal.h"
47 #include "jsapi.h"
48 #include "jsdbgapi.h"
49 #include "nsIXPCSecurityManager.h"
50 #include "nsInterfaceHashtable.h"
51 #include "nsHashtable.h"
52 #include "nsCOMPtr.h"
53 #include "nsIPrefService.h"
54 #include "nsISecurityPref.h"
55 #include "nsIChannelEventSink.h"
56 #include "nsIJSContextStack.h"
57 #include "nsIObserver.h"
58 #include "pldhash.h"
59 #include "plstr.h"
60
61 class nsIDocShell;
62 class nsString;
63 class nsIClassInfo;
64 class nsIIOService;
65 class nsIXPConnect;
66 class nsIStringBundle;
67 class nsSystemPrincipal;
68 struct ClassPolicy;
69 class ClassInfoData;
70 class DomainPolicy;
71
72 #if defined(DEBUG_mstoltz) || defined(DEBUG_caillon)
73 #define DEBUG_CAPS_HACKER
74 #endif
75
76 #ifdef DEBUG_CAPS_HACKER
77 #define DEBUG_CAPS_CheckPropertyAccessImpl
78 #define DEBUG_CAPS_LookupPolicy
79 #define DEBUG_CAPS_CheckComponentPermissions
80 #endif
81
82 #if 0
83 #define DEBUG_CAPS_CanCreateWrapper
84 #define DEBUG_CAPS_CanCreateInstance
85 #define DEBUG_CAPS_CanGetService
86 #define DEBUG_CAPS_DomainPolicyLifeCycle
87 #endif
88
89 /////////////////////
90 // PrincipalKey //
91 /////////////////////
92
93 class PrincipalKey : public PLDHashEntryHdr
94 {
95 public:
96 typedef const nsIPrincipal* KeyType;
97 typedef const nsIPrincipal* KeyTypePointer;
98
99 PrincipalKey(const nsIPrincipal* key)
100 : mKey(const_cast<nsIPrincipal*>(key))
101 {
102 }
103
104 PrincipalKey(const PrincipalKey& toCopy)
105 : mKey(toCopy.mKey)
106 {
107 }
108
109 ~PrincipalKey()
110 {
111 }
112
113 KeyType GetKey() const
114 {
115 return mKey;
116 }
117
118 PRBool KeyEquals(KeyTypePointer aKey) const
119 {
120 PRBool eq;
121 mKey->Equals(const_cast<nsIPrincipal*>(aKey),
122 &eq);
123 return eq;
124 }
125
126 static KeyTypePointer KeyToPointer(KeyType aKey)
127 {
128 return aKey;
129 }
130
131 static PLDHashNumber HashKey(KeyTypePointer aKey)
132 {
133 PRUint32 hash;
134 const_cast<nsIPrincipal*>(aKey)->GetHashValue(&hash);
135 return PLDHashNumber(hash);
136 }
137
138 enum { ALLOW_MEMMOVE = PR_TRUE };
139
140 private:
141 nsCOMPtr<nsIPrincipal> mKey;
142 };
143
144 ////////////////////
145 // Policy Storage //
146 ////////////////////
147
148 // Property Policy
149 union SecurityLevel
150 {
151 PRInt32 level;
152 char* capability;
153 };
154
155 // Security levels
156 // These values all have the low bit set (except UNDEFINED_ACCESS)
157 // to distinguish them from pointer values, because no pointer
158 // to allocated memory ever has the low bit set. A SecurityLevel
159 // contains either one of these constants or a pointer to a string
160 // representing the name of a capability.
