summaryrefslogtreecommitdiffstats
path: root/js/xpconnect/wrappers
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--js/xpconnect/wrappers/AccessCheck.cpp172
-rw-r--r--js/xpconnect/wrappers/AccessCheck.h115
-rw-r--r--js/xpconnect/wrappers/ChromeObjectWrapper.cpp40
-rw-r--r--js/xpconnect/wrappers/ChromeObjectWrapper.h42
-rw-r--r--js/xpconnect/wrappers/FilteringWrapper.cpp171
-rw-r--r--js/xpconnect/wrappers/FilteringWrapper.h55
-rw-r--r--js/xpconnect/wrappers/WaiveXrayWrapper.cpp116
-rw-r--r--js/xpconnect/wrappers/WaiveXrayWrapper.h48
-rw-r--r--js/xpconnect/wrappers/WrapperFactory.cpp811
-rw-r--r--js/xpconnect/wrappers/WrapperFactory.h109
-rw-r--r--js/xpconnect/wrappers/XrayWrapper.cpp2324
-rw-r--r--js/xpconnect/wrappers/XrayWrapper.h483
-rw-r--r--js/xpconnect/wrappers/moz.build35
13 files changed, 4521 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp
new file mode 100644
index 0000000000..3c0c7b4680
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -0,0 +1,172 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AccessCheck.h"
+
+#include "nsJSPrincipals.h"
+#include "nsGlobalWindow.h"
+
+#include "XPCWrapper.h"
+#include "XrayWrapper.h"
+#include "FilteringWrapper.h"
+
+#include "jsfriendapi.h"
+#include "js/Object.h" // JS::GetClass, JS::GetCompartment
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/LocationBinding.h"
+#include "mozilla/dom/WindowBinding.h"
+#include "nsJSUtils.h"
+#include "xpcprivate.h"
+
+using namespace mozilla;
+using namespace JS;
+using namespace js;
+
+namespace xpc {
+
+BasePrincipal* GetRealmPrincipal(JS::Realm* realm) {
+ return BasePrincipal::Cast(
+ nsJSPrincipals::get(JS::GetRealmPrincipals(realm)));
+}
+
+nsIPrincipal* GetObjectPrincipal(JSObject* obj) {
+ return GetRealmPrincipal(js::GetNonCCWObjectRealm(obj));
+}
+
+bool AccessCheck::subsumes(JSObject* a, JSObject* b) {
+ return CompartmentOriginInfo::Subsumes(JS::GetCompartment(a),
+ JS::GetCompartment(b));
+}
+
+// Same as above, but considering document.domain.
+bool AccessCheck::subsumesConsideringDomain(JS::Realm* a, JS::Realm* b) {
+ MOZ_ASSERT(OriginAttributes::IsRestrictOpenerAccessForFPI());
+ BasePrincipal* aprin = GetRealmPrincipal(a);
+ BasePrincipal* bprin = GetRealmPrincipal(b);
+ return aprin->FastSubsumesConsideringDomain(bprin);
+}
+
+bool AccessCheck::subsumesConsideringDomainIgnoringFPD(JS::Realm* a,
+ JS::Realm* b) {
+ MOZ_ASSERT(!OriginAttributes::IsRestrictOpenerAccessForFPI());
+ BasePrincipal* aprin = GetRealmPrincipal(a);
+ BasePrincipal* bprin = GetRealmPrincipal(b);
+ return aprin->FastSubsumesConsideringDomainIgnoringFPD(bprin);
+}
+
+// Does the compartment of the wrapper subsumes the compartment of the wrappee?
+bool AccessCheck::wrapperSubsumes(JSObject* wrapper) {
+ MOZ_ASSERT(js::IsWrapper(wrapper));
+ JSObject* wrapped = js::UncheckedUnwrap(wrapper);
+ return CompartmentOriginInfo::Subsumes(JS::GetCompartment(wrapper),
+ JS::GetCompartment(wrapped));
+}
+
+bool AccessCheck::isChrome(JS::Compartment* compartment) {
+ return js::IsSystemCompartment(compartment);
+}
+
+bool AccessCheck::isChrome(JS::Realm* realm) {
+ return isChrome(JS::GetCompartmentForRealm(realm));
+}
+
+bool AccessCheck::isChrome(JSObject* obj) {
+ return isChrome(JS::GetCompartment(obj));
+}
+
+bool IsCrossOriginAccessibleObject(JSObject* obj) {
+ obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
+ const JSClass* clasp = JS::GetClass(obj);
+
+ return (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location")) ||
+ (clasp->name[0] == 'W' && !strcmp(clasp->name, "Window"));
+}
+
+bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
+ HandleValue v) {
+ // Primitives are fine.
+ if (!v.isObject()) {
+ return true;
+ }
+ RootedObject obj(cx, &v.toObject());
+
+ // Non-wrappers are fine.
+ if (!js::IsWrapper(obj)) {
+ return true;
+ }
+
+ // Same-origin wrappers are fine.
+ if (AccessCheck::wrapperSubsumes(obj)) {
+ return true;
+ }
+
+ // Badness.
+ JS_ReportErrorASCII(cx,
+ "Permission denied to pass object to privileged code");
+ return false;
+}
+
+bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
+ const CallArgs& args) {
+ if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv())) {
+ return false;
+ }
+ for (size_t i = 0; i < args.length(); ++i) {
+ if (!checkPassToPrivilegedCode(cx, wrapper, args[i])) {
+ return false;
+ }
+ }
+ return true;
+}
+
+void AccessCheck::reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
+ const nsACString& accessType) {
+ // This function exists because we want to report DOM SecurityErrors, not JS
+ // Errors, when denying access on cross-origin DOM objects. It's
+ // conceptually pretty similar to
+ // AutoEnterPolicy::reportErrorIfExceptionIsNotPending.
+ if (JS_IsExceptionPending(cx)) {
+ return;
+ }
+
+ nsAutoCString message;
+ if (JSID_IS_VOID(id)) {
+ message = "Permission denied to access object"_ns;
+ } else {
+ // We want to use JS_ValueToSource here, because that most closely
+ // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
+ // does.
+ JS::RootedValue idVal(cx, js::IdToValue(id));
+ nsAutoJSString propName;
+ JS::RootedString idStr(cx, JS_ValueToSource(cx, idVal));
+ if (!idStr || !propName.init(cx, idStr)) {
+ return;
+ }
+ message = "Permission denied to "_ns + accessType + " property "_ns +
+ NS_ConvertUTF16toUTF8(propName) + " on cross-origin object"_ns;
+ }
+ ErrorResult rv;
+ rv.ThrowSecurityError(message);
+ MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(cx));
+}
+
+bool OpaqueWithSilentFailing::deny(JSContext* cx, js::Wrapper::Action act,
+ HandleId id, bool mayThrow) {
+ // Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
+ if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
+ act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) {
+ // Note that ReportWrapperDenial doesn't do any _exception_ reporting,
+ // so we want to do this regardless of the value of mayThrow.
+ return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
+ "Access to privileged JS object not permitted");
+ }
+
+ return false;
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/AccessCheck.h b/js/xpconnect/wrappers/AccessCheck.h
new file mode 100644
index 0000000000..c42e56ea02
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.h
@@ -0,0 +1,115 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __AccessCheck_h__
+#define __AccessCheck_h__
+
+#include "js/Id.h"
+#include "js/Wrapper.h"
+#include "nsString.h"
+
+#ifdef XP_MACOSX
+// AssertMacros.h defines 'check' which conflicts with the method declarations
+// in this file.
+# undef check
+#endif
+
+namespace xpc {
+
+class AccessCheck {
+ public:
+ static bool subsumes(JSObject* a, JSObject* b);
+ static bool wrapperSubsumes(JSObject* wrapper);
+ static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b);
+ static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a, JS::Realm* b);
+ static bool isChrome(JS::Compartment* compartment);
+ static bool isChrome(JS::Realm* realm);
+ static bool isChrome(JSObject* obj);
+ static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleValue value);
+ static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args);
+ // Called to report the correct sort of exception when our policy denies and
+ // should throw. The accessType argument should be one of "access",
+ // "define", "delete", depending on which operation is being denied.
+ static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
+ const nsACString& accessType);
+};
+
+/**
+ * Returns true if the given object (which is expected to be stripped of
+ * cross-compartment wrappers in practice, but this function doesn't assume
+ * that) is a WindowProxy or Location object, which need special wrapping
+ * behavior due to being usable cross-origin in limited ways.
+ */
+bool IsCrossOriginAccessibleObject(JSObject* obj);
+
+struct Policy {
+ static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args) {
+ MOZ_CRASH("As a rule, filtering wrappers are non-callable");
+ }
+};
+
+// This policy allows no interaction with the underlying callable. Everything
+// throws.
+struct Opaque : public Policy {
+ static bool check(JSContext* cx, JSObject* wrapper, jsid id,
+ js::Wrapper::Action act) {
+ return false;
+ }
+ static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+ bool mayThrow) {
+ return false;
+ }
+ static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl) {
+ return false;
+ }
+};
+
+// Like the above, but allows CALL.
+struct OpaqueWithCall : public Policy {
+ static bool check(JSContext* cx, JSObject* wrapper, jsid id,
+ js::Wrapper::Action act) {
+ return act == js::Wrapper::CALL;
+ }
+ static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+ bool mayThrow) {
+ return false;
+ }
+ static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl) {
+ return false;
+ }
+ static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args) {
+ return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args);
+ }
+};
+
+// This class used to support permitting access to properties if they
+// appeared in an access list on the object, but now it acts like an
+// Opaque wrapper, with the exception that it fails silently for GET,
+// ENUMERATE, and GET_PROPERTY_DESCRIPTOR. This is done for backwards
+// compatibility. See bug 1397513.
+struct OpaqueWithSilentFailing : public Policy {
+ static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ js::Wrapper::Action act) {
+ return false;
+ }
+
+ static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
+ bool mayThrow);
+ static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl) {
+ return false;
+ }
+};
+
+} // namespace xpc
+
+#endif /* __AccessCheck_h__ */
diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.cpp b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp
new file mode 100644
index 0000000000..72fb4c6707
--- /dev/null
+++ b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+#include "AccessCheck.h"
+#include "xpcprivate.h"
+#include "jsapi.h"
+#include "js/Wrapper.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+
+namespace xpc {
+
+const ChromeObjectWrapper ChromeObjectWrapper::singleton;
+
+bool ChromeObjectWrapper::defineProperty(JSContext* cx, HandleObject wrapper,
+ HandleId id,
+ Handle<PropertyDescriptor> desc,
+ ObjectOpResult& result) const {
+ if (!AccessCheck::checkPassToPrivilegedCode(cx, wrapper, desc.value())) {
+ return false;
+ }
+ return ChromeObjectWrapperBase::defineProperty(cx, wrapper, id, desc, result);
+}
+
+bool ChromeObjectWrapper::set(JSContext* cx, HandleObject wrapper, HandleId id,
+ HandleValue v, HandleValue receiver,
+ ObjectOpResult& result) const {
+ if (!AccessCheck::checkPassToPrivilegedCode(cx, wrapper, v)) {
+ return false;
+ }
+ return ChromeObjectWrapperBase::set(cx, wrapper, id, v, receiver, result);
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.h b/js/xpconnect/wrappers/ChromeObjectWrapper.h
new file mode 100644
index 0000000000..49ce4fc139
--- /dev/null
+++ b/js/xpconnect/wrappers/ChromeObjectWrapper.h
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __ChromeObjectWrapper_h__
+#define __ChromeObjectWrapper_h__
+
+#include "mozilla/Attributes.h"
+
+#include "FilteringWrapper.h"
+
+namespace xpc {
+
+struct OpaqueWithSilentFailing;
+
+// When a vanilla chrome JS object is exposed to content, we use a wrapper that
+// fails silently on GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR for legacy
+// reasons. For extra security, we override the traps that allow content to pass
+// an object to chrome, and perform extra security checks on them.
+#define ChromeObjectWrapperBase \
+ FilteringWrapper<js::CrossCompartmentSecurityWrapper, OpaqueWithSilentFailing>
+
+class ChromeObjectWrapper : public ChromeObjectWrapperBase {
+ public:
+ constexpr ChromeObjectWrapper() : ChromeObjectWrapperBase(0) {}
+
+ virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::ObjectOpResult& result) const override;
+ virtual bool set(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::HandleValue v, JS::HandleValue receiver,
+ JS::ObjectOpResult& result) const override;
+
+ static const ChromeObjectWrapper singleton;
+};
+
+} /* namespace xpc */
+
+#endif /* __ChromeObjectWrapper_h__ */
diff --git a/js/xpconnect/wrappers/FilteringWrapper.cpp b/js/xpconnect/wrappers/FilteringWrapper.cpp
new file mode 100644
index 0000000000..e824d54178
--- /dev/null
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
@@ -0,0 +1,171 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FilteringWrapper.h"
+#include "AccessCheck.h"
+#include "ChromeObjectWrapper.h"
+#include "XrayWrapper.h"
+#include "nsJSUtils.h"
+#include "mozilla/ErrorResult.h"
+#include "xpcpublic.h"
+
+#include "jsapi.h"
+#include "js/Symbol.h"
+
+using namespace JS;
+using namespace js;
+
+namespace xpc {
+
+static JS::SymbolCode sCrossOriginWhitelistedSymbolCodes[] = {
+ JS::SymbolCode::toStringTag, JS::SymbolCode::hasInstance,
+ JS::SymbolCode::isConcatSpreadable};
+
+static bool IsCrossOriginWhitelistedSymbol(JSContext* cx, JS::HandleId id) {
+ if (!JSID_IS_SYMBOL(id)) {
+ return false;
+ }
+
+ JS::Symbol* symbol = JSID_TO_SYMBOL(id);
+ for (auto code : sCrossOriginWhitelistedSymbolCodes) {
+ if (symbol == JS::GetWellKnownSymbol(cx, code)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool IsCrossOriginWhitelistedProp(JSContext* cx, JS::HandleId id) {
+ return id == GetJSIDByIndex(cx, XPCJSContext::IDX_THEN) ||
+ IsCrossOriginWhitelistedSymbol(cx, id);
+}
+
+bool AppendCrossOriginWhitelistedPropNames(JSContext* cx,
+ JS::MutableHandleIdVector props) {
+ // Add "then" if it's not already in the list.
+ RootedIdVector thenProp(cx);
+ if (!thenProp.append(GetJSIDByIndex(cx, XPCJSContext::IDX_THEN))) {
+ return false;
+ }
+
+ if (!AppendUnique(cx, props, thenProp)) {
+ return false;
+ }
+
+ // Now add the three symbol-named props cross-origin objects have.
+#ifdef DEBUG
+ for (size_t n = 0; n < props.length(); ++n) {
+ MOZ_ASSERT(!JSID_IS_SYMBOL(props[n]),
+ "Unexpected existing symbol-name prop");
+ }
+#endif
+ if (!props.reserve(props.length() +
+ ArrayLength(sCrossOriginWhitelistedSymbolCodes))) {
+ return false;
+ }
+
+ for (auto code : sCrossOriginWhitelistedSymbolCodes) {
+ props.infallibleAppend(SYMBOL_TO_JSID(JS::GetWellKnownSymbol(cx, code)));
+ }
+
+ return true;
+}
+
+// Note: Previously, FilteringWrapper supported complex access policies where
+// certain properties on an object were accessible and others weren't. Today,
+// the only supported policies are Opaque and OpaqueWithCall, none of which need
+// that. So we just stub out the unreachable paths.
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getOwnPropertyDescriptor(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ MutableHandle<PropertyDescriptor> desc) const {
+ MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::ownPropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getOwnEnumerablePropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::enumerate(
+ JSContext* cx, HandleObject wrapper,
+ JS::MutableHandleIdVector props) const {
+ MOZ_CRASH("FilteringWrappers are now always opaque");
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::call(JSContext* cx,
+ JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const {
+ if (!Policy::checkCall(cx, wrapper, args)) {
+ return false;
+ }
+ return Base::call(cx, wrapper, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::construct(JSContext* cx,
+ JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const {
+ if (!Policy::checkCall(cx, wrapper, args)) {
+ return false;
+ }
+ return Base::construct(cx, wrapper, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::nativeCall(
+ JSContext* cx, JS::IsAcceptableThis test, JS::NativeImpl impl,
+ const JS::CallArgs& args) const {
+ if (Policy::allowNativeCall(cx, test, impl)) {
+ return Base::Permissive::nativeCall(cx, test, impl, args);
+ }
+ return Base::Restrictive::nativeCall(cx, test, impl, args);
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::getPrototype(
+ JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleObject protop) const {
+ // Filtering wrappers do not allow access to the prototype.
+ protop.set(nullptr);
+ return true;
+}
+
+template <typename Base, typename Policy>
+bool FilteringWrapper<Base, Policy>::enter(JSContext* cx, HandleObject wrapper,
+ HandleId id, Wrapper::Action act,
+ bool mayThrow, bool* bp) const {
+ if (!Policy::check(cx, wrapper, id, act)) {
+ *bp =
+ JS_IsExceptionPending(cx) ? false : Policy::deny(cx, act, id, mayThrow);
+ return false;
+ }
+ *bp = true;
+ return true;
+}
+
+#define NNXOW FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>
+#define NNXOWC FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>
+
+template <>
+const NNXOW NNXOW::singleton(0);
+template <>
+const NNXOWC NNXOWC::singleton(0);
+
+template class NNXOW;
+template class NNXOWC;
+template class ChromeObjectWrapperBase;
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/FilteringWrapper.h b/js/xpconnect/wrappers/FilteringWrapper.h
new file mode 100644
index 0000000000..e04f334572
--- /dev/null
+++ b/js/xpconnect/wrappers/FilteringWrapper.h
@@ -0,0 +1,55 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __FilteringWrapper_h__
+#define __FilteringWrapper_h__
+
+#include "XrayWrapper.h"
+#include "mozilla/Attributes.h"
+#include "js/CallNonGenericMethod.h"
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+template <typename Base, typename Policy>
+class FilteringWrapper : public Base {
+ public:
+ constexpr explicit FilteringWrapper(unsigned flags) : Base(flags) {}
+
+ virtual bool enter(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id, js::Wrapper::Action act,
+ bool mayThrow, bool* bp) const override;
+
+ virtual bool getOwnPropertyDescriptor(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) const override;
+ virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+
+ virtual bool getOwnEnumerablePropertyKeys(
+ JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+ virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+
+ virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+ virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+
+ virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl,
+ const JS::CallArgs& args) const override;
+
+ virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleObject protop) const override;
+
+ static const FilteringWrapper singleton;
+};
+
+} // namespace xpc
+
+#endif /* __FilteringWrapper_h__ */
diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.cpp b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
new file mode 100644
index 0000000000..9a4a24d8d7
--- /dev/null
+++ b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
@@ -0,0 +1,116 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WaiveXrayWrapper.h"
+#include "WrapperFactory.h"
+#include "jsapi.h"
+
+using namespace JS;
+
+namespace xpc {
+
+static bool WaiveAccessors(JSContext* cx,
+ MutableHandle<PropertyDescriptor> desc) {
+ if (desc.hasGetterObject() && desc.getterObject()) {
+ RootedValue v(cx, JS::ObjectValue(*desc.getterObject()));
+ if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) {
+ return false;
+ }
+ desc.setGetterObject(&v.toObject());
+ }
+
+ if (desc.hasSetterObject() && desc.setterObject()) {
+ RootedValue v(cx, JS::ObjectValue(*desc.setterObject()));
+ if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) {
+ return false;
+ }
+ desc.setSetterObject(&v.toObject());
+ }
+ return true;
+}
+
+bool WaiveXrayWrapper::getOwnPropertyDescriptor(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ MutableHandle<PropertyDescriptor> desc) const {
+ return CrossCompartmentWrapper::getOwnPropertyDescriptor(cx, wrapper, id,
+ desc) &&
+ WrapperFactory::WaiveXrayAndWrap(cx, desc.value()) &&
+ WaiveAccessors(cx, desc);
+}
+
+bool WaiveXrayWrapper::get(JSContext* cx, HandleObject wrapper,
+ HandleValue receiver, HandleId id,
+ MutableHandleValue vp) const {
+ return CrossCompartmentWrapper::get(cx, wrapper, receiver, id, vp) &&
+ WrapperFactory::WaiveXrayAndWrap(cx, vp);
+}
+
+bool WaiveXrayWrapper::call(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ return CrossCompartmentWrapper::call(cx, wrapper, args) &&
+ WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool WaiveXrayWrapper::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ return CrossCompartmentWrapper::construct(cx, wrapper, args) &&
+ WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+// NB: This is important as the other side of a handshake with FieldGetter. See
+// nsXBLProtoImplField.cpp.
