forked from mirrors/gecko-dev
4bbd01493b
Backed out changeset 1a4fe24a016c (bug 1541557)
Backed out changeset 6fc41e51bcee (bug 1561061)
Backed out changeset d916d89a5c90 (bug 1561122)
Backed out changeset 757d285aafdd (bug 1560400)
Backed out changeset a7eab5ca061d (bug 1541557)
Backed out changeset d972bbdfe039 (bug 1541557)
Backed out changeset 8802daac6779 (bug 1541557)
Backed out changeset 92c01418b96f (bug 1561150)
Backed out changeset fa5e186e1635 (bug 1561061)
Backed out changeset aa2bee0b18c3 (bug 1560400)
Backed out changeset adf832af8e48 (bug 1561150)
Backed out changeset 72630a7c6e67 (bug 1561999)
Backed out changeset c35aff2a9336 (bug 1561724)
Backed out changeset 19e0edc92077 (bug 1561150)
Backed out changeset 0b3e2164f128 (bug 1561150)
Backed out changeset 43211ebfe738 (bug 1561122)
Backed out changeset c2d0956f41d8 (bug 1561061)
Backed out changeset bf0f0e95c61c (bug 1560400)
Backed out changeset 84633034590f (bug 1560400)
Backed out changeset d5415970da5f (bug 1532795)
Backed out changeset 119caddcb066 (bug 1532795)
Backed out changeset fbbe113aeef2 (bug 1532795)
Backed out changeset 8a3d311c7fac (bug 1532795)
Backed out changeset 1471732eca80 (bug 1532795)
Backed out changeset 46ff845a7b0c (bug 1541557)
Backed out changeset c2697f04d38c (bug 1541557)
Backed out changeset 75ebd6fce136 (bug 1541557)
Backed out changeset 189dc8a35981 (bug 1541557)
Backed out changeset b4ed40bea269 (bug 1541557)
Backed out changeset 158a4000c44b (bug 1541557)
Backed out changeset 61fa2745733f (bug 1541557)
Backed out changeset d2ee912c5189 (bug 1558298)
Backed out changeset 7a0aab00327b (bug 1558298)
Backed out changeset fddf2808fedf (bug 1558298)
Backed out changeset 0f6b382f0626 (bug 1558298)
Backed out changeset 6ccaa25367f2 (bug 1558298)
Backed out changeset d27574cfbb0e (bug 1558298)
Backed out changeset 162bc1fc2730 (bug 1558298)
Backed out changeset f94500dd11e3 (bug 1558298)
Backed out changeset fb67ac962bc5 (bug 1558298)
Backed out changeset c634099abb9d (bug 1558298)
Backed out changeset 8d4419c439e1 (bug 1558298)
Backed out changeset d8b7ed5e149f (bug 1558298)
--HG--
rename : testing/mochitest/tests/SimpleTest/MozillaLogger.js => testing/specialpowers/content/MozillaLogger.js
rename : testing/specialpowers/content/SpecialPowersParent.jsm => testing/specialpowers/content/SpecialPowersObserver.jsm
rename : testing/specialpowers/content/SpecialPowersAPIParent.jsm => testing/specialpowers/content/SpecialPowersObserverAPI.js
rename : testing/specialpowers/content/SpecialPowersChild.jsm => testing/specialpowers/content/specialpowers.js
rename : testing/specialpowers/content/SpecialPowersAPI.jsm => testing/specialpowers/content/specialpowersAPI.js
185 lines
6.2 KiB
C++
185 lines
6.2 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "AccessCheck.h"
|
|
|
|
#include "nsJSPrincipals.h"
|
|
#include "nsDOMWindowList.h"
|
|
#include "nsGlobalWindow.h"
|
|
|
|
#include "XPCWrapper.h"
|
|
#include "XrayWrapper.h"
|
|
#include "FilteringWrapper.h"
|
|
|
|
#include "jsfriendapi.h"
|
|
#include "mozilla/BasePrincipal.h"
|
|
#include "mozilla/ErrorResult.h"
|
|
#include "mozilla/dom/BindingUtils.h"
|
|
#include "mozilla/dom/LocationBinding.h"
|
|
#include "mozilla/dom/WindowBinding.h"
|
|
#include "mozilla/jsipc/CrossProcessObjectWrappers.h"
|
|
#include "nsJSUtils.h"
|
|
#include "xpcprivate.h"
|
|
|
|
using namespace mozilla;
|
|
using namespace JS;
|
|
using namespace js;
|
|
|
|
namespace xpc {
|
|
|
|
BasePrincipal* GetRealmPrincipal(JS::Realm* realm) {
|
|
return BasePrincipal::Cast(
|
|
nsJSPrincipals::get(JS::GetRealmPrincipals(realm)));
|
|
}
|
|
|
|
nsIPrincipal* GetObjectPrincipal(JSObject* obj) {
|
|
return GetRealmPrincipal(js::GetNonCCWObjectRealm(obj));
|
|
}
|
|
|
|
bool AccessCheck::subsumes(JSObject* a, JSObject* b) {
|
|
return CompartmentOriginInfo::Subsumes(js::GetObjectCompartment(a),
|
|
js::GetObjectCompartment(b));
|
|
}
|
|
|
|
// Same as above, but considering document.domain.