161
162 #define SCRIPT_SECURITY_UNDEFINED_ACCESS 0
163 #define SCRIPT_SECURITY_ACCESS_IS_SET_BIT 1
164 #define SCRIPT_SECURITY_NO_ACCESS \
165 ((1 << 0) | SCRIPT_SECURITY_ACCESS_IS_SET_BIT)
166 #define SCRIPT_SECURITY_SAME_ORIGIN_ACCESS \
167 ((1 << 1) | SCRIPT_SECURITY_ACCESS_IS_SET_BIT)
168 #define SCRIPT_SECURITY_ALL_ACCESS \
169 ((1 << 2) | SCRIPT_SECURITY_ACCESS_IS_SET_BIT)
170
171 #define SECURITY_ACCESS_LEVEL_FLAG(_sl) \
172 ((_sl.level == 0) || \
173 (_sl.level & SCRIPT_SECURITY_ACCESS_IS_SET_BIT))
174
175
176 struct PropertyPolicy : public PLDHashEntryHdr
177 {
178 jsval key; // property name as jsval
179 SecurityLevel mGet;
180 SecurityLevel mSet;
181 };
182
183 static PRBool
184 InitPropertyPolicyEntry(PLDHashTable *table,
185 PLDHashEntryHdr *entry,
186 const void *key)
187 {
188 PropertyPolicy* pp = (PropertyPolicy*)entry;
189 pp->key = (jsval)key;
190 pp->mGet.level = SCRIPT_SECURITY_UNDEFINED_ACCESS;
191 pp->mSet.level = SCRIPT_SECURITY_UNDEFINED_ACCESS;
192 return PR_TRUE;
193 }
194
195 static void
196 ClearPropertyPolicyEntry(PLDHashTable *table, PLDHashEntryHdr *entry)
197 {
198 PropertyPolicy* pp = (PropertyPolicy*)entry;
199 pp->key = JSVAL_VOID;
200 }
201
202 // Class Policy
203 #define NO_POLICY_FOR_CLASS (ClassPolicy*)1
204
205 struct ClassPolicy : public PLDHashEntryHdr
206 {
207 char* key;
208 PLDHashTable* mPolicy;
209
210 // Note: the DomainPolicy owns us, so if if dies we will too. Hence no
211 // need to refcount it here (and in fact, we'd probably leak if we tried).
212 DomainPolicy* mDomainWeAreWildcardFor;
213 };
214
215 static void
216 ClearClassPolicyEntry(PLDHashTable *table, PLDHashEntryHdr *entry)
217 {
218 ClassPolicy* cp = (ClassPolicy *)entry;
219 if (cp->key)
220 {
221 PL_strfree(cp->key);
222 cp->key = nsnull;
223 }
224 PL_DHashTableDestroy(cp->mPolicy);
225 }
226
227 // Note: actual impl is going to be after the DomainPolicy class definition,
228 // since we need to access members of DomainPolicy in the impl
229 static void
230 MoveClassPolicyEntry(PLDHashTable *table,
231 const PLDHashEntryHdr *from,
232 PLDHashEntryHdr *to);
233
234 static PRBool
235 InitClassPolicyEntry(PLDHashTable *table,
236 PLDHashEntryHdr *entry,
237 const void *key)
238 {
239 static PLDHashTableOps classPolicyOps =
240 {
241 PL_DHashAllocTable,
242 PL_DHashFreeTable,
243 PL_DHashVoidPtrKeyStub,
244 PL_DHashMatchEntryStub,
245 PL_DHashMoveEntryStub,
246 ClearPropertyPolicyEntry,
247 PL_DHashFinalizeStub,
248 InitPropertyPolicyEntry
249 };
250
251 ClassPolicy* cp = (ClassPolicy*)entry;
252 cp->mDomainWeAreWildcardFor = nsnull;
253 cp->key = PL_strdup((const char*)key);
254 if (!cp->key)
255 return PR_FALSE;
256 cp->mPolicy = PL_NewDHashTable(&classPolicyOps, nsnull,
257 sizeof(PropertyPolicy), 16);
258 if (!cp->mPolicy) {
259 PL_strfree(cp->key);
260 cp->key = nsnull;
261 return PR_FALSE;
262 }
263 return PR_TRUE;
264 }
265
266 // Domain Policy
267 class DomainPolicy : public PLDHashTable
268 {
269 public:
270 DomainPolicy() : mWildcardPolicy(nsnull),
271 mRefCount(0)
272 {
273 mGeneration = sGeneration;
274
275 #ifdef DEBUG_CAPS_DomainPolicyLifeCycle