+bool WaiveXrayWrapper::nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl,
+ const JS::CallArgs& args) const {
+ return CrossCompartmentWrapper::nativeCall(cx, test, impl, args) &&
+ WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool WaiveXrayWrapper::hasInstance(JSContext* cx, HandleObject wrapper,
+ MutableHandleValue v, bool* bp) const {
+ if (v.isObject() && WrapperFactory::IsXrayWrapper(&v.toObject())) {
+ // If |v| is a XrayWrapper and in the same compartment as the value
+ // wrapped by |wrapper|, then the Xrays of |v| would be waived upon
+ // calling CrossCompartmentWrapper::hasInstance. This may trigger
+ // getters and proxy traps of unwrapped |v|. To prevent that from
+ // happening, we exit early.
+
+ // |wrapper| is the right operand of "instanceof", and must either be
+ // a function or an object with a @@hasInstance method. We are not going
+ // to call @@hasInstance, so only check whether it is a function.
+ // This check is here for consistency with usual "instanceof" behavior,
+ // which throws if the right operand is not a function. Without this
+ // check, the "instanceof" operator would return false and potentially
+ // hide errors in the code that uses the "instanceof" operator.
+ if (!JS::IsCallable(wrapper)) {
+ RootedValue wrapperv(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, wrapperv);
+ return false;
+ }
+
+ *bp = false;
+ return true;
+ }
+
+ // Both |wrapper| and |v| have no Xrays here.
+ return CrossCompartmentWrapper::hasInstance(cx, wrapper, v, bp);
+}
+
+bool WaiveXrayWrapper::getPrototype(JSContext* cx, HandleObject wrapper,
+ MutableHandleObject protop) const {
+ return CrossCompartmentWrapper::getPrototype(cx, wrapper, protop) &&
+ (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop));
+}
+
+bool WaiveXrayWrapper::getPrototypeIfOrdinary(
+ JSContext* cx, HandleObject wrapper, bool* isOrdinary,
+ MutableHandleObject protop) const {
+ return CrossCompartmentWrapper::getPrototypeIfOrdinary(cx, wrapper,
+ isOrdinary, protop) &&
+ (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop));
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.h b/js/xpconnect/wrappers/WaiveXrayWrapper.h
new file mode 100644
index 0000000000..fdb70b2044
--- /dev/null
+++ b/js/xpconnect/wrappers/WaiveXrayWrapper.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __CrossOriginWrapper_h__
+#define __CrossOriginWrapper_h__
+
+#include "mozilla/Attributes.h"
+
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+class WaiveXrayWrapper : public js::CrossCompartmentWrapper {
+ public:
+ explicit constexpr WaiveXrayWrapper(unsigned flags)
+ : js::CrossCompartmentWrapper(flags) {}
+
+ virtual bool getOwnPropertyDescriptor(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) const override;
+ virtual bool getPrototype(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandle<JSObject*> protop) const override;
+ virtual bool getPrototypeIfOrdinary(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, bool* isOrdinary,
+ JS::MutableHandle<JSObject*> protop) const override;
+ virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<JS::Value> receiver, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::Value> vp) const override;
+ virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+ virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+
+ virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl,
+ const JS::CallArgs& args) const override;
+ virtual bool hasInstance(JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleValue v, bool* bp) const override;
+
+ static const WaiveXrayWrapper singleton;
+};
+
+} // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
new file mode 100644
index 0000000000..f338770f11
--- /dev/null
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -0,0 +1,811 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WaiveXrayWrapper.h"
+#include "FilteringWrapper.h"
+#include "XrayWrapper.h"
+#include "AccessCheck.h"
+#include "XPCWrapper.h"
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+
+#include "xpcprivate.h"
+#include "XPCMaps.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "jsfriendapi.h"
+#include "js/friend/WindowProxy.h" // js::IsWindow, js::IsWindowProxy
+#include "js/Object.h" // JS::GetPrivate, JS::GetCompartment
+#include "mozilla/Likely.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/MaybeCrossOriginObject.h"
+#include "nsContentUtils.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+using namespace js;
+using namespace mozilla;
+
+namespace xpc {
+
+// When chrome pulls a naked property across the membrane using
+// .wrappedJSObject, we want it to cross the membrane into the
+// chrome compartment without automatically being wrapped into an
+// X-ray wrapper. We achieve this by wrapping it into a special
+// transparent wrapper in the origin (non-chrome) compartment. When
+// an object with that special wrapper applied crosses into chrome,
+// we know to not apply an X-ray wrapper.
+const Wrapper XrayWaiver(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
+
+// When objects for which we waived the X-ray wrapper cross into
+// chrome, we wrap them into a special cross-compartment wrapper
+// that transitively extends the waiver to all properties we get
+// off it.
+const WaiveXrayWrapper WaiveXrayWrapper::singleton(0);
+
+bool WrapperFactory::IsOpaqueWrapper(JSObject* obj) {
+ return IsWrapper(obj) &&
+ Wrapper::wrapperHandler(obj) == &PermissiveXrayOpaque::singleton;
+}
+
+bool WrapperFactory::IsCOW(JSObject* obj) {
+ return IsWrapper(obj) &&
+ Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
+}
+
+JSObject* WrapperFactory::GetXrayWaiver(HandleObject obj) {
+ // Object should come fully unwrapped but outerized.
+ MOZ_ASSERT(obj == UncheckedUnwrap(obj));
+ MOZ_ASSERT(!js::IsWindow(obj));
+ XPCWrappedNativeScope* scope = ObjectScope(obj);
+ MOZ_ASSERT(scope);
+
+ if (!scope->mWaiverWrapperMap) {
+ return nullptr;
+ }
+
+ return scope->mWaiverWrapperMap->Find(obj);
+}
+
+JSObject* WrapperFactory::CreateXrayWaiver(JSContext* cx, HandleObject obj,
+ bool allowExisting) {
+ // The caller is required to have already done a lookup, unless it's
+ // trying to replace an existing waiver.
+ // NB: This implictly performs the assertions of GetXrayWaiver.
+ MOZ_ASSERT(bool(GetXrayWaiver(obj)) == allowExisting);
+ XPCWrappedNativeScope* scope = ObjectScope(obj);
+
+ JSAutoRealm ar(cx, obj);
+ JSObject* waiver = Wrapper::New(cx, obj, &XrayWaiver);
+ if (!waiver) {
+ return nullptr;
+ }
+
+ // Add the new waiver to the map. It's important that we only ever have
+ // one waiver for the lifetime of the target object.
+ if (!scope->mWaiverWrapperMap) {
+ scope->mWaiverWrapperMap = mozilla::MakeUnique<JSObject2JSObjectMap>();
+ }
+ if (!scope->mWaiverWrapperMap->Add(cx, obj, waiver)) {
+ return nullptr;
+ }
+ return waiver;
+}
+
+JSObject* WrapperFactory::WaiveXray(JSContext* cx, JSObject* objArg) {
+ RootedObject obj(cx, objArg);
+ obj = UncheckedUnwrap(obj);
+ MOZ_ASSERT(!js::IsWindow(obj));
+
+ JSObject* waiver = GetXrayWaiver(obj);
+ if (!waiver) {
+ waiver = CreateXrayWaiver(cx, obj);
+ }
+ JS::AssertObjectIsNotGray(waiver);
+ return waiver;
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JS::Compartment* target,
+ JS::Compartment* origin) {
+ return CompartmentPrivate::Get(target)->allowWaivers &&
+ CompartmentOriginInfo::Subsumes(target, origin);
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JSObject* wrapper) {
+ MOZ_ASSERT(js::IsCrossCompartmentWrapper(wrapper));
+ return AllowWaiver(JS::GetCompartment(wrapper),
+ JS::GetCompartment(js::UncheckedUnwrap(wrapper)));
+}
+
+inline bool ShouldWaiveXray(JSContext* cx, JSObject* originalObj) {
+ unsigned flags;
+ (void)js::UncheckedUnwrap(originalObj, /* stopAtWindowProxy = */ true,
+ &flags);
+
+ // If the original object did not point through an Xray waiver, we're done.
+ if (!(flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG)) {
+ return false;
+ }
+
+ // If the original object was not a cross-compartment wrapper, that means
+ // that the caller explicitly created a waiver. Preserve it so that things
+ // like WaiveXrayAndWrap work.
+ if (!(flags & Wrapper::CROSS_COMPARTMENT)) {
+ return true;
+ }
+
+ // Otherwise, this is a case of explicitly passing a wrapper across a
+ // compartment boundary. In that case, we only want to preserve waivers
+ // in transactions between same-origin compartments.
+ JS::Compartment* oldCompartment = JS::GetCompartment(originalObj);
+ JS::Compartment* newCompartment = js::GetContextCompartment(cx);
+ bool sameOrigin = false;
+ if (OriginAttributes::IsRestrictOpenerAccessForFPI()) {
+ sameOrigin =
+ CompartmentOriginInfo::Subsumes(oldCompartment, newCompartment) &&
+ CompartmentOriginInfo::Subsumes(newCompartment, oldCompartment);
+ } else {
+ sameOrigin = CompartmentOriginInfo::SubsumesIgnoringFPD(oldCompartment,
+ newCompartment) &&
+ CompartmentOriginInfo::SubsumesIgnoringFPD(newCompartment,
+ oldCompartment);
+ }
+ return sameOrigin;
+}
+
+// Special handling is needed when wrapping local and remote window proxies.
+// This function returns true if it found a window proxy and dealt with it.
+static bool MaybeWrapWindowProxy(JSContext* cx, HandleObject origObj,
+ HandleObject obj, MutableHandleObject retObj) {
+ bool isWindowProxy = js::IsWindowProxy(obj);
+
+ if (!isWindowProxy &&
+ !dom::IsRemoteObjectProxy(obj, dom::prototypes::id::Window)) {
+ return false;
+ }
+
+ dom::BrowsingContext* bc = nullptr;
+ if (isWindowProxy) {
+ nsGlobalWindowInner* win =
+ WindowOrNull(js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false));
+ if (win && win->GetOuterWindow()) {
+ bc = win->GetOuterWindow()->GetBrowsingContext();
+ }
+ if (!bc) {
+ retObj.set(obj);
+ return true;
+ }
+ } else {
+ bc = dom::GetBrowsingContext(obj);
+ MOZ_ASSERT(bc);
+ }
+
+ // We should only have a remote window proxy if bc is in a state where we
+ // expect remote window proxies. Otherwise, they should have been cleaned up
+ // by a call to CleanUpDanglingRemoteOuterWindowProxies().
+ MOZ_RELEASE_ASSERT(isWindowProxy || bc->CanHaveRemoteOuterProxies());
+
+ if (bc->IsInProcess()) {
+ retObj.set(obj);
+ } else {
+ // If bc is not in process, then use a remote window proxy, whether or not
+ // obj is one already.
+ if (!dom::GetRemoteOuterWindowProxy(cx, bc, origObj, retObj)) {
+ MOZ_CRASH("GetRemoteOuterWindowProxy failed");
+ }
+ }
+
+ return true;
+}
+
+void WrapperFactory::PrepareForWrapping(JSContext* cx, HandleObject scope,
+ HandleObject origObj,
+ HandleObject objArg,
+ HandleObject objectPassedToWrap,
+ MutableHandleObject retObj) {
+ // The JS engine calls ToWindowProxyIfWindow and deals with dead wrappers.
+ MOZ_ASSERT(!js::IsWindow(objArg));
+ MOZ_ASSERT(!JS_IsDeadWrapper(objArg));
+
+ bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
+ RootedObject obj(cx, objArg);
+ retObj.set(nullptr);
+
+ // There are a few cases related to window proxies that are handled first to
+ // allow us to assert against wrappers below.
+ if (MaybeWrapWindowProxy(cx, origObj, obj, retObj)) {
+ if (waive) {
+ // We don't put remote window proxies in a waiving wrapper.
+ MOZ_ASSERT(js::IsWindowProxy(obj));
+ retObj.set(WaiveXray(cx, retObj));
+ }
+ return;
+ }
+
+ // Here are the rules for wrapping:
+ // We should never get a proxy here (the JS engine unwraps those for us).
+ MOZ_ASSERT(!IsWrapper(obj));
+
+ // Now, our object is ready to be wrapped, but several objects (notably
+ // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
+ // those objects in a security wrapper, then we need to hand back the
+ // wrapper for the new scope instead. Also, global objects don't move
+ // between scopes so for those we also want to return the wrapper. So...
+ if (!IS_WN_REFLECTOR(obj) || JS_IsGlobalObject(obj)) {
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ XPCWrappedNative* wn = XPCWrappedNative::Get(obj);
+
+ JSAutoRealm ar(cx, obj);
+ XPCCallContext ccx(cx, obj);
+ RootedObject wrapScope(cx, scope);
+
+ if (ccx.GetScriptable() && ccx.GetScriptable()->WantPreCreate()) {
+ // We have a precreate hook. This object might enforce that we only
+ // ever create JS object for it.
+
+ // Note: this penalizes objects that only have one wrapper, but are
+ // being accessed across compartments. We would really prefer to
+ // replace the above code with a test that says "do you only have one
+ // wrapper?"
+ nsresult rv = wn->GetScriptable()->PreCreate(wn->Native(), cx, scope,
+ wrapScope.address());
+ if (NS_FAILED(rv)) {
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ // If the handed back scope differs from the passed-in scope and is in
+ // a separate compartment, then this object is explicitly requesting
+ // that we don't create a second JS object for it: create a security
+ // wrapper.
+ //
+ // Note: The only two objects that still use PreCreate are BackstagePass
+ // and Components, both of which unconditionally request their canonical
+ // scope. Since SpiderMonkey only invokes the prewrap callback in
+ // situations where the object is nominally cross-compartment, we should
+ // always get a different scope here.
+ MOZ_RELEASE_ASSERT(JS::GetCompartment(scope) !=
+ JS::GetCompartment(wrapScope));
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
+ // so we don't have to.
+ RootedValue v(cx);
+ nsresult rv = nsXPConnect::XPConnect()->WrapNativeToJSVal(
+ cx, wrapScope, wn->Native(), nullptr, &NS_GET_IID(nsISupports), false,
+ &v);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ obj.set(&v.toObject());
+ MOZ_ASSERT(IS_WN_REFLECTOR(obj), "bad object");
+ JS::AssertObjectIsNotGray(obj); // We should never return gray reflectors.
+
+ // Because the underlying native didn't have a PreCreate hook, we had
+ // to a new (or possibly pre-existing) XPCWN in our compartment.
+ // This could be a problem for chrome code that passes XPCOM objects
+ // across compartments, because the effects of QI would disappear across
+ // compartments.
+ //
+ // So whenever we pull an XPCWN across compartments in this manner, we
+ // give the destination object the union of the two native sets. We try
+ // to do this cleverly in the common case to avoid too much overhead.
+ XPCWrappedNative* newwn = XPCWrappedNative::Get(obj);
+ RefPtr<XPCNativeSet> unionSet =
+ XPCNativeSet::GetNewOrUsed(cx, newwn->GetSet(), wn->GetSet(), false);
+ if (!unionSet) {
+ return;
+ }
+ newwn->SetSet(unionSet.forget());
+
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+}
+
+// This check is completely symmetric, so we don't need to keep track of origin
+// vs target here. Two compartments may have had transparent CCWs between them
+// only if they are same-origin (ignoring document.domain) or have both had
+// document.domain set at some point and are same-site. In either case they
+// will have the same SiteIdentifier, so check that first.
+static bool CompartmentsMayHaveHadTransparentCCWs(
+ CompartmentPrivate* private1, CompartmentPrivate* private2) {
+ auto& info1 = private1->originInfo;
+ auto& info2 = private2->originInfo;
+
+ if (!info1.SiteRef().Equals(info2.SiteRef())) {
+ return false;
+ }
+
+ return info1.GetPrincipalIgnoringDocumentDomain()->FastEquals(
+ info2.GetPrincipalIgnoringDocumentDomain()) ||
+ (info1.HasChangedDocumentDomain() && info2.HasChangedDocumentDomain());
+}
+
+#ifdef DEBUG
+static void DEBUG_CheckUnwrapSafety(HandleObject obj,
+ const js::Wrapper* handler,
+ JS::Realm* origin, JS::Realm* target) {
+ JS::Compartment* targetCompartment = JS::GetCompartmentForRealm(target);
+ if (!js::AllowNewWrapper(targetCompartment, obj)) {
+ // The JS engine should have returned a dead wrapper in this case and we
+ // shouldn't even get here.
+ MOZ_ASSERT_UNREACHABLE("CheckUnwrapSafety called for a dead wrapper");
+ } else if (AccessCheck::isChrome(targetCompartment)) {
+ // If the caller is chrome (or effectively so), unwrap should always be
+ // allowed, but we might have a CrossOriginObjectWrapper here which allows
+ // it dynamically.
+ MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ } else {
+ // Otherwise, it should depend on whether the target subsumes the origin.
+ bool subsumes =
+ (OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(target, origin)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(target,
+ origin));
+ if (!subsumes) {
+ // If the target (which is where the wrapper lives) does not subsume the
+ // origin (which is where the wrapped object lives), then we should
+ // generally have a security check on the wrapper here. There is one
+ // exception, though: things that used to be same-origin and then stopped
+ // due to document.domain changes. In that case we will have a
+ // transparent cross-compartment wrapper here even though "subsumes" is no
+ // longer true.