|
|
bool AccessCheck::subsumesConsideringDomain(JS::Realm* a, JS::Realm* b) {
|
|
MOZ_ASSERT(OriginAttributes::IsRestrictOpenerAccessForFPI());
|
|
BasePrincipal* aprin = GetRealmPrincipal(a);
|
|
BasePrincipal* bprin = GetRealmPrincipal(b);
|
|
return aprin->FastSubsumesConsideringDomain(bprin);
|
|
}
|
|
|
|
bool AccessCheck::subsumesConsideringDomainIgnoringFPD(JS::Realm* a,
|
|
JS::Realm* b) {
|
|
MOZ_ASSERT(!OriginAttributes::IsRestrictOpenerAccessForFPI());
|
|
BasePrincipal* aprin = GetRealmPrincipal(a);
|
|
BasePrincipal* bprin = GetRealmPrincipal(b);
|
|
return aprin->FastSubsumesConsideringDomainIgnoringFPD(bprin);
|
|
}
|
|
|
|
// Does the compartment of the wrapper subsumes the compartment of the wrappee?
|
|
bool AccessCheck::wrapperSubsumes(JSObject* wrapper) {
|
|
MOZ_ASSERT(js::IsWrapper(wrapper));
|
|
JSObject* wrapped = js::UncheckedUnwrap(wrapper);
|
|
return CompartmentOriginInfo::Subsumes(js::GetObjectCompartment(wrapper),
|
|
js::GetObjectCompartment(wrapped));
|
|
}
|
|
|
|
bool AccessCheck::isChrome(JS::Compartment* compartment) {
|
|
return js::IsSystemCompartment(compartment);
|
|
}
|
|
|
|
bool AccessCheck::isChrome(JS::Realm* realm) {
|
|
return isChrome(JS::GetCompartmentForRealm(realm));
|
|
}
|
|
|
|
bool AccessCheck::isChrome(JSObject* obj) {
|
|
return isChrome(js::GetObjectCompartment(obj));
|
|
}
|
|
|
|
bool IsCrossOriginAccessibleObject(JSObject* obj) {
|
|
obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
|
|
const js::Class* clasp = js::GetObjectClass(obj);
|
|
|
|
return (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location")) ||
|
|
(clasp->name[0] == 'W' && !strcmp(clasp->name, "Window"));
|
|
}
|
|
|
|
bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
|
|
HandleValue v) {
|
|
// Primitives are fine.
|
|
if (!v.isObject()) {
|
|
return true;
|
|
}
|
|
RootedObject obj(cx, &v.toObject());
|
|
|
|
// Non-wrappers are fine.
|
|
if (!js::IsWrapper(obj)) {
|
|
return true;
|
|
}
|
|
|
|
// CPOWs use COWs (in the unprivileged junk scope) for all child->parent
|
|
// references. Without this test, the child process wouldn't be able to
|
|
// pass any objects at all to CPOWs.
|
|
if (mozilla::jsipc::IsWrappedCPOW(obj) &&
|
|
js::GetObjectCompartment(wrapper) ==
|
|
js::GetObjectCompartment(xpc::UnprivilegedJunkScope()) &&
|
|
XRE_IsParentProcess()) {
|
|
return true;
|
|
}
|
|
|
|
// Same-origin wrappers are fine.
|
|
if (AccessCheck::wrapperSubsumes(obj)) {
|
|
return true;
|
|
}
|
|
|
|
// Badness.
|
|
JS_ReportErrorASCII(cx,
|
|
"Permission denied to pass object to privileged code");
|
|
return false;
|
|
}
|
|
|
|
bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
|
|
const CallArgs& args) {
|
|
if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv())) {
|
|
return false;
|
|
}
|
|
for (size_t i = 0; i < args.length(); ++i) {
|
|
if (!checkPassToPrivilegedCode(cx, wrapper, args[i])) {
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
void AccessCheck::reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
|
|
const nsACString& accessType) {
|
|
// This function exists because we want to report DOM SecurityErrors, not JS
|
|
// Errors, when denying access on cross-origin DOM objects. It's
|
|
// conceptually pretty similar to
|
|
// AutoEnterPolicy::reportErrorIfExceptionIsNotPending.
|
|
if (JS_IsExceptionPending(cx)) {
|
|
return;
|
|
}
|
|
|
|
nsAutoCString message;
|
|
if (JSID_IS_VOID(id)) {
|
|
message = NS_LITERAL_CSTRING("Permission denied to access object");
|
|
} else {
|
|
// We want to use JS_ValueToSource here, because that most closely
|
|
// matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
|
|
// does.
|
|
JS::RootedValue idVal(cx, js::IdToValue(id));
|
|
nsAutoJSString propName;
|
|
JS::RootedString idStr(cx, JS_ValueToSource(cx, idVal));
|
|
if (!idStr || !propName.init(cx, idStr)) {
|
|
return;
|
|
}
|
|
message = NS_LITERAL_CSTRING("Permission denied to ") + accessType +
|
|
NS_LITERAL_CSTRING(" property ") +
|
|
NS_ConvertUTF16toUTF8(propName) +
|
|
NS_LITERAL_CSTRING(" on cross-origin object");
|
|
}
|
|
ErrorResult rv;
|
|
rv.ThrowDOMException(NS_ERROR_DOM_SECURITY_ERR, message);
|
|
MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(cx));
|
|
}
|
|
|
|
bool OpaqueWithSilentFailing::deny(JSContext* cx, js::Wrapper::Action act,
|
|
HandleId id, bool mayThrow) {
|
|
// Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
|
|
if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
|
|
act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) {
|
|
// Note that ReportWrapperDenial doesn't do any _exception_ reporting,
|
|
// so we want to do this regardless of the value of mayThrow.
|
|
return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
|
|
"Access to privileged JS object not permitted");
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
} // namespace xpc
|