diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
commit | 2aa4a82499d4becd2284cdb482213d541b8804dd (patch) | |
tree | b80bf8bf13c3766139fbacc530efd0dd9d54394c /js/xpconnect/wrappers/AccessCheck.h | |
parent | Initial commit. (diff) | |
download | firefox-upstream.tar.xz firefox-upstream.zip |
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | js/xpconnect/wrappers/AccessCheck.h | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.h b/js/xpconnect/wrappers/AccessCheck.h new file mode 100644 index 0000000000..c42e56ea02 --- /dev/null +++ b/js/xpconnect/wrappers/AccessCheck.h @@ -0,0 +1,115 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __AccessCheck_h__ +#define __AccessCheck_h__ + +#include "js/Id.h" +#include "js/Wrapper.h" +#include "nsString.h" + +#ifdef XP_MACOSX +// AssertMacros.h defines 'check' which conflicts with the method declarations +// in this file. +# undef check +#endif + +namespace xpc { + +class AccessCheck { + public: + static bool subsumes(JSObject* a, JSObject* b); + static bool wrapperSubsumes(JSObject* wrapper); + static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b); + static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a, JS::Realm* b); + static bool isChrome(JS::Compartment* compartment); + static bool isChrome(JS::Realm* realm); + static bool isChrome(JSObject* obj); + static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper, + JS::HandleValue value); + static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args); + // Called to report the correct sort of exception when our policy denies and + // should throw. The accessType argument should be one of "access", + // "define", "delete", depending on which operation is being denied. + static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id, + const nsACString& accessType); +}; + +/** + * Returns true if the given object (which is expected to be stripped of + * cross-compartment wrappers in practice, but this function doesn't assume + * that) is a WindowProxy or Location object, which need special wrapping + * behavior due to being usable cross-origin in limited ways. + */ +bool IsCrossOriginAccessibleObject(JSObject* obj); + +struct Policy { + static bool checkCall(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args) { + MOZ_CRASH("As a rule, filtering wrappers are non-callable"); + } +}; + +// This policy allows no interaction with the underlying callable. Everything +// throws. +struct Opaque : public Policy { + static bool check(JSContext* cx, JSObject* wrapper, jsid id, + js::Wrapper::Action act) { + return false; + } + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow) { + return false; + } + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } +}; + +// Like the above, but allows CALL. +struct OpaqueWithCall : public Policy { + static bool check(JSContext* cx, JSObject* wrapper, jsid id, + js::Wrapper::Action act) { + return act == js::Wrapper::CALL; + } + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow) { + return false; + } + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } + static bool checkCall(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args) { + return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args); + } +}; + +// This class used to support permitting access to properties if they +// appeared in an access list on the object, but now it acts like an +// Opaque wrapper, with the exception that it fails silently for GET, +// ENUMERATE, and GET_PROPERTY_DESCRIPTOR. This is done for backwards +// compatibility. See bug 1397513. +struct OpaqueWithSilentFailing : public Policy { + static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id, + js::Wrapper::Action act) { + return false; + } + + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow); + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } +}; + +} // namespace xpc + +#endif /* __AccessCheck_h__ */ |