+ CompartmentPrivate* originCompartmentPrivate =
+ CompartmentPrivate::Get(origin);
+ CompartmentPrivate* targetCompartmentPrivate =
+ CompartmentPrivate::Get(target);
+ if (!originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays &&
+ CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+ targetCompartmentPrivate)) {
+ // We should have a transparent CCW, unless we have a cross-origin
+ // object, in which case it will be a CrossOriginObjectWrapper.
+ MOZ_ASSERT(handler == &CrossCompartmentWrapper::singleton ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ } else {
+ MOZ_ASSERT(handler->hasSecurityPolicy());
+ }
+ } else {
+ // Even if target subsumes origin, we might have a wrapper with a security
+ // policy here, if it happens to be a CrossOriginObjectWrapper.
+ MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ }
+ }
+}
+#else
+# define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) \
+ {}
+#endif
+
+const CrossOriginObjectWrapper CrossOriginObjectWrapper::singleton;
+
+bool CrossOriginObjectWrapper::dynamicCheckedUnwrapAllowed(
+ HandleObject obj, JSContext* cx) const {
+ MOZ_ASSERT(js::GetProxyHandler(obj) == this,
+ "Why are we getting called for some random object?");
+ JSObject* target = wrappedObject(obj);
+ return dom::MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(cx,
+ target);
+}
+
+static const Wrapper* SelectWrapper(bool securityWrapper, XrayType xrayType,
+ bool waiveXrays, JSObject* obj) {
+ // Waived Xray uses a modified CCW that has transparent behavior but
+ // transitively waives Xrays on arguments.
+ if (waiveXrays) {
+ MOZ_ASSERT(!securityWrapper);
+ return &WaiveXrayWrapper::singleton;
+ }
+
+ // If we don't want or can't use Xrays, select a wrapper that's either
+ // entirely transparent or entirely opaque.
+ if (xrayType == NotXray) {
+ if (!securityWrapper) {
+ return &CrossCompartmentWrapper::singleton;
+ }
+ return &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ Opaque>::singleton;
+ }
+
+ // Ok, we're using Xray. If this isn't a security wrapper, use the permissive
+ // version and skip the filter.
+ if (!securityWrapper) {
+ if (xrayType == XrayForDOMObject) {
+ return &PermissiveXrayDOM::singleton;
+ } else if (xrayType == XrayForJSObject) {
+ return &PermissiveXrayJS::singleton;
+ }
+ MOZ_ASSERT(xrayType == XrayForOpaqueObject);
+ return &PermissiveXrayOpaque::singleton;
+ }
+
+ // There's never any reason to expose other objects to non-subsuming actors.
+ // Just use an opaque wrapper in these cases.
+ return &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+}
+
+JSObject* WrapperFactory::Rewrap(JSContext* cx, HandleObject existing,
+ HandleObject obj) {
+ MOZ_ASSERT(!IsWrapper(obj) || GetProxyHandler(obj) == &XrayWaiver ||
+ js::IsWindowProxy(obj),
+ "wrapped object passed to rewrap");
+ MOZ_ASSERT(!js::IsWindow(obj));
+ MOZ_ASSERT(dom::IsJSAPIActive());
+
+ // Compute the information we need to select the right wrapper.
+ JS::Realm* origin = js::GetNonCCWObjectRealm(obj);
+ JS::Realm* target = js::GetContextRealm(cx);
+ MOZ_ASSERT(target, "Why is our JSContext not in a Realm?");
+ bool originIsChrome = AccessCheck::isChrome(origin);
+ bool targetIsChrome = AccessCheck::isChrome(target);
+ bool originSubsumesTarget =
+ OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(origin, target)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(origin, target);
+ bool targetSubsumesOrigin =
+ OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(target, origin)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(target, origin);
+ bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
+
+ const Wrapper* wrapper;
+
+ CompartmentPrivate* originCompartmentPrivate =
+ CompartmentPrivate::Get(origin);
+ CompartmentPrivate* targetCompartmentPrivate =
+ CompartmentPrivate::Get(target);
+
+ // Track whether we decided to use a transparent wrapper because of
+ // document.domain usage, so we don't override that decision.
+ bool isTransparentWrapperDueToDocumentDomain = false;
+
+ //
+ // First, handle the special cases.
+ //
+
+ // Special handling for chrome objects being exposed to content.
+ if (originIsChrome && !targetIsChrome) {
+ // If this is a chrome function being exposed to content, we need to allow
+ // call (but nothing else).
+ if ((IdentifyStandardInstance(obj) == JSProto_Function)) {
+ wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ OpaqueWithCall>::singleton;
+ }
+
+ // For vanilla JSObjects exposed from chrome to content, we use a wrapper
+ // that fails silently in a few cases. We'd like to get rid of this
+ // eventually, but in their current form they don't cause much trouble.
+ else if (IdentifyStandardInstance(obj) == JSProto_Object) {
+ wrapper = &ChromeObjectWrapper::singleton;
+ }
+
+ // Otherwise we get an opaque wrapper.
+ else {
+ wrapper =
+ &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+ }
+ }
+
+ // Special handling for the web's cross-origin objects (WindowProxy and
+ // Location). We only need or want to do this in web-like contexts, where all
+ // security relationships are symmetric and there are no forced Xrays.
+ else if (originSubsumesTarget == targetSubsumesOrigin &&
+ // Check for the more rare case of cross-origin objects before doing
+ // the more-likely-to-pass checks for wantXrays.
+ IsCrossOriginAccessibleObject(obj) &&
+ (!targetSubsumesOrigin || (!originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays))) {
+ wrapper = &CrossOriginObjectWrapper::singleton;
+ }
+
+ // Special handling for other web objects. Again, we only want this in
+ // web-like contexts (symmetric security relationships, no forced Xrays). In
+ // this situation, if the two compartments may ever have had transparent CCWs
+ // between them, we want to keep using transparent CCWs.
+ else if (originSubsumesTarget == targetSubsumesOrigin &&
+ !originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays &&
+ CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+ targetCompartmentPrivate)) {
+ isTransparentWrapperDueToDocumentDomain = true;
+ wrapper = &CrossCompartmentWrapper::singleton;
+ }
+
+ //
+ // Now, handle the regular cases.
+ //
+ // These are wrappers we can compute using a rule-based approach. In order
+ // to do so, we need to compute some parameters.
+ //
+ else {
+ // The wrapper is a security wrapper (protecting the wrappee) if and
+ // only if the target does not subsume the origin.
+ bool securityWrapper = !targetSubsumesOrigin;
+
+ // Xrays are warranted if either the target or the origin don't trust
+ // each other. This is generally the case, unless the two are same-origin
+ // and the caller has not requested same-origin Xrays.
+ //
+ // Xrays are a bidirectional protection, since it affords clarity to the
+ // caller and privacy to the callee.
+ bool sameOriginXrays = originCompartmentPrivate->wantXrays ||
+ targetCompartmentPrivate->wantXrays;
+ bool wantXrays = !sameOrigin || sameOriginXrays;
+
+ XrayType xrayType = wantXrays ? GetXrayType(obj) : NotXray;
+
+ // If Xrays are warranted, the caller may waive them for non-security
+ // wrappers (unless explicitly forbidden from doing so).
+ bool waiveXrays = wantXrays && !securityWrapper &&
+ targetCompartmentPrivate->allowWaivers &&
+ HasWaiveXrayFlag(obj);
+
+ wrapper = SelectWrapper(securityWrapper, xrayType, waiveXrays, obj);
+ }
+
+ if (!targetSubsumesOrigin && !isTransparentWrapperDueToDocumentDomain) {
+ // Do a belt-and-suspenders check against exposing eval()/Function() to
+ // non-subsuming content.
+ if (JSFunction* fun = JS_GetObjectFunction(obj)) {
+ if (JS_IsBuiltinEvalFunction(fun) ||
+ JS_IsBuiltinFunctionConstructor(fun)) {
+ NS_WARNING(
+ "Trying to expose eval or Function to non-subsuming content!");
+ wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ Opaque>::singleton;
+ }
+ }
+ }
+
+ DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
+
+ if (existing) {
+ return Wrapper::Renew(existing, obj, wrapper);
+ }
+
+ return Wrapper::New(cx, obj, wrapper);
+}
+
+// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
+// wrapped in an Xray wrapper. cx->compartment is the compartment that will be
+// using the returned object. If the object to be wrapped is already in the
+// correct compartment, then this returns the unwrapped object.
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx, MutableHandleValue vp) {
+ if (vp.isPrimitive()) {
+ return JS_WrapValue(cx, vp);
+ }
+
+ RootedObject obj(cx, &vp.toObject());
+ if (!WaiveXrayAndWrap(cx, &obj)) {
+ return false;
+ }
+
+ vp.setObject(*obj);
+ return true;
+}
+
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx,
+ MutableHandleObject argObj) {
+ MOZ_ASSERT(argObj);
+ RootedObject obj(cx, js::UncheckedUnwrap(argObj));
+ MOZ_ASSERT(!js::IsWindow(obj));
+ if (js::IsObjectInContextCompartment(obj, cx)) {
+ argObj.set(obj);
+ return true;
+ }
+
+ // Even though waivers have no effect on access by scopes that don't subsume
+ // the underlying object, good defense-in-depth dictates that we should avoid
+ // handing out waivers to callers that can't use them. The transitive waiving
+ // machinery unconditionally calls WaiveXrayAndWrap on return values from
+ // waived functions, even though the return value might be not be same-origin
+ // with the function. So if we find ourselves trying to create a waiver for
+ // |cx|, we should check whether the caller has any business with waivers
+ // to things in |obj|'s compartment.
+ JS::Compartment* target = js::GetContextCompartment(cx);
+ JS::Compartment* origin = JS::GetCompartment(obj);
+ obj = AllowWaiver(target, origin) ? WaiveXray(cx, obj) : obj;
+ if (!obj) {
+ return false;
+ }
+
+ if (!JS_WrapObject(cx, &obj)) {
+ return false;
+ }
+ argObj.set(obj);
+ return true;
+}
+
+/*
+ * Calls to JS_TransplantObject* should go through these helpers here so that
+ * waivers get fixed up properly.
+ */
+
+static bool FixWaiverAfterTransplant(JSContext* cx, HandleObject oldWaiver,
+ HandleObject newobj,
+ bool crossCompartmentTransplant) {
+ MOZ_ASSERT(Wrapper::wrapperHandler(oldWaiver) == &XrayWaiver);
+ MOZ_ASSERT(!js::IsCrossCompartmentWrapper(newobj));
+
+ if (crossCompartmentTransplant) {
+ // If the new compartment has a CCW for oldWaiver, nuke this CCW. This
+ // prevents confusing RemapAllWrappersForObject: it would call RemapWrapper
+ // with two same-compartment objects (the CCW and the new waiver).
+ //
+ // This can happen when loading a chrome page in a content frame and there
+ // exists a CCW from the chrome compartment to oldWaiver wrapping the window
+ // we just transplanted:
+ //
+ // Compartment 1 | Compartment 2
+ // ----------------------------------------
+ // CCW1 -----------> oldWaiver --> CCW2 --+
+ // newWaiver |
+ // WindowProxy <--------------------------+
+ js::NukeCrossCompartmentWrapperIfExists(cx, JS::GetCompartment(newobj),
+ oldWaiver);
+ } else {
+ // We kept the same object identity, so the waiver should be a
+ // waiver for our object, just in the wrong Realm.
+ MOZ_ASSERT(newobj == Wrapper::wrappedObject(oldWaiver));
+ }
+
+ // Create a waiver in the new compartment. We know there's not one already in
+ // the crossCompartmentTransplant case because we _just_ transplanted, which
+ // means that |newobj| was either created from scratch, or was previously
+ // cross-compartment wrapper (which should have no waiver). On the other hand,
+ // in the !crossCompartmentTransplant case we know one already exists.
+ // CreateXrayWaiver asserts all this.
+ RootedObject newWaiver(
+ cx, WrapperFactory::CreateXrayWaiver(
+ cx, newobj, /* allowExisting = */ !crossCompartmentTransplant));
+ if (!newWaiver) {
+ return false;
+ }
+
+ if (!crossCompartmentTransplant) {
+ // CreateXrayWaiver should have updated the map to point to the new waiver.
+ MOZ_ASSERT(WrapperFactory::GetXrayWaiver(newobj) == newWaiver);
+ }
+
+ // Update all the cross-compartment references to oldWaiver to point to
+ // newWaiver.
+ if (!js::RemapAllWrappersForObject(cx, oldWaiver, newWaiver)) {
+ return false;
+ }
+
+ if (crossCompartmentTransplant) {
+ // There should be no same-compartment references to oldWaiver, and we
+ // just remapped all cross-compartment references. It's dead, so we can
+ // remove it from the map.
+ XPCWrappedNativeScope* scope = ObjectScope(oldWaiver);
+ JSObject* key = Wrapper::wrappedObject(oldWaiver);
+ MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+ scope->mWaiverWrapperMap->Remove(key);
+ }
+
+ return true;
+}
+
+JSObject* TransplantObject(JSContext* cx, JS::HandleObject origobj,
+ JS::HandleObject target) {
+ RootedObject oldWaiver(cx, WrapperFactory::GetXrayWaiver(origobj));
+ MOZ_ASSERT_IF(oldWaiver, GetNonCCWObjectRealm(oldWaiver) ==
+ GetNonCCWObjectRealm(origobj));
+ RootedObject newIdentity(cx, JS_TransplantObject(cx, origobj, target));
+ if (!newIdentity || !oldWaiver) {
+ return newIdentity;
+ }
+
+ bool crossCompartmentTransplant = (newIdentity != origobj);
+ if (!crossCompartmentTransplant) {
+ // We might still have been transplanted across realms within a single
+ // compartment.
+ if (GetNonCCWObjectRealm(oldWaiver) == GetNonCCWObjectRealm(newIdentity)) {
+ // The old waiver is same-realm with the new object; nothing else to do
+ // here.
+ return newIdentity;
+ }
+ }
+
+ if (!FixWaiverAfterTransplant(cx, oldWaiver, newIdentity,
+ crossCompartmentTransplant)) {
+ return nullptr;
+ }
+ return newIdentity;
+}
+
+JSObject* TransplantObjectRetainingXrayExpandos(JSContext* cx,
+ JS::HandleObject origobj,
+ JS::HandleObject target) {
+ // Save the chain of objects that carry origobj's Xray expando properties
+ // (from all compartments). TransplantObject will blow this away; we'll
+ // restore it manually afterwards.
+ RootedObject expandoChain(
+ cx, GetXrayTraits(origobj)->detachExpandoChain(origobj));
+
+ RootedObject newIdentity(cx, TransplantObject(cx, origobj, target));
+
+ // Copy Xray expando properties to the new wrapper.
+ if (!GetXrayTraits(newIdentity)
+ ->cloneExpandoChain(cx, newIdentity, expandoChain)) {
+ // Failure here means some expandos were not copied over. The object graph
+ // and the Xray machinery are left in a consistent state, but mysteriously
+ // losing these expandos is too weird to allow.
+ MOZ_CRASH();
+ }
+
+ return newIdentity;
+}
+
+static void NukeXrayWaiver(JSContext* cx, JS::HandleObject obj) {
+ RootedObject waiver(cx, WrapperFactory::GetXrayWaiver(obj));
+ if (!waiver) {
+ return;
+ }
+
+ XPCWrappedNativeScope* scope = ObjectScope(waiver);
+ JSObject* key = Wrapper::wrappedObject(waiver);
+ MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+ scope->mWaiverWrapperMap->Remove(key);
+
+ js::NukeNonCCWProxy(cx, waiver);
+
+ // Get rid of any CCWs the waiver may have had.
+ if (!JS_RefreshCrossCompartmentWrappers(cx, waiver)) {
+ MOZ_CRASH();
+ }
+}
+
+JSObject* TransplantObjectNukingXrayWaiver(JSContext* cx,
+ JS::HandleObject origObj,
+ JS::HandleObject target) {
+ NukeXrayWaiver(cx, origObj);
+ return JS_TransplantObject(cx, origObj, target);
+}
+
+nsIGlobalObject* NativeGlobal(JSObject* obj) {
+ obj = JS::GetNonCCWObjectGlobal(obj);
+
+ // Every global needs to hold a native as its private or be a
+ // WebIDL object with an nsISupports DOM object.
+ MOZ_ASSERT((JS::GetClass(obj)->flags &
+ (JSCLASS_PRIVATE_IS_NSISUPPORTS | JSCLASS_HAS_PRIVATE)) ||
+ dom::UnwrapDOMObjectToISupports(obj));
+
+ nsISupports* native = dom::UnwrapDOMObjectToISupports(obj);
+ if (!native) {
+ native = static_cast<nsISupports*>(JS::GetPrivate(obj));
+ MOZ_ASSERT(native);
+
+ // In some cases (like for windows) it is a wrapped native,
+ // in other cases (sandboxes, backstage passes) it's just
+ // a direct pointer to the native. If it's a wrapped native
+ // let's unwrap it first.
+ if (nsCOMPtr<nsIXPConnectWrappedNative> wn = do_QueryInterface(native)) {
+ native = wn->Native();
+ }
+ }
+
+ nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(native);
+ MOZ_ASSERT(global,
+ "Native held by global needs to implement nsIGlobalObject!");
+
+ return global;
+}
+
+nsIGlobalObject* CurrentNativeGlobal(JSContext* cx) {
+ return xpc::NativeGlobal(JS::CurrentGlobalOrNull(cx));
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/WrapperFactory.h b/js/xpconnect/wrappers/WrapperFactory.h
new file mode 100644
index 0000000000..ea1133eb55
--- /dev/null
+++ b/js/xpconnect/wrappers/WrapperFactory.h
@@ -0,0 +1,109 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _xpc_WRAPPERFACTORY_H
+#define _xpc_WRAPPERFACTORY_H
+
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+/**
+ * A wrapper that's only used for cross-origin objects. This should be
+ * just like a CrossCompartmentWrapper but (as an implementation
+ * detail) doesn't actually do any compartment-entering and (as an
+ * implementation detail) delegates all the security decisions and
+ * compartment-entering to the target object, which is always a
+ * proxy.
+ *
+ * We could also inherit from CrossCompartmentWrapper but then we
+ * would need to override all the proxy hooks to avoid the
+ * compartment-entering bits.
+ */
+class CrossOriginObjectWrapper : public js::Wrapper {
+ public:
+ // We want to claim to have a security policy, so code doesn't just
+ // CheckedUnwrap us willy-nilly. But we're OK with the BaseProxyHandler
+ // implementation of enter(), which allows entering. Our target is what
+ // really does the security checks.
+ //
+ // We don't want to inherit from CrossCompartmentWrapper, because we don't
+ // want the compartment-entering behavior it has. But we do want to set the
+ // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for
+ // is<js::CrossCompartmentWrapperObject> and so forth.
