1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "AccessCheck.h"
#include "nsJSPrincipals.h"
#include "nsGlobalWindow.h"
#include "XPCWrapper.h"
#include "XrayWrapper.h"
#include "FilteringWrapper.h"
#include "jsfriendapi.h"
#include "js/Object.h" // JS::GetClass, JS::GetCompartment
#include "mozilla/BasePrincipal.h"
#include "mozilla/ErrorResult.h"
#include "mozilla/dom/BindingUtils.h"
#include "mozilla/dom/LocationBinding.h"
#include "mozilla/dom/WindowBinding.h"
#include "nsJSUtils.h"
#include "xpcprivate.h"
using namespace mozilla;
using namespace JS;
using namespace js;
namespace xpc {
BasePrincipal* GetRealmPrincipal(JS::Realm* realm) {
return BasePrincipal::Cast(
nsJSPrincipals::get(JS::GetRealmPrincipals(realm)));
}
nsIPrincipal* GetObjectPrincipal(JSObject* obj) {
return GetRealmPrincipal(js::GetNonCCWObjectRealm(obj));
}
bool AccessCheck::subsumes(JSObject* a, JSObject* b) {
return CompartmentOriginInfo::Subsumes(JS::GetCompartment(a),
JS::GetCompartment(b));
}
// Same as above, but considering document.domain.
bool AccessCheck::subsumesConsideringDomain(JS::Realm* a, JS::Realm* b) {
MOZ_ASSERT(OriginAttributes::IsRestrictOpenerAccessForFPI());
BasePrincipal* aprin = GetRealmPrincipal(a);
BasePrincipal* bprin = GetRealmPrincipal(b);
return aprin->FastSubsumesConsideringDomain(bprin);
}
bool AccessCheck::subsumesConsideringDomainIgnoringFPD(JS::Realm* a,
JS::Realm* b) {
MOZ_ASSERT(!OriginAttributes::IsRestrictOpenerAccessForFPI());
BasePrincipal* aprin = GetRealmPrincipal(a);
BasePrincipal* bprin = GetRealmPrincipal(b);
return aprin->FastSubsumesConsideringDomainIgnoringFPD(bprin);
}
// Does the compartment of the wrapper subsumes the compartment of the wrappee?
bool AccessCheck::wrapperSubsumes(JSObject* wrapper) {
MOZ_ASSERT(js::IsWrapper(wrapper));
JSObject* wrapped = js::UncheckedUnwrap(wrapper);
return CompartmentOriginInfo::Subsumes(JS::GetCompartment(wrapper),
JS::GetCompartment(wrapped));
}
bool AccessCheck::isChrome(JS::Compartment* compartment) {
return js::IsSystemCompartment(compartment);
}
bool AccessCheck::isChrome(JS::Realm* realm) {
return isChrome(JS::GetCompartmentForRealm(realm));
}
bool AccessCheck::isChrome(JSObject* obj) {
return isChrome(JS::GetCompartment(obj));
}
bool IsCrossOriginAccessibleObject(JSObject* obj) {
obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
const JSClass* clasp = JS::GetClass(obj);
return (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location")) ||
(clasp->name[0] == 'W' && !strcmp(clasp->name, "Window"));
}
bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
HandleValue v) {
// Primitives are fine.
if (!v.isObject()) {
return true;
}
RootedObject obj(cx, &v.toObject());
// Non-wrappers are fine.
if (!js::IsWrapper(obj)) {
return true;
}
// Same-origin wrappers are fine.
if (AccessCheck::wrapperSubsumes(obj)) {
return true;
}
// Badness.
JS_ReportErrorASCII(cx,
"Permission denied to pass object to privileged code");
return false;
}
bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper,
const CallArgs& args) {
if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv())) {
return false;
}
for (size_t i = 0; i < args.length(); ++i) {
if (!checkPassToPrivilegedCode(cx, wrapper, args[i])) {
return false;
}
}
return true;
}
void AccessCheck::reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
const nsACString& accessType) {
// This function exists because we want to report DOM SecurityErrors, not JS
// Errors, when denying access on cross-origin DOM objects. It's
// conceptually pretty similar to
// AutoEnterPolicy::reportErrorIfExceptionIsNotPending.
if (JS_IsExceptionPending(cx)) {
return;
}
nsAutoCString message;
if (id.isVoid()) {
message = "Permission denied to access object"_ns;
} else {
// We want to use JS_ValueToSource here, because that most closely
// matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
// does.
JS::RootedValue idVal(cx, js::IdToValue(id));
nsAutoJSString propName;
JS::RootedString idStr(cx, JS_ValueToSource(cx, idVal));
if (!idStr || !propName.init(cx, idStr)) {
return;
}
message = "Permission denied to "_ns + accessType + " property "_ns +
NS_ConvertUTF16toUTF8(propName) + " on cross-origin object"_ns;
}
ErrorResult rv;
rv.ThrowSecurityError(message);
MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(cx));
}
bool OpaqueWithSilentFailing::deny(JSContext* cx, js::Wrapper::Action act,
HandleId id, bool mayThrow) {
// Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) {
// Note that ReportWrapperDenial doesn't do any _exception_ reporting,
// so we want to do this regardless of the value of mayThrow.
return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
"Access to privileged JS object not permitted");
}
return false;
}
} // namespace xpc
|