276 ++sObjects;
277 _printPopulationInfo();
278 #endif
279
280 }
281
282 PRBool Init()
283 {
284 static const PLDHashTableOps domainPolicyOps =
285 {
286 PL_DHashAllocTable,
287 PL_DHashFreeTable,
288 PL_DHashStringKey,
289 PL_DHashMatchStringKey,
290 MoveClassPolicyEntry,
291 ClearClassPolicyEntry,
292 PL_DHashFinalizeStub,
293 InitClassPolicyEntry
294 };
295
296 return PL_DHashTableInit(this, &domainPolicyOps, nsnull,
297 sizeof(ClassPolicy), 16);
298 }
299
300 ~DomainPolicy()
301 {
302 PL_DHashTableFinish(this);
303 NS_ASSERTION(mRefCount == 0, "Wrong refcount in DomainPolicy dtor");
304 #ifdef DEBUG_CAPS_DomainPolicyLifeCycle
305 printf("DomainPolicy deleted with mRefCount = %d\n", mRefCount);
306 --sObjects;
307 _printPopulationInfo();
308 #endif
309
310 }
311
312 void Hold()
313 {
314 mRefCount++;
315 }
316
317 void Drop()
318 {
319 if (--mRefCount == 0)
320 delete this;
321 }
322
323 static void InvalidateAll()
324 {
325 sGeneration++;
326 }
327
328 PRBool IsInvalid()
329 {
330 return mGeneration != sGeneration;
331 }
332
333 ClassPolicy* mWildcardPolicy;
334
335 private:
336 PRUint32 mRefCount;
337 PRUint32 mGeneration;
338 static PRUint32 sGeneration;
339
340 #ifdef DEBUG_CAPS_DomainPolicyLifeCycle
341 static PRUint32 sObjects;
342 static void _printPopulationInfo();
343 #endif
344
345 };
346
347 static void
348 MoveClassPolicyEntry(PLDHashTable *table,
349 const PLDHashEntryHdr *from,
350 PLDHashEntryHdr *to)
351 {
352 memcpy(to, from, table->entrySize);
353
354 // Now update the mDefaultPolicy pointer that points to us, if any.
355 ClassPolicy* cp = static_cast<ClassPolicy*>(to);
356 if (cp->mDomainWeAreWildcardFor) {
357 NS_ASSERTION(cp->mDomainWeAreWildcardFor->mWildcardPolicy ==
358 static_cast<const ClassPolicy*>(from),
359 "Unexpected wildcard policy on mDomainWeAreWildcardFor");
360 cp->mDomainWeAreWildcardFor->mWildcardPolicy = cp;
361 }
362 }
363
364 /////////////////////////////
365 // nsScriptSecurityManager //
366 /////////////////////////////
367 #define NS_SCRIPTSECURITYMANAGER_CID \
368 { 0x7ee2a4c0, 0x4b93, 0x17d3, \
369 { 0xba, 0x18, 0x00, 0x60, 0xb0, 0xf1, 0x99, 0xa2 }}
370
371 class nsScriptSecurityManager : public nsIScriptSecurityManager,
372 public nsIPrefSecurityCheck,
373 public nsIChannelEventSink,
374 public nsIObserver
375 {
376 public:
377 static void Shutdown();
378
379 NS_DEFINE_STATIC_CID_ACCESSOR(NS_SCRIPTSECURITYMANAGER_CID)
380
381 NS_DECL_ISUPPORTS
382 NS_DECL_NSISCRIPTSECURITYMANAGER
383 NS_DECL_NSIXPCSECURITYMANAGER
384 NS_DECL_NSIPREFSECURITYCHECK
385 NS_DECL_NSICHANNELEVENTSINK
386 NS_DECL_NSIOBSERVER
387
388 static nsScriptSecurityManager*
389 GetScriptSecurityManager();
390
391 static nsSystemPrincipal*
392 SystemPrincipalSingletonConstructor();
393
394 JSContext* GetCurrentJSContext();
395
396 JSContext* GetSafeJSContext();
397
398 /**
399 * Utility method for comparing two URIs. For security purposes, two URIs
400 * are equivalent if their schemes, hosts, and ports (if any) match. This
401 * method returns true if aSubjectURI and aObjectURI have the same origin,
402 * false otherwise.