+ constexpr explicit CrossOriginObjectWrapper()
+ : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
+ /* aHasSecurityPolicy = */ true) {}
+
+ bool dynamicCheckedUnwrapAllowed(JS::HandleObject obj,
+ JSContext* cx) const override;
+
+ static const CrossOriginObjectWrapper singleton;
+};
+
+class WrapperFactory {
+ public:
+ enum {
+ WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1,
+ IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1
+ };
+
+ // Return true if any of any of the nested wrappers have the flag set.
+ static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) {
+ unsigned flags = 0;
+ js::UncheckedUnwrap(wrapper, true, &flags);
+ return !!(flags & flag);
+ }
+
+ static bool IsXrayWrapper(JSObject* wrapper) {
+ return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG);
+ }
+
+ static bool IsCrossOriginWrapper(JSObject* obj) {
+ return (js::IsProxy(obj) &&
+ js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton);
+ }
+
+ static bool IsOpaqueWrapper(JSObject* obj);
+
+ static bool HasWaiveXrayFlag(JSObject* wrapper) {
+ return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG);
+ }
+
+ static bool IsCOW(JSObject* wrapper);
+
+ static JSObject* GetXrayWaiver(JS::HandleObject obj);
+ // If allowExisting is true, there is an existing waiver for obj in
+ // its scope, but we want to replace it with the new one.
+ static JSObject* CreateXrayWaiver(JSContext* cx, JS::HandleObject obj,
+ bool allowExisting = false);
+ static JSObject* WaiveXray(JSContext* cx, JSObject* obj);
+
+ // Computes whether we should allow the creation of an Xray waiver from
+ // |target| to |origin|.
+ static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin);
+
+ // Convenience method for the above, operating on a wrapper.
+ static bool AllowWaiver(JSObject* wrapper);
+
+ // Prepare a given object for wrapping in a new compartment.
+ static void PrepareForWrapping(JSContext* cx, JS::HandleObject scope,
+ JS::HandleObject origObj, JS::HandleObject obj,
+ JS::HandleObject objectPassedToWrap,
+ JS::MutableHandleObject retObj);
+
+ // Rewrap an object that is about to cross compartment boundaries.
+ static JSObject* Rewrap(JSContext* cx, JS::HandleObject existing,
+ JS::HandleObject obj);
+
+ // Wrap wrapped object into a waiver wrapper and then re-wrap it.
+ static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandleValue vp);
+ static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandleObject object);
+};
+
+} // namespace xpc
+
+#endif /* _xpc_WRAPPERFACTORY_H */
diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp
new file mode 100644
index 0000000000..949cb823e1
--- /dev/null
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -0,0 +1,2324 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "XrayWrapper.h"
+#include "AccessCheck.h"
+#include "WrapperFactory.h"
+
+#include "nsDependentString.h"
+#include "nsIConsoleService.h"
+#include "nsIScriptError.h"
+#include "nsIXPConnect.h"
+#include "mozilla/dom/Element.h"
+#include "mozilla/dom/ScriptSettings.h"
+
+#include "XPCWrapper.h"
+#include "xpcprivate.h"
+
+#include "jsapi.h"
+#include "js/experimental/TypedData.h" // JS_GetTypedArrayLength
+#include "js/friend/WindowProxy.h" // js::IsWindowProxy
+#include "js/friend/XrayJitInfo.h" // JS::XrayJitInfo
+#include "js/Object.h" // JS::GetClass, JS::GetCompartment, JS::GetReservedSlot, JS::SetReservedSlot
+#include "js/PropertySpec.h"
+#include "nsJSUtils.h"
+#include "nsPrintfCString.h"
+
+#include "mozilla/FloatingPoint.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/dom/WindowBinding.h"
+#include "mozilla/dom/WindowProxyHolder.h"
+#include "mozilla/dom/XrayExpandoClass.h"
+#include "nsGlobalWindow.h"
+
+using namespace mozilla::dom;
+using namespace JS;
+using namespace mozilla;
+
+using js::BaseProxyHandler;
+using js::CheckedUnwrapStatic;
+using js::IsCrossCompartmentWrapper;
+using js::UncheckedUnwrap;
+using js::Wrapper;
+
+namespace xpc {
+
+#define Between(x, a, b) (a <= x && x <= b)
+
+static_assert(JSProto_URIError - JSProto_Error == 8,
+ "New prototype added in error object range");
+#define AssertErrorObjectKeyInBounds(key) \
+ static_assert(Between(key, JSProto_Error, JSProto_URIError), \
+ "We depend on js/ProtoKey.h ordering here");
+MOZ_FOR_EACH(AssertErrorObjectKeyInBounds, (),
+ (JSProto_Error, JSProto_InternalError, JSProto_AggregateError,
+ JSProto_EvalError, JSProto_RangeError, JSProto_ReferenceError,
+ JSProto_SyntaxError, JSProto_TypeError, JSProto_URIError));
+
+static_assert(JSProto_Uint8ClampedArray - JSProto_Int8Array == 8,
+ "New prototype added in typed array range");
+#define AssertTypedArrayKeyInBounds(key) \
+ static_assert(Between(key, JSProto_Int8Array, JSProto_Uint8ClampedArray), \
+ "We depend on js/ProtoKey.h ordering here");
+MOZ_FOR_EACH(AssertTypedArrayKeyInBounds, (),
+ (JSProto_Int8Array, JSProto_Uint8Array, JSProto_Int16Array,
+ JSProto_Uint16Array, JSProto_Int32Array, JSProto_Uint32Array,
+ JSProto_Float32Array, JSProto_Float64Array,
+ JSProto_Uint8ClampedArray));
+
+#undef Between
+
+inline bool IsErrorObjectKey(JSProtoKey key) {
+ return key >= JSProto_Error && key <= JSProto_URIError;
+}
+
+inline bool IsTypedArrayKey(JSProtoKey key) {
+ return key >= JSProto_Int8Array && key <= JSProto_Uint8ClampedArray;
+}
+
+// Whitelist for the standard ES classes we can Xray to.
+static bool IsJSXraySupported(JSProtoKey key) {
+ if (IsTypedArrayKey(key)) {
+ return true;
+ }
+ if (IsErrorObjectKey(key)) {
+ return true;
+ }
+ switch (key) {
+ case JSProto_Date:
+ case JSProto_DataView:
+ case JSProto_Object:
+ case JSProto_Array:
+ case JSProto_Function:
+ case JSProto_TypedArray:
+ case JSProto_SavedFrame:
+ case JSProto_RegExp:
+ case JSProto_Promise:
+ case JSProto_ArrayBuffer:
+ case JSProto_SharedArrayBuffer:
+ case JSProto_Map:
+ case JSProto_Set:
+ case JSProto_WeakMap:
+ case JSProto_WeakSet:
+ return true;
+ default:
+ return false;
+ }
+}
+
+XrayType GetXrayType(JSObject* obj) {
+ obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
+ if (mozilla::dom::UseDOMXray(obj)) {
+ return XrayForDOMObject;
+ }
+
+ MOZ_ASSERT(!js::IsWindowProxy(obj));
+
+ JSProtoKey standardProto = IdentifyStandardInstanceOrPrototype(obj);
+ if (IsJSXraySupported(standardProto)) {
+ return XrayForJSObject;
+ }
+
+ // Modulo a few exceptions, everything else counts as an XrayWrapper to an
+ // opaque object, which means that more-privileged code sees nothing from
+ // the underlying object. This is very important for security. In some cases
+ // though, we need to make an exception for compatibility.
+ if (IsSandbox(obj)) {
+ return NotXray;
+ }
+
+ return XrayForOpaqueObject;
+}
+
+JSObject* XrayAwareCalleeGlobal(JSObject* fun) {
+ MOZ_ASSERT(js::IsFunctionObject(fun));
+
+ if (!js::FunctionHasNativeReserved(fun)) {
+ // Just a normal function, no Xrays involved.
+ return JS::GetNonCCWObjectGlobal(fun);
+ }
+
+ // The functions we expect here have the Xray wrapper they're associated with
+ // in their XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT and, in a debug build,
+ // themselves in their XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF. Assert that
+ // last bit.
+ MOZ_ASSERT(&js::GetFunctionNativeReserved(
+ fun, XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF)
+ .toObject() == fun);
+
+ Value v =
+ js::GetFunctionNativeReserved(fun, XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT);
+ MOZ_ASSERT(IsXrayWrapper(&v.toObject()));
+
+ JSObject* xrayTarget = js::UncheckedUnwrap(&v.toObject());
+ return JS::GetNonCCWObjectGlobal(xrayTarget);
+}
+
+JSObject* XrayTraits::getExpandoChain(HandleObject obj) {
+ return ObjectScope(obj)->GetExpandoChain(obj);
+}
+
+JSObject* XrayTraits::detachExpandoChain(HandleObject obj) {
+ return ObjectScope(obj)->DetachExpandoChain(obj);
+}
+
+bool XrayTraits::setExpandoChain(JSContext* cx, HandleObject obj,
+ HandleObject chain) {
+ return ObjectScope(obj)->SetExpandoChain(cx, obj, chain);
+}
+
+const JSClass XrayTraits::HolderClass = {
+ "XrayHolder", JSCLASS_HAS_RESERVED_SLOTS(HOLDER_SHARED_SLOT_COUNT)};
+
+const JSClass JSXrayTraits::HolderClass = {
+ "JSXrayHolder", JSCLASS_HAS_RESERVED_SLOTS(SLOT_COUNT)};
+
+bool OpaqueXrayTraits::resolveOwnProperty(
+ JSContext* cx, HandleObject wrapper, HandleObject target,
+ HandleObject holder, HandleId id, MutableHandle<PropertyDescriptor> desc) {
+ bool ok =
+ XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+ if (!ok || desc.object()) {
+ return ok;
+ }
+
+ return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+ "object is not safely Xrayable");
+}
+
+bool ReportWrapperDenial(JSContext* cx, HandleId id, WrapperDenialType type,
+ const char* reason) {
+ RealmPrivate* priv = RealmPrivate::Get(CurrentGlobalOrNull(cx));
+ bool alreadyWarnedOnce = priv->wrapperDenialWarnings[type];
+ priv->wrapperDenialWarnings[type] = true;
+
+ // The browser console warning is only emitted for the first violation,
+ // whereas the (debug-only) NS_WARNING is emitted for each violation.
+#ifndef DEBUG
+ if (alreadyWarnedOnce) {
+ return true;
+ }
+#endif
+
+ nsAutoJSString propertyName;
+ RootedValue idval(cx);
+ if (!JS_IdToValue(cx, id, &idval)) {
+ return false;
+ }
+ JSString* str = JS_ValueToSource(cx, idval);
+ if (!str) {
+ return false;
+ }
+ if (!propertyName.init(cx, str)) {
+ return false;
+ }
+ AutoFilename filename;
+ unsigned line = 0, column = 0;
+ DescribeScriptedCaller(cx, &filename, &line, &column);
+
+ // Warn to the terminal for the logs.
+ NS_WARNING(
+ nsPrintfCString("Silently denied access to property %s: %s (@%s:%u:%u)",
+ NS_LossyConvertUTF16toASCII(propertyName).get(), reason,
+ filename.get(), line, column)
+ .get());
+
+ // If this isn't the first warning on this topic for this global, we've
+ // already bailed out in opt builds. Now that the NS_WARNING is done, bail
+ // out in debug builds as well.
+ if (alreadyWarnedOnce) {
+ return true;
+ }
+
+ //
+ // Log a message to the console service.
+ //
+
+ // Grab the pieces.
+ nsCOMPtr<nsIConsoleService> consoleService =
+ do_GetService(NS_CONSOLESERVICE_CONTRACTID);
+ NS_ENSURE_TRUE(consoleService, true);
+ nsCOMPtr<nsIScriptError> errorObject =
+ do_CreateInstance(NS_SCRIPTERROR_CONTRACTID);
+ NS_ENSURE_TRUE(errorObject, true);
+
+ // Compute the current window id if any.
+ uint64_t windowId = 0;
+ if (nsGlobalWindowInner* win = CurrentWindowOrNull(cx)) {
+ windowId = win->WindowID();
+ }
+
+ Maybe<nsPrintfCString> errorMessage;
+ if (type == WrapperDenialForXray) {
+ errorMessage.emplace(
+ "XrayWrapper denied access to property %s (reason: %s). "
+ "See https://developer.mozilla.org/en-US/docs/Xray_vision "
+ "for more information. Note that only the first denied "
+ "property access from a given global object will be reported.",
+ NS_LossyConvertUTF16toASCII(propertyName).get(), reason);
+ } else {
+ MOZ_ASSERT(type == WrapperDenialForCOW);
+ errorMessage.emplace(
+ "Security wrapper denied access to property %s on privileged "
+ "Javascript object. Support for exposing privileged objects "
+ "to untrusted content via __exposedProps__ has been "
+ "removed - use WebIDL bindings or Components.utils.cloneInto "
+ "instead. Note that only the first denied property access from a "
+ "given global object will be reported.",
+ NS_LossyConvertUTF16toASCII(propertyName).get());
+ }
+ nsString filenameStr(NS_ConvertASCIItoUTF16(filename.get()));
+ nsresult rv = errorObject->InitWithWindowID(
+ NS_ConvertASCIItoUTF16(errorMessage.ref()), filenameStr, u""_ns, line,
+ column, nsIScriptError::warningFlag, "XPConnect", windowId);
+ NS_ENSURE_SUCCESS(rv, true);
+ rv = consoleService->LogMessage(errorObject);
+ NS_ENSURE_SUCCESS(rv, true);
+
+ return true;
+}
+
+bool JSXrayTraits::getOwnPropertyFromWrapperIfSafe(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ MutableHandle<PropertyDescriptor> outDesc) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+ RootedObject target(cx, getTargetObject(wrapper));
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+ {
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id,
+ outDesc)) {
+ return false;
+ }
+ }
+ return JS_WrapPropertyDescriptor(cx, outDesc);
+}
+
+bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(
+ JSContext* cx, HandleObject target, HandleObject wrapper,
+ HandleObject wrapperGlobal, HandleId id,
+ MutableHandle<PropertyDescriptor> outDesc) {
+ // Note - This function operates in the target compartment, because it
+ // avoids a bunch of back-and-forth wrapping in enumerateNames.
+ MOZ_ASSERT(getTargetObject(wrapper) == target);
+ MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
+ MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+ MOZ_ASSERT(JS_IsGlobalObject(wrapperGlobal));
+ js::AssertSameCompartment(wrapper, wrapperGlobal);
+ MOZ_ASSERT(outDesc.object() == nullptr);
+
+ Rooted<PropertyDescriptor> desc(cx);
+ if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &desc)) {
+ return false;
+ }
+
+ // If the property doesn't exist at all, we're done.
+ if (!desc.object()) {
+ return true;
+ }
+
+ // Disallow accessor properties.
+ if (desc.hasGetterOrSetter()) {
+ JSAutoRealm ar(cx, wrapperGlobal);
+ JS_MarkCrossZoneId(cx, id);
+ return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+ "property has accessor");
+ }
+
+ // Apply extra scrutiny to objects.
+ if (desc.value().isObject()) {
+ RootedObject propObj(cx, js::UncheckedUnwrap(&desc.value().toObject()));
+ JSAutoRealm ar(cx, propObj);
+
+ // Disallow non-subsumed objects.
+ if (!AccessCheck::subsumes(target, propObj)) {
+ JSAutoRealm ar(cx, wrapperGlobal);
+ JS_MarkCrossZoneId(cx, id);
+ return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+ "value not same-origin with target");
+ }
+
+ // Disallow non-Xrayable objects.
+ XrayType xrayType = GetXrayType(propObj);
+ if (xrayType == NotXray || xrayType == XrayForOpaqueObject) {
+ JSAutoRealm ar(cx, wrapperGlobal);
+ JS_MarkCrossZoneId(cx, id);
+ return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+ "value not Xrayable");
+ }
+
+ // Disallow callables.
+ if (JS::IsCallable(propObj)) {
+ JSAutoRealm ar(cx, wrapperGlobal);
+ JS_MarkCrossZoneId(cx, id);
+ return ReportWrapperDenial(cx, id, WrapperDenialForXray,
+ "value is callable");
+ }
+ }
+
+ // Disallow any property that shadows something on its (Xrayed)
+ // prototype chain.
+ JSAutoRealm ar2(cx, wrapperGlobal);
+ JS_MarkCrossZoneId(cx, id);
+ RootedObject proto(cx);
+ bool foundOnProto = false;
+ if (!JS_GetPrototype(cx, wrapper, &proto) ||
+ (proto && !JS_HasPropertyById(cx, proto, id, &foundOnProto))) {
+ return false;
+ }
+ if (foundOnProto) {
+ return ReportWrapperDenial(
+ cx, id, WrapperDenialForXray,
+ "value shadows a property on the standard prototype");
+ }
+
+ // We made it! Assign over the descriptor, and don't forget to wrap.
+ outDesc.assign(desc.get());
+ return true;
+}
+
+// Returns true on success (in the JSAPI sense), false on failure. If true is
+// returned, desc.object() will indicate whether we actually resolved
+// the property.
+//
+// id is the property id we're looking for.
+// holder is the object to define the property on.
+// fs is the relevant JSFunctionSpec*.
+// ps is the relevant JSPropertySpec*.
+// desc is the descriptor we're resolving into.
+static bool TryResolvePropertyFromSpecs(
+ JSContext* cx, HandleId id, HandleObject holder, const JSFunctionSpec* fs,
+ const JSPropertySpec* ps, MutableHandle<PropertyDescriptor> desc) {
+ // Scan through the functions.
+ const JSFunctionSpec* fsMatch = nullptr;
+ for (; fs && fs->name; ++fs) {
+ if (PropertySpecNameEqualsId(fs->name, id)) {
+ fsMatch = fs;
+ break;
+ }
+ }
+ if (fsMatch) {
+ // Generate an Xrayed version of the method.
+ RootedFunction fun(cx, JS::NewFunctionFromSpec(cx, fsMatch, id));
+ if (!fun) {
+ return false;
+ }
+
+ // The generic Xray machinery only defines non-own properties of the target
+ // on the holder. This is broken, and will be fixed at some point, but for
+ // now we need to cache the value explicitly. See the corresponding call to
+ // JS_GetOwnPropertyDescriptorById at the top of
+ // JSXrayTraits::resolveOwnProperty.
+ RootedObject funObj(cx, JS_GetFunctionObject(fun));
+ return JS_DefinePropertyById(cx, holder, id, funObj, 0) &&
+ JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+ }
+
+ // Scan through the properties.
+ const JSPropertySpec* psMatch = nullptr;
+ for (; ps && ps->name; ++ps) {
+ if (PropertySpecNameEqualsId(ps->name, id)) {
+ psMatch = ps;
+ break;
+ }
+ }
+ if (psMatch) {
+ // The generic Xray machinery only defines non-own properties on the holder.
+ // This is broken, and will be fixed at some point, but for now we need to
+ // cache the value explicitly. See the corresponding call to
+ // JS_GetPropertyById at the top of JSXrayTraits::resolveOwnProperty.
+ //
+ // Note also that the public-facing API here doesn't give us a way to
+ // pass along JITInfo. It's probably ok though, since Xrays are already
+ // pretty slow.
+ desc.value().setUndefined();
+ unsigned attrs = psMatch->attributes();
+ if (psMatch->isAccessor()) {
+ if (psMatch->isSelfHosted()) {
+ JSFunction* getterFun = JS::GetSelfHostedFunction(
+ cx, psMatch->u.accessors.getter.selfHosted.funname, id, 0);
+ if (!getterFun) {
+ return false;
+ }
+ RootedObject getterObj(cx, JS_GetFunctionObject(getterFun));
+ RootedObject setterObj(cx);
+ if (psMatch->u.accessors.setter.selfHosted.funname) {
+ MOZ_ASSERT(attrs & JSPROP_SETTER);
+ JSFunction* setterFun = JS::GetSelfHostedFunction(
+ cx, psMatch->u.accessors.setter.selfHosted.funname, id, 0);
+ if (!setterFun) {
+ return false;
+ }
+ setterObj = JS_GetFunctionObject(setterFun);
+ }
+ if (!JS_DefinePropertyById(cx, holder, id, getterObj, setterObj,
+ attrs)) {
+ return false;
+ }
+ } else {
+ if (!JS_DefinePropertyById(
+ cx, holder, id, psMatch->u.accessors.getter.native.op,
+ psMatch->u.accessors.setter.native.op, attrs)) {
+ return false;
+ }
+ }
+ } else {
+ RootedValue v(cx);
+ if (!psMatch->getValue(cx, &v)) {
+ return false;
+ }
+ if (!JS_DefinePropertyById(cx, holder, id, v, attrs)) {
+ return false;
+ }
+ }
+
+ return JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+ }
+
+ return true;
+}
+
+static bool ShouldResolvePrototypeProperty(JSProtoKey key) {
+ // Proxy constructors have no "prototype" property.
+ return key != JSProto_Proxy;
+}
+
+static bool ShouldResolveStaticProperties(JSProtoKey key) {
+ if (!IsJSXraySupported(key)) {
+ // If we can't Xray this ES class, then we can't resolve statics on it.
+ return false;
+ }
+
+ // Don't try to resolve static properties on RegExp, because they
+ // have issues. In particular, some of them grab state off the
+ // global of the RegExp constructor that describes the last regexp
+ // evaluation in that global, which is not a useful thing to do
+ // over Xrays.
+ return key != JSProto_RegExp;
+}
+
+bool JSXrayTraits::resolveOwnProperty(JSContext* cx, HandleObject wrapper,
+ HandleObject target, HandleObject holder,
+ HandleId id,
+ MutableHandle<PropertyDescriptor> desc) {
+ // Call the common code.
+ bool ok =
+ XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+ if (!ok || desc.object()) {
+ return ok;
+ }
+
+ // The non-HasPrototypes semantics implemented by traditional Xrays are kind
+ // of broken with respect to |own|-ness and the holder. The common code
+ // muddles through by only checking the holder for non-|own| lookups, but
+ // that doesn't work for us. So we do an explicit holder check here, and hope
+ // that this mess gets fixed up soon.
+ if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+ return false;
+ }
+ if (desc.object()) {
+ desc.object().set(wrapper);
+ return true;
+ }
+
+ JSProtoKey key = getProtoKey(holder);
+ if (!isPrototype(holder)) {
+ // For Object and Array instances, we expose some properties from the
+ // underlying object, but only after filtering them carefully.
+ //
+ // Note that, as far as JS observables go, Arrays are just Objects with
+ // a different prototype and a magic (own, non-configurable) |.length| that
+ // serves as a non-tight upper bound on |own| indexed properties. So while
+ // it's tempting to try to impose some sort of structure on what Arrays
+ // "should" look like over Xrays, the underlying object is squishy enough
+ // that it makes sense to just treat them like Objects for Xray purposes.
+ if (key == JSProto_Object || key == JSProto_Array) {
+ return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+ }
+ if (IsTypedArrayKey(key)) {
+ if (IsArrayIndex(GetArrayIndexFromId(id))) {
+ // WebExtensions can't use cloneInto(), so we just let them do
+ // the slow thing to maximize compatibility.
+ if (CompartmentPrivate::Get(CurrentGlobalOrNull(cx))
+ ->isWebExtensionContentScript) {
+ Rooted<PropertyDescriptor> innerDesc(cx);
+ {
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &innerDesc)) {
+ return false;
+ }
+ }
+ if (innerDesc.isDataDescriptor() && innerDesc.value().isNumber()) {
+ desc.setValue(innerDesc.value());
+ desc.object().set(wrapper);
+ }
+ return true;
+ }
+ JS_ReportErrorASCII(
+ cx,
+ "Accessing TypedArray data over Xrays is slow, and forbidden "
+ "in order to encourage performant code. To copy TypedArrays "
+ "across origin boundaries, consider using "
+ "Components.utils.cloneInto().");
+ return false;
+ }
+ } else if (key == JSProto_Function) {
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) {
+ uint16_t length;
+ RootedFunction fun(cx, JS_GetObjectFunction(target));
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetFunctionLength(cx, fun, &length)) {
+ return false;
+ }
+ }
+ FillPropertyDescriptor(desc, wrapper,
+ JSPROP_PERMANENT | JSPROP_READONLY,
+ NumberValue(length));
+ return true;
+ }
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAME)) {
+ RootedString fname(cx, JS_GetFunctionId(JS_GetObjectFunction(target)));
+ if (fname) {
+ JS_MarkCrossZoneIdValue(cx, StringValue(fname));
+ }
+ FillPropertyDescriptor(
+ desc, wrapper, JSPROP_PERMANENT | JSPROP_READONLY,
+ fname ? StringValue(fname) : JS_GetEmptyStringValue(cx));
+ } else {
+ // Look for various static properties/methods and the
+ // 'prototype' property.
+ JSProtoKey standardConstructor = constructorFor(holder);
+ if (standardConstructor != JSProto_Null) {
+ // Handle the 'prototype' property to make
+ // xrayedGlobal.StandardClass.prototype work.
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE) &&
+ ShouldResolvePrototypeProperty(standardConstructor)) {
+ RootedObject standardProto(cx);
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassPrototype(cx, standardConstructor,
+ &standardProto)) {
+ return false;
+ }
+ MOZ_ASSERT(standardProto);
+ }
+
+ if (!JS_WrapObject(cx, &standardProto)) {
+ return false;
+ }
+ FillPropertyDescriptor(desc, wrapper,
+ JSPROP_PERMANENT | JSPROP_READONLY,
+ ObjectValue(*standardProto));
+ return true;
+ }
+
+ if (ShouldResolveStaticProperties(standardConstructor)) {
+ const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+ MOZ_ASSERT(clasp->specDefined());
+
+ if (!TryResolvePropertyFromSpecs(
+ cx, id, holder, clasp->specConstructorFunctions(),
+ clasp->specConstructorProperties(), desc)) {
+ return false;
+ }
+
+ if (desc.object()) {
+ desc.object().set(wrapper);
+ return true;
+ }
+ }
+ }
+ }
+ } else if (IsErrorObjectKey(key)) {
+ // The useful state of error objects (except for .stack) is
+ // (unfortunately) represented as own data properties per-spec. This
+ // means that we can't have a a clean representation of the data
+ // (free from tampering) without doubling the slots of Error
+ // objects, which isn't great. So we forward these properties to the
+ // underlying object and then just censor any values with the wrong
+ // type. This limits the ability of content to do anything all that
+ // confusing.
+ bool isErrorIntProperty =
+ id == GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER) ||
+ id == GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER);
+ bool isErrorStringProperty =
+ id == GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME) ||
+ id == GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE);
+ if (isErrorIntProperty || isErrorStringProperty) {
+ RootedObject waiver(cx, wrapper);
+ if (!WrapperFactory::WaiveXrayAndWrap(cx, &waiver)) {
+ return false;
+ }
+ if (!JS_GetOwnPropertyDescriptorById(cx, waiver, id, desc)) {
+ return false;
+ }
+ bool valueMatchesType =
+ (isErrorIntProperty && desc.value().isInt32()) ||
+ (isErrorStringProperty && desc.value().isString());
+ if (desc.hasGetterOrSetter() || !valueMatchesType) {
+ FillPropertyDescriptor(desc, nullptr, 0, UndefinedValue());
+ }
+ return true;
+ }
+
+ if (key == JSProto_AggregateError &&
+ id == GetJSIDByIndex(cx, XPCJSContext::IDX_ERRORS)) {
+ return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+ }
+ } else if (key == JSProto_RegExp) {
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX)) {
+ return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc);
+ }
+ }
+
+ // The rest of this function applies only to prototypes.
+ return true;
+ }
+
+ // Handle the 'constructor' property.
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR)) {
+ RootedObject constructor(cx);
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassObject(cx, key, &constructor)) {
+ return false;
+ }
+ }
+ if (!JS_WrapObject(cx, &constructor)) {
+ return false;
+ }
+ desc.object().set(wrapper);
+ desc.setAttributes(0);
+ desc.setGetter(nullptr);
+ desc.setSetter(nullptr);
+ desc.value().setObject(*constructor);
+ return true;
+ }
+
+ if (ShouldIgnorePropertyDefinition(cx, key, id)) {
+ MOZ_ASSERT(!desc.object());
+ return true;
+ }
+
+ // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
+ const JSClass* clasp = JS::GetClass(target);
+ MOZ_ASSERT(clasp->specDefined());
+
+ // Indexed array properties are handled above, so we can just work with the
+ // class spec here.
+ if (!TryResolvePropertyFromSpecs(cx, id, holder,
+ clasp->specPrototypeFunctions(),
+ clasp->specPrototypeProperties(), desc)) {
+ return false;
+ }
+
+ if (desc.object()) {
+ desc.object().set(wrapper);
+ }
+
+ return true;
+}
+
+bool JSXrayTraits::delete_(JSContext* cx, HandleObject wrapper, HandleId id,
+ ObjectOpResult& result) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+
+ RootedObject holder(cx, ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ // If we're using Object Xrays, we allow callers to attempt to delete any
+ // property from the underlying object that they are able to resolve. Note
+ // that this deleting may fail if the property is non-configurable.
+ JSProtoKey key = getProtoKey(holder);
+ bool isObjectOrArrayInstance =
+ (key == JSProto_Object || key == JSProto_Array) && !isPrototype(holder);
+ if (isObjectOrArrayInstance) {
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+ RootedObject target(cx, getTargetObject(wrapper));
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ Rooted<PropertyDescriptor> desc(cx);
+ if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id,
+ &desc)) {
+ return false;
+ }
+ if (desc.object()) {
+ return JS_DeletePropertyById(cx, target, id, result);
+ }
+ }
+ return result.succeed();
+}
+
+bool JSXrayTraits::defineProperty(JSContext* cx, HandleObject wrapper,
+ HandleId id, Handle<PropertyDescriptor> desc,
+ Handle<PropertyDescriptor> existingDesc,
+ ObjectOpResult& result, bool* defined) {
+ *defined = false;
+ RootedObject holder(cx, ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ // Object and Array instances are special. For those cases, we forward
+ // property definitions to the underlying object if the following
+ // conditions are met:
+ // * The property being defined is a value-prop.
+ // * The property being defined is either a primitive or subsumed by the
+ // target.
+ // * As seen from the Xray, any existing property that we would overwrite
+ // is an |own| value-prop.
+ //
+ // To avoid confusion, we disallow expandos on Object and Array instances, and
+ // therefore raise an exception here if the above conditions aren't met.
+ JSProtoKey key = getProtoKey(holder);
+ bool isInstance = !isPrototype(holder);
+ bool isObjectOrArray = (key == JSProto_Object || key == JSProto_Array);
+ if (isObjectOrArray && isInstance) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ if (desc.hasGetterOrSetter()) {
+ JS_ReportErrorASCII(cx,
+ "Not allowed to define accessor property on [Object] "
+ "or [Array] XrayWrapper");
+ return false;
+ }
+ if (desc.value().isObject() &&
+ !AccessCheck::subsumes(target,
+ js::UncheckedUnwrap(&desc.value().toObject()))) {
+ JS_ReportErrorASCII(cx,
+ "Not allowed to define cross-origin object as "
+ "property on [Object] or [Array] XrayWrapper");
+ return false;
+ }
+ if (existingDesc.hasGetterOrSetter()) {
+ JS_ReportErrorASCII(cx,
+ "Not allowed to overwrite accessor property on "
+ "[Object] or [Array] XrayWrapper");
+ return false;
+ }
+ if (existingDesc.object() && existingDesc.object() != wrapper) {
+ JS_ReportErrorASCII(cx,
+ "Not allowed to shadow non-own Xray-resolved "
+ "property on [Object] or [Array] XrayWrapper");
+ return false;
+ }
+
+ Rooted<PropertyDescriptor> wrappedDesc(cx, desc);
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc) ||
+ !JS_DefinePropertyById(cx, target, id, wrappedDesc, result)) {
+ return false;
+ }
+ *defined = true;
+ return true;
+ }
+
+ // For WebExtensions content scripts, we forward the definition of indexed
+ // properties. By validating that the key and value are both numbers, we can
+ // avoid doing any wrapping.
+ if (isInstance && IsTypedArrayKey(key) &&
+ CompartmentPrivate::Get(JS::CurrentGlobalOrNull(cx))
+ ->isWebExtensionContentScript &&
+ desc.isDataDescriptor() &&
+ (desc.value().isNumber() || desc.value().isUndefined()) &&
+ IsArrayIndex(GetArrayIndexFromId(id))) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_DefinePropertyById(cx, target, id, desc, result)) {
+ return false;
+ }
+ *defined = true;
+ return true;
+ }
+
+ return true;
+}
+
+static bool MaybeAppend(jsid id, unsigned flags, MutableHandleIdVector props) {
+ MOZ_ASSERT(!(flags & JSITER_SYMBOLSONLY));
+ if (!(flags & JSITER_SYMBOLS) && JSID_IS_SYMBOL(id)) {
+ return true;
+ }
+ return props.append(id);
+}
+
+// Append the names from the given function and property specs to props.
+static bool AppendNamesFromFunctionAndPropertySpecs(
+ JSContext* cx, JSProtoKey key, const JSFunctionSpec* fs,
+ const JSPropertySpec* ps, unsigned flags, MutableHandleIdVector props) {
+ // Convert the method and property names to jsids and pass them to the caller.
+ for (; fs && fs->name; ++fs) {
+ jsid id;
+ if (!PropertySpecNameToPermanentId(cx, fs->name, &id)) {
+ return false;
+ }
+ if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+ if (!MaybeAppend(id, flags, props)) {
+ return false;
+ }
+ }
+ }
+ for (; ps && ps->name; ++ps) {
+ jsid id;
+ if (!PropertySpecNameToPermanentId(cx, ps->name, &id)) {
+ return false;
+ }
+ if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+ if (!MaybeAppend(id, flags, props)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+bool JSXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+ unsigned flags, MutableHandleIdVector props) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+
+ RootedObject target(cx, getTargetObject(wrapper));
+ RootedObject holder(cx, ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ JSProtoKey key = getProtoKey(holder);
+ if (!isPrototype(holder)) {
+ // For Object and Array instances, we expose some properties from the
+ // underlying object, but only after filtering them carefully.
+ if (key == JSProto_Object || key == JSProto_Array) {
+ MOZ_ASSERT(props.empty());
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+ {
+ JSAutoRealm ar(cx, target);
+ RootedIdVector targetProps(cx);
+ if (!js::GetPropertyKeys(cx, target, flags | JSITER_OWNONLY,
+ &targetProps)) {
+ return false;
+ }
+ // Loop over the properties, and only pass along the ones that
+ // we determine to be safe.
+ if (!props.reserve(targetProps.length())) {
+ return false;
+ }
+ for (size_t i = 0; i < targetProps.length(); ++i) {
+ Rooted<PropertyDescriptor> desc(cx);
+ RootedId id(cx, targetProps[i]);
+ if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper,
+ wrapperGlobal, id, &desc)) {
+ return false;
+ }
+ if (desc.object()) {
+ props.infallibleAppend(id);
+ }
+ }
+ }
+ for (size_t i = 0; i < props.length(); ++i) {
+ JS_MarkCrossZoneId(cx, props[i]);
+ }
+ return true;
+ }
+ if (IsTypedArrayKey(key)) {
+ uint32_t length = JS_GetTypedArrayLength(target);
+ // TypedArrays enumerate every indexed property in range, but
+ // |length| is a getter that lives on the proto, like it should be.
+ if (!props.reserve(length)) {
+ return false;
+ }
+ for (int32_t i = 0; i <= int32_t(length - 1); ++i) {
+ props.infallibleAppend(INT_TO_JSID(i));
+ }
+ } else if (key == JSProto_Function) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH))) {
+ return false;
+ }
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_NAME))) {
+ return false;
+ }
+ // Handle the .prototype property and static properties on standard
+ // constructors.
+ JSProtoKey standardConstructor = constructorFor(holder);
+ if (standardConstructor != JSProto_Null) {
+ if (ShouldResolvePrototypeProperty(standardConstructor)) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE))) {
+ return false;
+ }
+ }
+
+ if (ShouldResolveStaticProperties(standardConstructor)) {
+ const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+ MOZ_ASSERT(clasp->specDefined());
+
+ if (!AppendNamesFromFunctionAndPropertySpecs(
+ cx, key, clasp->specConstructorFunctions(),
+ clasp->specConstructorProperties(), flags, props)) {
+ return false;
+ }
+ }
+ }
+ } else if (IsErrorObjectKey(key)) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_STACK)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE))) {
+ return false;
+ }
+ } else if (key == JSProto_RegExp) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX))) {
+ return false;
+ }
+ }
+
+ // The rest of this function applies only to prototypes.
+ return true;
+ }
+
+ // Add the 'constructor' property.
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR))) {
+ return false;
+ }
+
+ // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
+ const JSClass* clasp = JS::GetClass(target);
+ MOZ_ASSERT(clasp->specDefined());
+
+ return AppendNamesFromFunctionAndPropertySpecs(
+ cx, key, clasp->specPrototypeFunctions(),
+ clasp->specPrototypeProperties(), flags, props);
+}
+
+bool JSXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ JSXrayTraits& self = JSXrayTraits::singleton;
+ JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ if (xpc::JSXrayTraits::getProtoKey(holder) == JSProto_Function) {
+ JSProtoKey standardConstructor = constructorFor(holder);
+ if (standardConstructor == JSProto_Null) {
+ return baseInstance.construct(cx, wrapper, args);
+ }
+
+ const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+ MOZ_ASSERT(clasp);
+ if (!(clasp->flags & JSCLASS_HAS_XRAYED_CONSTRUCTOR)) {
+ return baseInstance.construct(cx, wrapper, args);
+ }
+
+ // If the JSCLASS_HAS_XRAYED_CONSTRUCTOR flag is set on the Class,
+ // we don't use the constructor at hand. Instead, we retrieve the
+ // equivalent standard constructor in the xray compartment and run
+ // it in that compartment. The newTarget isn't unwrapped, and the
+ // constructor has to be able to detect and handle this situation.