403 */
404 static PRBool SecurityCompareURIs(nsIURI* aSourceURI, nsIURI* aTargetURI);
405 static PRUint32 SecurityHashURI(nsIURI* aURI);
406
407 static nsresult
408 ReportError(JSContext* cx, const nsAString& messageTag,
409 nsIURI* aSource, nsIURI* aTarget);
410
411 static nsresult
412 CheckSameOriginPrincipal(nsIPrincipal* aSubject,
413 nsIPrincipal* aObject,
414 PRBool aIsCheckConnect);
415 static PRUint32
416 HashPrincipalByOrigin(nsIPrincipal* aPrincipal);
417
418 static PRBool
419 GetStrictFileOriginPolicy()
420 {
421 return sStrictFileOriginPolicy;
422 }
423
424 private:
425
426 // GetScriptSecurityManager is the only call that can make one
427 nsScriptSecurityManager();
428 virtual ~nsScriptSecurityManager();
429
430 static JSBool
431 CheckObjectAccess(JSContext *cx, JSObject *obj,
432 jsval id, JSAccessMode mode,
433 jsval *vp);
434
435 // Returns null if a principal cannot be found; generally callers
436 // should error out at that point.
437 static nsIPrincipal*
438 doGetObjectPrincipal(JSObject *obj
439 #ifdef DEBUG
440 , PRBool aAllowShortCircuit = PR_TRUE
441 #endif
442 );
443
444 // Returns null if a principal cannot be found. Note that rv can be NS_OK
445 // when this happens -- this means that there was no JS running.
446 nsIPrincipal*
447 doGetSubjectPrincipal(nsresult* rv);
448
449 nsresult
450 CheckPropertyAccessImpl(PRUint32 aAction,
451 nsAXPCNativeCallContext* aCallContext,
452 JSContext* cx, JSObject* aJSObject,
453 nsISupports* aObj, nsIURI* aTargetURI,
454 nsIClassInfo* aClassInfo,
455 const char* aClassName, jsval aProperty,
456 void** aCachedClassPolicy);
457
458 nsresult
459 CheckSameOriginDOMProp(nsIPrincipal* aSubject,
460 nsIPrincipal* aObject,
461 PRUint32 aAction,
462 PRBool aIsCheckConnect);
463
464 nsresult
465 LookupPolicy(nsIPrincipal* principal,
466 ClassInfoData& aClassData, jsval aProperty,
467 PRUint32 aAction,
468 ClassPolicy** aCachedClassPolicy,
469 SecurityLevel* result);
470
471 nsresult
472 CreateCodebasePrincipal(nsIURI* aURI, nsIPrincipal** result);
473
474 // This is just like the API method, but it doesn't check that the subject
475 // name is non-empty or aCertificate is non-null, and it doesn't change the
476 // certificate in the table (if any) in any way if aModifyTable is false.
477 nsresult
478 DoGetCertificatePrincipal(const nsACString& aCertFingerprint,
479 const nsACString& aSubjectName,
480 const nsACString& aPrettyName,
481 nsISupports* aCertificate,
482 nsIURI* aURI,
483 PRBool aModifyTable,
484 nsIPrincipal **result);
485
486 // Returns null if a principal cannot be found. Note that rv can be NS_OK
487 // when this happens -- this means that there was no script for the
488 // context. Callers MUST pass in a non-null rv here.
489 static nsIPrincipal*
490 GetSubjectPrincipal(JSContext* cx, nsresult* rv);
491
492 // Returns null if a principal cannot be found. Note that rv can be NS_OK
493 // when this happens -- this means that there was no script for the frame.
494 // Callers MUST pass in a non-null rv here.
495 static nsIPrincipal*
496 GetFramePrincipal(JSContext* cx, JSStackFrame* fp, nsresult* rv);
497
498 // Returns null if a principal cannot be found. Note that rv can be NS_OK
499 // when this happens -- this means that there was no script. Callers MUST
500 // pass in a non-null rv here.