+ // See the comments in js/public/Class.h and PromiseConstructor for
+ // details and an example.
+ RootedObject ctor(cx);
+ if (!JS_GetClassObject(cx, standardConstructor, &ctor)) {
+ return false;
+ }
+
+ RootedValue ctorVal(cx, ObjectValue(*ctor));
+ HandleValueArray vals(args);
+ RootedObject result(cx);
+ if (!JS::Construct(cx, ctorVal, wrapper, vals, &result)) {
+ return false;
+ }
+ AssertSameCompartment(cx, result);
+ args.rval().setObject(*result);
+ return true;
+ }
+
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+}
+
+JSObject* JSXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ RootedObject holder(cx,
+ JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr));
+ if (!holder) {
+ return nullptr;
+ }
+
+ // Compute information about the target.
+ bool isPrototype = false;
+ JSProtoKey key = IdentifyStandardInstance(target);
+ if (key == JSProto_Null) {
+ isPrototype = true;
+ key = IdentifyStandardPrototype(target);
+ }
+ MOZ_ASSERT(key != JSProto_Null);
+
+ // Special case: pretend Arguments objects are arrays for Xrays.
+ //
+ // Arguments objects are strange beasts - they inherit Object.prototype,
+ // and implement iteration by defining an |own| property for
+ // Symbol.iterator. Since this value is callable, Array/Object Xrays will
+ // filter it out, causing the Xray view to be non-iterable, which in turn
+ // breaks consumers.
+ //
+ // We can't trust the iterator value from the content compartment,
+ // but the generic one on Array.prototype works well enough. So we force
+ // the Xray view of Arguments objects to inherit Array.prototype, which
+ // in turn allows iteration via the inherited
+ // Array.prototype[Symbol.iterator]. This doesn't emulate any of the weird
+ // semantics of Arguments iterators, but is probably good enough.
+ //
+ // Note that there are various Xray traps that do other special behavior for
+ // JSProto_Array, but they also provide that special behavior for
+ // JSProto_Object, and since Arguments would otherwise get JSProto_Object,
+ // this does not cause any behavior change at those sites.
+ if (key == JSProto_Object && js::IsArgumentsObject(target)) {
+ key = JSProto_Array;
+ }
+
+ // Store it on the holder.
+ RootedValue v(cx);
+ v.setNumber(static_cast<uint32_t>(key));
+ JS::SetReservedSlot(holder, SLOT_PROTOKEY, v);
+ v.setBoolean(isPrototype);
+ JS::SetReservedSlot(holder, SLOT_ISPROTOTYPE, v);
+
+ // If this is a function, also compute whether it serves as a constructor
+ // for a standard class.
+ if (key == JSProto_Function) {
+ v.setNumber(static_cast<uint32_t>(IdentifyStandardConstructor(target)));
+ JS::SetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR, v);
+ }
+
+ return holder;
+}
+
+DOMXrayTraits DOMXrayTraits::singleton;
+JSXrayTraits JSXrayTraits::singleton;
+OpaqueXrayTraits OpaqueXrayTraits::singleton;
+
+XrayTraits* GetXrayTraits(JSObject* obj) {
+ switch (GetXrayType(obj)) {
+ case XrayForDOMObject:
+ return &DOMXrayTraits::singleton;
+ case XrayForJSObject:
+ return &JSXrayTraits::singleton;
+ case XrayForOpaqueObject:
+ return &OpaqueXrayTraits::singleton;
+ default:
+ return nullptr;
+ }
+}
+
+/*
+ * Xray expando handling.
+ *
+ * We hang expandos for Xray wrappers off a reserved slot on the target object
+ * so that same-origin compartments can share expandos for a given object. We
+ * have a linked list of expando objects, one per origin. The properties on
+ * these objects are generally wrappers pointing back to the compartment that
+ * applied them.
+ *
+ * The expando objects should _never_ be exposed to script. The fact that they
+ * live in the target compartment is a detail of the implementation, and does
+ * not imply that code in the target compartment should be allowed to inspect
+ * them. They are private to the origin that placed them.
+ */
+
+// Certain compartments do not share expandos with other compartments. Xrays in
+// these compartments cache expandos on the wrapper's holder, as there is only
+// one such wrapper which can create or access the expando. This allows for
+// faster access to the expando, including through JIT inline caches.
+static inline bool CompartmentHasExclusiveExpandos(JSObject* obj) {
+ JS::Compartment* comp = JS::GetCompartment(obj);
+ CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+ return priv && priv->hasExclusiveExpandos;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper);
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+ JSObject* expandoWrapper);
+
+static nsIPrincipal* WrapperPrincipal(JSObject* obj) {
+ // Use the principal stored in CompartmentOriginInfo. That works because
+ // consumers are only interested in the origin-ignoring-document.domain.
+ // See expandoObjectMatchesConsumer.
+ MOZ_ASSERT(IsXrayWrapper(obj));
+ JS::Compartment* comp = JS::GetCompartment(obj);
+ CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+ return priv->originInfo.GetPrincipalIgnoringDocumentDomain();
+}
+
+static nsIPrincipal* GetExpandoObjectPrincipal(JSObject* expandoObject) {
+ Value v = JS::GetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN);
+ return static_cast<nsIPrincipal*>(v.toPrivate());
+}
+
+static void ExpandoObjectFinalize(JSFreeOp* fop, JSObject* obj) {
+ // Release the principal.
+ nsIPrincipal* principal = GetExpandoObjectPrincipal(obj);
+ NS_RELEASE(principal);
+}
+
+const JSClassOps XrayExpandoObjectClassOps = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ ExpandoObjectFinalize, // finalize
+ nullptr, // call
+ nullptr, // hasInstance
+ nullptr, // construct
+ nullptr, // trace
+};
+
+bool XrayTraits::expandoObjectMatchesConsumer(JSContext* cx,
+ HandleObject expandoObject,
+ nsIPrincipal* consumerOrigin) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(expandoObject, cx));
+
+ // First, compare the principals.
+ nsIPrincipal* o = GetExpandoObjectPrincipal(expandoObject);
+ // Note that it's very important here to ignore document.domain. We
+ // pull the principal for the expando object off of the first consumer
+ // for a given origin, and freely share the expandos amongst multiple
+ // same-origin consumers afterwards. However, this means that we have
+ // no way to know whether _all_ consumers have opted in to collaboration
+ // by explicitly setting document.domain. So we just mandate that expando
+ // sharing is unaffected by it.
+ if (!consumerOrigin->Equals(o)) {
+ return false;
+ }
+
+ // Certain globals exclusively own the associated expandos, in which case
+ // the caller should have used the cached expando on the wrapper instead.
+ JSObject* owner = JS::GetReservedSlot(expandoObject,
+ JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+ .toObjectOrNull();
+ return owner == nullptr;
+}
+
+bool XrayTraits::getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+ HandleObject exclusiveWrapper,
+ nsIPrincipal* origin,
+ MutableHandleObject expandoObject) {
+ MOZ_ASSERT(!JS_IsExceptionPending(cx));
+ expandoObject.set(nullptr);
+
+ // Use the cached expando if this wrapper has exclusive access to it.
+ if (exclusiveWrapper) {
+ JSObject* expandoWrapper = GetCachedXrayExpando(exclusiveWrapper);
+ expandoObject.set(expandoWrapper ? UncheckedUnwrap(expandoWrapper)
+ : nullptr);
+#ifdef DEBUG
+ // Make sure the expando we found is on the target's chain. While we
+ // don't use this chain to look up expandos for the wrapper,
+ // the expando still needs to be on the chain to keep the wrapper and
+ // expando alive.
+ if (expandoObject) {
+ JSObject* head = expandoChain;
+ while (head && head != expandoObject) {
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+ MOZ_ASSERT(head == expandoObject);
+ }
+#endif
+ return true;
+ }
+
+ // The expando object lives in the compartment of the target, so all our
+ // work needs to happen there.
+ RootedObject head(cx, expandoChain);
+ JSAutoRealm ar(cx, head);
+
+ // Iterate through the chain, looking for a same-origin object.
+ while (head) {
+ if (expandoObjectMatchesConsumer(cx, head, origin)) {
+ expandoObject.set(head);
+ return true;
+ }
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+
+ // Not found.
+ return true;
+}
+
+bool XrayTraits::getExpandoObject(JSContext* cx, HandleObject target,
+ HandleObject consumer,
+ MutableHandleObject expandoObject) {
+ // Return early if no expando object has ever been attached, which is
+ // usually the case.
+ JSObject* chain = getExpandoChain(target);
+ if (!chain) {
+ return true;
+ }
+
+ bool isExclusive = CompartmentHasExclusiveExpandos(consumer);
+ return getExpandoObjectInternal(cx, chain, isExclusive ? consumer : nullptr,
+ WrapperPrincipal(consumer), expandoObject);
+}
+
+// Wrappers which have exclusive access to the expando on their target object
+// need to be kept alive as long as the target object exists. This is done by
+// keeping the expando in the expando chain on the target (even though it will
+// not be used while looking up the expando for the wrapper), and keeping a
+// strong reference from that expando to the wrapper itself, via the
+// JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER reserved slot. This slot does not
+// point to the wrapper itself, because it is a cross compartment edge and we
+// can't create a wrapper for a wrapper. Instead, the slot points to an
+// instance of the holder class below in the wrapper's compartment, and the
+// wrapper is held via this holder object's reserved slot.
+static const JSClass gWrapperHolderClass = {"XrayExpandoWrapperHolder",
+ JSCLASS_HAS_RESERVED_SLOTS(1)};
+static const size_t JSSLOT_WRAPPER_HOLDER_CONTENTS = 0;
+
+JSObject* XrayTraits::attachExpandoObject(JSContext* cx, HandleObject target,
+ HandleObject exclusiveWrapper,
+ HandleObject exclusiveWrapperGlobal,
+ nsIPrincipal* origin) {
+ // Make sure the compartments are sane.
+ MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
+ if (exclusiveWrapper) {
+ MOZ_ASSERT(!js::IsObjectInContextCompartment(exclusiveWrapper, cx));
+ MOZ_ASSERT(JS_IsGlobalObject(exclusiveWrapperGlobal));
+ js::AssertSameCompartment(exclusiveWrapper, exclusiveWrapperGlobal);
+ }
+
+ // No duplicates allowed.
+#ifdef DEBUG
+ {
+ JSObject* chain = getExpandoChain(target);
+ if (chain) {
+ RootedObject existingExpandoObject(cx);
+ if (getExpandoObjectInternal(cx, chain, exclusiveWrapper, origin,
+ &existingExpandoObject)) {
+ MOZ_ASSERT(!existingExpandoObject);
+ } else {
+ JS_ClearPendingException(cx);
+ }
+ }
+ }
+#endif
+
+ // Create the expando object.
+ const JSClass* expandoClass = getExpandoClass(cx, target);
+ MOZ_ASSERT(!strcmp(expandoClass->name, "XrayExpandoObject"));
+ RootedObject expandoObject(
+ cx, JS_NewObjectWithGivenProto(cx, expandoClass, nullptr));
+ if (!expandoObject) {
+ return nullptr;
+ }
+
+ // AddRef and store the principal.
+ NS_ADDREF(origin);
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN,
+ JS::PrivateValue(origin));
+
+ // Note the exclusive wrapper, if there is one.
+ RootedObject wrapperHolder(cx);
+ if (exclusiveWrapper) {
+ JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+ wrapperHolder =
+ JS_NewObjectWithGivenProto(cx, &gWrapperHolderClass, nullptr);
+ if (!wrapperHolder) {
+ return nullptr;
+ }
+ JS_SetReservedSlot(wrapperHolder, JSSLOT_WRAPPER_HOLDER_CONTENTS,
+ ObjectValue(*exclusiveWrapper));
+ }
+ if (!JS_WrapObject(cx, &wrapperHolder)) {
+ return nullptr;
+ }
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER,
+ ObjectOrNullValue(wrapperHolder));
+
+ // Store it on the exclusive wrapper, if there is one.
+ if (exclusiveWrapper) {
+ RootedObject cachedExpandoObject(cx, expandoObject);
+ JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+ if (!JS_WrapObject(cx, &cachedExpandoObject)) {
+ return nullptr;
+ }
+ JSObject* holder = ensureHolder(cx, exclusiveWrapper);
+ if (!holder) {
+ return nullptr;
+ }
+ SetCachedXrayExpando(holder, cachedExpandoObject);
+ }
+
+ // If this is our first expando object, take the opportunity to preserve
+ // the wrapper. This keeps our expandos alive even if the Xray wrapper gets
+ // collected.
+ RootedObject chain(cx, getExpandoChain(target));
+ if (!chain) {
+ preserveWrapper(target);
+ }
+
+ // Insert it at the front of the chain.
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_NEXT,
+ ObjectOrNullValue(chain));
+ setExpandoChain(cx, target, expandoObject);
+
+ return expandoObject;
+}
+
+JSObject* XrayTraits::ensureExpandoObject(JSContext* cx, HandleObject wrapper,
+ HandleObject target) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+
+ // Expando objects live in the target compartment.
+ JSAutoRealm ar(cx, target);
+ RootedObject expandoObject(cx);
+ if (!getExpandoObject(cx, target, wrapper, &expandoObject)) {
+ return nullptr;
+ }
+ if (!expandoObject) {
+ bool isExclusive = CompartmentHasExclusiveExpandos(wrapper);
+ expandoObject =
+ attachExpandoObject(cx, target, isExclusive ? wrapper : nullptr,
+ wrapperGlobal, WrapperPrincipal(wrapper));
+ }
+ return expandoObject;
+}
+
+bool XrayTraits::cloneExpandoChain(JSContext* cx, HandleObject dst,
+ HandleObject srcChain) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(dst, cx));
+ MOZ_ASSERT(getExpandoChain(dst) == nullptr);
+
+ RootedObject oldHead(cx, srcChain);
+ while (oldHead) {
+ // If movingIntoXrayCompartment is true, then our new reflector is in a
+ // compartment that used to have an Xray-with-expandos to the old reflector
+ // and we should copy the expandos to the new reflector directly.
+ bool movingIntoXrayCompartment;
+
+ // exclusiveWrapper is only used if movingIntoXrayCompartment ends up true.
+ RootedObject exclusiveWrapper(cx);
+ RootedObject exclusiveWrapperGlobal(cx);
+ RootedObject wrapperHolder(
+ cx,
+ JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+ .toObjectOrNull());
+ if (wrapperHolder) {
+ RootedObject unwrappedHolder(cx, UncheckedUnwrap(wrapperHolder));
+ // unwrappedHolder is the compartment of the relevant Xray, so check
+ // whether that matches the compartment of cx (which matches the
+ // compartment of dst).
+ movingIntoXrayCompartment =
+ js::IsObjectInContextCompartment(unwrappedHolder, cx);
+
+ if (!movingIntoXrayCompartment) {
+ // The global containing this wrapper holder has an xray for |src|
+ // with expandos. Create an xray in the global for |dst| which
+ // will be associated with a clone of |src|'s expando object.
+ JSAutoRealm ar(cx, unwrappedHolder);
+ exclusiveWrapper = dst;
+ if (!JS_WrapObject(cx, &exclusiveWrapper)) {
+ return false;
+ }
+ exclusiveWrapperGlobal = JS::CurrentGlobalOrNull(cx);
+ }
+ } else {
+ JSAutoRealm ar(cx, oldHead);
+ movingIntoXrayCompartment =
+ expandoObjectMatchesConsumer(cx, oldHead, GetObjectPrincipal(dst));
+ }
+
+ if (movingIntoXrayCompartment) {
+ // Just copy properties directly onto dst.
+ if (!JS_CopyOwnPropertiesAndPrivateFields(cx, dst, oldHead)) {
+ return false;
+ }
+ } else {
+ // Create a new expando object in the compartment of dst to replace
+ // oldHead.
+ RootedObject newHead(
+ cx,
+ attachExpandoObject(cx, dst, exclusiveWrapper, exclusiveWrapperGlobal,
+ GetExpandoObjectPrincipal(oldHead)));
+ if (!JS_CopyOwnPropertiesAndPrivateFields(cx, newHead, oldHead)) {
+ return false;
+ }
+ }
+ oldHead =
+ JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+ return true;
+}
+
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex) {
+ if (!NS_IsMainThread()) {
+ // No Xrays
+ return;
+ }
+
+ MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_NEXT);
+ MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER);
+ MOZ_ASSERT(GetXrayTraits(target) == &DOMXrayTraits::singleton);
+ RootingContext* rootingCx = RootingCx();
+ RootedObject rootedTarget(rootingCx, target);
+ RootedObject head(rootingCx,
+ DOMXrayTraits::singleton.getExpandoChain(rootedTarget));
+ while (head) {
+ MOZ_ASSERT(JSCLASS_RESERVED_SLOTS(JS::GetClass(head)) > slotIndex);
+ JS::SetReservedSlot(head, slotIndex, UndefinedValue());
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+}
+
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper) {
+ MOZ_ASSERT(NS_IsMainThread());
+ MOZ_ASSERT(GetXrayTraits(wrapper) == &DOMXrayTraits::singleton);
+ MOZ_ASSERT(IsXrayWrapper(wrapper));
+
+ RootedObject target(cx, DOMXrayTraits::getTargetObject(wrapper));
+ return DOMXrayTraits::singleton.ensureExpandoObject(cx, wrapper, target);
+}
+
+const JSClass* XrayTraits::getExpandoClass(JSContext* cx,
+ HandleObject target) const {
+ return &DefaultXrayExpandoObjectClass;
+}
+
+static const size_t JSSLOT_XRAY_HOLDER = 0;
+
+/* static */
+JSObject* XrayTraits::getHolder(JSObject* wrapper) {
+ MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+ JS::Value v = js::GetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER);
+ return v.isObject() ? &v.toObject() : nullptr;
+}
+
+JSObject* XrayTraits::ensureHolder(JSContext* cx, HandleObject wrapper) {
+ RootedObject holder(cx, getHolder(wrapper));
+ if (holder) {
+ return holder;
+ }
+ holder = createHolder(cx, wrapper); // virtual trap.
+ if (holder) {
+ js::SetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER, ObjectValue(*holder));
+ }
+ return holder;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper) {
+ JSObject* holder = XrayTraits::getHolder(wrapper);
+ if (!holder) {
+ return nullptr;
+ }
+ Value v = JS::GetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO);
+ return v.isObject() ? &v.toObject() : nullptr;
+}
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+ JSObject* expandoWrapper) {
+ MOZ_ASSERT(JS::GetCompartment(holder) == JS::GetCompartment(expandoWrapper));
+ JS_SetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO,
+ ObjectValue(*expandoWrapper));
+}
+
+static nsGlobalWindowInner* AsWindow(JSContext* cx, JSObject* wrapper) {
+ // We want to use our target object here, since we don't want to be
+ // doing a security check while unwrapping.
+ JSObject* target = XrayTraits::getTargetObject(wrapper);
+ return WindowOrNull(target);
+}
+
+static bool IsWindow(JSContext* cx, JSObject* wrapper) {
+ return !!AsWindow(cx, wrapper);
+}
+
+static bool wrappedJSObject_getter(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.thisv().isObject()) {
+ JS_ReportErrorASCII(cx, "This value not an object");
+ return false;
+ }
+ RootedObject wrapper(cx, &args.thisv().toObject());
+ if (!IsWrapper(wrapper) || !WrapperFactory::IsXrayWrapper(wrapper) ||
+ !WrapperFactory::AllowWaiver(wrapper)) {
+ JS_ReportErrorASCII(cx, "Unexpected object");
+ return false;
+ }
+
+ args.rval().setObject(*wrapper);
+
+ return WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool XrayTraits::resolveOwnProperty(JSContext* cx, HandleObject wrapper,
+ HandleObject target, HandleObject holder,
+ HandleId id,
+ MutableHandle<PropertyDescriptor> desc) {
+ desc.object().set(nullptr);
+ RootedObject expando(cx);
+ if (!getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ // Check for expando properties first. Note that the expando object lives
+ // in the target compartment.
+ bool found = false;
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_GetOwnPropertyDescriptorById(cx, expando, id, desc)) {
+ return false;
+ }
+ found = !!desc.object();
+ }
+
+ // Next, check for ES builtins.
+ if (!found && JS_IsGlobalObject(target)) {
+ JSProtoKey key = JS_IdToProtoKey(cx, id);
+ JSAutoRealm ar(cx, target);
+ if (key != JSProto_Null) {
+ MOZ_ASSERT(key < JSProto_LIMIT);
+ RootedObject constructor(cx);
+ if (!JS_GetClassObject(cx, key, &constructor)) {
+ return false;
+ }
+ MOZ_ASSERT(constructor);
+ desc.value().set(ObjectValue(*constructor));
+ found = true;
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_EVAL)) {
+ RootedObject eval(cx);
+ if (!js::GetRealmOriginalEval(cx, &eval)) {
+ return false;
+ }
+ desc.value().set(ObjectValue(*eval));
+ found = true;
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_INFINITY)) {
+ desc.value().setNaN();
+ desc.setAttributes(JSPROP_PERMANENT | JSPROP_READONLY);
+ found = true;
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAN)) {
+ desc.value().setDouble(PositiveInfinity<double>());
+ desc.setAttributes(JSPROP_PERMANENT | JSPROP_READONLY);
+ found = true;
+ }
+ }
+
+ if (found) {
+ if (!JS_WrapPropertyDescriptor(cx, desc)) {
+ return false;
+ }
+ // Pretend the property lives on the wrapper.
+ desc.object().set(wrapper);
+ return true;
+ }
+
+ // Handle .wrappedJSObject for subsuming callers. This should move once we
+ // sort out own-ness for the holder.
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_WRAPPED_JSOBJECT) &&
+ WrapperFactory::AllowWaiver(wrapper)) {
+ if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found)) {
+ return false;
+ }
+ if (!found && !JS_DefinePropertyById(cx, holder, id, wrappedJSObject_getter,
+ nullptr, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+ return false;
+ }
+ desc.object().set(wrapper);
+ return true;
+ }
+
+ return true;
+}
+
+bool DOMXrayTraits::resolveOwnProperty(JSContext* cx, HandleObject wrapper,
+ HandleObject target, HandleObject holder,
+ HandleId id,
+ MutableHandle<PropertyDescriptor> desc) {
+ // Call the common code.
+ bool ok =
+ XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+ if (!ok || desc.object()) {
+ return ok;
+ }
+
+ // Check for indexed access on a window.
+ uint32_t index = GetArrayIndexFromId(id);
+ if (IsArrayIndex(index)) {
+ nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+ // Note: As() unwraps outer windows to get to the inner window.
+ if (win) {
+ Nullable<WindowProxyHolder> subframe = win->IndexedGetter(index);
+ if (!subframe.IsNull()) {
+ if (MOZ_UNLIKELY(!WrapObject(cx, subframe.Value(), desc.value()))) {
+ // It's gone?
+ return xpc::Throw(cx, NS_ERROR_FAILURE);
+ }
+ FillPropertyDescriptor(desc, wrapper, true);
+ return JS_WrapPropertyDescriptor(cx, desc);
+ }
+ }
+ }
+
+ if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+ return false;
+ }
+ if (desc.object()) {
+ desc.object().set(wrapper);
+ return true;
+ }
+
+ bool cacheOnHolder;
+ if (!XrayResolveOwnProperty(cx, wrapper, target, id, desc, cacheOnHolder)) {
+ return false;
+ }
+
+ MOZ_ASSERT(!desc.object() || desc.object() == wrapper,
+ "What did we resolve this on?");
+
+ if (!desc.object() || !cacheOnHolder) {
+ return true;
+ }
+
+ return JS_DefinePropertyById(cx, holder, id, desc) &&
+ JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+}
+
+bool DOMXrayTraits::delete_(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleId id, JS::ObjectOpResult& result) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ return XrayDeleteNamedProperty(cx, wrapper, target, id, result);
+}
+
+bool DOMXrayTraits::defineProperty(JSContext* cx, HandleObject wrapper,
+ HandleId id, Handle<PropertyDescriptor> desc,
+ Handle<PropertyDescriptor> existingDesc,
+ JS::ObjectOpResult& result, bool* done) {
+ // Check for an indexed property on a Window. If that's happening, do
+ // nothing but set done to tru so it won't get added as an expando.
+ if (IsWindow(cx, wrapper)) {
+ if (IsArrayIndex(GetArrayIndexFromId(id))) {
+ *done = true;
+ return result.succeed();
+ }
+ }
+
+ JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+ return XrayDefineProperty(cx, wrapper, obj, id, desc, result, done);
+}
+
+bool DOMXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+ unsigned flags,
+ MutableHandleIdVector props) {
+ // Put the indexed properties for a window first.
+ nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+ if (win) {
+ uint32_t length = win->Length();
+ if (!props.reserve(props.length() + length)) {
+ return false;
+ }
+ JS::RootedId indexId(cx);
+ for (uint32_t i = 0; i < length; ++i) {
+ if (!JS_IndexToId(cx, i, &indexId)) {
+ return false;
+ }
+ props.infallibleAppend(indexId);
+ }
+ }
+
+ JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+ if (JS_IsGlobalObject(obj)) {
+ // We could do this in a shared enumerateNames with JSXrayTraits, but we
+ // don't really have globals we expose via those.
+ JSAutoRealm ar(cx, obj);
+ if (!JS_NewEnumerateStandardClassesIncludingResolved(
+ cx, obj, props, !(flags & JSITER_HIDDEN))) {
+ return false;
+ }
+ }
+ return XrayOwnPropertyKeys(cx, wrapper, obj, flags, props);
+}
+
+bool DOMXrayTraits::call(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ RootedObject obj(cx, getTargetObject(wrapper));
+ const JSClass* clasp = JS::GetClass(obj);
+ // What we have is either a WebIDL interface object, a WebIDL prototype
+ // object, or a WebIDL instance object. WebIDL prototype objects never have
+ // a clasp->call. WebIDL interface objects we want to invoke on the xray
+ // compartment. WebIDL instance objects either don't have a clasp->call or
+ // are using "legacycaller". At this time for all the legacycaller users it
+ // makes more sense to invoke on the xray compartment, so we just go ahead
+ // and do that for everything.
+ if (JSNative call = clasp->getCall()) {
+ // call it on the Xray compartment
+ return call(cx, args.length(), args.base());
+ }
+
+ RootedValue v(cx, ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+}
+
+bool DOMXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ RootedObject obj(cx, getTargetObject(wrapper));
+ MOZ_ASSERT(mozilla::dom::HasConstructor(obj));
+ const JSClass* clasp = JS::GetClass(obj);
+ // See comments in DOMXrayTraits::call() explaining what's going on here.
+ if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
+ if (JSNative construct = clasp->getConstruct()) {
+ if (!construct(cx, args.length(), args.base())) {
+ return false;
+ }
+ } else {
+ RootedValue v(cx, ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+ } else {
+ if (!baseInstance.construct(cx, wrapper, args)) {
+ return false;
+ }
+ }
+ if (!args.rval().isObject() || !JS_WrapValue(cx, args.rval())) {
+ return false;
+ }
+ return true;
+}
+
+bool DOMXrayTraits::getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target,
+ JS::MutableHandleObject protop) {
+ return mozilla::dom::XrayGetNativeProto(cx, target, protop);
+}
+
+void DOMXrayTraits::preserveWrapper(JSObject* target) {
+ nsISupports* identity = mozilla::dom::UnwrapDOMObjectToISupports(target);
+ if (!identity) {
+ return;
+ }
+ nsWrapperCache* cache = nullptr;
+ CallQueryInterface(identity, &cache);
+ if (cache) {
+ cache->PreserveWrapper(identity);
+ }
+}
+
+JSObject* DOMXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+ return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+}
+
+const JSClass* DOMXrayTraits::getExpandoClass(JSContext* cx,
+ HandleObject target) const {
+ return XrayGetExpandoClass(cx, target);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::preventExtensions(
+ JSContext* cx, HandleObject wrapper, ObjectOpResult& result) const {
+ // Xray wrappers are supposed to provide a clean view of the target
+ // reflector, hiding any modifications by script in the target scope. So
+ // even if that script freezes the reflector, we don't want to make that
+ // visible to the caller. DOM reflectors are always extensible by default,
+ // so we can just return failure here.
+ return result.failCantPreventExtensions();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::isExtensible(JSContext* cx,
+ JS::Handle<JSObject*> wrapper,
+ bool* extensible) const {
+ // See above.
+ *extensible = true;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnPropertyDescriptor(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ JS::MutableHandle<PropertyDescriptor> desc) const {
+ assertEnteredPolicy(cx, wrapper, id,
+ BaseProxyHandler::GET | BaseProxyHandler::SET |
+ BaseProxyHandler::GET_PROPERTY_DESCRIPTOR);
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ if (!Traits::singleton.resolveOwnProperty(cx, wrapper, target, holder, id,
+ desc)) {
+ return false;
+ }
+ if (desc.object()) {
+ desc.object().set(wrapper);
+ }
+ return true;
+}
+
+// Consider what happens when chrome does |xray.expando = xray.wrappedJSObject|.
+//
+// Since the expando comes from the target compartment, wrapping it back into
+// the target compartment to define it on the expando object ends up stripping
+// off the Xray waiver that gives |xray| and |xray.wrappedJSObject| different
+// identities. This is generally the right thing to do when wrapping across
+// compartments, but is incorrect in the special case of the Xray expando
+// object. Manually re-apply Xrays if necessary.
+//
+// NB: In order to satisfy the invariants of WaiveXray, we need to pass
+// in an object sans security wrapper, which means we need to strip off any
+// potential same-compartment security wrapper that may have been applied
+// to the content object. This is ok, because the the expando object is only
+// ever accessed by code across the compartment boundary.
+static bool RecreateLostWaivers(JSContext* cx, const PropertyDescriptor* orig,
+ MutableHandle<PropertyDescriptor> wrapped) {
+ // Compute whether the original objects were waived, and implicitly, whether
+ // they were objects at all.
+ bool valueWasWaived =
+ orig->value.isObject() &&
+ WrapperFactory::HasWaiveXrayFlag(&orig->value.toObject());
+ bool getterWasWaived = (orig->attrs & JSPROP_GETTER) && orig->getter &&
+ WrapperFactory::HasWaiveXrayFlag(
+ JS_FUNC_TO_DATA_PTR(JSObject*, orig->getter));
+ bool setterWasWaived = (orig->attrs & JSPROP_SETTER) && orig->setter &&
+ WrapperFactory::HasWaiveXrayFlag(
+ JS_FUNC_TO_DATA_PTR(JSObject*, orig->setter));
+
+ // Recreate waivers. Note that for value, we need an extra UncheckedUnwrap
+ // to handle same-compartment security wrappers (see above). This should
+ // never happen for getters/setters.
+
+ RootedObject rewaived(cx);
+ if (valueWasWaived &&
+ !IsCrossCompartmentWrapper(&wrapped.value().toObject())) {
+ rewaived = &wrapped.value().toObject();
+ rewaived = WrapperFactory::WaiveXray(cx, UncheckedUnwrap(rewaived));
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.value().set(ObjectValue(*rewaived));
+ }
+ if (getterWasWaived && !IsCrossCompartmentWrapper(wrapped.getterObject())) {
+ // We can't end up with WindowProxy or Location as getters.
+ MOZ_ASSERT(CheckedUnwrapStatic(wrapped.getterObject()));
+ rewaived = WrapperFactory::WaiveXray(cx, wrapped.getterObject());
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.setGetterObject(rewaived);
+ }
+ if (setterWasWaived && !IsCrossCompartmentWrapper(wrapped.setterObject())) {
+ // We can't end up with WindowProxy or Location as setters.
+ MOZ_ASSERT(CheckedUnwrapStatic(wrapped.setterObject()));
+ rewaived = WrapperFactory::WaiveXray(cx, wrapped.setterObject());
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.setSetterObject(rewaived);
+ }
+
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::defineProperty(JSContext* cx,
+ HandleObject wrapper,
+ HandleId id,
+ Handle<PropertyDescriptor> desc,
+ ObjectOpResult& result) const {
+ assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+ Rooted<PropertyDescriptor> existing_desc(cx);
+ if (!JS_GetPropertyDescriptorById(cx, wrapper, id, &existing_desc)) {
+ return false;
+ }
+
+ // Note that the check here is intended to differentiate between own and
+ // non-own properties, since the above lookup is not limited to own
+ // properties. At present, this may not always do the right thing because
+ // we often lie (sloppily) about where we found properties and set
+ // desc.object() to |wrapper|. Once we fully fix our Xray prototype semantics,
+ // this should work as intended.
+ if (existing_desc.object() == wrapper && !existing_desc.configurable()) {
+ // We have a non-configurable property. See if the caller is trying to
+ // re-configure it in any way other than making it non-writable.
+ if (existing_desc.isAccessorDescriptor() || desc.isAccessorDescriptor() ||
+ (desc.hasEnumerable() &&
+ existing_desc.enumerable() != desc.enumerable()) ||
+ (desc.hasWritable() && !existing_desc.writable() && desc.writable())) {
+ // We should technically report non-configurability in strict mode, but
+ // doing that via JSAPI used to be a lot of trouble. See bug 1135997.
+ return result.succeed();
+ }
+ if (!existing_desc.writable()) {
+ // Same as the above for non-writability.
+ return result.succeed();
+ }
+ }
+
+ bool done = false;
+ if (!Traits::singleton.defineProperty(cx, wrapper, id, desc, existing_desc,
+ result, &done)) {
+ return false;
+ }
+ if (done) {
+ return true;
+ }
+
+ // Grab the relevant expando object.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expandoObject(
+ cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+ if (!expandoObject) {
+ return false;
+ }
+
+ // We're placing an expando. The expando objects live in the target
+ // compartment, so we need to enter it.
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+
+ // Wrap the property descriptor for the target compartment.
+ Rooted<PropertyDescriptor> wrappedDesc(cx, desc);
+ if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc)) {
+ return false;
+ }
+
+ // Fix up Xray waivers.
+ if (!RecreateLostWaivers(cx, desc.address(), &wrappedDesc)) {
+ return false;
+ }
+
+ return JS_DefinePropertyById(cx, expandoObject, id, wrappedDesc, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::ownPropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::ENUMERATE);
+ return getPropertyKeys(
+ cx, wrapper, JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::delete_(JSContext* cx, HandleObject wrapper,
+ HandleId id,
+ ObjectOpResult& result) const {
+ assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+ // Check the expando object.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ JS_MarkCrossZoneId(cx, id);
+ bool hasProp;
+ if (!JS_HasPropertyById(cx, expando, id, &hasProp)) {
+ return false;
+ }
+ if (hasProp) {
+ return JS_DeletePropertyById(cx, expando, id, result);
+ }
+ }
+
+ return Traits::singleton.delete_(cx, wrapper, id, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::get(JSContext* cx, HandleObject wrapper,
+ HandleValue receiver, HandleId id,
+ MutableHandleValue vp) const {
+ // This is called by Proxy::get, but since we return true for hasPrototype()
+ // it's only called for properties that hasOwn() claims we have as own
+ // properties. Since we only need to worry about own properties, we can use
+ // getOwnPropertyDescriptor here.
+ Rooted<PropertyDescriptor> desc(cx);
+ if (!getOwnPropertyDescriptor(cx, wrapper, id, &desc)) {
+ return false;
+ }
+ desc.assertCompleteIfFound();
+
+ MOZ_ASSERT(desc.object(),
+ "hasOwn() claimed we have this property, so why would we not get "
+ "a descriptor here?");
+
+ // Everything after here follows [[Get]] for ordinary objects.
+ if (desc.isDataDescriptor()) {
+ vp.set(desc.value());
+ return true;
+ }
+
+ MOZ_ASSERT(desc.isAccessorDescriptor());
+ RootedObject getter(cx, desc.getterObject());
+
+ if (!getter) {
+ vp.setUndefined();
+ return true;
+ }
+
+ return Call(cx, receiver, getter, HandleValueArray::empty(), vp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::set(JSContext* cx, HandleObject wrapper,
+ HandleId id, HandleValue v,
+ HandleValue receiver,
+ ObjectOpResult& result) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+ return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::has(JSContext* cx, HandleObject wrapper,
+ HandleId id, bool* bp) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+ return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::hasOwn(JSContext* cx, HandleObject wrapper,
+ HandleId id, bool* bp) const {
+ // Skip our Base if it isn't already ProxyHandler.
+ return js::BaseProxyHandler::hasOwn(cx, wrapper, id, bp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnEnumerablePropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ // Skip our Base if it isn't already ProxyHandler.
+ return js::BaseProxyHandler::getOwnEnumerablePropertyKeys(cx, wrapper, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::enumerate(
+ JSContext* cx, HandleObject wrapper,
+ JS::MutableHandleIdVector props) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::call(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::CALL);
+ // Hard cast the singleton since SecurityWrapper doesn't have one.
+ return Traits::call(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::CALL);
+ // Hard cast the singleton since SecurityWrapper doesn't have one.
+ return Traits::construct(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getBuiltinClass(JSContext* cx,
+ JS::HandleObject wrapper,
+ js::ESClass* cls) const {
+ return Traits::getBuiltinClass(cx, wrapper, Base::singleton, cls);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::hasInstance(JSContext* cx,
+ JS::HandleObject wrapper,
+ JS::MutableHandleValue v,
+ bool* bp) const {
+ assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::GET);
+
+ // CrossCompartmentWrapper::hasInstance unwraps |wrapper|'s Xrays and enters
+ // its compartment. Any present XrayWrappers should be preserved, so the
+ // standard "instanceof" implementation is called without unwrapping first.