501 static nsIPrincipal*
502 GetScriptPrincipal(JSContext* cx, JSScript* script, nsresult* rv);
503
504 // Returns null if a principal cannot be found. Note that rv can be NS_OK
505 // when this happens -- this means that there was no script associated
506 // with the function object, and no global object associated with the scope
507 // of obj (the last object on its parent chain). If the caller is walking
508 // the JS stack, fp must point to the current frame in the stack iteration.
509 // Callers MUST pass in a non-null rv here.
510 static nsIPrincipal*
511 GetFunctionObjectPrincipal(JSContext* cx, JSObject* obj, JSStackFrame *fp,
512 nsresult* rv);
513
514 // Returns null if a principal cannot be found. Note that rv can be NS_OK
515 // when this happens -- this means that there was no script
516 // running. Callers MUST pass in a non-null rv here.
517 static nsIPrincipal*
518 GetPrincipalAndFrame(JSContext *cx,
519 JSStackFrame** frameResult,
520 nsresult* rv);
521
522 static PRBool
523 CheckConfirmDialog(JSContext* cx, nsIPrincipal* aPrincipal,
524 const char* aCapability, PRBool *checkValue);
525
526 static void
527 FormatCapabilityString(nsAString& aCapability);
528
529 nsresult
530 SavePrincipal(nsIPrincipal* aToSave);
531
532 nsresult
533 CheckXPCPermissions(nsISupports* aObj,
534 const char* aObjectSecurityLevel);
535
536 nsresult
537 Init();
538
539 nsresult
540 InitPrefs();
541
542 static nsresult
543 GetPrincipalPrefNames(const char* prefBase,
544 nsCString& grantedPref,
545 nsCString& deniedPref,
546 nsCString& subjectNamePref);
547
548 nsresult
549 InitPolicies();
550
551 nsresult
552 InitDomainPolicy(JSContext* cx, const char* aPolicyName,
553 DomainPolicy* aDomainPolicy);
554
555 nsresult
556 InitPrincipals(PRUint32 prefCount, const char** prefNames,
557 nsISecurityPref* securityPref);
558
559
560 #ifdef XPC_IDISPATCH_SUPPORT
561 // While this header is included outside of caps, this class isn't
562 // referenced so this should be fine.
563 nsresult
564 CheckComponentPermissions(JSContext *cx, const nsCID &aCID);
565 #endif
566 #ifdef DEBUG_CAPS_HACKER
567 void
568 PrintPolicyDB();
569 #endif
570
571 // JS strings we need to clean up on shutdown
572 static jsval sEnabledID;
573
574 inline void
575 ScriptSecurityPrefChanged();
576
577 static const char sJSEnabledPrefName[];
578 static const char sJSMailEnabledPrefName[];
579 static const char sFileOriginPolicyPrefName[];
580
581 nsObjectHashtable* mOriginToPolicyMap;
582 DomainPolicy* mDefaultPolicy;
583 nsObjectHashtable* mCapabilities;
584
585 nsCOMPtr<nsIPrefBranch> mPrefBranch;
586 nsCOMPtr<nsISecurityPref> mSecurityPref;
587 nsCOMPtr<nsIPrincipal> mSystemPrincipal;
588 nsCOMPtr<nsIPrincipal> mSystemCertificate;
589 nsInterfaceHashtable<PrincipalKey, nsIPrincipal> mPrincipals;
590 PRPackedBool mIsJavaScriptEnabled;
591 PRPackedBool mIsMailJavaScriptEnabled;
592 PRPackedBool mIsWritingPrefs;
593 PRPackedBool mPolicyPrefsChanged;
594 #ifdef XPC_IDISPATCH_SUPPORT
595 PRPackedBool mXPCDefaultGrantAll;
596 static const char sXPCDefaultGrantAllName[];
597 #endif
598
599 static PRBool sStrictFileOriginPolicy;
600
601 static nsIIOService *sIOService;
602 static nsIXPConnect *sXPConnect;
603 static nsIThreadJSContextStack* sJSContextStack;
604 static nsIStringBundle *sStrBundle;
605 static JSRuntime *sRuntime;
606 };
607
608 #endif // nsScriptSecurityManager_h__
Wine Gecko package