+ return JS::InstanceofOperator(cx, wrapper, v, bp);
+}
+
+template <typename Base, typename Traits>
+const char* XrayWrapper<Base, Traits>::className(JSContext* cx,
+ HandleObject wrapper) const {
+ return Traits::className(cx, wrapper, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototype(
+ JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleObject protop) const {
+ // We really only want this override for non-SecurityWrapper-inheriting
+ // |Base|. But doing that statically with templates requires partial method
+ // specializations (and therefore a helper class), which is all more trouble
+ // than it's worth. Do a dynamic check.
+ if (Base::hasSecurityPolicy()) {
+ return Base::getPrototype(cx, wrapper, protop);
+ }
+
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ // We want to keep the Xray's prototype distinct from that of content, but
+ // only if there's been a set. If there's not an expando, or the expando
+ // slot is |undefined|, hand back the default proto, appropriately wrapped.
+
+ if (expando) {
+ RootedValue v(cx);
+ { // Scope for JSAutoRealm
+ JSAutoRealm ar(cx, expando);
+ v = JS::GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
+ }
+ if (!v.isUndefined()) {
+ protop.set(v.toObjectOrNull());
+ return JS_WrapObject(cx, protop);
+ }
+ }
+
+ // Check our holder, and cache there if we don't have it cached already.
+ RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ Value cached = JS::GetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO);
+ if (cached.isUndefined()) {
+ if (!Traits::singleton.getPrototype(cx, wrapper, target, protop)) {
+ return false;
+ }
+
+ JS::SetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO,
+ ObjectOrNullValue(protop));
+ } else {
+ protop.set(cached.toObjectOrNull());
+ }
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setPrototype(JSContext* cx,
+ JS::HandleObject wrapper,
+ JS::HandleObject proto,
+ JS::ObjectOpResult& result) const {
+ // Do this only for non-SecurityWrapper-inheriting |Base|. See the comment
+ // in getPrototype().
+ if (Base::hasSecurityPolicy()) {
+ return Base::setPrototype(cx, wrapper, proto, result);
+ }
+
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(
+ cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+ if (!expando) {
+ return false;
+ }
+
+ // The expando lives in the target's realm, so do our installation there.
+ JSAutoRealm ar(cx, target);
+
+ RootedValue v(cx, ObjectOrNullValue(proto));
+ if (!JS_WrapValue(cx, &v)) {
+ return false;
+ }
+ JS_SetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE, v);
+ return result.succeed();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototypeIfOrdinary(
+ JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary,
+ JS::MutableHandleObject protop) const {
+ // We want to keep the Xray's prototype distinct from that of content, but
+ // only if there's been a set. This different-prototype-over-time behavior
+ // means that the [[GetPrototypeOf]] trap *can't* be ECMAScript's ordinary
+ // [[GetPrototypeOf]]. This also covers cross-origin Window behavior that
+ // per
+ // <https://html.spec.whatwg.org/multipage/browsers.html#windowproxy-getprototypeof>
+ // must be non-ordinary.
+ *isOrdinary = false;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setImmutablePrototype(JSContext* cx,
+ JS::HandleObject wrapper,
+ bool* succeeded) const {
+ // For now, lacking an obvious place to store a bit, prohibit making an
+ // Xray's [[Prototype]] immutable. We can revisit this (or maybe give all
+ // Xrays immutable [[Prototype]], because who does this, really?) later if
+ // necessary.
+ *succeeded = false;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPropertyKeys(
+ JSContext* cx, HandleObject wrapper, unsigned flags,
+ MutableHandleIdVector props) const {
+ assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::ENUMERATE);
+
+ // Enumerate expando properties first. Note that the expando object lives
+ // in the target compartment.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ if (!js::GetPropertyKeys(cx, expando, flags, props)) {
+ return false;
+ }
+ }
+ for (size_t i = 0; i < props.length(); ++i) {
+ JS_MarkCrossZoneId(cx, props[i]);
+ }
+
+ return Traits::singleton.enumerateNames(cx, wrapper, flags, props);
+}
+
+/*
+ * The Permissive / Security variants should be used depending on whether the
+ * compartment of the wrapper is guranteed to subsume the compartment of the
+ * wrapped object (i.e. - whether it is safe from a security perspective to
+ * unwrap the wrapper).
+ */
+
+template <typename Base, typename Traits>
+const xpc::XrayWrapper<Base, Traits> xpc::XrayWrapper<Base, Traits>::singleton(
+ 0);
+
+template class PermissiveXrayDOM;
+template class PermissiveXrayJS;
+template class PermissiveXrayOpaque;
+
+/*
+ * This callback is used by the JS engine to test if a proxy handler is for a
+ * cross compartment xray with no security requirements.
+ */
+static bool IsCrossCompartmentXrayCallback(
+ const js::BaseProxyHandler* handler) {
+ return handler == &PermissiveXrayDOM::singleton;
+}
+
+JS::XrayJitInfo gXrayJitInfo = {
+ IsCrossCompartmentXrayCallback, CompartmentHasExclusiveExpandos,
+ JSSLOT_XRAY_HOLDER, XrayTraits::HOLDER_SLOT_EXPANDO,
+ JSSLOT_EXPANDO_PROTOTYPE};
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
new file mode 100644
index 0000000000..5204590ad8
--- /dev/null
+++ b/js/xpconnect/wrappers/XrayWrapper.h
@@ -0,0 +1,483 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef XrayWrapper_h
+#define XrayWrapper_h
+
+#include "mozilla/Attributes.h"
+
+#include "WrapperFactory.h"
+
+#include "jsapi.h"
+#include "jsfriendapi.h"
+#include "js/friend/XrayJitInfo.h" // JS::XrayJitInfo
+#include "js/Object.h" // JS::GetReservedSlot
+#include "js/Proxy.h"
+#include "js/Wrapper.h"
+
+// Slot where Xray functions for Web IDL methods store a pointer to
+// the Xray wrapper they're associated with.
+#define XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT 0
+// Slot where in debug builds Xray functions for Web IDL methods store
+// a pointer to their themselves, just so we can assert that they're the
+// sort of functions we expect.
+#define XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF 1
+
+// Xray wrappers re-resolve the original native properties on the native
+// object and always directly access to those properties.
+// Because they work so differently from the rest of the wrapper hierarchy,
+// we pull them out of the Wrapper inheritance hierarchy and create a
+// little world around them.
+
+class nsIPrincipal;
+
+namespace xpc {
+
+enum XrayType {
+ XrayForDOMObject,
+ XrayForJSObject,
+ XrayForOpaqueObject,
+ NotXray
+};
+
+class XrayTraits {
+ public:
+ constexpr XrayTraits() = default;
+
+ static JSObject* getTargetObject(JSObject* wrapper) {
+ JSObject* target =
+ js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ false);
+ if (target) {
+ JS::ExposeObjectToActiveJS(target);
+ }
+ return target;
+ }
+
+ // NB: resolveOwnProperty may decide whether or not to cache what it finds
+ // on the holder. If the result is not cached, the lookup will happen afresh
+ // for each access, which is the right thing for things like dynamic NodeList
+ // properties.
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc);
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result) {
+ return result.succeed();
+ }
+
+ static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance,
+ js::ESClass* cls) {
+ return baseInstance.getBuiltinClass(cx, wrapper, cls);
+ }
+
+ static const char* className(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance) {
+ return baseInstance.className(cx, wrapper);
+ }
+
+ virtual void preserveWrapper(JSObject* target) = 0;
+
+ bool getExpandoObject(JSContext* cx, JS::HandleObject target,
+ JS::HandleObject consumer,
+ JS::MutableHandleObject expandObject);
+ JSObject* ensureExpandoObject(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target);
+
+ // Slots for holder objects.
+ enum {
+ HOLDER_SLOT_CACHED_PROTO = 0,
+ HOLDER_SLOT_EXPANDO = 1,
+ HOLDER_SHARED_SLOT_COUNT
+ };
+
+ static JSObject* getHolder(JSObject* wrapper);
+ JSObject* ensureHolder(JSContext* cx, JS::HandleObject wrapper);
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) = 0;
+
+ JSObject* getExpandoChain(JS::HandleObject obj);
+ JSObject* detachExpandoChain(JS::HandleObject obj);
+ bool setExpandoChain(JSContext* cx, JS::HandleObject obj,
+ JS::HandleObject chain);
+ bool cloneExpandoChain(JSContext* cx, JS::HandleObject dst,
+ JS::HandleObject srcChain);
+
+ protected:
+ static const JSClass HolderClass;
+
+ // Get the JSClass we should use for our expando object.
+ virtual const JSClass* getExpandoClass(JSContext* cx,
+ JS::HandleObject target) const;
+
+ private:
+ bool expandoObjectMatchesConsumer(JSContext* cx,
+ JS::HandleObject expandoObject,
+ nsIPrincipal* consumerOrigin);
+
+ // |expandoChain| is the expando chain in the wrapped object's compartment.
+ // |exclusiveWrapper| is any xray that has exclusive use of the expando.
+ // |cx| may be in any compartment.
+ bool getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+ JS::HandleObject exclusiveWrapper,
+ nsIPrincipal* origin,
+ JS::MutableHandleObject expandoObject);
+
+ // |cx| is in the target's compartment, and |exclusiveWrapper| is any xray
+ // that has exclusive use of the expando. |exclusiveWrapperGlobal| is the
+ // caller's global and must be same-compartment with |exclusiveWrapper|.
+ JSObject* attachExpandoObject(JSContext* cx, JS::HandleObject target,
+ JS::HandleObject exclusiveWrapper,
+ JS::HandleObject exclusiveWrapperGlobal,
+ nsIPrincipal* origin);
+
+ XrayTraits(XrayTraits&) = delete;
+ const XrayTraits& operator=(XrayTraits&) = delete;
+};
+
+class DOMXrayTraits : public XrayTraits {
+ public:
+ constexpr DOMXrayTraits() = default;
+
+ static const XrayType Type = XrayForDOMObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) override;
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result);
+
+ bool defineProperty(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<JS::PropertyDescriptor> existingDesc,
+ JS::ObjectOpResult& result, bool* done);
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props);
+ static bool call(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance);
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance);
+
+ static bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target,
+ JS::MutableHandleObject protop);
+
+ virtual void preserveWrapper(JSObject* target) override;
+
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+ static DOMXrayTraits singleton;
+
+ protected:
+ virtual const JSClass* getExpandoClass(
+ JSContext* cx, JS::HandleObject target) const override;
+};
+
+class JSXrayTraits : public XrayTraits {
+ public:
+ static const XrayType Type = XrayForJSObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) override;
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result);
+
+ bool defineProperty(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<JS::PropertyDescriptor> existingDesc,
+ JS::ObjectOpResult& result, bool* defined);
+
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props);
+
+ static bool call(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+ JSXrayTraits& self = JSXrayTraits::singleton;
+ JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+ if (xpc::JSXrayTraits::getProtoKey(holder) == JSProto_Function) {
+ return baseInstance.call(cx, wrapper, args);
+ }
+
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance);
+
+ bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target, JS::MutableHandleObject protop) {
+ JS::RootedObject holder(cx, ensureHolder(cx, wrapper));
+ JSProtoKey key = getProtoKey(holder);
+ if (isPrototype(holder)) {
+ JSProtoKey protoKey = js::InheritanceProtoKeyForStandardClass(key);
+ if (protoKey == JSProto_Null) {
+ protop.set(nullptr);
+ return true;
+ }
+ key = protoKey;
+ }
+
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassPrototype(cx, key, protop)) {
+ return false;
+ }
+ }
+ return JS_WrapObject(cx, protop);
+ }
+
+ virtual void preserveWrapper(JSObject* target) override {
+ // In the case of pure JS objects, there is no underlying object, and
+ // the target is the canonical representation of state. If it gets
+ // collected, then expandos and such should be collected too. So there's
+ // nothing to do here.
+ }
+
+ enum {
+ SLOT_PROTOKEY = HOLDER_SHARED_SLOT_COUNT,
+ SLOT_ISPROTOTYPE,
+ SLOT_CONSTRUCTOR_FOR,
+ SLOT_COUNT
+ };
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+ static JSProtoKey getProtoKey(JSObject* holder) {
+ int32_t key = JS::GetReservedSlot(holder, SLOT_PROTOKEY).toInt32();
+ return static_cast<JSProtoKey>(key);
+ }
+
+ static bool isPrototype(JSObject* holder) {
+ return JS::GetReservedSlot(holder, SLOT_ISPROTOTYPE).toBoolean();
+ }
+
+ static JSProtoKey constructorFor(JSObject* holder) {
+ int32_t key = JS::GetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR).toInt32();
+ return static_cast<JSProtoKey>(key);
+ }
+
+ // Operates in the wrapper compartment.
+ static bool getOwnPropertyFromWrapperIfSafe(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc);
+
+ // Like the above, but operates in the target compartment. wrapperGlobal is
+ // the caller's global (must be in the wrapper compartment).
+ static bool getOwnPropertyFromTargetIfSafe(
+ JSContext* cx, JS::HandleObject target, JS::HandleObject wrapper,
+ JS::HandleObject wrapperGlobal, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc);
+
+ static const JSClass HolderClass;
+ static JSXrayTraits singleton;
+};
+
+// These traits are used when the target is not Xrayable and we therefore want
+// to make it opaque modulo the usual Xray machinery (like expandos and
+// .wrappedJSObject).
+class OpaqueXrayTraits : public XrayTraits {
+ public:
+ static const XrayType Type = XrayForOpaqueObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) override;
+
+ bool defineProperty(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<JS::PropertyDescriptor> existingDesc,
+ JS::ObjectOpResult& result, bool* defined) {
+ *defined = false;
+ return true;
+ }
+
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props) {
+ return true;
+ }
+
+ static bool call(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target, JS::MutableHandleObject protop) {
+ // Opaque wrappers just get targetGlobal.Object.prototype as their
+ // prototype. This is preferable to using a null prototype because it
+ // lets things like |toString| and |__proto__| work.
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassPrototype(cx, JSProto_Object, protop)) {
+ return false;
+ }
+ }
+ return JS_WrapObject(cx, protop);
+ }
+
+ static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance,
+ js::ESClass* cls) {
+ *cls = js::ESClass::Other;
+ return true;
+ }
+
+ static const char* className(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance) {
+ return "Opaque";
+ }
+
+ virtual void preserveWrapper(JSObject* target) override {}
+
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override {
+ return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+ }
+
+ static OpaqueXrayTraits singleton;
+};
+
+XrayType GetXrayType(JSObject* obj);
+XrayTraits* GetXrayTraits(JSObject* obj);
+
+template <typename Base, typename Traits>
+class XrayWrapper : public Base {
+ static_assert(std::is_base_of_v<js::BaseProxyHandler, Base>,
+ "Base *must* derive from js::BaseProxyHandler");
+
+ public:
+ constexpr explicit XrayWrapper(unsigned flags)
+ : Base(flags | WrapperFactory::IS_XRAY_WRAPPER_FLAG,
+ /* aHasPrototype = */ true){};
+
+ /* Standard internal methods. */
+ virtual bool getOwnPropertyDescriptor(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::PropertyDescriptor> desc) const override;
+ virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::ObjectOpResult& result) const override;
+ virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+ virtual bool delete_(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id,
+ JS::ObjectOpResult& result) const override;
+ virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+ virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleObject protop) const override;
+ virtual bool setPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject proto,
+ JS::ObjectOpResult& result) const override;
+ virtual bool getPrototypeIfOrdinary(
+ JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary,
+ JS::MutableHandleObject protop) const override;
+ virtual bool setImmutablePrototype(JSContext* cx, JS::HandleObject wrapper,
+ bool* succeeded) const override;
+ virtual bool preventExtensions(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::ObjectOpResult& result) const override;
+ virtual bool isExtensible(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ bool* extensible) const override;
+ virtual bool has(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id, bool* bp) const override;
+ virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::HandleValue receiver, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::Value> vp) const override;
+ virtual bool set(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id, JS::Handle<JS::Value> v,
+ JS::Handle<JS::Value> receiver,
+ JS::ObjectOpResult& result) const override;
+ virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+ virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+
+ /* SpiderMonkey extensions. */
+ virtual bool hasOwn(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id, bool* bp) const override;
+ virtual bool getOwnEnumerablePropertyKeys(
+ JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandleIdVector props) const override;
+
+ virtual bool getBuiltinClass(JSContext* cx, JS::HandleObject wapper,
+ js::ESClass* cls) const override;
+ virtual bool hasInstance(JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleValue v, bool* bp) const override;
+ virtual const char* className(JSContext* cx,
+ JS::HandleObject proxy) const override;
+
+ static const XrayWrapper singleton;
+
+ protected:
+ bool getPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ unsigned flags, JS::MutableHandleIdVector props) const;
+};
+
+#define PermissiveXrayDOM \
+ xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>
+#define PermissiveXrayJS \
+ xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::JSXrayTraits>
+#define PermissiveXrayOpaque \
+ xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::OpaqueXrayTraits>
+
+extern template class PermissiveXrayDOM;
+extern template class PermissiveXrayJS;
+extern template class PermissiveXrayOpaque;
+
+/*
+ * Slots for Xray expando objects. See comments in XrayWrapper.cpp for details
+ * of how these get used; we mostly want the value of JSSLOT_EXPANDO_COUNT here.
+ */
+enum ExpandoSlots {
+ JSSLOT_EXPANDO_NEXT = 0,
+ JSSLOT_EXPANDO_ORIGIN,
+ JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER,
+ JSSLOT_EXPANDO_PROTOTYPE,
+ JSSLOT_EXPANDO_COUNT
+};
+
+extern const JSClassOps XrayExpandoObjectClassOps;
+
+/*
+ * Clear the given slot on all Xray expandos for the given object.
+ *
+ * No-op when called on non-main threads (where Xrays don't exist).
+ */
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex);
+
+/*
+ * Ensure the given wrapper has an expando object and return it. This can
+ * return null on failure. Will only be called when "wrapper" is an Xray for a
+ * DOM object.
+ */
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper);
+
+// Information about xrays for use by the JITs.
+extern JS::XrayJitInfo gXrayJitInfo;
+
+} // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/moz.build b/js/xpconnect/wrappers/moz.build
new file mode 100644
index 0000000000..8515350877
--- /dev/null
+++ b/js/xpconnect/wrappers/moz.build
@@ -0,0 +1,35 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+EXPORTS += [
+ "WrapperFactory.h",
+]
+
+UNIFIED_SOURCES += [
+ "AccessCheck.cpp",
+ "ChromeObjectWrapper.cpp",
+ "FilteringWrapper.cpp",
+ "WaiveXrayWrapper.cpp",
+ "WrapperFactory.cpp",
+]
+
+# XrayWrapper needs to be built separately becaue of template instantiations.
+SOURCES += [
+ "XrayWrapper.cpp",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul"
+
+LOCAL_INCLUDES += [
+ "../../../dom/base",
+ "../src",
+ "/caps",
+]
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+ CXXFLAGS += ["-Wno-shadow"]