Diffstat (limited to '')
-rw-r--r-- | js/xpconnect/wrappers/AccessCheck.cpp | 171 | ||||
-rw-r--r-- | js/xpconnect/wrappers/AccessCheck.h | 115 | ||||
-rw-r--r-- | js/xpconnect/wrappers/ChromeObjectWrapper.cpp | 41 | ||||
-rw-r--r-- | js/xpconnect/wrappers/ChromeObjectWrapper.h | 42 | ||||
-rw-r--r-- | js/xpconnect/wrappers/FilteringWrapper.cpp | 172 | ||||
-rw-r--r-- | js/xpconnect/wrappers/FilteringWrapper.h | 57 | ||||
-rw-r--r-- | js/xpconnect/wrappers/WaiveXrayWrapper.cpp | 95 | ||||
-rw-r--r-- | js/xpconnect/wrappers/WaiveXrayWrapper.h | 48 | ||||
-rw-r--r-- | js/xpconnect/wrappers/WrapperFactory.cpp | 819 | ||||
-rw-r--r-- | js/xpconnect/wrappers/WrapperFactory.h | 114 | ||||
-rw-r--r-- | js/xpconnect/wrappers/XrayWrapper.cpp | 2351 | ||||
-rw-r--r-- | js/xpconnect/wrappers/XrayWrapper.h | 495 | ||||
-rw-r--r-- | js/xpconnect/wrappers/moz.build | 32 |
13 files changed, 4552 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp
new file mode 100644
index 0000000000..a3c5173776
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -0,0 +1,171 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "AccessCheck.h" + +#include "nsJSPrincipals.h" + +#include "XPCWrapper.h" +#include "XrayWrapper.h" +#include "FilteringWrapper.h" + +#include "jsfriendapi.h" +#include "js/Object.h" // JS::GetClass, JS::GetCompartment +#include "mozilla/BasePrincipal.h" +#include "mozilla/ErrorResult.h" +#include "mozilla/dom/BindingUtils.h" +#include "mozilla/dom/LocationBinding.h" +#include "mozilla/dom/WindowBinding.h" +#include "nsJSUtils.h" +#include "xpcprivate.h" + +using namespace mozilla; +using namespace JS; +using namespace js; + +namespace xpc { + +BasePrincipal* GetRealmPrincipal(JS::Realm* realm) { + return BasePrincipal::Cast( + nsJSPrincipals::get(JS::GetRealmPrincipals(realm))); +} + +nsIPrincipal* GetObjectPrincipal(JSObject* obj) { + return GetRealmPrincipal(js::GetNonCCWObjectRealm(obj)); +} + +bool AccessCheck::subsumes(JSObject* a, JSObject* b) { + return CompartmentOriginInfo::Subsumes(JS::GetCompartment(a), + JS::GetCompartment(b)); +} + +// Same as above, but considering document.domain. 
+bool AccessCheck::subsumesConsideringDomain(JS::Realm* a, JS::Realm* b) { + MOZ_ASSERT(OriginAttributes::IsRestrictOpenerAccessForFPI()); + BasePrincipal* aprin = GetRealmPrincipal(a); + BasePrincipal* bprin = GetRealmPrincipal(b); + return aprin->FastSubsumesConsideringDomain(bprin); +} + +bool AccessCheck::subsumesConsideringDomainIgnoringFPD(JS::Realm* a, + JS::Realm* b) { + MOZ_ASSERT(!OriginAttributes::IsRestrictOpenerAccessForFPI()); + BasePrincipal* aprin = GetRealmPrincipal(a); + BasePrincipal* bprin = GetRealmPrincipal(b); + return aprin->FastSubsumesConsideringDomainIgnoringFPD(bprin); +} + +// Does the compartment of the wrapper subsumes the compartment of the wrappee? +bool AccessCheck::wrapperSubsumes(JSObject* wrapper) { + MOZ_ASSERT(js::IsWrapper(wrapper)); + JSObject* wrapped = js::UncheckedUnwrap(wrapper); + return CompartmentOriginInfo::Subsumes(JS::GetCompartment(wrapper), + JS::GetCompartment(wrapped)); +} + +bool AccessCheck::isChrome(JS::Compartment* compartment) { + return js::IsSystemCompartment(compartment); +} + +bool AccessCheck::isChrome(JS::Realm* realm) { + return isChrome(JS::GetCompartmentForRealm(realm)); +} + +bool AccessCheck::isChrome(JSObject* obj) { + return isChrome(JS::GetCompartment(obj)); +} + +bool IsCrossOriginAccessibleObject(JSObject* obj) { + obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false); + const JSClass* clasp = JS::GetClass(obj); + + return (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location")) || + (clasp->name[0] == 'W' && !strcmp(clasp->name, "Window")); +} + +bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper, + HandleValue v) { + // Primitives are fine. + if (!v.isObject()) { + return true; + } + RootedObject obj(cx, &v.toObject()); + + // Non-wrappers are fine. + if (!js::IsWrapper(obj)) { + return true; + } + + // Same-origin wrappers are fine. + if (AccessCheck::wrapperSubsumes(obj)) { + return true; + } + + // Badness. 
+ JS_ReportErrorASCII(cx, + "Permission denied to pass object to privileged code"); + return false; +} + +bool AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper, + const CallArgs& args) { + if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv())) { + return false; + } + for (size_t i = 0; i < args.length(); ++i) { + if (!checkPassToPrivilegedCode(cx, wrapper, args[i])) { + return false; + } + } + return true; +} + +void AccessCheck::reportCrossOriginDenial(JSContext* cx, JS::HandleId id, + const nsACString& accessType) { + // This function exists because we want to report DOM SecurityErrors, not JS + // Errors, when denying access on cross-origin DOM objects. It's + // conceptually pretty similar to + // AutoEnterPolicy::reportErrorIfExceptionIsNotPending. + if (JS_IsExceptionPending(cx)) { + return; + } + + nsAutoCString message; + if (id.isVoid()) { + message = "Permission denied to access object"_ns; + } else { + // We want to use JS_ValueToSource here, because that most closely + // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending + // does. + JS::RootedValue idVal(cx, js::IdToValue(id)); + nsAutoJSString propName; + JS::RootedString idStr(cx, JS_ValueToSource(cx, idVal)); + if (!idStr || !propName.init(cx, idStr)) { + return; + } + message = "Permission denied to "_ns + accessType + " property "_ns + + NS_ConvertUTF16toUTF8(propName) + " on cross-origin object"_ns; + } + ErrorResult rv; + rv.ThrowSecurityError(message); + MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(cx)); +} + +bool OpaqueWithSilentFailing::deny(JSContext* cx, js::Wrapper::Action act, + HandleId id, bool mayThrow) { + // Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR. + if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE || + act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) { + // Note that ReportWrapperDenial doesn't do any _exception_ reporting, + // so we want to do this regardless of the value of mayThrow. 
+ return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
+ "Access to privileged JS object not permitted");
+ }
+
+ return false;
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/AccessCheck.h b/js/xpconnect/wrappers/AccessCheck.h
new file mode 100644
index 0000000000..c42e56ea02
--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.h
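Review bot: The CallArgs overload of checkPassToPrivilegedCode walks `args.thisv()` and each `args[i]` but never looks at `args.newTarget()`, even though FilteringWrapper::construct (FilteringWrapper.cpp) routes through the same Policy::checkCall; if newTarget is deliberately exempt, a comment such as `// newTarget is intentionally not checked here: <reason>` would spare the next reader the question, and otherwise it should be run through the same check. The `wrapper` parameter of the HandleValue overload is never read, so either `[[maybe_unused]]` or a one-line comment explaining that it exists to keep the two overloads parallel would document that. IsCrossOriginAccessibleObject recognises Window and Location purely by JSClass name; a comment stating why a name comparison is sufficient here would make that check easier to audit.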
@@ -0,0 +1,115 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __AccessCheck_h__ +#define __AccessCheck_h__ + +#include "js/Id.h" +#include "js/Wrapper.h" +#include "nsString.h" + +#ifdef XP_MACOSX +// AssertMacros.h defines 'check' which conflicts with the method declarations +// in this file. +# undef check +#endif + +namespace xpc { + +class AccessCheck { + public: + static bool subsumes(JSObject* a, JSObject* b); + static bool wrapperSubsumes(JSObject* wrapper); + static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b); + static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a, JS::Realm* b); + static bool isChrome(JS::Compartment* compartment); + static bool isChrome(JS::Realm* realm); + static bool isChrome(JSObject* obj); + static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper, + JS::HandleValue value); + static bool checkPassToPrivilegedCode(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args); + // Called to report the correct sort of exception when our policy denies and + // should throw. The accessType argument should be one of "access", + // "define", "delete", depending on which operation is being denied. + static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id, + const nsACString& accessType); +}; + +/** + * Returns true if the given object (which is expected to be stripped of + * cross-compartment wrappers in practice, but this function doesn't assume + * that) is a WindowProxy or Location object, which need special wrapping + * behavior due to being usable cross-origin in limited ways. 
+ */ +bool IsCrossOriginAccessibleObject(JSObject* obj); + +struct Policy { + static bool checkCall(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args) { + MOZ_CRASH("As a rule, filtering wrappers are non-callable"); + } +}; + +// This policy allows no interaction with the underlying callable. Everything +// throws. +struct Opaque : public Policy { + static bool check(JSContext* cx, JSObject* wrapper, jsid id, + js::Wrapper::Action act) { + return false; + } + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow) { + return false; + } + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } +}; + +// Like the above, but allows CALL. +struct OpaqueWithCall : public Policy { + static bool check(JSContext* cx, JSObject* wrapper, jsid id, + js::Wrapper::Action act) { + return act == js::Wrapper::CALL; + } + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow) { + return false; + } + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } + static bool checkCall(JSContext* cx, JS::HandleObject wrapper, + const JS::CallArgs& args) { + return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args); + } +}; + +// This class used to support permitting access to properties if they +// appeared in an access list on the object, but now it acts like an +// Opaque wrapper, with the exception that it fails silently for GET, +// ENUMERATE, and GET_PROPERTY_DESCRIPTOR. This is done for backwards +// compatibility. See bug 1397513. 
+struct OpaqueWithSilentFailing : public Policy { + static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id, + js::Wrapper::Action act) { + return false; + } + + static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id, + bool mayThrow); + static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl) { + return false; + } +}; + +} // namespace xpc + +#endif /* __AccessCheck_h__ */ diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.cpp b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp new file mode 100644 index 0000000000..28ea3d2c02 --- /dev/null +++ b/js/xpconnect/wrappers/ChromeObjectWrapper.cpp 
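Review bot: The three policy structs declare `check` with different parameter types: Opaque and OpaqueWithCall take `JSObject* wrapper, jsid id`, while OpaqueWithSilentFailing takes `JS::HandleObject wrapper, JS::HandleId id`, yet FilteringWrapper::enter calls all of them with the same handle arguments. Aligning them on one form, e.g. `static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id, js::Wrapper::Action act)`, would make the policy contract uniform and greppable. The base `Policy` struct also carries no comment saying which static members a policy must provide (`check`, `deny`, `allowNativeCall`, and `checkCall` when the wrapper is callable); a short comment above it listing those would help anyone adding a policy.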
@@ -0,0 +1,41 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+#include "AccessCheck.h"
+#include "xpcprivate.h"
+#include "jsapi.h"
+#include "js/Wrapper.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+
+namespace xpc {
+
+const ChromeObjectWrapper ChromeObjectWrapper::singleton;
+
+bool ChromeObjectWrapper::defineProperty(JSContext* cx, HandleObject wrapper,
+ HandleId id,
+ Handle<PropertyDescriptor> desc,
+ ObjectOpResult& result) const {
+ if (desc.hasValue() &&
+ !AccessCheck::checkPassToPrivilegedCode(cx, wrapper, desc.value())) {
+ return false;
+ }
+ return ChromeObjectWrapperBase::defineProperty(cx, wrapper, id, desc, result);
+}
+
+bool ChromeObjectWrapper::set(JSContext* cx, HandleObject wrapper, HandleId id,
+ HandleValue v, HandleValue receiver,
+ ObjectOpResult& result) const {
+ if (!AccessCheck::checkPassToPrivilegedCode(cx, wrapper, v)) {
+ return false;
+ }
+ return ChromeObjectWrapperBase::set(cx, wrapper, id, v, receiver, result);
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/ChromeObjectWrapper.h b/js/xpconnect/wrappers/ChromeObjectWrapper.h
new file mode 100644
index 0000000000..49ce4fc139
--- /dev/null
+++ b/js/xpconnect/wrappers/ChromeObjectWrapper.h
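Review bot: defineProperty runs checkPassToPrivilegedCode only on `desc.value()`; an accessor descriptor's getter and setter are also content objects handed to the chrome side, and they are not checked here. Since OpaqueWithSilentFailing::check returns false for every action, the enter() policy presumably denies the trap before this body runs, which would make this defense in depth rather than a live gap — if that is confirmed, a comment such as `// Getter/setter are not checked here: the Opaque policy in enter() already denies this action.` should say so, and otherwise the check should cover `desc.getter()` and `desc.setter()` as well, mirroring how WaiveXrayWrapper::getOwnPropertyDescriptor treats all three.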
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __ChromeObjectWrapper_h__
+#define __ChromeObjectWrapper_h__
+
+#include "mozilla/Attributes.h"
+
+#include "FilteringWrapper.h"
+
+namespace xpc {
+
+struct OpaqueWithSilentFailing;
+
+// When a vanilla chrome JS object is exposed to content, we use a wrapper that
+// fails silently on GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR for legacy
+// reasons. For extra security, we override the traps that allow content to pass
+// an object to chrome, and perform extra security checks on them.
+#define ChromeObjectWrapperBase \
+ FilteringWrapper<js::CrossCompartmentSecurityWrapper, OpaqueWithSilentFailing>
+
+class ChromeObjectWrapper : public ChromeObjectWrapperBase {
+ public:
+ constexpr ChromeObjectWrapper() : ChromeObjectWrapperBase(0) {}
+
+ virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<jsid> id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::ObjectOpResult& result) const override;
+ virtual bool set(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::HandleValue v, JS::HandleValue receiver,
+ JS::ObjectOpResult& result) const override;
+
+ static const ChromeObjectWrapper singleton;
+};
+
+} /* namespace xpc */
+
+#endif /* __ChromeObjectWrapper_h__ */
diff --git a/js/xpconnect/wrappers/FilteringWrapper.cpp b/js/xpconnect/wrappers/FilteringWrapper.cpp
new file mode 100644
index 0000000000..f4812e04ba
--- /dev/null
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
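Review bot: `ChromeObjectWrapperBase` is a preprocessor macro standing in for a type, which leaks into every including translation unit and is never `#undef`'d, where a reader would normally expect a `using` alias. FilteringWrapper.cpp instantiates it with `template class ChromeObjectWrapperBase;`, and an explicit instantiation needs a template-id rather than an alias, which is presumably why the macro was chosen; a comment above the `#define`, e.g. `// A macro rather than a using-alias so FilteringWrapper.cpp can name it in an explicit instantiation.`, would stop the next reader from "fixing" it.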
@@ -0,0 +1,172 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "FilteringWrapper.h" +#include "AccessCheck.h" +#include "ChromeObjectWrapper.h" +#include "XrayWrapper.h" +#include "nsJSUtils.h" +#include "mozilla/ErrorResult.h" +#include "xpcpublic.h" +#include "xpcprivate.h" + +#include "jsapi.h" +#include "js/Symbol.h" + +using namespace JS; +using namespace js; + +namespace xpc { + +static JS::SymbolCode sCrossOriginWhitelistedSymbolCodes[] = { + JS::SymbolCode::toStringTag, JS::SymbolCode::hasInstance, + JS::SymbolCode::isConcatSpreadable}; + +static bool IsCrossOriginWhitelistedSymbol(JSContext* cx, JS::HandleId id) { + if (!id.isSymbol()) { + return false; + } + + JS::Symbol* symbol = id.toSymbol(); + for (auto code : sCrossOriginWhitelistedSymbolCodes) { + if (symbol == JS::GetWellKnownSymbol(cx, code)) { + return true; + } + } + + return false; +} + +bool IsCrossOriginWhitelistedProp(JSContext* cx, JS::HandleId id) { + return id == GetJSIDByIndex(cx, XPCJSContext::IDX_THEN) || + IsCrossOriginWhitelistedSymbol(cx, id); +} + +bool AppendCrossOriginWhitelistedPropNames(JSContext* cx, + JS::MutableHandleIdVector props) { + // Add "then" if it's not already in the list. + RootedIdVector thenProp(cx); + if (!thenProp.append(GetJSIDByIndex(cx, XPCJSContext::IDX_THEN))) { + return false; + } + + if (!AppendUnique(cx, props, thenProp)) { + return false; + } + + // Now add the three symbol-named props cross-origin objects have. 
+#ifdef DEBUG + for (size_t n = 0; n < props.length(); ++n) { + MOZ_ASSERT(!props[n].isSymbol(), "Unexpected existing symbol-name prop"); + } +#endif + if (!props.reserve( + props.length() + + mozilla::ArrayLength(sCrossOriginWhitelistedSymbolCodes))) { + return false; + } + + for (auto code : sCrossOriginWhitelistedSymbolCodes) { + props.infallibleAppend(JS::GetWellKnownSymbolKey(cx, code)); + } + + return true; +} + +// Note: Previously, FilteringWrapper supported complex access policies where +// certain properties on an object were accessible and others weren't. Today, +// the only supported policies are Opaque and OpaqueWithCall, none of which need +// that. So we just stub out the unreachable paths. +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::getOwnPropertyDescriptor( + JSContext* cx, HandleObject wrapper, HandleId id, + MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc) const { + MOZ_CRASH("FilteringWrappers are now always opaque"); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::ownPropertyKeys( + JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const { + MOZ_CRASH("FilteringWrappers are now always opaque"); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::getOwnEnumerablePropertyKeys( + JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const { + MOZ_CRASH("FilteringWrappers are now always opaque"); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::enumerate( + JSContext* cx, HandleObject wrapper, + JS::MutableHandleIdVector props) const { + MOZ_CRASH("FilteringWrappers are now always opaque"); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::call(JSContext* cx, + JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const { + if (!Policy::checkCall(cx, wrapper, args)) { + return false; + } + return Base::call(cx, wrapper, args); +} 
+ +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::construct(JSContext* cx, + JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const { + if (!Policy::checkCall(cx, wrapper, args)) { + return false; + } + return Base::construct(cx, wrapper, args); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::nativeCall( + JSContext* cx, JS::IsAcceptableThis test, JS::NativeImpl impl, + const JS::CallArgs& args) const { + if (Policy::allowNativeCall(cx, test, impl)) { + return Base::Permissive::nativeCall(cx, test, impl, args); + } + return Base::Restrictive::nativeCall(cx, test, impl, args); +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::getPrototype( + JSContext* cx, JS::HandleObject wrapper, + JS::MutableHandleObject protop) const { + // Filtering wrappers do not allow access to the prototype. + protop.set(nullptr); + return true; +} + +template <typename Base, typename Policy> +bool FilteringWrapper<Base, Policy>::enter(JSContext* cx, HandleObject wrapper, + HandleId id, Wrapper::Action act, + bool mayThrow, bool* bp) const { + if (!Policy::check(cx, wrapper, id, act)) { + *bp = + JS_IsExceptionPending(cx) ? false : Policy::deny(cx, act, id, mayThrow); + return false; + } + *bp = true; + return true; +} + +#define NNXOW FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque> +#define NNXOWC FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall> + +template <> +const NNXOW NNXOW::singleton(0); +template <> +const NNXOWC NNXOWC::singleton(0); + +template class NNXOW; +template class NNXOWC; +template class ChromeObjectWrapperBase; +} // namespace xpc diff --git a/js/xpconnect/wrappers/FilteringWrapper.h b/js/xpconnect/wrappers/FilteringWrapper.h new file mode 100644 index 0000000000..620837cc1b --- /dev/null +++ b/js/xpconnect/wrappers/FilteringWrapper.h 
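Review bot: `sCrossOriginWhitelistedSymbolCodes` is a mutable file-scope array although it is only ever read; declaring it `static constexpr JS::SymbolCode sCrossOriginWhitelistedSymbolCodes[] = {...}` (or at least `static const`) makes the cross-origin allow-list immutable and lets the `mozilla::ArrayLength` in AppendCrossOriginWhitelistedPropNames fold at compile time. In enter(), when `Policy::check` fails and an exception is already pending, `*bp` is set to false without calling `Policy::deny`; the ordering is presumably so that the pending exception is not replaced by the policy's own report, and a one-line comment such as `// Keep an already-pending exception rather than letting deny() report over it.` would make that intent explicit.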
@@ -0,0 +1,57 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __FilteringWrapper_h__ +#define __FilteringWrapper_h__ + +#include "XrayWrapper.h" +#include "mozilla/Attributes.h" +#include "mozilla/Maybe.h" +#include "js/CallNonGenericMethod.h" +#include "js/Wrapper.h" + +namespace xpc { + +template <typename Base, typename Policy> +class FilteringWrapper : public Base { + public: + constexpr explicit FilteringWrapper(unsigned flags) : Base(flags) {} + + virtual bool enter(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, js::Wrapper::Action act, + bool mayThrow, bool* bp) const override; + + virtual bool getOwnPropertyDescriptor( + JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id, + JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) + const override; + virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + + virtual bool getOwnEnumerablePropertyKeys( + JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + + virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const override; + virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const override; + + virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl, + const JS::CallArgs& args) const override; + + virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper, + JS::MutableHandleObject protop) const override; + + static 
const FilteringWrapper singleton;
+};
+
+} // namespace xpc
+
+#endif /* __FilteringWrapper_h__ */
diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.cpp b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
new file mode 100644
index 0000000000..17c273a5e0
--- /dev/null
+++ b/js/xpconnect/wrappers/WaiveXrayWrapper.cpp
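Review bot: FilteringWrapper is declared without any class-level comment, so the header gives no hint that several of its traps are deliberate MOZ_CRASH stubs in FilteringWrapper.cpp or that getPrototype always reports a null prototype. A short comment above the class — stating that every action is first gated by `Policy::check` in `enter()`, that `call`/`construct` are additionally gated by `Policy::checkCall`, that `nativeCall` chooses the permissive or restrictive base path via `Policy::allowNativeCall`, and that the descriptor/enumeration traps are unreachable for the opaque policies this template now supports — would let readers understand the type from the header alone.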
@@ -0,0 +1,95 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "WaiveXrayWrapper.h" +#include "WrapperFactory.h" +#include "jsapi.h" +#include "js/CallAndConstruct.h" // JS::IsCallable + +using namespace JS; + +namespace xpc { + +bool WaiveXrayWrapper::getOwnPropertyDescriptor( + JSContext* cx, HandleObject wrapper, HandleId id, + MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc) const { + if (!CrossCompartmentWrapper::getOwnPropertyDescriptor(cx, wrapper, id, + desc)) { + return false; + } + + if (desc.isNothing()) { + return true; + } + + Rooted<PropertyDescriptor> desc_(cx, *desc); + if (desc_.hasValue()) { + if (!WrapperFactory::WaiveXrayAndWrap(cx, desc_.value())) { + return false; + } + } + if (desc_.hasGetter() && desc_.getter()) { + RootedValue v(cx, JS::ObjectValue(*desc_.getter())); + if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) { + return false; + } + desc_.setGetter(&v.toObject()); + } + if (desc_.hasSetter() && desc_.setter()) { + RootedValue v(cx, JS::ObjectValue(*desc_.setter())); + if (!WrapperFactory::WaiveXrayAndWrap(cx, &v)) { + return false; + } + desc_.setSetter(&v.toObject()); + } + + desc.set(mozilla::Some(desc_.get())); + return true; +} + +bool WaiveXrayWrapper::get(JSContext* cx, HandleObject wrapper, + HandleValue receiver, HandleId id, + MutableHandleValue vp) const { + return CrossCompartmentWrapper::get(cx, wrapper, receiver, id, vp) && + WrapperFactory::WaiveXrayAndWrap(cx, vp); +} + +bool WaiveXrayWrapper::call(JSContext* cx, HandleObject wrapper, + const JS::CallArgs& args) const { + return CrossCompartmentWrapper::call(cx, wrapper, args) && + WrapperFactory::WaiveXrayAndWrap(cx, args.rval()); +} + +bool 
WaiveXrayWrapper::construct(JSContext* cx, HandleObject wrapper, + const JS::CallArgs& args) const { + return CrossCompartmentWrapper::construct(cx, wrapper, args) && + WrapperFactory::WaiveXrayAndWrap(cx, args.rval()); +} + +// NB: This is important as the other side of a handshake with FieldGetter. See +// nsXBLProtoImplField.cpp. +bool WaiveXrayWrapper::nativeCall(JSContext* cx, JS::IsAcceptableThis test, + JS::NativeImpl impl, + const JS::CallArgs& args) const { + return CrossCompartmentWrapper::nativeCall(cx, test, impl, args) && + WrapperFactory::WaiveXrayAndWrap(cx, args.rval()); +} + +bool WaiveXrayWrapper::getPrototype(JSContext* cx, HandleObject wrapper, + MutableHandleObject protop) const { + return CrossCompartmentWrapper::getPrototype(cx, wrapper, protop) && + (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop)); +} + +bool WaiveXrayWrapper::getPrototypeIfOrdinary( + JSContext* cx, HandleObject wrapper, bool* isOrdinary, + MutableHandleObject protop) const { + return CrossCompartmentWrapper::getPrototypeIfOrdinary(cx, wrapper, + isOrdinary, protop) && + (!protop || WrapperFactory::WaiveXrayAndWrap(cx, protop)); +} + +} // namespace xpc diff --git a/js/xpconnect/wrappers/WaiveXrayWrapper.h b/js/xpconnect/wrappers/WaiveXrayWrapper.h new file mode 100644 index 0000000000..02784fdd8f --- /dev/null +++ b/js/xpconnect/wrappers/WaiveXrayWrapper.h 
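Review bot: The comment above nativeCall directs readers to a FieldGetter handshake in `nsXBLProtoImplField.cpp`; XBL was removed from mozilla-central some time ago, so that file and the handshake may no longer exist, and the reference should be re-verified and either updated with the current reason the result must be waived or reduced to something self-contained such as `// Waive Xrays on the result so callers through this wrapper see the same view they get from get()/call().` The same waiver-on-result pattern is repeated across get, call, construct and nativeCall without a shared explanation, so stating the rationale once at the top of the file would also cover those.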
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __CrossOriginWrapper_h__
+#define __CrossOriginWrapper_h__
+
+#include "mozilla/Attributes.h"
+#include "mozilla/Maybe.h"
+
+#include "js/Wrapper.h"
+
+namespace xpc {
+
+class WaiveXrayWrapper : public js::CrossCompartmentWrapper {
+ public:
+ explicit constexpr WaiveXrayWrapper(unsigned flags)
+ : js::CrossCompartmentWrapper(flags) {}
+
+ virtual bool getOwnPropertyDescriptor(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc)
+ const override;
+ virtual bool getPrototype(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::MutableHandle<JSObject*> protop) const override;
+ virtual bool getPrototypeIfOrdinary(
+ JSContext* cx, JS::Handle<JSObject*> wrapper, bool* isOrdinary,
+ JS::MutableHandle<JSObject*> protop) const override;
+ virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ JS::Handle<JS::Value> receiver, JS::Handle<jsid> id,
+ JS::MutableHandle<JS::Value> vp) const override;
+ virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+ virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper,
+ const JS::CallArgs& args) const override;
+
+ virtual bool nativeCall(JSContext* cx, JS::IsAcceptableThis test,
+ JS::NativeImpl impl,
+ const JS::CallArgs& args) const override;
+
+ static const WaiveXrayWrapper singleton;
+};
+
+} // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
new file mode 100644
index 0000000000..1f9ab5b24c
--- /dev/null
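Review bot: The include guard is `__CrossOriginWrapper_h__` while the file is WaiveXrayWrapper.h; every other header in this commit names its guard after the file (`__AccessCheck_h__`, `__FilteringWrapper_h__`, `__ChromeObjectWrapper_h__`), so this looks like a leftover from a rename and would silently collide if a CrossOriginWrapper.h were ever added. Renaming it to `__WaiveXrayWrapper_h__` in the `#ifndef`/`#define` pair and closing with `#endif /* __WaiveXrayWrapper_h__ */`, as the sibling headers do, would make it consistent.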
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp 
@@ -0,0 +1,819 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WaiveXrayWrapper.h"
+#include "FilteringWrapper.h"
+#include "XrayWrapper.h"
+#include "AccessCheck.h"
+#include "XPCWrapper.h"
+#include "ChromeObjectWrapper.h"
+#include "WrapperFactory.h"
+
+#include "xpcprivate.h"
+#include "XPCMaps.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "jsfriendapi.h"
+#include "js/friend/WindowProxy.h" // js::IsWindow, js::IsWindowProxy
+#include "js/Object.h" // JS::GetPrivate, JS::GetCompartment
+#include "mozilla/Likely.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/MaybeCrossOriginObject.h"
+#include "nsContentUtils.h"
+#include "nsGlobalWindowInner.h"
+#include "nsXULAppAPI.h"
+
+using namespace JS;
+using namespace js;
+using namespace mozilla;
+
+namespace xpc {
+
+#ifndef MOZ_UNIFIED_BUILD
+extern template class FilteringWrapper<js::CrossCompartmentSecurityWrapper,
+ Opaque>;
+extern template class FilteringWrapper<js::CrossCompartmentSecurityWrapper,
+ OpaqueWithCall>;
+#endif
+
+// When chrome pulls a naked property across the membrane using
+// .wrappedJSObject, we want it to cross the membrane into the
+// chrome compartment without automatically being wrapped into an
+// X-ray wrapper. We achieve this by wrapping it into a special
+// transparent wrapper in the origin (non-chrome) compartment. When
+// an object with that special wrapper applied crosses into chrome,
+// we know to not apply an X-ray wrapper.
+const Wrapper XrayWaiver(WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG);
+
+// When objects for which we waived the X-ray wrapper cross into
+// chrome, we wrap them into a special cross-compartment wrapper
+// that transitively extends the waiver to all properties we get
+// off it.
+const WaiveXrayWrapper WaiveXrayWrapper::singleton(0);
+
+bool WrapperFactory::IsOpaqueWrapper(JSObject* obj) {
+ return IsWrapper(obj) &&
+ Wrapper::wrapperHandler(obj) == &PermissiveXrayOpaque::singleton;
+}
+
+bool WrapperFactory::IsCOW(JSObject* obj) {
+ return IsWrapper(obj) &&
+ Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
+}
+
+JSObject* WrapperFactory::GetXrayWaiver(HandleObject obj) {
+ // Object should come fully unwrapped but outerized.
+ MOZ_ASSERT(obj == UncheckedUnwrap(obj));
+ MOZ_ASSERT(!js::IsWindow(obj));
+ XPCWrappedNativeScope* scope = ObjectScope(obj);
+ MOZ_ASSERT(scope);
+
+ if (!scope->mWaiverWrapperMap) {
+ return nullptr;
+ }
+
+ return scope->mWaiverWrapperMap->Find(obj);
+}
+
+JSObject* WrapperFactory::CreateXrayWaiver(JSContext* cx, HandleObject obj,
+ bool allowExisting) {
+ // The caller is required to have already done a lookup, unless it's
+ // trying to replace an existing waiver.
+ // NB: This implictly performs the assertions of GetXrayWaiver.
+ MOZ_ASSERT(bool(GetXrayWaiver(obj)) == allowExisting);
+ XPCWrappedNativeScope* scope = ObjectScope(obj);
+
+ JSAutoRealm ar(cx, obj);
+ JSObject* waiver = Wrapper::New(cx, obj, &XrayWaiver);
+ if (!waiver) {
+ return nullptr;
+ }
+
+ // Add the new waiver to the map. It's important that we only ever have
+ // one waiver for the lifetime of the target object.
+ if (!scope->mWaiverWrapperMap) {
+ scope->mWaiverWrapperMap = mozilla::MakeUnique<JSObject2JSObjectMap>();
+ }
+ if (!scope->mWaiverWrapperMap->Add(cx, obj, waiver)) {
+ return nullptr;
+ }
+ return waiver;
+}
+
+JSObject* WrapperFactory::WaiveXray(JSContext* cx, JSObject* objArg) {
+ RootedObject obj(cx, objArg);
+ obj = UncheckedUnwrap(obj);
+ MOZ_ASSERT(!js::IsWindow(obj));
+
+ JSObject* waiver = GetXrayWaiver(obj);
+ if (!waiver) {
+ waiver = CreateXrayWaiver(cx, obj);
+ }
+ JS::AssertObjectIsNotGray(waiver);
+ return waiver;
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JS::Compartment* target,
+ JS::Compartment* origin) {
+ return CompartmentPrivate::Get(target)->allowWaivers &&
+ CompartmentOriginInfo::Subsumes(target, origin);
+}
+
+/* static */
+bool WrapperFactory::AllowWaiver(JSObject* wrapper) {
+ MOZ_ASSERT(js::IsCrossCompartmentWrapper(wrapper));
+ return AllowWaiver(JS::GetCompartment(wrapper),
+ JS::GetCompartment(js::UncheckedUnwrap(wrapper)));
+}
+
+inline bool ShouldWaiveXray(JSContext* cx, JSObject* originalObj) {
+ unsigned flags;
+ (void)js::UncheckedUnwrap(originalObj, /* stopAtWindowProxy = */ true,
+ &flags);
+
+ // If the original object did not point through an Xray waiver, we're done.
+ if (!(flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG)) {
+ return false;
+ }
+
+ // If the original object was not a cross-compartment wrapper, that means
+ // that the caller explicitly created a waiver. Preserve it so that things
+ // like WaiveXrayAndWrap work.
+ if (!(flags & Wrapper::CROSS_COMPARTMENT)) {
+ return true;
+ }
+
+ // Otherwise, this is a case of explicitly passing a wrapper across a
+ // compartment boundary. In that case, we only want to preserve waivers
+ // in transactions between same-origin compartments.
+ JS::Compartment* oldCompartment = JS::GetCompartment(originalObj);
+ JS::Compartment* newCompartment = js::GetContextCompartment(cx);
+ bool sameOrigin = false;
+ if (OriginAttributes::IsRestrictOpenerAccessForFPI()) {
+ sameOrigin =
+ CompartmentOriginInfo::Subsumes(oldCompartment, newCompartment) &&
+ CompartmentOriginInfo::Subsumes(newCompartment, oldCompartment);
+ } else {
+ sameOrigin = CompartmentOriginInfo::SubsumesIgnoringFPD(oldCompartment,
+ newCompartment) &&
+ CompartmentOriginInfo::SubsumesIgnoringFPD(newCompartment,
+ oldCompartment);
+ }
+ return sameOrigin;
+}
+
+// Special handling is needed when wrapping local and remote window proxies.
+// This function returns true if it found a window proxy and dealt with it.
+static bool MaybeWrapWindowProxy(JSContext* cx, HandleObject origObj,
+ HandleObject obj, MutableHandleObject retObj) {
+ bool isWindowProxy = js::IsWindowProxy(obj);
+
+ if (!isWindowProxy &&
+ !dom::IsRemoteObjectProxy(obj, dom::prototypes::id::Window)) {
+ return false;
+ }
+
+ dom::BrowsingContext* bc = nullptr;
+ if (isWindowProxy) {
+ nsGlobalWindowInner* win =
+ WindowOrNull(js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false));
+ if (win && win->GetOuterWindow()) {
+ bc = win->GetOuterWindow()->GetBrowsingContext();
+ }
+ if (!bc) {
+ retObj.set(obj);
+ return true;
+ }
+ } else {
+ bc = dom::GetBrowsingContext(obj);
+ MOZ_ASSERT(bc);
+ }
+
+ // We should only have a remote window proxy if bc is in a state where we
+ // expect remote window proxies. Otherwise, they should have been cleaned up
+ // by a call to CleanUpDanglingRemoteOuterWindowProxies().
+ MOZ_RELEASE_ASSERT(isWindowProxy || bc->CanHaveRemoteOuterProxies());
+
+ if (bc->IsInProcess()) {
+ retObj.set(obj);
+ } else {
+ // If bc is not in process, then use a remote window proxy, whether or not
+ // obj is one already.
+ if (!dom::GetRemoteOuterWindowProxy(cx, bc, origObj, retObj)) {
+ MOZ_CRASH("GetRemoteOuterWindowProxy failed");
+ }
+ }
+
+ return true;
+}
+
+void WrapperFactory::PrepareForWrapping(JSContext* cx, HandleObject scope,
+ HandleObject origObj,
+ HandleObject objArg,
+ HandleObject objectPassedToWrap,
+ MutableHandleObject retObj) {
+ // The JS engine calls ToWindowProxyIfWindow and deals with dead wrappers.
+ MOZ_ASSERT(!js::IsWindow(objArg));
+ MOZ_ASSERT(!JS_IsDeadWrapper(objArg));
+
+ bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
+ RootedObject obj(cx, objArg);
+ retObj.set(nullptr);
+
+ // There are a few cases related to window proxies that are handled first to
+ // allow us to assert against wrappers below.
+ if (MaybeWrapWindowProxy(cx, origObj, obj, retObj)) {
+ if (waive) {
+ // We don't put remote window proxies in a waiving wrapper.
+ MOZ_ASSERT(js::IsWindowProxy(obj));
+ retObj.set(WaiveXray(cx, retObj));
+ }
+ return;
+ }
+
+ // Here are the rules for wrapping:
+ // We should never get a proxy here (the JS engine unwraps those for us).
+ MOZ_ASSERT(!IsWrapper(obj));
+
+ // Now, our object is ready to be wrapped, but several objects (notably
+ // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
+ // those objects in a security wrapper, then we need to hand back the
+ // wrapper for the new scope instead. Also, global objects don't move
+ // between scopes so for those we also want to return the wrapper. So...
+ if (!IsWrappedNativeReflector(obj) || JS_IsGlobalObject(obj)) {
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ XPCWrappedNative* wn = XPCWrappedNative::Get(obj);
+
+ JSAutoRealm ar(cx, obj);
+ XPCCallContext ccx(cx, obj);
+ RootedObject wrapScope(cx, scope);
+
+ if (ccx.GetScriptable() && ccx.GetScriptable()->WantPreCreate()) {
+ // We have a precreate hook. This object might enforce that we only
+ // ever create JS object for it.
+
+ // Note: this penalizes objects that only have one wrapper, but are
+ // being accessed across compartments. We would really prefer to
+ // replace the above code with a test that says "do you only have one
+ // wrapper?"
+ nsresult rv = wn->GetScriptable()->PreCreate(wn->Native(), cx, scope,
+ wrapScope.address());
+ if (NS_FAILED(rv)) {
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ // If the handed back scope differs from the passed-in scope and is in
+ // a separate compartment, then this object is explicitly requesting
+ // that we don't create a second JS object for it: create a security
+ // wrapper.
+ //
+ // Note: The only two objects that still use PreCreate are BackstagePass
+ // and Components, both of which unconditionally request their canonical
+ // scope. Since SpiderMonkey only invokes the prewrap callback in
+ // situations where the object is nominally cross-compartment, we should
+ // always get a different scope here.
+ MOZ_RELEASE_ASSERT(JS::GetCompartment(scope) !=
+ JS::GetCompartment(wrapScope));
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+ return;
+ }
+
+ // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
+ // so we don't have to.
+ RootedValue v(cx);
+ nsresult rv = nsXPConnect::XPConnect()->WrapNativeToJSVal(
+ cx, wrapScope, wn->Native(), nullptr, &NS_GET_IID(nsISupports), false,
+ &v);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ obj.set(&v.toObject());
+ MOZ_ASSERT(IsWrappedNativeReflector(obj), "bad object");
+ JS::AssertObjectIsNotGray(obj); // We should never return gray reflectors.
+
+ // Because the underlying native didn't have a PreCreate hook, we had
+ // to a new (or possibly pre-existing) XPCWN in our compartment.
+ // This could be a problem for chrome code that passes XPCOM objects
+ // across compartments, because the effects of QI would disappear across
+ // compartments.
+ //
+ // So whenever we pull an XPCWN across compartments in this manner, we
+ // give the destination object the union of the two native sets. We try
+ // to do this cleverly in the common case to avoid too much overhead.
+ XPCWrappedNative* newwn = XPCWrappedNative::Get(obj);
+ RefPtr<XPCNativeSet> unionSet =
+ XPCNativeSet::GetNewOrUsed(cx, newwn->GetSet(), wn->GetSet(), false);
+ if (!unionSet) {
+ return;
+ }
+ newwn->SetSet(unionSet.forget());
+
+ retObj.set(waive ? WaiveXray(cx, obj) : obj);
+}
+
+// This check is completely symmetric, so we don't need to keep track of origin
+// vs target here. Two compartments may have had transparent CCWs between them
+// only if they are same-origin (ignoring document.domain) or have both had
+// document.domain set at some point and are same-site. In either case they
+// will have the same SiteIdentifier, so check that first.
+static bool CompartmentsMayHaveHadTransparentCCWs(
+ CompartmentPrivate* private1, CompartmentPrivate* private2) {
+ auto& info1 = private1->originInfo;
+ auto& info2 = private2->originInfo;
+
+ if (!info1.SiteRef().Equals(info2.SiteRef())) {
+ return false;
+ }
+
+ return info1.GetPrincipalIgnoringDocumentDomain()->FastEquals(
+ info2.GetPrincipalIgnoringDocumentDomain()) ||
+ (info1.HasChangedDocumentDomain() && info2.HasChangedDocumentDomain());
+}
+
+#ifdef DEBUG
+static void DEBUG_CheckUnwrapSafety(HandleObject obj,
+ const js::Wrapper* handler,
+ JS::Realm* origin, JS::Realm* target) {
+ JS::Compartment* targetCompartment = JS::GetCompartmentForRealm(target);
+ if (!js::AllowNewWrapper(targetCompartment, obj)) {
+ // The JS engine should have returned a dead wrapper in this case and we
+ // shouldn't even get here.
+ MOZ_ASSERT_UNREACHABLE("CheckUnwrapSafety called for a dead wrapper");
+ } else if (AccessCheck::isChrome(targetCompartment)) {
+ // If the caller is chrome (or effectively so), unwrap should always be
+ // allowed, but we might have a CrossOriginObjectWrapper here which allows
+ // it dynamically.
+ MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ } else {
+ // Otherwise, it should depend on whether the target subsumes the origin.
+ bool subsumes =
+ (OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(target, origin)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(target,
+ origin));
+ if (!subsumes) {
+ // If the target (which is where the wrapper lives) does not subsume the
+ // origin (which is where the wrapped object lives), then we should
+ // generally have a security check on the wrapper here. There is one
+ // exception, though: things that used to be same-origin and then stopped
+ // due to document.domain changes. In that case we will have a
+ // transparent cross-compartment wrapper here even though "subsumes" is no
+ // longer true.
+ CompartmentPrivate* originCompartmentPrivate =
+ CompartmentPrivate::Get(origin);
+ CompartmentPrivate* targetCompartmentPrivate =
+ CompartmentPrivate::Get(target);
+ if (!originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays &&
+ CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+ targetCompartmentPrivate)) {
+ // We should have a transparent CCW, unless we have a cross-origin
+ // object, in which case it will be a CrossOriginObjectWrapper.
+ MOZ_ASSERT(handler == &CrossCompartmentWrapper::singleton ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ } else {
+ MOZ_ASSERT(handler->hasSecurityPolicy());
+ }
+ } else {
+ // Even if target subsumes origin, we might have a wrapper with a security
+ // policy here, if it happens to be a CrossOriginObjectWrapper.
+ MOZ_ASSERT(!handler->hasSecurityPolicy() ||
+ handler == &CrossOriginObjectWrapper::singleton);
+ }
+ }
+}
+#else
+# define DEBUG_CheckUnwrapSafety(obj, handler, origin, target) \
+ {}
+#endif
+
+const CrossOriginObjectWrapper CrossOriginObjectWrapper::singleton;
+
+bool CrossOriginObjectWrapper::dynamicCheckedUnwrapAllowed(
+ HandleObject obj, JSContext* cx) const {
+ MOZ_ASSERT(js::GetProxyHandler(obj) == this,
+ "Why are we getting called for some random object?");
+ JSObject* target = wrappedObject(obj);
+ return dom::MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(cx,
+ target);
+}
+
+static const Wrapper* SelectWrapper(bool securityWrapper, XrayType xrayType,
+ bool waiveXrays, JSObject* obj) {
+ // Waived Xray uses a modified CCW that has transparent behavior but
+ // transitively waives Xrays on arguments.
+ if (waiveXrays) {
+ MOZ_ASSERT(!securityWrapper);
+ return &WaiveXrayWrapper::singleton;
+ }
+
+ // If we don't want or can't use Xrays, select a wrapper that's either
+ // entirely transparent or entirely opaque.
+ if (xrayType == NotXray) {
+ if (!securityWrapper) {
+ return &CrossCompartmentWrapper::singleton;
+ }
+ return &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ Opaque>::singleton;
+ }
+
+ // Ok, we're using Xray. If this isn't a security wrapper, use the permissive
+ // version and skip the filter.
+ if (!securityWrapper) {
+ if (xrayType == XrayForDOMObject) {
+ return &PermissiveXrayDOM::singleton;
+ } else if (xrayType == XrayForJSObject) {
+ return &PermissiveXrayJS::singleton;
+ }
+ MOZ_ASSERT(xrayType == XrayForOpaqueObject);
+ return &PermissiveXrayOpaque::singleton;
+ }
+
+ // There's never any reason to expose other objects to non-subsuming actors.
+ // Just use an opaque wrapper in these cases.
+ return &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+}
+
+JSObject* WrapperFactory::Rewrap(JSContext* cx, HandleObject existing,
+ HandleObject obj) {
+ MOZ_ASSERT(!IsWrapper(obj) || GetProxyHandler(obj) == &XrayWaiver ||
+ js::IsWindowProxy(obj),
+ "wrapped object passed to rewrap");
+ MOZ_ASSERT(!js::IsWindow(obj));
+ MOZ_ASSERT(dom::IsJSAPIActive());
+
+ // Compute the information we need to select the right wrapper.
+ JS::Realm* origin = js::GetNonCCWObjectRealm(obj);
+ JS::Realm* target = js::GetContextRealm(cx);
+ MOZ_ASSERT(target, "Why is our JSContext not in a Realm?");
+ bool originIsChrome = AccessCheck::isChrome(origin);
+ bool targetIsChrome = AccessCheck::isChrome(target);
+ bool originSubsumesTarget =
+ OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(origin, target)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(origin, target);
+ bool targetSubsumesOrigin =
+ OriginAttributes::IsRestrictOpenerAccessForFPI()
+ ? AccessCheck::subsumesConsideringDomain(target, origin)
+ : AccessCheck::subsumesConsideringDomainIgnoringFPD(target, origin);
+ bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
+
+ const Wrapper* wrapper;
+
+ CompartmentPrivate* originCompartmentPrivate =
+ CompartmentPrivate::Get(origin);
+ CompartmentPrivate* targetCompartmentPrivate =
+ CompartmentPrivate::Get(target);
+
+ // Track whether we decided to use a transparent wrapper because of
+ // document.domain usage, so we don't override that decision.
+ bool isTransparentWrapperDueToDocumentDomain = false;
+
+ //
+ // First, handle the special cases.
+ //
+
+ // Special handling for chrome objects being exposed to content.
+ if (originIsChrome && !targetIsChrome) {
+ // If this is a chrome function being exposed to content, we need to allow
+ // call (but nothing else).
+ JSProtoKey key = IdentifyStandardInstance(obj);
+ if (key == JSProto_Function || key == JSProto_BoundFunction) {
+ wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ OpaqueWithCall>::singleton;
+ }
+
+ // For vanilla JSObjects exposed from chrome to content, we use a wrapper
+ // that fails silently in a few cases. We'd like to get rid of this
+ // eventually, but in their current form they don't cause much trouble.
+ else if (key == JSProto_Object) {
+ wrapper = &ChromeObjectWrapper::singleton;
+ }
+
+ // Otherwise we get an opaque wrapper.
+ else {
+ wrapper =
+ &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
+ }
+ }
+
+ // Special handling for the web's cross-origin objects (WindowProxy and
+ // Location). We only need or want to do this in web-like contexts, where all
+ // security relationships are symmetric and there are no forced Xrays.
+ else if (originSubsumesTarget == targetSubsumesOrigin &&
+ // Check for the more rare case of cross-origin objects before doing
+ // the more-likely-to-pass checks for wantXrays.
+ IsCrossOriginAccessibleObject(obj) &&
+ (!targetSubsumesOrigin || (!originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays))) {
+ wrapper = &CrossOriginObjectWrapper::singleton;
+ }
+
+ // Special handling for other web objects. Again, we only want this in
+ // web-like contexts (symmetric security relationships, no forced Xrays). In
+ // this situation, if the two compartments may ever have had transparent CCWs
+ // between them, we want to keep using transparent CCWs.
+ else if (originSubsumesTarget == targetSubsumesOrigin &&
+ !originCompartmentPrivate->wantXrays &&
+ !targetCompartmentPrivate->wantXrays &&
+ CompartmentsMayHaveHadTransparentCCWs(originCompartmentPrivate,
+ targetCompartmentPrivate)) {
+ isTransparentWrapperDueToDocumentDomain = true;
+ wrapper = &CrossCompartmentWrapper::singleton;
+ }
+
+ //
+ // Now, handle the regular cases.
+ //
+ // These are wrappers we can compute using a rule-based approach. In order
+ // to do so, we need to compute some parameters.
+ //
+ else {
+ // The wrapper is a security wrapper (protecting the wrappee) if and
+ // only if the target does not subsume the origin.
+ bool securityWrapper = !targetSubsumesOrigin;
+
+ // Xrays are warranted if either the target or the origin don't trust
+ // each other. This is generally the case, unless the two are same-origin
+ // and the caller has not requested same-origin Xrays.
+ //
+ // Xrays are a bidirectional protection, since it affords clarity to the
+ // caller and privacy to the callee.
+ bool sameOriginXrays = originCompartmentPrivate->wantXrays ||
+ targetCompartmentPrivate->wantXrays;
+ bool wantXrays = !sameOrigin || sameOriginXrays;
+
+ XrayType xrayType = wantXrays ? GetXrayType(obj) : NotXray;
+
+ // If Xrays are warranted, the caller may waive them for non-security
+ // wrappers (unless explicitly forbidden from doing so).
+ bool waiveXrays = wantXrays && !securityWrapper &&
+ targetCompartmentPrivate->allowWaivers &&
+ HasWaiveXrayFlag(obj);
+
+ wrapper = SelectWrapper(securityWrapper, xrayType, waiveXrays, obj);
+ }
+
+ if (!targetSubsumesOrigin && !isTransparentWrapperDueToDocumentDomain) {
+ // Do a belt-and-suspenders check against exposing eval()/Function() to
+ // non-subsuming content.
+ if (JSFunction* fun = JS_GetObjectFunction(obj)) {
+ if (JS_IsBuiltinEvalFunction(fun) ||
+ JS_IsBuiltinFunctionConstructor(fun)) {
+ NS_WARNING(
+ "Trying to expose eval or Function to non-subsuming content!");
+ wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
+ Opaque>::singleton;
+ }
+ }
+ }
+
+ DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
+
+ if (existing) {
+ return Wrapper::Renew(existing, obj, wrapper);
+ }
+
+ return Wrapper::New(cx, obj, wrapper);
+}
+
+// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
+// wrapped in an Xray wrapper. cx->compartment is the compartment that will be
+// using the returned object. If the object to be wrapped is already in the
+// correct compartment, then this returns the unwrapped object.
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx, MutableHandleValue vp) {
+ if (vp.isPrimitive()) {
+ return JS_WrapValue(cx, vp);
+ }
+
+ RootedObject obj(cx, &vp.toObject());
+ if (!WaiveXrayAndWrap(cx, &obj)) {
+ return false;
+ }
+
+ vp.setObject(*obj);
+ return true;
+}
+
+bool WrapperFactory::WaiveXrayAndWrap(JSContext* cx,
+ MutableHandleObject argObj) {
+ MOZ_ASSERT(argObj);
+ RootedObject obj(cx, js::UncheckedUnwrap(argObj));
+ MOZ_ASSERT(!js::IsWindow(obj));
+ if (js::IsObjectInContextCompartment(obj, cx)) {
+ argObj.set(obj);
+ return true;
+ }
+
+ // Even though waivers have no effect on access by scopes that don't subsume
+ // the underlying object, good defense-in-depth dictates that we should avoid
+ // handing out waivers to callers that can't use them. The transitive waiving
+ // machinery unconditionally calls WaiveXrayAndWrap on return values from
+ // waived functions, even though the return value might be not be same-origin
+ // with the function. So if we find ourselves trying to create a waiver for
+ // |cx|, we should check whether the caller has any business with waivers
+ // to things in |obj|'s compartment.
+ JS::Compartment* target = js::GetContextCompartment(cx);
+ JS::Compartment* origin = JS::GetCompartment(obj);
+ obj = AllowWaiver(target, origin) ? WaiveXray(cx, obj) : obj;
+ if (!obj) {
+ return false;
+ }
+
+ if (!JS_WrapObject(cx, &obj)) {
+ return false;
+ }
+ argObj.set(obj);
+ return true;
+}
+
+/*
+ * Calls to JS_TransplantObject* should go through these helpers here so that
+ * waivers get fixed up properly.
+ */ + +static bool FixWaiverAfterTransplant(JSContext* cx, HandleObject oldWaiver, + HandleObject newobj, + bool crossCompartmentTransplant) { + MOZ_ASSERT(Wrapper::wrapperHandler(oldWaiver) == &XrayWaiver); + MOZ_ASSERT(!js::IsCrossCompartmentWrapper(newobj)); + + if (crossCompartmentTransplant) { + // If the new compartment has a CCW for oldWaiver, nuke this CCW. This + // prevents confusing RemapAllWrappersForObject: it would call RemapWrapper + // with two same-compartment objects (the CCW and the new waiver). + // + // This can happen when loading a chrome page in a content frame and there + // exists a CCW from the chrome compartment to oldWaiver wrapping the window + // we just transplanted: + // + // Compartment 1 | Compartment 2 + // ---------------------------------------- + // CCW1 -----------> oldWaiver --> CCW2 --+ + // newWaiver | + // WindowProxy <--------------------------+ + js::NukeCrossCompartmentWrapperIfExists(cx, JS::GetCompartment(newobj), + oldWaiver); + } else { + // We kept the same object identity, so the waiver should be a + // waiver for our object, just in the wrong Realm. + MOZ_ASSERT(newobj == Wrapper::wrappedObject(oldWaiver)); + } + + // Create a waiver in the new compartment. We know there's not one already in + // the crossCompartmentTransplant case because we _just_ transplanted, which + // means that |newobj| was either created from scratch, or was previously + // cross-compartment wrapper (which should have no waiver). On the other hand, + // in the !crossCompartmentTransplant case we know one already exists. + // CreateXrayWaiver asserts all this. + RootedObject newWaiver( + cx, WrapperFactory::CreateXrayWaiver( + cx, newobj, /* allowExisting = */ !crossCompartmentTransplant)); + if (!newWaiver) { + return false; + } + + if (!crossCompartmentTransplant) { + // CreateXrayWaiver should have updated the map to point to the new waiver. 
+ MOZ_ASSERT(WrapperFactory::GetXrayWaiver(newobj) == newWaiver);
+ }
+
+ // Update all the cross-compartment references to oldWaiver to point to
+ // newWaiver.
+ if (!js::RemapAllWrappersForObject(cx, oldWaiver, newWaiver)) {
+ return false;
+ }
+
+ if (crossCompartmentTransplant) {
+ // There should be no same-compartment references to oldWaiver, and we
+ // just remapped all cross-compartment references. It's dead, so we can
+ // remove it from the map.
+ XPCWrappedNativeScope* scope = ObjectScope(oldWaiver);
+ JSObject* key = Wrapper::wrappedObject(oldWaiver);
+ MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+ scope->mWaiverWrapperMap->Remove(key);
+ }
+
+ return true;
+}
+
+JSObject* TransplantObject(JSContext* cx, JS::HandleObject origobj,
+ JS::HandleObject target) {
+ RootedObject oldWaiver(cx, WrapperFactory::GetXrayWaiver(origobj));
+ MOZ_ASSERT_IF(oldWaiver, GetNonCCWObjectRealm(oldWaiver) ==
+ GetNonCCWObjectRealm(origobj));
+ RootedObject newIdentity(cx, JS_TransplantObject(cx, origobj, target));
+ if (!newIdentity || !oldWaiver) {
+ return newIdentity;
+ }
+
+ bool crossCompartmentTransplant = (newIdentity != origobj);
+ if (!crossCompartmentTransplant) {
+ // We might still have been transplanted across realms within a single
+ // compartment.
+ if (GetNonCCWObjectRealm(oldWaiver) == GetNonCCWObjectRealm(newIdentity)) {
+ // The old waiver is same-realm with the new object; nothing else to do
+ // here.
+ return newIdentity;
+ }
+ }
+
+ if (!FixWaiverAfterTransplant(cx, oldWaiver, newIdentity,
+ crossCompartmentTransplant)) {
+ return nullptr;
+ }
+ return newIdentity;
+}
+
+JSObject* TransplantObjectRetainingXrayExpandos(JSContext* cx,
+ JS::HandleObject origobj,
+ JS::HandleObject target) {
+ // Save the chain of objects that carry origobj's Xray expando properties
+ // (from all compartments). TransplantObject will blow this away; we'll
+ // restore it manually afterwards.
+ RootedObject expandoChain(
+ cx, GetXrayTraits(origobj)->detachExpandoChain(origobj));
+
+ RootedObject newIdentity(cx, TransplantObject(cx, origobj, target));
+
+ // Copy Xray expando properties to the new wrapper.
+ if (!GetXrayTraits(newIdentity)
+ ->cloneExpandoChain(cx, newIdentity, expandoChain)) {
+ // Failure here means some expandos were not copied over. The object graph
+ // and the Xray machinery are left in a consistent state, but mysteriously
+ // losing these expandos is too weird to allow.
+ MOZ_CRASH();
+ }
+
+ return newIdentity;
+}
+
+static void NukeXrayWaiver(JSContext* cx, JS::HandleObject obj) {
+ RootedObject waiver(cx, WrapperFactory::GetXrayWaiver(obj));
+ if (!waiver) {
+ return;
+ }
+
+ XPCWrappedNativeScope* scope = ObjectScope(waiver);
+ JSObject* key = Wrapper::wrappedObject(waiver);
+ MOZ_ASSERT(scope->mWaiverWrapperMap->Find(key));
+ scope->mWaiverWrapperMap->Remove(key);
+
+ js::NukeNonCCWProxy(cx, waiver);
+
+ // Get rid of any CCWs the waiver may have had.
+ if (!JS_RefreshCrossCompartmentWrappers(cx, waiver)) {
+ MOZ_CRASH();
+ }
+}
+
+JSObject* TransplantObjectNukingXrayWaiver(JSContext* cx,
+ JS::HandleObject origObj,
+ JS::HandleObject target) {
+ NukeXrayWaiver(cx, origObj);
+ return JS_TransplantObject(cx, origObj, target);
+}
+
+nsIGlobalObject* NativeGlobal(JSObject* obj) {
+ obj = JS::GetNonCCWObjectGlobal(obj);
+
+ // Every global needs to hold a native as its first reserved slot or be a
+ // WebIDL object with an nsISupports DOM object.
+ MOZ_ASSERT(JS::GetClass(obj)->slot0IsISupports() ||
+ dom::UnwrapDOMObjectToISupports(obj));
+
+ nsISupports* native = dom::UnwrapDOMObjectToISupports(obj);
+ if (!native) {
+ native = JS::GetObjectISupports<nsISupports>(obj);
+ MOZ_ASSERT(native);
+
+ // In some cases (like for windows) it is a wrapped native,
+ // in other cases (sandboxes, backstage passes) it's just
+ // a direct pointer to the native. If it's a wrapped native
+ // let's unwrap it first.
+ if (nsCOMPtr<nsIXPConnectWrappedNative> wn = do_QueryInterface(native)) {
+ native = wn->Native();
+ }
+ }
+
+ nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(native);
+ MOZ_ASSERT(global,
+ "Native held by global needs to implement nsIGlobalObject!");
+
+ return global;
+}
+
+nsIGlobalObject* CurrentNativeGlobal(JSContext* cx) {
+ return xpc::NativeGlobal(JS::CurrentGlobalOrNull(cx));
+}
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/WrapperFactory.h b/js/xpconnect/wrappers/WrapperFactory.h
new file mode 100644
index 0000000000..f1200bf765
--- /dev/null
+++ b/js/xpconnect/wrappers/WrapperFactory.h
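Review bot: `ShouldWaiveXray` is declared `inline bool` at namespace scope while the other file-local helpers in this file (`MaybeWrapWindowProxy`, `CompartmentsMayHaveHadTransparentCCWs`, `SelectWrapper`, `FixWaiverAfterTransplant`, `NukeXrayWaiver`) are `static`, so it alone keeps external linkage in `xpc`, and a same-named inline definition in another translation unit would be an ODR violation rather than a link error; `static bool ShouldWaiveXray(JSContext* cx, JSObject* originalObj) {` makes it consistent with its siblings. Separately, `PrepareForWrapping` has two early returns (after `WrapNativeToJSVal` fails and when `unionSet` is null) that leave `retObj` at the `nullptr` it was set to at the top, but nothing in the function states that a null `retObj` is the failure signal. A comment at `retObj.set(nullptr);` such as `// Every error path below returns with retObj still null.` would record that contract, assuming the caller does treat null as failure, which this file does not show.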
@@ -0,0 +1,114 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _xpc_WRAPPERFACTORY_H +#define _xpc_WRAPPERFACTORY_H + +#include "js/Wrapper.h" + +namespace xpc { + +/** + * A wrapper that's only used for cross-origin objects. This should be + * just like a CrossCompartmentWrapper but (as an implementation + * detail) doesn't actually do any compartment-entering and (as an + * implementation detail) delegates all the security decisions and + * compartment-entering to the target object, which is always a + * proxy. + * + * We could also inherit from CrossCompartmentWrapper but then we + * would need to override all the proxy hooks to avoid the + * compartment-entering bits. + */ +class CrossOriginObjectWrapper : public js::Wrapper { + public: + // We want to claim to have a security policy, so code doesn't just + // CheckedUnwrap us willy-nilly. But we're OK with the BaseProxyHandler + // implementation of enter(), which allows entering. Our target is what + // really does the security checks. + // + // We don't want to inherit from CrossCompartmentWrapper, because we don't + // want the compartment-entering behavior it has. But we do want to set the + // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for + // is<js::CrossCompartmentWrapperObject> and so forth. + constexpr explicit CrossOriginObjectWrapper() + : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false, + /* aHasSecurityPolicy = */ true) {} + + bool dynamicCheckedUnwrapAllowed(JS::Handle<JSObject*> obj, + JSContext* cx) const override; + + // Cross origin objects should not participate in private fields. 
+ virtual bool throwOnPrivateField() const override { return true; } + + static const CrossOriginObjectWrapper singleton; +}; + +class WrapperFactory { + public: + enum { + WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1, + IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1 + }; + + // Return true if any of any of the nested wrappers have the flag set. + static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) { + unsigned flags = 0; + js::UncheckedUnwrap(wrapper, true, &flags); + return !!(flags & flag); + } + + static bool IsXrayWrapper(JSObject* wrapper) { + return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG); + } + + static bool IsCrossOriginWrapper(JSObject* obj) { + return (js::IsProxy(obj) && + js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton); + } + + static bool IsOpaqueWrapper(JSObject* obj); + + static bool HasWaiveXrayFlag(JSObject* wrapper) { + return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG); + } + + static bool IsCOW(JSObject* wrapper); + + static JSObject* GetXrayWaiver(JS::Handle<JSObject*> obj); + // If allowExisting is true, there is an existing waiver for obj in + // its scope, but we want to replace it with the new one. + static JSObject* CreateXrayWaiver(JSContext* cx, JS::Handle<JSObject*> obj, + bool allowExisting = false); + static JSObject* WaiveXray(JSContext* cx, JSObject* obj); + + // Computes whether we should allow the creation of an Xray waiver from + // |target| to |origin|. + static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin); + + // Convenience method for the above, operating on a wrapper. + static bool AllowWaiver(JSObject* wrapper); + + // Prepare a given object for wrapping in a new compartment. 
+ static void PrepareForWrapping(JSContext* cx, JS::Handle<JSObject*> scope, + JS::Handle<JSObject*> origObj, + JS::Handle<JSObject*> obj, + JS::Handle<JSObject*> objectPassedToWrap, + JS::MutableHandle<JSObject*> retObj); + + // Rewrap an object that is about to cross compartment boundaries. + static JSObject* Rewrap(JSContext* cx, JS::Handle<JSObject*> existing, + JS::Handle<JSObject*> obj); + + // Wrap wrapped object into a waiver wrapper and then re-wrap it. + static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle<JS::Value> vp); + static bool WaiveXrayAndWrap(JSContext* cx, + JS::MutableHandle<JSObject*> object); +}; + +} // namespace xpc + +#endif /* _xpc_WRAPPERFACTORY_H */ diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp new file mode 100644 index 0000000000..cdedb02a5f --- /dev/null +++ b/js/xpconnect/wrappers/XrayWrapper.cpp 
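Review bot: In CrossOriginObjectWrapper the two overrides are declared inconsistently: `dynamicCheckedUnwrapAllowed` uses `override` alone while `throwOnPrivateField` is written `virtual bool throwOnPrivateField() const override`, where the `virtual` is redundant once `override` is present; I would drop it, `bool throwOnPrivateField() const override { return true; }`. In WrapperFactory::HasWrapperFlag the call `js::UncheckedUnwrap(wrapper, true, &flags)` passes a bare `true` for the stop-at-WindowProxy parameter, whereas XrayWrapper.cpp in this same commit annotates that argument as `/* stopAtWindowProxy = */`; matching that, `js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ true, &flags);`, makes the unwrap boundary readable at the call site, which matters since this flag check feeds IsXrayWrapper and HasWaiveXrayFlag. The comment above that helper also has a doubled phrase, "Return true if any of any of the nested wrappers", which should read "Return true if any of the nested wrappers have the flag set."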
@@ -0,0 +1,2351 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "XrayWrapper.h" +#include "AccessCheck.h" +#include "WrapperFactory.h" + +#include "nsDependentString.h" +#include "nsIConsoleService.h" +#include "nsIScriptError.h" + +#include "xpcprivate.h" + +#include "jsapi.h" +#include "js/CallAndConstruct.h" // JS::Call, JS::Construct, JS::IsCallable +#include "js/ColumnNumber.h" // JS::ColumnNumberOneOrigin +#include "js/experimental/TypedData.h" // JS_GetTypedArrayLength +#include "js/friend/WindowProxy.h" // js::IsWindowProxy +#include "js/friend/XrayJitInfo.h" // JS::XrayJitInfo +#include "js/Object.h" // JS::GetClass, JS::GetCompartment, JS::GetReservedSlot, JS::SetReservedSlot +#include "js/PropertyAndElement.h" // JS_AlreadyHasOwnPropertyById, JS_DefineProperty, JS_DefinePropertyById, JS_DeleteProperty, JS_DeletePropertyById, JS_HasProperty, JS_HasPropertyById +#include "js/PropertyDescriptor.h" // JS::PropertyDescriptor, JS_GetOwnPropertyDescriptorById, JS_GetPropertyDescriptorById +#include "js/PropertySpec.h" +#include "nsGlobalWindowInner.h" +#include "nsJSUtils.h" +#include "nsPrintfCString.h" + +#include "mozilla/FloatingPoint.h" +#include "mozilla/dom/BindingUtils.h" +#include "mozilla/dom/ProxyHandlerUtils.h" +#include "mozilla/dom/WindowProxyHolder.h" +#include "mozilla/dom/XrayExpandoClass.h" + +using namespace mozilla::dom; +using namespace JS; +using namespace mozilla; + +using js::BaseProxyHandler; +using js::CheckedUnwrapStatic; +using js::IsCrossCompartmentWrapper; +using js::UncheckedUnwrap; +using js::Wrapper; + +namespace xpc { + +#define Between(x, a, b) (a <= x && x <= b) + +static_assert(JSProto_URIError - JSProto_Error == 8, + "New prototype 
added in error object range"); +#define AssertErrorObjectKeyInBounds(key) \ + static_assert(Between(key, JSProto_Error, JSProto_URIError), \ + "We depend on js/ProtoKey.h ordering here"); +MOZ_FOR_EACH(AssertErrorObjectKeyInBounds, (), + (JSProto_Error, JSProto_InternalError, JSProto_AggregateError, + JSProto_EvalError, JSProto_RangeError, JSProto_ReferenceError, + JSProto_SyntaxError, JSProto_TypeError, JSProto_URIError)); + +static_assert(JSProto_Uint8ClampedArray - JSProto_Int8Array == 8, + "New prototype added in typed array range"); +#define AssertTypedArrayKeyInBounds(key) \ + static_assert(Between(key, JSProto_Int8Array, JSProto_Uint8ClampedArray), \ + "We depend on js/ProtoKey.h ordering here"); +MOZ_FOR_EACH(AssertTypedArrayKeyInBounds, (), + (JSProto_Int8Array, JSProto_Uint8Array, JSProto_Int16Array, + JSProto_Uint16Array, JSProto_Int32Array, JSProto_Uint32Array, + JSProto_Float32Array, JSProto_Float64Array, + JSProto_Uint8ClampedArray)); + +#undef Between + +inline bool IsErrorObjectKey(JSProtoKey key) { + return key >= JSProto_Error && key <= JSProto_URIError; +} + +inline bool IsTypedArrayKey(JSProtoKey key) { + return key >= JSProto_Int8Array && key <= JSProto_Uint8ClampedArray; +} + +// Whitelist for the standard ES classes we can Xray to. 
+static bool IsJSXraySupported(JSProtoKey key) { + if (IsTypedArrayKey(key)) { + return true; + } + if (IsErrorObjectKey(key)) { + return true; + } + switch (key) { + case JSProto_Date: + case JSProto_DataView: + case JSProto_Object: + case JSProto_Array: + case JSProto_Function: + case JSProto_BoundFunction: + case JSProto_TypedArray: + case JSProto_SavedFrame: + case JSProto_RegExp: + case JSProto_Promise: + case JSProto_ArrayBuffer: + case JSProto_SharedArrayBuffer: + case JSProto_Map: + case JSProto_Set: + case JSProto_WeakMap: + case JSProto_WeakSet: + return true; + default: + return false; + } +} + +XrayType GetXrayType(JSObject* obj) { + obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false); + if (mozilla::dom::UseDOMXray(obj)) { + return XrayForDOMObject; + } + + MOZ_ASSERT(!js::IsWindowProxy(obj)); + + JSProtoKey standardProto = IdentifyStandardInstanceOrPrototype(obj); + if (IsJSXraySupported(standardProto)) { + return XrayForJSObject; + } + + // Modulo a few exceptions, everything else counts as an XrayWrapper to an + // opaque object, which means that more-privileged code sees nothing from + // the underlying object. This is very important for security. In some cases + // though, we need to make an exception for compatibility. + if (IsSandbox(obj)) { + return NotXray; + } + + return XrayForOpaqueObject; +} + +JSObject* XrayAwareCalleeGlobal(JSObject* fun) { + MOZ_ASSERT(js::IsFunctionObject(fun)); + + if (!js::FunctionHasNativeReserved(fun)) { + // Just a normal function, no Xrays involved. + return JS::GetNonCCWObjectGlobal(fun); + } + + // The functions we expect here have the Xray wrapper they're associated with + // in their XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT and, in a debug build, + // themselves in their XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF. Assert that + // last bit. 
+ MOZ_ASSERT(&js::GetFunctionNativeReserved( + fun, XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF) + .toObject() == fun); + + Value v = + js::GetFunctionNativeReserved(fun, XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT); + MOZ_ASSERT(IsXrayWrapper(&v.toObject())); + + JSObject* xrayTarget = js::UncheckedUnwrap(&v.toObject()); + return JS::GetNonCCWObjectGlobal(xrayTarget); +} + +JSObject* XrayTraits::getExpandoChain(HandleObject obj) { + return ObjectScope(obj)->GetExpandoChain(obj); +} + +JSObject* XrayTraits::detachExpandoChain(HandleObject obj) { + return ObjectScope(obj)->DetachExpandoChain(obj); +} + +bool XrayTraits::setExpandoChain(JSContext* cx, HandleObject obj, + HandleObject chain) { + return ObjectScope(obj)->SetExpandoChain(cx, obj, chain); +} + +const JSClass XrayTraits::HolderClass = { + "XrayHolder", JSCLASS_HAS_RESERVED_SLOTS(HOLDER_SHARED_SLOT_COUNT)}; + +const JSClass JSXrayTraits::HolderClass = { + "JSXrayHolder", JSCLASS_HAS_RESERVED_SLOTS(SLOT_COUNT)}; + +bool OpaqueXrayTraits::resolveOwnProperty( + JSContext* cx, HandleObject wrapper, HandleObject target, + HandleObject holder, HandleId id, + MutableHandle<Maybe<PropertyDescriptor>> desc) { + bool ok = + XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc); + if (!ok || desc.isSome()) { + return ok; + } + + return ReportWrapperDenial(cx, id, WrapperDenialForXray, + "object is not safely Xrayable"); +} + +bool ReportWrapperDenial(JSContext* cx, HandleId id, WrapperDenialType type, + const char* reason) { + RealmPrivate* priv = RealmPrivate::Get(CurrentGlobalOrNull(cx)); + bool alreadyWarnedOnce = priv->wrapperDenialWarnings[type]; + priv->wrapperDenialWarnings[type] = true; + + // The browser console warning is only emitted for the first violation, + // whereas the (debug-only) NS_WARNING is emitted for each violation. 
+#ifndef DEBUG + if (alreadyWarnedOnce) { + return true; + } +#endif + + nsAutoJSString propertyName; + RootedValue idval(cx); + if (!JS_IdToValue(cx, id, &idval)) { + return false; + } + JSString* str = JS_ValueToSource(cx, idval); + if (!str) { + return false; + } + if (!propertyName.init(cx, str)) { + return false; + } + AutoFilename filename; + uint32_t line = 0; + JS::ColumnNumberOneOrigin column; + DescribeScriptedCaller(cx, &filename, &line, &column); + + // Warn to the terminal for the logs. + NS_WARNING( + nsPrintfCString("Silently denied access to property %s: %s (@%s:%u:%u)", + NS_LossyConvertUTF16toASCII(propertyName).get(), reason, + filename.get(), line, column.oneOriginValue()) + .get()); + + // If this isn't the first warning on this topic for this global, we've + // already bailed out in opt builds. Now that the NS_WARNING is done, bail + // out in debug builds as well. + if (alreadyWarnedOnce) { + return true; + } + + // + // Log a message to the console service. + // + + // Grab the pieces. + nsCOMPtr<nsIConsoleService> consoleService = + do_GetService(NS_CONSOLESERVICE_CONTRACTID); + NS_ENSURE_TRUE(consoleService, true); + nsCOMPtr<nsIScriptError> errorObject = + do_CreateInstance(NS_SCRIPTERROR_CONTRACTID); + NS_ENSURE_TRUE(errorObject, true); + + // Compute the current window id if any. + uint64_t windowId = 0; + if (nsGlobalWindowInner* win = CurrentWindowOrNull(cx)) { + windowId = win->WindowID(); + } + + Maybe<nsPrintfCString> errorMessage; + if (type == WrapperDenialForXray) { + errorMessage.emplace( + "XrayWrapper denied access to property %s (reason: %s). " + "See https://developer.mozilla.org/en-US/docs/Xray_vision " + "for more information. 
Note that only the first denied " + "property access from a given global object will be reported.", + NS_LossyConvertUTF16toASCII(propertyName).get(), reason); + } else { + MOZ_ASSERT(type == WrapperDenialForCOW); + errorMessage.emplace( + "Security wrapper denied access to property %s on privileged " + "Javascript object. Note that only the first denied property " + "access from a given global object will be reported.", + NS_LossyConvertUTF16toASCII(propertyName).get()); + } + nsString filenameStr(NS_ConvertASCIItoUTF16(filename.get())); + nsresult rv = errorObject->InitWithWindowID( + NS_ConvertASCIItoUTF16(errorMessage.ref()), filenameStr, u""_ns, line, + column.oneOriginValue(), nsIScriptError::warningFlag, "XPConnect", + windowId); + NS_ENSURE_SUCCESS(rv, true); + rv = consoleService->LogMessage(errorObject); + NS_ENSURE_SUCCESS(rv, true); + + return true; +} + +bool JSXrayTraits::getOwnPropertyFromWrapperIfSafe( + JSContext* cx, HandleObject wrapper, HandleId id, + MutableHandle<Maybe<PropertyDescriptor>> outDesc) { + MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx)); + RootedObject target(cx, getTargetObject(wrapper)); + RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx)); + { + JSAutoRealm ar(cx, target); + JS_MarkCrossZoneId(cx, id); + if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id, + outDesc)) { + return false; + } + } + return JS_WrapPropertyDescriptor(cx, outDesc); +} + +bool JSXrayTraits::getOwnPropertyFromTargetIfSafe( + JSContext* cx, HandleObject target, HandleObject wrapper, + HandleObject wrapperGlobal, HandleId id, + MutableHandle<Maybe<PropertyDescriptor>> outDesc) { + // Note - This function operates in the target compartment, because it + // avoids a bunch of back-and-forth wrapping in enumerateNames. 
+ MOZ_ASSERT(getTargetObject(wrapper) == target); + MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx)); + MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper)); + MOZ_ASSERT(JS_IsGlobalObject(wrapperGlobal)); + js::AssertSameCompartment(wrapper, wrapperGlobal); + MOZ_ASSERT(outDesc.isNothing()); + + Rooted<Maybe<PropertyDescriptor>> desc(cx); + if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &desc)) { + return false; + } + + // If the property doesn't exist at all, we're done. + if (desc.isNothing()) { + return true; + } + + // Disallow accessor properties. + if (desc->isAccessorDescriptor()) { + JSAutoRealm ar(cx, wrapperGlobal); + JS_MarkCrossZoneId(cx, id); + return ReportWrapperDenial(cx, id, WrapperDenialForXray, + "property has accessor"); + } + + // Apply extra scrutiny to objects. + if (desc->value().isObject()) { + RootedObject propObj(cx, js::UncheckedUnwrap(&desc->value().toObject())); + JSAutoRealm ar(cx, propObj); + + // Disallow non-subsumed objects. + if (!AccessCheck::subsumes(target, propObj)) { + JSAutoRealm ar(cx, wrapperGlobal); + JS_MarkCrossZoneId(cx, id); + return ReportWrapperDenial(cx, id, WrapperDenialForXray, + "value not same-origin with target"); + } + + // Disallow non-Xrayable objects. + XrayType xrayType = GetXrayType(propObj); + if (xrayType == NotXray || xrayType == XrayForOpaqueObject) { + JSAutoRealm ar(cx, wrapperGlobal); + JS_MarkCrossZoneId(cx, id); + return ReportWrapperDenial(cx, id, WrapperDenialForXray, + "value not Xrayable"); + } + + // Disallow callables. + if (JS::IsCallable(propObj)) { + JSAutoRealm ar(cx, wrapperGlobal); + JS_MarkCrossZoneId(cx, id); + return ReportWrapperDenial(cx, id, WrapperDenialForXray, + "value is callable"); + } + } + + // Disallow any property that shadows something on its (Xrayed) + // prototype chain. 
+ JSAutoRealm ar2(cx, wrapperGlobal); + JS_MarkCrossZoneId(cx, id); + RootedObject proto(cx); + bool foundOnProto = false; + if (!JS_GetPrototype(cx, wrapper, &proto) || + (proto && !JS_HasPropertyById(cx, proto, id, &foundOnProto))) { + return false; + } + if (foundOnProto) { + return ReportWrapperDenial( + cx, id, WrapperDenialForXray, + "value shadows a property on the standard prototype"); + } + + // We made it! Assign over the descriptor, and don't forget to wrap. + outDesc.set(desc); + return true; +} + +// Returns true on success (in the JSAPI sense), false on failure. If true is +// returned, desc.object() will indicate whether we actually resolved +// the property. +// +// id is the property id we're looking for. +// holder is the object to define the property on. +// fs is the relevant JSFunctionSpec*. +// ps is the relevant JSPropertySpec*. +// desc is the descriptor we're resolving into. +static bool TryResolvePropertyFromSpecs( + JSContext* cx, HandleId id, HandleObject holder, const JSFunctionSpec* fs, + const JSPropertySpec* ps, MutableHandle<Maybe<PropertyDescriptor>> desc) { + // Scan through the functions. + const JSFunctionSpec* fsMatch = nullptr; + for (; fs && fs->name; ++fs) { + if (PropertySpecNameEqualsId(fs->name, id)) { + fsMatch = fs; + break; + } + } + if (fsMatch) { + // Generate an Xrayed version of the method. + RootedFunction fun(cx, JS::NewFunctionFromSpec(cx, fsMatch, id)); + if (!fun) { + return false; + } + + // The generic Xray machinery only defines non-own properties of the target + // on the holder. This is broken, and will be fixed at some point, but for + // now we need to cache the value explicitly. See the corresponding call to + // JS_GetOwnPropertyDescriptorById at the top of + // JSXrayTraits::resolveOwnProperty. 
+ RootedObject funObj(cx, JS_GetFunctionObject(fun)); + return JS_DefinePropertyById(cx, holder, id, funObj, 0) && + JS_GetOwnPropertyDescriptorById(cx, holder, id, desc); + } + + // Scan through the properties. + const JSPropertySpec* psMatch = nullptr; + for (; ps && ps->name; ++ps) { + if (PropertySpecNameEqualsId(ps->name, id)) { + psMatch = ps; + break; + } + } + if (psMatch) { + // The generic Xray machinery only defines non-own properties on the holder. + // This is broken, and will be fixed at some point, but for now we need to + // cache the value explicitly. See the corresponding call to + // JS_GetPropertyById at the top of JSXrayTraits::resolveOwnProperty. + // + // Note also that the public-facing API here doesn't give us a way to + // pass along JITInfo. It's probably ok though, since Xrays are already + // pretty slow. + + unsigned attrs = psMatch->attributes(); + if (psMatch->isAccessor()) { + if (psMatch->isSelfHosted()) { + JSFunction* getterFun = JS::GetSelfHostedFunction( + cx, psMatch->u.accessors.getter.selfHosted.funname, id, 0); + if (!getterFun) { + return false; + } + RootedObject getterObj(cx, JS_GetFunctionObject(getterFun)); + RootedObject setterObj(cx); + if (psMatch->u.accessors.setter.selfHosted.funname) { + JSFunction* setterFun = JS::GetSelfHostedFunction( + cx, psMatch->u.accessors.setter.selfHosted.funname, id, 0); + if (!setterFun) { + return false; + } + setterObj = JS_GetFunctionObject(setterFun); + } + if (!JS_DefinePropertyById(cx, holder, id, getterObj, setterObj, + attrs)) { + return false; + } + } else { + if (!JS_DefinePropertyById( + cx, holder, id, psMatch->u.accessors.getter.native.op, + psMatch->u.accessors.setter.native.op, attrs)) { + return false; + } + } + } else { + RootedValue v(cx); + if (!psMatch->getValue(cx, &v)) { + return false; + } + if (!JS_DefinePropertyById(cx, holder, id, v, attrs)) { + return false; + } + } + + return JS_GetOwnPropertyDescriptorById(cx, holder, id, desc); + } + + return true; +} + 
+static bool ShouldResolvePrototypeProperty(JSProtoKey key) { + // Proxy constructors have no "prototype" property. + return key != JSProto_Proxy; +} + +static bool ShouldResolveStaticProperties(JSProtoKey key) { + if (!IsJSXraySupported(key)) { + // If we can't Xray this ES class, then we can't resolve statics on it. + return false; + } + + // Don't try to resolve static properties on RegExp, because they + // have issues. In particular, some of them grab state off the + // global of the RegExp constructor that describes the last regexp + // evaluation in that global, which is not a useful thing to do + // over Xrays. + return key != JSProto_RegExp; +} + +bool JSXrayTraits::resolveOwnProperty( + JSContext* cx, HandleObject wrapper, HandleObject target, + HandleObject holder, HandleId id, + MutableHandle<Maybe<PropertyDescriptor>> desc) { + // Call the common code. + bool ok = + XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc); + if (!ok || desc.isSome()) { + return ok; + } + + // The non-HasPrototypes semantics implemented by traditional Xrays are kind + // of broken with respect to |own|-ness and the holder. The common code + // muddles through by only checking the holder for non-|own| lookups, but + // that doesn't work for us. So we do an explicit holder check here, and hope + // that this mess gets fixed up soon. + if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) { + return false; + } + if (desc.isSome()) { + return true; + } + + JSProtoKey key = getProtoKey(holder); + if (!isPrototype(holder)) { + // For Object and Array instances, we expose some properties from the + // underlying object, but only after filtering them carefully. + // + // Note that, as far as JS observables go, Arrays are just Objects with + // a different prototype and a magic (own, non-configurable) |.length| that + // serves as a non-tight upper bound on |own| indexed properties. 
So while + // it's tempting to try to impose some sort of structure on what Arrays + // "should" look like over Xrays, the underlying object is squishy enough + // that it makes sense to just treat them like Objects for Xray purposes. + if (key == JSProto_Object || key == JSProto_Array) { + return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc); + } + if (IsTypedArrayKey(key)) { + if (IsArrayIndex(GetArrayIndexFromId(id))) { + // WebExtensions can't use cloneInto(), so we just let them do + // the slow thing to maximize compatibility. + if (CompartmentPrivate::Get(CurrentGlobalOrNull(cx)) + ->isWebExtensionContentScript) { + Rooted<Maybe<PropertyDescriptor>> innerDesc(cx); + { + JSAutoRealm ar(cx, target); + JS_MarkCrossZoneId(cx, id); + if (!JS_GetOwnPropertyDescriptorById(cx, target, id, &innerDesc)) { + return false; + } + } + if (innerDesc.isSome() && innerDesc->isDataDescriptor() && + innerDesc->value().isNumber()) { + desc.set(innerDesc); + } + return true; + } + JS_ReportErrorASCII( + cx, + "Accessing TypedArray data over Xrays is slow, and forbidden " + "in order to encourage performant code. To copy TypedArrays " + "across origin boundaries, consider using " + "Components.utils.cloneInto()."); + return false; + } + } else if (key == JSProto_Function) { + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) { + uint16_t length; + RootedFunction fun(cx, JS_GetObjectFunction(target)); + { + JSAutoRealm ar(cx, target); + if (!JS_GetFunctionLength(cx, fun, &length)) { + return false; + } + } + desc.set(Some(PropertyDescriptor::Data(NumberValue(length), {}))); + return true; + } + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAME)) { + JS::Rooted<JSFunction*> fun(cx, JS_GetObjectFunction(target)); + JS::Rooted<JSString*> fname(cx); + if (!JS_GetFunctionId(cx, fun, &fname)) { + return false; + } + if (fname) { + JS_MarkCrossZoneIdValue(cx, StringValue(fname)); + } + desc.set(Some(PropertyDescriptor::Data( + fname ? 
StringValue(fname) : JS_GetEmptyStringValue(cx), {}))); + } else { + // Look for various static properties/methods and the + // 'prototype' property. + JSProtoKey standardConstructor = constructorFor(holder); + if (standardConstructor != JSProto_Null) { + // Handle the 'prototype' property to make + // xrayedGlobal.StandardClass.prototype work. + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE) && + ShouldResolvePrototypeProperty(standardConstructor)) { + RootedObject standardProto(cx); + { + JSAutoRealm ar(cx, target); + if (!JS_GetClassPrototype(cx, standardConstructor, + &standardProto)) { + return false; + } + MOZ_ASSERT(standardProto); + } + + if (!JS_WrapObject(cx, &standardProto)) { + return false; + } + desc.set(Some( + PropertyDescriptor::Data(ObjectValue(*standardProto), {}))); + return true; + } + + if (ShouldResolveStaticProperties(standardConstructor)) { + const JSClass* clasp = js::ProtoKeyToClass(standardConstructor); + MOZ_ASSERT(clasp->specDefined()); + + if (!TryResolvePropertyFromSpecs( + cx, id, holder, clasp->specConstructorFunctions(), + clasp->specConstructorProperties(), desc)) { + return false; + } + + if (desc.isSome()) { + return true; + } + } + } + } + } else if (IsErrorObjectKey(key)) { + // The useful state of error objects (except for .stack) is + // (unfortunately) represented as own data properties per-spec. This + // means that we can't have a a clean representation of the data + // (free from tampering) without doubling the slots of Error + // objects, which isn't great. So we forward these properties to the + // underlying object and then just censor any values with the wrong + // type. This limits the ability of content to do anything all that + // confusing. 
+ bool isErrorIntProperty = + id == GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER) || + id == GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER); + bool isErrorStringProperty = + id == GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME) || + id == GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE); + if (isErrorIntProperty || isErrorStringProperty) { + RootedObject waiver(cx, wrapper); + if (!WrapperFactory::WaiveXrayAndWrap(cx, &waiver)) { + return false; + } + if (!JS_GetOwnPropertyDescriptorById(cx, waiver, id, desc)) { + return false; + } + if (desc.isSome()) { + // Make sure the property has the expected type. + if (!desc->isDataDescriptor() || + (isErrorIntProperty && !desc->value().isInt32()) || + (isErrorStringProperty && !desc->value().isString())) { + desc.reset(); + } + } + return true; + } + +#if defined(NIGHTLY_BUILD) + // The optional .cause property can have any value. + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_CAUSE)) { + return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc); + } +#endif + + if (key == JSProto_AggregateError && + id == GetJSIDByIndex(cx, XPCJSContext::IDX_ERRORS)) { + return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc); + } + } else if (key == JSProto_RegExp) { + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX)) { + return getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc); + } + } else if (key == JSProto_BoundFunction) { + // Bound functions have configurable .name and .length own data + // properties. Only support string values for .name and number values for + // .length. 
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAME)) { + if (!getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc)) { + return false; + } + if (desc.isSome() && + (!desc->isDataDescriptor() || !desc->value().isString())) { + desc.reset(); + } + return true; + } + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) { + if (!getOwnPropertyFromWrapperIfSafe(cx, wrapper, id, desc)) { + return false; + } + if (desc.isSome() && + (!desc->isDataDescriptor() || !desc->value().isNumber())) { + desc.reset(); + } + return true; + } + } + + // The rest of this function applies only to prototypes. + return true; + } + + // Handle the 'constructor' property. + if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR)) { + RootedObject constructor(cx); + { + JSAutoRealm ar(cx, target); + if (!JS_GetClassObject(cx, key, &constructor)) { + return false; + } + } + if (!JS_WrapObject(cx, &constructor)) { + return false; + } + desc.set(Some(PropertyDescriptor::Data( + ObjectValue(*constructor), + {PropertyAttribute::Configurable, PropertyAttribute::Writable}))); + return true; + } + + if (ShouldIgnorePropertyDefinition(cx, key, id)) { + MOZ_ASSERT(desc.isNothing()); + return true; + } + + // Grab the JSClass. We require all Xrayable classes to have a ClassSpec. + const JSClass* clasp = JS::GetClass(target); + MOZ_ASSERT(clasp->specDefined()); + + // Indexed array properties are handled above, so we can just work with the + // class spec here. 
+ return TryResolvePropertyFromSpecs(cx, id, holder, + clasp->specPrototypeFunctions(), + clasp->specPrototypeProperties(), desc); +} + +bool JSXrayTraits::delete_(JSContext* cx, HandleObject wrapper, HandleId id, + ObjectOpResult& result) { + MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx)); + + RootedObject holder(cx, ensureHolder(cx, wrapper)); + if (!holder) { + return false; + } + + // If we're using Object Xrays, we allow callers to attempt to delete any + // property from the underlying object that they are able to resolve. Note + // that this deleting may fail if the property is non-configurable. + JSProtoKey key = getProtoKey(holder); + bool isObjectOrArrayInstance = + (key == JSProto_Object || key == JSProto_Array) && !isPrototype(holder); + if (isObjectOrArrayInstance) { + RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx)); + RootedObject target(cx, getTargetObject(wrapper)); + JSAutoRealm ar(cx, target); + JS_MarkCrossZoneId(cx, id); + Rooted<Maybe<PropertyDescriptor>> desc(cx); + if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper, wrapperGlobal, id, + &desc)) { + return false; + } + if (desc.isSome()) { + return JS_DeletePropertyById(cx, target, id, result); + } + } + return result.succeed(); +} + +bool JSXrayTraits::defineProperty( + JSContext* cx, HandleObject wrapper, HandleId id, + Handle<PropertyDescriptor> desc, + Handle<Maybe<PropertyDescriptor>> existingDesc, + Handle<JSObject*> existingHolder, ObjectOpResult& result, bool* defined) { + *defined = false; + RootedObject holder(cx, ensureHolder(cx, wrapper)); + if (!holder) { + return false; + } + + // Object and Array instances are special. For those cases, we forward + // property definitions to the underlying object if the following + // conditions are met: + // * The property being defined is a value-prop. + // * The property being defined is either a primitive or subsumed by the + // target. 
+ // * As seen from the Xray, any existing property that we would overwrite + // is an |own| value-prop. + // + // To avoid confusion, we disallow expandos on Object and Array instances, and + // therefore raise an exception here if the above conditions aren't met. + JSProtoKey key = getProtoKey(holder); + bool isInstance = !isPrototype(holder); + bool isObjectOrArray = (key == JSProto_Object || key == JSProto_Array); + if (isObjectOrArray && isInstance) { + RootedObject target(cx, getTargetObject(wrapper)); + if (desc.isAccessorDescriptor()) { + JS_ReportErrorASCII(cx, + "Not allowed to define accessor property on [Object] " + "or [Array] XrayWrapper"); + return false; + } + if (desc.value().isObject() && + !AccessCheck::subsumes(target, + js::UncheckedUnwrap(&desc.value().toObject()))) { + JS_ReportErrorASCII(cx, + "Not allowed to define cross-origin object as " + "property on [Object] or [Array] XrayWrapper"); + return false; + } + if (existingDesc.isSome()) { + if (existingDesc->isAccessorDescriptor()) { + JS_ReportErrorASCII(cx, + "Not allowed to overwrite accessor property on " + "[Object] or [Array] XrayWrapper"); + return false; + } + if (existingHolder != wrapper) { + JS_ReportErrorASCII(cx, + "Not allowed to shadow non-own Xray-resolved " + "property on [Object] or [Array] XrayWrapper"); + return false; + } + } + + Rooted<PropertyDescriptor> wrappedDesc(cx, desc); + JSAutoRealm ar(cx, target); + JS_MarkCrossZoneId(cx, id); + if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc) || + !JS_DefinePropertyById(cx, target, id, wrappedDesc, result)) { + return false; + } + *defined = true; + return true; + } + + // For WebExtensions content scripts, we forward the definition of indexed + // properties. By validating that the key and value are both numbers, we can + // avoid doing any wrapping. 
+ if (isInstance && IsTypedArrayKey(key) &&
+ CompartmentPrivate::Get(JS::CurrentGlobalOrNull(cx))
+ ->isWebExtensionContentScript &&
+ desc.isDataDescriptor() &&
+ (desc.value().isNumber() || desc.value().isUndefined()) &&
+ IsArrayIndex(GetArrayIndexFromId(id))) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_DefinePropertyById(cx, target, id, desc, result)) {
+ return false;
+ }
+ *defined = true;
+ return true;
+ }
+
+ return true;
+}
+
+static bool MaybeAppend(jsid id, unsigned flags, MutableHandleIdVector props) {
+ MOZ_ASSERT(!(flags & JSITER_SYMBOLSONLY));
+ if (!(flags & JSITER_SYMBOLS) && id.isSymbol()) {
+ return true;
+ }
+ return props.append(id);
+}
+
+// Append the names from the given function and property specs to props.
+static bool AppendNamesFromFunctionAndPropertySpecs(
+ JSContext* cx, JSProtoKey key, const JSFunctionSpec* fs,
+ const JSPropertySpec* ps, unsigned flags, MutableHandleIdVector props) {
+ // Convert the method and property names to jsids and pass them to the caller.
+ for (; fs && fs->name; ++fs) {
+ jsid id;
+ if (!PropertySpecNameToPermanentId(cx, fs->name, &id)) {
+ return false;
+ }
+ if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+ if (!MaybeAppend(id, flags, props)) {
+ return false;
+ }
+ }
+ }
+ for (; ps && ps->name; ++ps) {
+ jsid id;
+ if (!PropertySpecNameToPermanentId(cx, ps->name, &id)) {
+ return false;
+ }
+ if (!js::ShouldIgnorePropertyDefinition(cx, key, id)) {
+ if (!MaybeAppend(id, flags, props)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+bool JSXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+ unsigned flags, MutableHandleIdVector props) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+
+ RootedObject target(cx, getTargetObject(wrapper));
+ RootedObject holder(cx, ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ JSProtoKey key = getProtoKey(holder);
+ if (!isPrototype(holder)) {
+ // For Object and Array instances, we expose some properties from the
+ // underlying object, but only after filtering them carefully.
+ if (key == JSProto_Object || key == JSProto_Array) {
+ MOZ_ASSERT(props.empty());
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+ {
+ JSAutoRealm ar(cx, target);
+ RootedIdVector targetProps(cx);
+ if (!js::GetPropertyKeys(cx, target, flags | JSITER_OWNONLY,
+ &targetProps)) {
+ return false;
+ }
+ // Loop over the properties, and only pass along the ones that
+ // we determine to be safe.
+ if (!props.reserve(targetProps.length())) {
+ return false;
+ }
+ for (size_t i = 0; i < targetProps.length(); ++i) {
+ Rooted<Maybe<PropertyDescriptor>> desc(cx);
+ RootedId id(cx, targetProps[i]);
+ if (!getOwnPropertyFromTargetIfSafe(cx, target, wrapper,
+ wrapperGlobal, id, &desc)) {
+ return false;
+ }
+ if (desc.isSome()) {
+ props.infallibleAppend(id);
+ }
+ }
+ }
+ for (size_t i = 0; i < props.length(); ++i) {
+ JS_MarkCrossZoneId(cx, props[i]);
+ }
+ return true;
+ }
+ if (IsTypedArrayKey(key)) {
+ size_t length = JS_GetTypedArrayLength(target);
+ // TypedArrays enumerate every indexed property in range, but
+ // |length| is a getter that lives on the proto, like it should be.
+
+ // Fail early if the typed array is enormous, because this will be very
+ // slow and will likely report OOM. This also means we don't need to
+ // handle indices greater than PropertyKey::IntMax in the loop below.
+ static_assert(PropertyKey::IntMax >= INT32_MAX);
+ if (length > INT32_MAX) {
+ JS_ReportOutOfMemory(cx);
+ return false;
+ }
+
+ if (!props.reserve(length)) {
+ return false;
+ }
+ for (int32_t i = 0; i < int32_t(length); ++i) {
+ props.infallibleAppend(PropertyKey::Int(i));
+ }
+ } else if (key == JSProto_Function) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH))) {
+ return false;
+ }
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_NAME))) {
+ return false;
+ }
+ // Handle the .prototype property and static properties on standard
+ // constructors.
+ JSProtoKey standardConstructor = constructorFor(holder);
+ if (standardConstructor != JSProto_Null) {
+ if (ShouldResolvePrototypeProperty(standardConstructor)) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_PROTOTYPE))) {
+ return false;
+ }
+ }
+
+ if (ShouldResolveStaticProperties(standardConstructor)) {
+ const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+ MOZ_ASSERT(clasp->specDefined());
+
+ if (!AppendNamesFromFunctionAndPropertySpecs(
+ cx, key, clasp->specConstructorFunctions(),
+ clasp->specConstructorProperties(), flags, props)) {
+ return false;
+ }
+ }
+ }
+ } else if (IsErrorObjectKey(key)) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_FILENAME)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LINENUMBER)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_COLUMNNUMBER)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_STACK)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_MESSAGE))) {
+ return false;
+ }
+ } else if (key == JSProto_RegExp) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LASTINDEX))) {
+ return false;
+ }
+ } else if (key == JSProto_BoundFunction) {
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_LENGTH)) ||
+ !props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_NAME))) {
+ return false;
+ }
+ }
+
+ // The rest of this function applies only to prototypes.
+ return true;
+ }
+
+ // Add the 'constructor' property.
+ if (!props.append(GetJSIDByIndex(cx, XPCJSContext::IDX_CONSTRUCTOR))) {
+ return false;
+ }
+
+ // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
+ const JSClass* clasp = JS::GetClass(target);
+ MOZ_ASSERT(clasp->specDefined());
+
+ return AppendNamesFromFunctionAndPropertySpecs(
+ cx, key, clasp->specPrototypeFunctions(),
+ clasp->specPrototypeProperties(), flags, props);
+}
+
+bool JSXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ JSXrayTraits& self = JSXrayTraits::singleton;
+ JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ const JSProtoKey key = xpc::JSXrayTraits::getProtoKey(holder);
+ if (key == JSProto_Function) {
+ JSProtoKey standardConstructor = constructorFor(holder);
+ if (standardConstructor == JSProto_Null) {
+ return baseInstance.construct(cx, wrapper, args);
+ }
+
+ const JSClass* clasp = js::ProtoKeyToClass(standardConstructor);
+ MOZ_ASSERT(clasp);
+ if (!(clasp->flags & JSCLASS_HAS_XRAYED_CONSTRUCTOR)) {
+ return baseInstance.construct(cx, wrapper, args);
+ }
+
+ // If the JSCLASS_HAS_XRAYED_CONSTRUCTOR flag is set on the Class,
+ // we don't use the constructor at hand. Instead, we retrieve the
+ // equivalent standard constructor in the xray compartment and run
+ // it in that compartment. The newTarget isn't unwrapped, and the
+ // constructor has to be able to detect and handle this situation.
+ // See the comments in js/public/Class.h and PromiseConstructor for
+ // details and an example.
+ RootedObject ctor(cx);
+ if (!JS_GetClassObject(cx, standardConstructor, &ctor)) {
+ return false;
+ }
+
+ RootedValue ctorVal(cx, ObjectValue(*ctor));
+ HandleValueArray vals(args);
+ RootedObject result(cx);
+ if (!JS::Construct(cx, ctorVal, wrapper, vals, &result)) {
+ return false;
+ }
+ AssertSameCompartment(cx, result);
+ args.rval().setObject(*result);
+ return true;
+ }
+ if (key == JSProto_BoundFunction) {
+ return baseInstance.construct(cx, wrapper, args);
+ }
+
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+}
+
+JSObject* JSXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ RootedObject holder(cx,
+ JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr));
+ if (!holder) {
+ return nullptr;
+ }
+
+ // Compute information about the target.
+ bool isPrototype = false;
+ JSProtoKey key = IdentifyStandardInstance(target);
+ if (key == JSProto_Null) {
+ isPrototype = true;
+ key = IdentifyStandardPrototype(target);
+ }
+ MOZ_ASSERT(key != JSProto_Null);
+
+ // Special case: pretend Arguments objects are arrays for Xrays.
+ //
+ // Arguments objects are strange beasts - they inherit Object.prototype,
+ // and implement iteration by defining an |own| property for
+ // Symbol.iterator. Since this value is callable, Array/Object Xrays will
+ // filter it out, causing the Xray view to be non-iterable, which in turn
+ // breaks consumers.
+ //
+ // We can't trust the iterator value from the content compartment,
+ // but the generic one on Array.prototype works well enough. So we force
+ // the Xray view of Arguments objects to inherit Array.prototype, which
+ // in turn allows iteration via the inherited
+ // Array.prototype[Symbol.iterator]. This doesn't emulate any of the weird
+ // semantics of Arguments iterators, but is probably good enough.
+ //
+ // Note that there are various Xray traps that do other special behavior for
+ // JSProto_Array, but they also provide that special behavior for
+ // JSProto_Object, and since Arguments would otherwise get JSProto_Object,
+ // this does not cause any behavior change at those sites.
+ if (key == JSProto_Object && js::IsArgumentsObject(target)) {
+ key = JSProto_Array;
+ }
+
+ // Store it on the holder.
+ RootedValue v(cx);
+ v.setNumber(static_cast<uint32_t>(key));
+ JS::SetReservedSlot(holder, SLOT_PROTOKEY, v);
+ v.setBoolean(isPrototype);
+ JS::SetReservedSlot(holder, SLOT_ISPROTOTYPE, v);
+
+ // If this is a function, also compute whether it serves as a constructor
+ // for a standard class.
+ if (key == JSProto_Function) {
+ v.setNumber(static_cast<uint32_t>(IdentifyStandardConstructor(target)));
+ JS::SetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR, v);
+ }
+
+ return holder;
+}
+
+DOMXrayTraits DOMXrayTraits::singleton;
+JSXrayTraits JSXrayTraits::singleton;
+OpaqueXrayTraits OpaqueXrayTraits::singleton;
+
+XrayTraits* GetXrayTraits(JSObject* obj) {
+ switch (GetXrayType(obj)) {
+ case XrayForDOMObject:
+ return &DOMXrayTraits::singleton;
+ case XrayForJSObject:
+ return &JSXrayTraits::singleton;
+ case XrayForOpaqueObject:
+ return &OpaqueXrayTraits::singleton;
+ default:
+ return nullptr;
+ }
+}
+
+/*
+ * Xray expando handling.
+ *
+ * We hang expandos for Xray wrappers off a reserved slot on the target object
+ * so that same-origin compartments can share expandos for a given object. We
+ * have a linked list of expando objects, one per origin. The properties on
+ * these objects are generally wrappers pointing back to the compartment that
+ * applied them.
+ *
+ * The expando objects should _never_ be exposed to script. The fact that they
+ * live in the target compartment is a detail of the implementation, and does
+ * not imply that code in the target compartment should be allowed to inspect
+ * them. They are private to the origin that placed them.
+ */
+
+// Certain compartments do not share expandos with other compartments. Xrays in
+// these compartments cache expandos on the wrapper's holder, as there is only
+// one such wrapper which can create or access the expando. This allows for
+// faster access to the expando, including through JIT inline caches.
+static inline bool CompartmentHasExclusiveExpandos(JSObject* obj) {
+ JS::Compartment* comp = JS::GetCompartment(obj);
+ CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+ return priv && priv->hasExclusiveExpandos;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper);
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+ JSObject* expandoWrapper);
+
+static nsIPrincipal* WrapperPrincipal(JSObject* obj) {
+ // Use the principal stored in CompartmentOriginInfo. That works because
+ // consumers are only interested in the origin-ignoring-document.domain.
+ // See expandoObjectMatchesConsumer.
+ MOZ_ASSERT(IsXrayWrapper(obj));
+ JS::Compartment* comp = JS::GetCompartment(obj);
+ CompartmentPrivate* priv = CompartmentPrivate::Get(comp);
+ return priv->originInfo.GetPrincipalIgnoringDocumentDomain();
+}
+
+static nsIPrincipal* GetExpandoObjectPrincipal(JSObject* expandoObject) {
+ Value v = JS::GetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN);
+ return static_cast<nsIPrincipal*>(v.toPrivate());
+}
+
+static void ExpandoObjectFinalize(JS::GCContext* gcx, JSObject* obj) {
+ // Release the principal.
+ nsIPrincipal* principal = GetExpandoObjectPrincipal(obj);
+ NS_RELEASE(principal);
+}
+
+const JSClassOps XrayExpandoObjectClassOps = {
+ nullptr, // addProperty
+ nullptr, // delProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ ExpandoObjectFinalize, // finalize
+ nullptr, // call
+ nullptr, // construct
+ nullptr, // trace
+};
+
+bool XrayTraits::expandoObjectMatchesConsumer(JSContext* cx,
+ HandleObject expandoObject,
+ nsIPrincipal* consumerOrigin) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(expandoObject, cx));
+
+ // First, compare the principals.
+ nsIPrincipal* o = GetExpandoObjectPrincipal(expandoObject);
+ // Note that it's very important here to ignore document.domain. We
+ // pull the principal for the expando object off of the first consumer
+ // for a given origin, and freely share the expandos amongst multiple
+ // same-origin consumers afterwards. However, this means that we have
+ // no way to know whether _all_ consumers have opted in to collaboration
+ // by explicitly setting document.domain. So we just mandate that expando
+ // sharing is unaffected by it.
+ if (!consumerOrigin->Equals(o)) {
+ return false;
+ }
+
+ // Certain globals exclusively own the associated expandos, in which case
+ // the caller should have used the cached expando on the wrapper instead.
+ JSObject* owner = JS::GetReservedSlot(expandoObject,
+ JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+ .toObjectOrNull();
+ return owner == nullptr;
+}
+
+bool XrayTraits::getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+ HandleObject exclusiveWrapper,
+ nsIPrincipal* origin,
+ MutableHandleObject expandoObject) {
+ MOZ_ASSERT(!JS_IsExceptionPending(cx));
+ expandoObject.set(nullptr);
+
+ // Use the cached expando if this wrapper has exclusive access to it.
+ if (exclusiveWrapper) {
+ JSObject* expandoWrapper = GetCachedXrayExpando(exclusiveWrapper);
+ expandoObject.set(expandoWrapper ?
UncheckedUnwrap(expandoWrapper)
+ : nullptr);
+#ifdef DEBUG
+ // Make sure the expando we found is on the target's chain. While we
+ // don't use this chain to look up expandos for the wrapper,
+ // the expando still needs to be on the chain to keep the wrapper and
+ // expando alive.
+ if (expandoObject) {
+ JSObject* head = expandoChain;
+ while (head && head != expandoObject) {
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+ MOZ_ASSERT(head == expandoObject);
+ }
+#endif
+ return true;
+ }
+
+ // The expando object lives in the compartment of the target, so all our
+ // work needs to happen there.
+ RootedObject head(cx, expandoChain);
+ JSAutoRealm ar(cx, head);
+
+ // Iterate through the chain, looking for a same-origin object.
+ while (head) {
+ if (expandoObjectMatchesConsumer(cx, head, origin)) {
+ expandoObject.set(head);
+ return true;
+ }
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+
+ // Not found.
+ return true;
+}
+
+bool XrayTraits::getExpandoObject(JSContext* cx, HandleObject target,
+ HandleObject consumer,
+ MutableHandleObject expandoObject) {
+ // Return early if no expando object has ever been attached, which is
+ // usually the case.
+ JSObject* chain = getExpandoChain(target);
+ if (!chain) {
+ return true;
+ }
+
+ bool isExclusive = CompartmentHasExclusiveExpandos(consumer);
+ return getExpandoObjectInternal(cx, chain, isExclusive ? consumer : nullptr,
+ WrapperPrincipal(consumer), expandoObject);
+}
+
+// Wrappers which have exclusive access to the expando on their target object
+// need to be kept alive as long as the target object exists. This is done by
+// keeping the expando in the expando chain on the target (even though it will
+// not be used while looking up the expando for the wrapper), and keeping a
+// strong reference from that expando to the wrapper itself, via the
+// JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER reserved slot.
This slot does not
+// point to the wrapper itself, because it is a cross compartment edge and we
+// can't create a wrapper for a wrapper. Instead, the slot points to an
+// instance of the holder class below in the wrapper's compartment, and the
+// wrapper is held via this holder object's reserved slot.
+static const JSClass gWrapperHolderClass = {"XrayExpandoWrapperHolder",
+ JSCLASS_HAS_RESERVED_SLOTS(1)};
+static const size_t JSSLOT_WRAPPER_HOLDER_CONTENTS = 0;
+
+JSObject* XrayTraits::attachExpandoObject(JSContext* cx, HandleObject target,
+ HandleObject exclusiveWrapper,
+ HandleObject exclusiveWrapperGlobal,
+ nsIPrincipal* origin) {
+ // Make sure the compartments are sane.
+ MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
+ if (exclusiveWrapper) {
+ MOZ_ASSERT(!js::IsObjectInContextCompartment(exclusiveWrapper, cx));
+ MOZ_ASSERT(JS_IsGlobalObject(exclusiveWrapperGlobal));
+ js::AssertSameCompartment(exclusiveWrapper, exclusiveWrapperGlobal);
+ }
+
+ // No duplicates allowed.
+#ifdef DEBUG
+ {
+ JSObject* chain = getExpandoChain(target);
+ if (chain) {
+ RootedObject existingExpandoObject(cx);
+ if (getExpandoObjectInternal(cx, chain, exclusiveWrapper, origin,
+ &existingExpandoObject)) {
+ MOZ_ASSERT(!existingExpandoObject);
+ } else {
+ JS_ClearPendingException(cx);
+ }
+ }
+ }
+#endif
+
+ // Create the expando object.
+ const JSClass* expandoClass = getExpandoClass(cx, target);
+ MOZ_ASSERT(!strcmp(expandoClass->name, "XrayExpandoObject"));
+ RootedObject expandoObject(
+ cx, JS_NewObjectWithGivenProto(cx, expandoClass, nullptr));
+ if (!expandoObject) {
+ return nullptr;
+ }
+
+ // AddRef and store the principal.
+ NS_ADDREF(origin);
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN,
+ JS::PrivateValue(origin));
+
+ // Note the exclusive wrapper, if there is one.
+ RootedObject wrapperHolder(cx);
+ if (exclusiveWrapper) {
+ JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+ wrapperHolder =
+ JS_NewObjectWithGivenProto(cx, &gWrapperHolderClass, nullptr);
+ if (!wrapperHolder) {
+ return nullptr;
+ }
+ JS_SetReservedSlot(wrapperHolder, JSSLOT_WRAPPER_HOLDER_CONTENTS,
+ ObjectValue(*exclusiveWrapper));
+ }
+ if (!JS_WrapObject(cx, &wrapperHolder)) {
+ return nullptr;
+ }
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER,
+ ObjectOrNullValue(wrapperHolder));
+
+ // Store it on the exclusive wrapper, if there is one.
+ if (exclusiveWrapper) {
+ RootedObject cachedExpandoObject(cx, expandoObject);
+ JSAutoRealm ar(cx, exclusiveWrapperGlobal);
+ if (!JS_WrapObject(cx, &cachedExpandoObject)) {
+ return nullptr;
+ }
+ JSObject* holder = ensureHolder(cx, exclusiveWrapper);
+ if (!holder) {
+ return nullptr;
+ }
+ SetCachedXrayExpando(holder, cachedExpandoObject);
+ }
+
+ // If this is our first expando object, take the opportunity to preserve
+ // the wrapper. This keeps our expandos alive even if the Xray wrapper gets
+ // collected.
+ RootedObject chain(cx, getExpandoChain(target));
+ if (!chain) {
+ preserveWrapper(target);
+ }
+
+ // Insert it at the front of the chain.
+ JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_NEXT,
+ ObjectOrNullValue(chain));
+ setExpandoChain(cx, target, expandoObject);
+
+ return expandoObject;
+}
+
+JSObject* XrayTraits::ensureExpandoObject(JSContext* cx, HandleObject wrapper,
+ HandleObject target) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
+ RootedObject wrapperGlobal(cx, JS::CurrentGlobalOrNull(cx));
+
+ // Expando objects live in the target compartment.
+ JSAutoRealm ar(cx, target);
+ RootedObject expandoObject(cx);
+ if (!getExpandoObject(cx, target, wrapper, &expandoObject)) {
+ return nullptr;
+ }
+ if (!expandoObject) {
+ bool isExclusive = CompartmentHasExclusiveExpandos(wrapper);
+ expandoObject =
+ attachExpandoObject(cx, target, isExclusive ?
wrapper : nullptr,
+ wrapperGlobal, WrapperPrincipal(wrapper));
+ }
+ return expandoObject;
+}
+
+bool XrayTraits::cloneExpandoChain(JSContext* cx, HandleObject dst,
+ HandleObject srcChain) {
+ MOZ_ASSERT(js::IsObjectInContextCompartment(dst, cx));
+ MOZ_ASSERT(getExpandoChain(dst) == nullptr);
+
+ RootedObject oldHead(cx, srcChain);
+ while (oldHead) {
+ // If movingIntoXrayCompartment is true, then our new reflector is in a
+ // compartment that used to have an Xray-with-expandos to the old reflector
+ // and we should copy the expandos to the new reflector directly.
+ bool movingIntoXrayCompartment;
+
+ // exclusiveWrapper is only used if movingIntoXrayCompartment ends up true.
+ RootedObject exclusiveWrapper(cx);
+ RootedObject exclusiveWrapperGlobal(cx);
+ RootedObject wrapperHolder(
+ cx,
+ JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER)
+ .toObjectOrNull());
+ if (wrapperHolder) {
+ RootedObject unwrappedHolder(cx, UncheckedUnwrap(wrapperHolder));
+ // unwrappedHolder is the compartment of the relevant Xray, so check
+ // whether that matches the compartment of cx (which matches the
+ // compartment of dst).
+ movingIntoXrayCompartment =
+ js::IsObjectInContextCompartment(unwrappedHolder, cx);
+
+ if (!movingIntoXrayCompartment) {
+ // The global containing this wrapper holder has an xray for |src|
+ // with expandos. Create an xray in the global for |dst| which
+ // will be associated with a clone of |src|'s expando object.
+ JSAutoRealm ar(cx, unwrappedHolder);
+ exclusiveWrapper = dst;
+ if (!JS_WrapObject(cx, &exclusiveWrapper)) {
+ return false;
+ }
+ exclusiveWrapperGlobal = JS::CurrentGlobalOrNull(cx);
+ }
+ } else {
+ JSAutoRealm ar(cx, oldHead);
+ movingIntoXrayCompartment =
+ expandoObjectMatchesConsumer(cx, oldHead, GetObjectPrincipal(dst));
+ }
+
+ if (movingIntoXrayCompartment) {
+ // Just copy properties directly onto dst.
+ if (!JS_CopyOwnPropertiesAndPrivateFields(cx, dst, oldHead)) {
+ return false;
+ }
+ } else {
+ // Create a new expando object in the compartment of dst to replace
+ // oldHead.
+ RootedObject newHead(
+ cx,
+ attachExpandoObject(cx, dst, exclusiveWrapper, exclusiveWrapperGlobal,
+ GetExpandoObjectPrincipal(oldHead)));
+ if (!JS_CopyOwnPropertiesAndPrivateFields(cx, newHead, oldHead)) {
+ return false;
+ }
+ }
+ oldHead =
+ JS::GetReservedSlot(oldHead, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+ return true;
+}
+
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex) {
+ if (!NS_IsMainThread()) {
+ // No Xrays
+ return;
+ }
+
+ MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_NEXT);
+ MOZ_ASSERT(slotIndex != JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER);
+ MOZ_ASSERT(GetXrayTraits(target) == &DOMXrayTraits::singleton);
+ RootingContext* rootingCx = RootingCx();
+ RootedObject rootedTarget(rootingCx, target);
+ RootedObject head(rootingCx,
+ DOMXrayTraits::singleton.getExpandoChain(rootedTarget));
+ while (head) {
+ MOZ_ASSERT(JSCLASS_RESERVED_SLOTS(JS::GetClass(head)) > slotIndex);
+ JS::SetReservedSlot(head, slotIndex, UndefinedValue());
+ head = JS::GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
+ }
+}
+
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper) {
+ MOZ_ASSERT(NS_IsMainThread());
+ MOZ_ASSERT(GetXrayTraits(wrapper) == &DOMXrayTraits::singleton);
+ MOZ_ASSERT(IsXrayWrapper(wrapper));
+
+ RootedObject target(cx, DOMXrayTraits::getTargetObject(wrapper));
+ return DOMXrayTraits::singleton.ensureExpandoObject(cx, wrapper, target);
+}
+
+const JSClass* XrayTraits::getExpandoClass(JSContext* cx,
+ HandleObject target) const {
+ return &DefaultXrayExpandoObjectClass;
+}
+
+static const size_t JSSLOT_XRAY_HOLDER = 0;
+
+/* static */
+JSObject* XrayTraits::getHolder(JSObject* wrapper) {
+ MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
+ JS::Value v = js::GetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER);
+ return
v.isObject() ? &v.toObject() : nullptr;
+}
+
+JSObject* XrayTraits::ensureHolder(JSContext* cx, HandleObject wrapper) {
+ RootedObject holder(cx, getHolder(wrapper));
+ if (holder) {
+ return holder;
+ }
+ holder = createHolder(cx, wrapper); // virtual trap.
+ if (holder) {
+ js::SetProxyReservedSlot(wrapper, JSSLOT_XRAY_HOLDER, ObjectValue(*holder));
+ }
+ return holder;
+}
+
+static inline JSObject* GetCachedXrayExpando(JSObject* wrapper) {
+ JSObject* holder = XrayTraits::getHolder(wrapper);
+ if (!holder) {
+ return nullptr;
+ }
+ Value v = JS::GetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO);
+ return v.isObject() ? &v.toObject() : nullptr;
+}
+
+static inline void SetCachedXrayExpando(JSObject* holder,
+ JSObject* expandoWrapper) {
+ MOZ_ASSERT(JS::GetCompartment(holder) == JS::GetCompartment(expandoWrapper));
+ JS_SetReservedSlot(holder, XrayTraits::HOLDER_SLOT_EXPANDO,
+ ObjectValue(*expandoWrapper));
+}
+
+static nsGlobalWindowInner* AsWindow(JSContext* cx, JSObject* wrapper) {
+ // We want to use our target object here, since we don't want to be
+ // doing a security check while unwrapping.
+ JSObject* target = XrayTraits::getTargetObject(wrapper);
+ return WindowOrNull(target);
+}
+
+static bool IsWindow(JSContext* cx, JSObject* wrapper) {
+ return !!AsWindow(cx, wrapper);
+}
+
+static bool wrappedJSObject_getter(JSContext* cx, unsigned argc, Value* vp) {
+ CallArgs args = CallArgsFromVp(argc, vp);
+ if (!args.thisv().isObject()) {
+ JS_ReportErrorASCII(cx, "This value not an object");
+ return false;
+ }
+ RootedObject wrapper(cx, &args.thisv().toObject());
+ if (!IsWrapper(wrapper) || !WrapperFactory::IsXrayWrapper(wrapper) ||
+ !WrapperFactory::AllowWaiver(wrapper)) {
+ JS_ReportErrorASCII(cx, "Unexpected object");
+ return false;
+ }
+
+ args.rval().setObject(*wrapper);
+
+ return WrapperFactory::WaiveXrayAndWrap(cx, args.rval());
+}
+
+bool XrayTraits::resolveOwnProperty(
+ JSContext* cx, HandleObject wrapper, HandleObject target,
+ HandleObject holder, HandleId id,
+ MutableHandle<Maybe<PropertyDescriptor>> desc) {
+ desc.reset();
+
+ RootedObject expando(cx);
+ if (!getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ // Check for expando properties first. Note that the expando object lives
+ // in the target compartment.
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ JS_MarkCrossZoneId(cx, id);
+ if (!JS_GetOwnPropertyDescriptorById(cx, expando, id, desc)) {
+ return false;
+ }
+ }
+
+ // Next, check for ES builtins.
+ if (!desc.isSome() && JS_IsGlobalObject(target)) {
+ JSProtoKey key = JS_IdToProtoKey(cx, id);
+ JSAutoRealm ar(cx, target);
+ if (key != JSProto_Null) {
+ MOZ_ASSERT(key < JSProto_LIMIT);
+ RootedObject constructor(cx);
+ if (!JS_GetClassObject(cx, key, &constructor)) {
+ return false;
+ }
+ MOZ_ASSERT(constructor);
+
+ desc.set(Some(PropertyDescriptor::Data(
+ ObjectValue(*constructor),
+ {PropertyAttribute::Configurable, PropertyAttribute::Writable})));
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_EVAL)) {
+ RootedObject eval(cx);
+ if (!js::GetRealmOriginalEval(cx, &eval)) {
+ return false;
+ }
+ desc.set(Some(PropertyDescriptor::Data(
+ ObjectValue(*eval),
+ {PropertyAttribute::Configurable, PropertyAttribute::Writable})));
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_INFINITY)) {
+ desc.set(Some(PropertyDescriptor::Data(
+ DoubleValue(PositiveInfinity<double>()), {})));
+ } else if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_NAN)) {
+ desc.set(Some(PropertyDescriptor::Data(NaNValue(), {})));
+ }
+ }
+
+ if (desc.isSome()) {
+ return JS_WrapPropertyDescriptor(cx, desc);
+ }
+
+ // Handle .wrappedJSObject for subsuming callers. This should move once we
+ // sort out own-ness for the holder.
+ if (id == GetJSIDByIndex(cx, XPCJSContext::IDX_WRAPPED_JSOBJECT) &&
+ WrapperFactory::AllowWaiver(wrapper)) {
+ bool found = false;
+ if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found)) {
+ return false;
+ }
+ if (!found && !JS_DefinePropertyById(cx, holder, id, wrappedJSObject_getter,
+ nullptr, JSPROP_ENUMERATE)) {
+ return false;
+ }
+ return JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+ }
+
+ return true;
+}
+
+bool DOMXrayTraits::resolveOwnProperty(
+ JSContext* cx, HandleObject wrapper, HandleObject target,
+ HandleObject holder, HandleId id,
+ MutableHandle<Maybe<PropertyDescriptor>> desc) {
+ // Call the common code.
+ bool ok =
+ XrayTraits::resolveOwnProperty(cx, wrapper, target, holder, id, desc);
+ if (!ok || desc.isSome()) {
+ return ok;
+ }
+
+ // Check for indexed access on a window.
+ uint32_t index = GetArrayIndexFromId(id);
+ if (IsArrayIndex(index)) {
+ nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+ // Note: As() unwraps outer windows to get to the inner window.
+ if (win) {
+ Nullable<WindowProxyHolder> subframe = win->IndexedGetter(index);
+ if (!subframe.IsNull()) {
+ Rooted<Value> value(cx);
+ if (MOZ_UNLIKELY(!WrapObject(cx, subframe.Value(), &value))) {
+ // It's gone?
+ return xpc::Throw(cx, NS_ERROR_FAILURE);
+ }
+ desc.set(Some(PropertyDescriptor::Data(
+ value,
+ {PropertyAttribute::Configurable, PropertyAttribute::Enumerable})));
+ return JS_WrapPropertyDescriptor(cx, desc);
+ }
+ }
+ }
+
+ if (!JS_GetOwnPropertyDescriptorById(cx, holder, id, desc)) {
+ return false;
+ }
+ if (desc.isSome()) {
+ return true;
+ }
+
+ bool cacheOnHolder;
+ if (!XrayResolveOwnProperty(cx, wrapper, target, id, desc, cacheOnHolder)) {
+ return false;
+ }
+
+ if (desc.isNothing() || !cacheOnHolder) {
+ return true;
+ }
+
+ Rooted<PropertyDescriptor> defineDesc(cx, *desc);
+ return JS_DefinePropertyById(cx, holder, id, defineDesc) &&
+ JS_GetOwnPropertyDescriptorById(cx, holder, id, desc);
+}
+
+bool DOMXrayTraits::delete_(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleId id, JS::ObjectOpResult& result) {
+ RootedObject target(cx, getTargetObject(wrapper));
+ return XrayDeleteNamedProperty(cx, wrapper, target, id, result);
+}
+
+bool DOMXrayTraits::defineProperty(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ Handle<PropertyDescriptor> desc,
+ Handle<Maybe<PropertyDescriptor>> existingDesc,
+ Handle<JSObject*> existingHolder, JS::ObjectOpResult& result, bool* done) {
+ // Check for an indexed property on a Window. If that's happening, do
+ // nothing but set done to true so it won't get added as an expando.
+ if (IsWindow(cx, wrapper)) {
+ if (IsArrayIndex(GetArrayIndexFromId(id))) {
+ *done = true;
+ return result.succeed();
+ }
+ }
+
+ JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+ return XrayDefineProperty(cx, wrapper, obj, id, desc, result, done);
+}
+
+bool DOMXrayTraits::enumerateNames(JSContext* cx, HandleObject wrapper,
+ unsigned flags,
+ MutableHandleIdVector props) {
+ // Put the indexed properties for a window first.
+ nsGlobalWindowInner* win = AsWindow(cx, wrapper);
+ if (win) {
+ uint32_t length = win->Length();
+ if (!props.reserve(props.length() + length)) {
+ return false;
+ }
+ JS::RootedId indexId(cx);
+ for (uint32_t i = 0; i < length; ++i) {
+ if (!JS_IndexToId(cx, i, &indexId)) {
+ return false;
+ }
+ props.infallibleAppend(indexId);
+ }
+ }
+
+ JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
+ if (JS_IsGlobalObject(obj)) {
+ // We could do this in a shared enumerateNames with JSXrayTraits, but we
+ // don't really have globals we expose via those.
+ JSAutoRealm ar(cx, obj);
+ if (!JS_NewEnumerateStandardClassesIncludingResolved(
+ cx, obj, props, !(flags & JSITER_HIDDEN))) {
+ return false;
+ }
+ }
+ return XrayOwnPropertyKeys(cx, wrapper, obj, flags, props);
+}
+
+bool DOMXrayTraits::call(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ RootedObject obj(cx, getTargetObject(wrapper));
+ // What we have is either a WebIDL interface object, a WebIDL prototype
+ // object, or a WebIDL instance object. WebIDL interface objects we want to
+ // invoke on the xray compartment. WebIDL prototype objects never have a
+ // clasp->call. WebIDL instance objects either don't have a clasp->call or are
+ // using "legacycaller". At this time for all the legacycaller users it makes
+ // more sense to invoke on the xray compartment, so we just go ahead and do
+ // that for everything.
+ if (js::IsProxy(obj)) {
+ if (JS::IsCallable(obj)) {
+ // Passing obj here, but it doesn't really matter because legacycaller
+ // uses args.callee() anyway.
+ return GetProxyHandler(obj)->call(cx, obj, args);
+ }
+ } else {
+ const JSClass* clasp = JS::GetClass(obj);
+ if (JSNative call = clasp->getCall()) {
+ // call it on the Xray compartment
+ return call(cx, args.length(), args.base());
+ }
+ }
+
+ RootedValue v(cx, ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+}
+
+bool DOMXrayTraits::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ RootedObject obj(cx, getTargetObject(wrapper));
+ MOZ_ASSERT(mozilla::dom::HasConstructor(obj));
+ const JSClass* clasp = JS::GetClass(obj);
+ // See comments in DOMXrayTraits::call() explaining what's going on here.
+ if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
+ if (JSNative construct = clasp->getConstruct()) {
+ if (!construct(cx, args.length(), args.base())) {
+ return false;
+ }
+ } else {
+ RootedValue v(cx, ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+ } else {
+ if (!baseInstance.construct(cx, wrapper, args)) {
+ return false;
+ }
+ }
+ if (!args.rval().isObject() || !JS_WrapValue(cx, args.rval())) {
+ return false;
+ }
+ return true;
+}
+
+bool DOMXrayTraits::getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target,
+ JS::MutableHandleObject protop) {
+ return mozilla::dom::XrayGetNativeProto(cx, target, protop);
+}
+
+void DOMXrayTraits::preserveWrapper(JSObject* target) {
+ nsISupports* identity = mozilla::dom::UnwrapDOMObjectToISupports(target);
+ if (!identity) {
+ return;
+ }
+ nsWrapperCache* cache = nullptr;
+ CallQueryInterface(identity, &cache);
+ if (cache) {
+ cache->PreserveWrapper(identity);
+ }
+}
+
+JSObject* DOMXrayTraits::createHolder(JSContext* cx, JSObject* wrapper) {
+ return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+}
+
+const JSClass* DOMXrayTraits::getExpandoClass(JSContext* cx,
+ HandleObject target) const {
+ return XrayGetExpandoClass(cx, target);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::preventExtensions(
+ JSContext* cx, HandleObject wrapper, ObjectOpResult& result) const {
+ // Xray wrappers are supposed to provide a clean view of the target
+ // reflector, hiding any modifications by script in the target scope. So
+ // even if that script freezes the reflector, we don't want to make that
+ // visible to the caller. DOM reflectors are always extensible by default,
+ // so we can just return failure here.
+ return result.failCantPreventExtensions();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::isExtensible(JSContext* cx,
+ JS::Handle<JSObject*> wrapper,
+ bool* extensible) const {
+ // See above.
+ *extensible = true;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnPropertyDescriptor(
+ JSContext* cx, HandleObject wrapper, HandleId id,
+ MutableHandle<Maybe<PropertyDescriptor>> desc) const {
+ assertEnteredPolicy(cx, wrapper, id,
+ BaseProxyHandler::GET | BaseProxyHandler::SET |
+ BaseProxyHandler::GET_PROPERTY_DESCRIPTOR);
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ return Traits::singleton.resolveOwnProperty(cx, wrapper, target, holder, id,
+ desc);
+}
+
+// Consider what happens when chrome does |xray.expando = xray.wrappedJSObject|.
+//
+// Since the expando comes from the target compartment, wrapping it back into
+// the target compartment to define it on the expando object ends up stripping
+// off the Xray waiver that gives |xray| and |xray.wrappedJSObject| different
+// identities.
This is generally the right thing to do when wrapping across
+// compartments, but is incorrect in the special case of the Xray expando
+// object. Manually re-apply Xrays if necessary.
+//
+// NB: In order to satisfy the invariants of WaiveXray, we need to pass
+// in an object sans security wrapper, which means we need to strip off any
+// potential same-compartment security wrapper that may have been applied
+// to the content object. This is ok, because the the expando object is only
+// ever accessed by code across the compartment boundary.
+static bool RecreateLostWaivers(JSContext* cx, const PropertyDescriptor* orig,
+ MutableHandle<PropertyDescriptor> wrapped) {
+ // Compute whether the original objects were waived, and implicitly, whether
+ // they were objects at all.
+ bool valueWasWaived =
+ orig->hasValue() && orig->value().isObject() &&
+ WrapperFactory::HasWaiveXrayFlag(&orig->value().toObject());
+ bool getterWasWaived = orig->hasGetter() && orig->getter() &&
+ WrapperFactory::HasWaiveXrayFlag(orig->getter());
+ bool setterWasWaived = orig->hasSetter() && orig->setter() &&
+ WrapperFactory::HasWaiveXrayFlag(orig->setter());
+
+ // Recreate waivers. Note that for value, we need an extra UncheckedUnwrap
+ // to handle same-compartment security wrappers (see above). This should
+ // never happen for getters/setters.
+
+ RootedObject rewaived(cx);
+ if (valueWasWaived &&
+ !IsCrossCompartmentWrapper(&wrapped.value().toObject())) {
+ rewaived = &wrapped.value().toObject();
+ rewaived = WrapperFactory::WaiveXray(cx, UncheckedUnwrap(rewaived));
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.value().set(ObjectValue(*rewaived));
+ }
+ if (getterWasWaived && !IsCrossCompartmentWrapper(wrapped.getter())) {
+ // We can't end up with WindowProxy or Location as getters.
+ MOZ_ASSERT(CheckedUnwrapStatic(wrapped.getter()));
+ rewaived = WrapperFactory::WaiveXray(cx, wrapped.getter());
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.setGetter(rewaived);
+ }
+ if (setterWasWaived && !IsCrossCompartmentWrapper(wrapped.setter())) {
+ // We can't end up with WindowProxy or Location as setters.
+ MOZ_ASSERT(CheckedUnwrapStatic(wrapped.setter()));
+ rewaived = WrapperFactory::WaiveXray(cx, wrapped.setter());
+ NS_ENSURE_TRUE(rewaived, false);
+ wrapped.setSetter(rewaived);
+ }
+
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::defineProperty(JSContext* cx,
+ HandleObject wrapper,
+ HandleId id,
+ Handle<PropertyDescriptor> desc,
+ ObjectOpResult& result) const {
+ assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+ Rooted<Maybe<PropertyDescriptor>> existingDesc(cx);
+ Rooted<JSObject*> existingHolder(cx);
+ if (!JS_GetPropertyDescriptorById(cx, wrapper, id, &existingDesc,
+ &existingHolder)) {
+ return false;
+ }
+
+ // Note that the check here is intended to differentiate between own and
+ // non-own properties, since the above lookup is not limited to own
+ // properties. At present, this may not always do the right thing because
+ // we often lie (sloppily) about where we found properties and set
+ // existingHolder to |wrapper|. Once we fully fix our Xray prototype
+ // semantics, this should work as intended.
+ if (existingDesc.isSome() && existingHolder == wrapper &&
+ !existingDesc->configurable()) {
+ // We have a non-configurable property. See if the caller is trying to
+ // re-configure it in any way other than making it non-writable.
+ if (existingDesc->isAccessorDescriptor() || desc.isAccessorDescriptor() ||
+ (desc.hasEnumerable() &&
+ existingDesc->enumerable() != desc.enumerable()) ||
+ (desc.hasWritable() && !existingDesc->writable() && desc.writable())) {
+ // We should technically report non-configurability in strict mode, but
+ // doing that via JSAPI used to be a lot of trouble. See bug 1135997.
+ return result.succeed();
+ }
+ if (!existingDesc->writable()) {
+ // Same as the above for non-writability.
+ return result.succeed();
+ }
+ }
+
+ bool done = false;
+ if (!Traits::singleton.defineProperty(cx, wrapper, id, desc, existingDesc,
+ existingHolder, result, &done)) {
+ return false;
+ }
+ if (done) {
+ return true;
+ }
+
+ // Grab the relevant expando object.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expandoObject(
+ cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+ if (!expandoObject) {
+ return false;
+ }
+
+ // We're placing an expando. The expando objects live in the target
+ // compartment, so we need to enter it.
+ JSAutoRealm ar(cx, target);
+ JS_MarkCrossZoneId(cx, id);
+
+ // Wrap the property descriptor for the target compartment.
+ Rooted<PropertyDescriptor> wrappedDesc(cx, desc);
+ if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc)) {
+ return false;
+ }
+
+ // Fix up Xray waivers.
+ if (!RecreateLostWaivers(cx, desc.address(), &wrappedDesc)) {
+ return false;
+ }
+
+ return JS_DefinePropertyById(cx, expandoObject, id, wrappedDesc, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::ownPropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+ BaseProxyHandler::ENUMERATE);
+ return getPropertyKeys(
+ cx, wrapper, JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::delete_(JSContext* cx, HandleObject wrapper,
+ HandleId id,
+ ObjectOpResult& result) const {
+ assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
+
+ // Check the expando object.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ JS_MarkCrossZoneId(cx, id);
+ bool hasProp;
+ if (!JS_HasPropertyById(cx, expando, id, &hasProp)) {
+ return false;
+ }
+ if (hasProp) {
+ return JS_DeletePropertyById(cx, expando, id, result);
+ }
+ }
+
+ return Traits::singleton.delete_(cx, wrapper, id, result);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::get(JSContext* cx, HandleObject wrapper,
+ HandleValue receiver, HandleId id,
+ MutableHandleValue vp) const {
+ // This is called by Proxy::get, but since we return true for hasPrototype()
+ // it's only called for properties that hasOwn() claims we have as own
+ // properties. Since we only need to worry about own properties, we can use
+ // getOwnPropertyDescriptor here.
+ Rooted<Maybe<PropertyDescriptor>> desc(cx);
+ if (!getOwnPropertyDescriptor(cx, wrapper, id, &desc)) {
+ return false;
+ }
+
+ MOZ_ASSERT(desc.isSome(),
+ "hasOwn() claimed we have this property, so why would we not get "
+ "a descriptor here?");
+ desc->assertComplete();
+
+ // Everything after here follows [[Get]] for ordinary objects.
+ if (desc->isDataDescriptor()) {
+ vp.set(desc->value());
+ return true;
+ }
+
+ MOZ_ASSERT(desc->isAccessorDescriptor());
+ RootedObject getter(cx, desc->getter());
+
+ if (!getter) {
+ vp.setUndefined();
+ return true;
+ }
+
+ return Call(cx, receiver, getter, HandleValueArray::empty(), vp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::set(JSContext* cx, HandleObject wrapper,
+ HandleId id, HandleValue v,
+ HandleValue receiver,
+ ObjectOpResult& result) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+ return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::has(JSContext* cx, HandleObject wrapper,
+ HandleId id, bool* bp) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+ return false;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::hasOwn(JSContext* cx, HandleObject wrapper,
+ HandleId id, bool* bp) const {
+ // Skip our Base if it isn't already ProxyHandler.
+ return js::BaseProxyHandler::hasOwn(cx, wrapper, id, bp);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getOwnEnumerablePropertyKeys(
+ JSContext* cx, HandleObject wrapper, MutableHandleIdVector props) const {
+ // Skip our Base if it isn't already ProxyHandler.
+ return js::BaseProxyHandler::getOwnEnumerablePropertyKeys(cx, wrapper, props);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::enumerate(
+ JSContext* cx, HandleObject wrapper,
+ JS::MutableHandleIdVector props) const {
+ MOZ_CRASH("Shouldn't be called: we return true for hasPrototype()");
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::call(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+ BaseProxyHandler::CALL);
+ // Hard cast the singleton since SecurityWrapper doesn't have one.
+ return Traits::call(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::construct(JSContext* cx, HandleObject wrapper,
+ const JS::CallArgs& args) const {
+ assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+ BaseProxyHandler::CALL);
+ // Hard cast the singleton since SecurityWrapper doesn't have one.
+ return Traits::construct(cx, wrapper, args, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getBuiltinClass(JSContext* cx,
+ JS::HandleObject wrapper,
+ js::ESClass* cls) const {
+ return Traits::getBuiltinClass(cx, wrapper, Base::singleton, cls);
+}
+
+template <typename Base, typename Traits>
+const char* XrayWrapper<Base, Traits>::className(JSContext* cx,
+ HandleObject wrapper) const {
+ return Traits::className(cx, wrapper, Base::singleton);
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototype(
+ JSContext* cx, JS::HandleObject wrapper,
+ JS::MutableHandleObject protop) const {
+ // We really only want this override for non-SecurityWrapper-inheriting
+ // |Base|. But doing that statically with templates requires partial method
+ // specializations (and therefore a helper class), which is all more trouble
+ // than it's worth. Do a dynamic check.
+ if (Base::hasSecurityPolicy()) {
+ return Base::getPrototype(cx, wrapper, protop);
+ }
+
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ // We want to keep the Xray's prototype distinct from that of content, but
+ // only if there's been a set. If there's not an expando, or the expando
+ // slot is |undefined|, hand back the default proto, appropriately wrapped.
+
+ if (expando) {
+ RootedValue v(cx);
+ { // Scope for JSAutoRealm
+ JSAutoRealm ar(cx, expando);
+ v = JS::GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
+ }
+ if (!v.isUndefined()) {
+ protop.set(v.toObjectOrNull());
+ return JS_WrapObject(cx, protop);
+ }
+ }
+
+ // Check our holder, and cache there if we don't have it cached already.
+ RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+
+ Value cached = JS::GetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO);
+ if (cached.isUndefined()) {
+ if (!Traits::singleton.getPrototype(cx, wrapper, target, protop)) {
+ return false;
+ }
+
+ JS::SetReservedSlot(holder, Traits::HOLDER_SLOT_CACHED_PROTO,
+ ObjectOrNullValue(protop));
+ } else {
+ protop.set(cached.toObjectOrNull());
+ }
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setPrototype(JSContext* cx,
+ JS::HandleObject wrapper,
+ JS::HandleObject proto,
+ JS::ObjectOpResult& result) const {
+ // Do this only for non-SecurityWrapper-inheriting |Base|. See the comment
+ // in getPrototype().
+ if (Base::hasSecurityPolicy()) {
+ return Base::setPrototype(cx, wrapper, proto, result);
+ }
+
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(
+ cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
+ if (!expando) {
+ return false;
+ }
+
+ // The expando lives in the target's realm, so do our installation there.
+ JSAutoRealm ar(cx, target);
+
+ RootedValue v(cx, ObjectOrNullValue(proto));
+ if (!JS_WrapValue(cx, &v)) {
+ return false;
+ }
+ JS_SetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE, v);
+ return result.succeed();
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPrototypeIfOrdinary(
+ JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary,
+ JS::MutableHandleObject protop) const {
+ // We want to keep the Xray's prototype distinct from that of content, but
+ // only if there's been a set. This different-prototype-over-time behavior
+ // means that the [[GetPrototypeOf]] trap *can't* be ECMAScript's ordinary
+ // [[GetPrototypeOf]]. This also covers cross-origin Window behavior that
+ // per
+ // <https://html.spec.whatwg.org/multipage/browsers.html#windowproxy-getprototypeof>
+ // must be non-ordinary.
+ *isOrdinary = false;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::setImmutablePrototype(JSContext* cx,
+ JS::HandleObject wrapper,
+ bool* succeeded) const {
+ // For now, lacking an obvious place to store a bit, prohibit making an
+ // Xray's [[Prototype]] immutable. We can revisit this (or maybe give all
+ // Xrays immutable [[Prototype]], because who does this, really?) later if
+ // necessary.
+ *succeeded = false;
+ return true;
+}
+
+template <typename Base, typename Traits>
+bool XrayWrapper<Base, Traits>::getPropertyKeys(
+ JSContext* cx, HandleObject wrapper, unsigned flags,
+ MutableHandleIdVector props) const {
+ assertEnteredPolicy(cx, wrapper, JS::PropertyKey::Void(),
+ BaseProxyHandler::ENUMERATE);
+
+ // Enumerate expando properties first. Note that the expando object lives
+ // in the target compartment.
+ RootedObject target(cx, Traits::getTargetObject(wrapper));
+ RootedObject expando(cx);
+ if (!Traits::singleton.getExpandoObject(cx, target, wrapper, &expando)) {
+ return false;
+ }
+
+ if (expando) {
+ JSAutoRealm ar(cx, expando);
+ if (!js::GetPropertyKeys(cx, expando, flags, props)) {
+ return false;
+ }
+ }
+ for (size_t i = 0; i < props.length(); ++i) {
+ JS_MarkCrossZoneId(cx, props[i]);
+ }
+
+ return Traits::singleton.enumerateNames(cx, wrapper, flags, props);
+}
+
+/*
+ * The Permissive / Security variants should be used depending on whether the
+ * compartment of the wrapper is guranteed to subsume the compartment of the
+ * wrapped object (i.e. - whether it is safe from a security perspective to
+ * unwrap the wrapper).
+ */
+
+template <typename Base, typename Traits>
+const xpc::XrayWrapper<Base, Traits> xpc::XrayWrapper<Base, Traits>::singleton(
+ 0);
+
+template class PermissiveXrayDOM;
+template class PermissiveXrayJS;
+template class PermissiveXrayOpaque;
+
+/*
+ * This callback is used by the JS engine to test if a proxy handler is for a
+ * cross compartment xray with no security requirements.
+ */
+static bool IsCrossCompartmentXrayCallback(
+ const js::BaseProxyHandler* handler) {
+ return handler == &PermissiveXrayDOM::singleton;
+}
+
+JS::XrayJitInfo gXrayJitInfo = {
+ IsCrossCompartmentXrayCallback, CompartmentHasExclusiveExpandos,
+ JSSLOT_XRAY_HOLDER, XrayTraits::HOLDER_SLOT_EXPANDO,
+ JSSLOT_EXPANDO_PROTOTYPE};
+
+} // namespace xpc
diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
new file mode 100644
index 0000000000..fb0c8b36c6
--- /dev/null
+++ b/js/xpconnect/wrappers/XrayWrapper.h
@@ -0,0 +1,495 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef XrayWrapper_h
+#define XrayWrapper_h
+
+#include "mozilla/Maybe.h"
+
+#include "WrapperFactory.h"
+
+#include "jsapi.h"
+#include "jsfriendapi.h"
+#include "js/friend/XrayJitInfo.h" // JS::XrayJitInfo
+#include "js/Object.h" // JS::GetReservedSlot
+#include "js/Proxy.h"
+#include "js/Wrapper.h"
+
+// Slot where Xray functions for Web IDL methods store a pointer to
+// the Xray wrapper they're associated with.
+#define XRAY_DOM_FUNCTION_PARENT_WRAPPER_SLOT 0
+// Slot where in debug builds Xray functions for Web IDL methods store
+// a pointer to their themselves, just so we can assert that they're the
+// sort of functions we expect.
+#define XRAY_DOM_FUNCTION_NATIVE_SLOT_FOR_SELF 1
+
+// Xray wrappers re-resolve the original native properties on the native
+// object and always directly access to those properties.
+// Because they work so differently from the rest of the wrapper hierarchy,
+// we pull them out of the Wrapper inheritance hierarchy and create a
+// little world around them.
+
+class nsIPrincipal;
+
+namespace xpc {
+
+enum XrayType {
+ XrayForDOMObject,
+ XrayForJSObject,
+ XrayForOpaqueObject,
+ NotXray
+};
+
+class XrayTraits {
+ public:
+ constexpr XrayTraits() = default;
+
+ static JSObject* getTargetObject(JSObject* wrapper) {
+ JSObject* target =
+ js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ false);
+ if (target) {
+ JS::ExposeObjectToActiveJS(target);
+ }
+ return target;
+ }
+
+ // NB: resolveOwnProperty may decide whether or not to cache what it finds
+ // on the holder.
If the result is not cached, the lookup will happen afresh
+ // for each access, which is the right thing for things like dynamic NodeList
+ // properties.
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result) {
+ return result.succeed();
+ }
+
+ static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance,
+ js::ESClass* cls) {
+ return baseInstance.getBuiltinClass(cx, wrapper, cls);
+ }
+
+ static const char* className(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance) {
+ return baseInstance.className(cx, wrapper);
+ }
+
+ virtual void preserveWrapper(JSObject* target) = 0;
+
+ bool getExpandoObject(JSContext* cx, JS::HandleObject target,
+ JS::HandleObject consumer,
+ JS::MutableHandleObject expandObject);
+ JSObject* ensureExpandoObject(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target);
+
+ // Slots for holder objects.
+ enum {
+ HOLDER_SLOT_CACHED_PROTO = 0,
+ HOLDER_SLOT_EXPANDO = 1,
+ HOLDER_SHARED_SLOT_COUNT
+ };
+
+ static JSObject* getHolder(JSObject* wrapper);
+ JSObject* ensureHolder(JSContext* cx, JS::HandleObject wrapper);
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) = 0;
+
+ JSObject* getExpandoChain(JS::HandleObject obj);
+ JSObject* detachExpandoChain(JS::HandleObject obj);
+ bool setExpandoChain(JSContext* cx, JS::HandleObject obj,
+ JS::HandleObject chain);
+ bool cloneExpandoChain(JSContext* cx, JS::HandleObject dst,
+ JS::HandleObject srcChain);
+
+ protected:
+ static const JSClass HolderClass;
+
+ // Get the JSClass we should use for our expando object.
+ virtual const JSClass* getExpandoClass(JSContext* cx,
+ JS::HandleObject target) const;
+
+ private:
+ bool expandoObjectMatchesConsumer(JSContext* cx,
+ JS::HandleObject expandoObject,
+ nsIPrincipal* consumerOrigin);
+
+ // |expandoChain| is the expando chain in the wrapped object's compartment.
+ // |exclusiveWrapper| is any xray that has exclusive use of the expando.
+ // |cx| may be in any compartment.
+ bool getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
+ JS::HandleObject exclusiveWrapper,
+ nsIPrincipal* origin,
+ JS::MutableHandleObject expandoObject);
+
+ // |cx| is in the target's compartment, and |exclusiveWrapper| is any xray
+ // that has exclusive use of the expando. |exclusiveWrapperGlobal| is the
+ // caller's global and must be same-compartment with |exclusiveWrapper|.
+ JSObject* attachExpandoObject(JSContext* cx, JS::HandleObject target,
+ JS::HandleObject exclusiveWrapper,
+ JS::HandleObject exclusiveWrapperGlobal,
+ nsIPrincipal* origin);
+
+ XrayTraits(XrayTraits&) = delete;
+ const XrayTraits& operator=(XrayTraits&) = delete;
+};
+
+class DOMXrayTraits : public XrayTraits {
+ public:
+ constexpr DOMXrayTraits() = default;
+
+ static const XrayType Type = XrayForDOMObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result);
+
+ bool defineProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+ JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+ bool* done);
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props);
+ static bool call(JSContext* cx,
JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance);
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance);
+
+ static bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target,
+ JS::MutableHandleObject protop);
+
+ virtual void preserveWrapper(JSObject* target) override;
+
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+ static DOMXrayTraits singleton;
+
+ protected:
+ virtual const JSClass* getExpandoClass(
+ JSContext* cx, JS::HandleObject target) const override;
+};
+
+class JSXrayTraits : public XrayTraits {
+ public:
+ static const XrayType Type = XrayForJSObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+ bool delete_(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::ObjectOpResult& result);
+
+ bool defineProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+ JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+ bool* defined);
+
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props);
+
+ static bool call(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+ JSXrayTraits& self = JSXrayTraits::singleton;
+ JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+ JSProtoKey key = xpc::JSXrayTraits::getProtoKey(holder);
+ if (key == JSProto_Function || key == JSProto_BoundFunction) {
+ return baseInstance.call(cx, wrapper, args);
+ }
+
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+
js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance);
+
+ bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target, JS::MutableHandleObject protop) {
+ JS::RootedObject holder(cx, ensureHolder(cx, wrapper));
+ if (!holder) {
+ return false;
+ }
+ JSProtoKey key = getProtoKey(holder);
+ if (isPrototype(holder)) {
+ JSProtoKey protoKey = js::InheritanceProtoKeyForStandardClass(key);
+ if (protoKey == JSProto_Null) {
+ protop.set(nullptr);
+ return true;
+ }
+ key = protoKey;
+ }
+
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassPrototype(cx, key, protop)) {
+ return false;
+ }
+ }
+ return JS_WrapObject(cx, protop);
+ }
+
+ virtual void preserveWrapper(JSObject* target) override {
+ // In the case of pure JS objects, there is no underlying object, and
+ // the target is the canonical representation of state. If it gets
+ // collected, then expandos and such should be collected too. So there's
+ // nothing to do here.
+ }
+
+ enum {
+ SLOT_PROTOKEY = HOLDER_SHARED_SLOT_COUNT,
+ SLOT_ISPROTOTYPE,
+ SLOT_CONSTRUCTOR_FOR,
+ SLOT_COUNT
+ };
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override;
+
+ static JSProtoKey getProtoKey(JSObject* holder) {
+ int32_t key = JS::GetReservedSlot(holder, SLOT_PROTOKEY).toInt32();
+ return static_cast<JSProtoKey>(key);
+ }
+
+ static bool isPrototype(JSObject* holder) {
+ return JS::GetReservedSlot(holder, SLOT_ISPROTOTYPE).toBoolean();
+ }
+
+ static JSProtoKey constructorFor(JSObject* holder) {
+ int32_t key = JS::GetReservedSlot(holder, SLOT_CONSTRUCTOR_FOR).toInt32();
+ return static_cast<JSProtoKey>(key);
+ }
+
+ // Operates in the wrapper compartment.
+ static bool getOwnPropertyFromWrapperIfSafe(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+ // Like the above, but operates in the target compartment. wrapperGlobal is
+ // the caller's global (must be in the wrapper compartment).
+ static bool getOwnPropertyFromTargetIfSafe(
+ JSContext* cx, JS::HandleObject target, JS::HandleObject wrapper,
+ JS::HandleObject wrapperGlobal, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc);
+
+ static const JSClass HolderClass;
+ static JSXrayTraits singleton;
+};
+
+// These traits are used when the target is not Xrayable and we therefore want
+// to make it opaque modulo the usual Xray machinery (like expandos and
+// .wrappedJSObject).
+class OpaqueXrayTraits : public XrayTraits {
+ public:
+ static const XrayType Type = XrayForOpaqueObject;
+
+ virtual bool resolveOwnProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleObject target,
+ JS::HandleObject holder, JS::HandleId id,
+ JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) override;
+
+ bool defineProperty(
+ JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
+ JS::Handle<JS::PropertyDescriptor> desc,
+ JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>> existingDesc,
+ JS::Handle<JSObject*> existingHolder, JS::ObjectOpResult& result,
+ bool* defined) {
+ *defined = false;
+ return true;
+ }
+
+ virtual bool enumerateNames(JSContext* cx, JS::HandleObject wrapper,
+ unsigned flags, JS::MutableHandleIdVector props) {
+ return true;
+ }
+
+ static bool call(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args, const js::Wrapper& baseInstance) {
+ JS::RootedValue v(cx, JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ static bool construct(JSContext* cx, JS::HandleObject wrapper,
+ const JS::CallArgs& args,
+ const js::Wrapper& baseInstance) {
+ JS::RootedValue v(cx,
JS::ObjectValue(*wrapper));
+ js::ReportIsNotFunction(cx, v);
+ return false;
+ }
+
+ bool getPrototype(JSContext* cx, JS::HandleObject wrapper,
+ JS::HandleObject target, JS::MutableHandleObject protop) {
+ // Opaque wrappers just get targetGlobal.Object.prototype as their
+ // prototype. This is preferable to using a null prototype because it
+ // lets things like |toString| and |__proto__| work.
+ {
+ JSAutoRealm ar(cx, target);
+ if (!JS_GetClassPrototype(cx, JSProto_Object, protop)) {
+ return false;
+ }
+ }
+ return JS_WrapObject(cx, protop);
+ }
+
+ static bool getBuiltinClass(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance,
+ js::ESClass* cls) {
+ *cls = js::ESClass::Other;
+ return true;
+ }
+
+ static const char* className(JSContext* cx, JS::HandleObject wrapper,
+ const js::Wrapper& baseInstance) {
+ return "Opaque";
+ }
+
+ virtual void preserveWrapper(JSObject* target) override {}
+
+ virtual JSObject* createHolder(JSContext* cx, JSObject* wrapper) override {
+ return JS_NewObjectWithGivenProto(cx, &HolderClass, nullptr);
+ }
+
+ static OpaqueXrayTraits singleton;
+};
+
+XrayType GetXrayType(JSObject* obj);
+XrayTraits* GetXrayTraits(JSObject* obj);
+
+template <typename Base, typename Traits>
+class XrayWrapper : public Base {
+ static_assert(std::is_base_of_v<js::BaseProxyHandler, Base>,
+ "Base *must* derive from js::BaseProxyHandler");
+
+ public:
+ constexpr explicit XrayWrapper(unsigned flags)
+ : Base(flags | WrapperFactory::IS_XRAY_WRAPPER_FLAG,
+ /* aHasPrototype = */ true){};
+
+ /* Standard internal methods.
*/ + virtual bool getOwnPropertyDescriptor( + JSContext* cx, JS::Handle<JSObject*> wrapper, JS::Handle<jsid> id, + JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc) + const override; + virtual bool defineProperty(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, + JS::Handle<JS::PropertyDescriptor> desc, + JS::ObjectOpResult& result) const override; + virtual bool ownPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + virtual bool delete_(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, + JS::ObjectOpResult& result) const override; + virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + virtual bool getPrototype(JSContext* cx, JS::HandleObject wrapper, + JS::MutableHandleObject protop) const override; + virtual bool setPrototype(JSContext* cx, JS::HandleObject wrapper, + JS::HandleObject proto, + JS::ObjectOpResult& result) const override; + virtual bool getPrototypeIfOrdinary( + JSContext* cx, JS::HandleObject wrapper, bool* isOrdinary, + JS::MutableHandleObject protop) const override; + virtual bool setImmutablePrototype(JSContext* cx, JS::HandleObject wrapper, + bool* succeeded) const override; + virtual bool preventExtensions(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::ObjectOpResult& result) const override; + virtual bool isExtensible(JSContext* cx, JS::Handle<JSObject*> wrapper, + bool* extensible) const override; + virtual bool has(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, bool* bp) const override; + virtual bool get(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::HandleValue receiver, JS::Handle<jsid> id, + JS::MutableHandle<JS::Value> vp) const override; + virtual bool set(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, JS::Handle<JS::Value> v, + JS::Handle<JS::Value> receiver, + JS::ObjectOpResult& result) const 
override; + virtual bool call(JSContext* cx, JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const override; + virtual bool construct(JSContext* cx, JS::Handle<JSObject*> wrapper, + const JS::CallArgs& args) const override; + + /* SpiderMonkey extensions. */ + virtual bool hasOwn(JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::Handle<jsid> id, bool* bp) const override; + virtual bool getOwnEnumerablePropertyKeys( + JSContext* cx, JS::Handle<JSObject*> wrapper, + JS::MutableHandleIdVector props) const override; + + virtual bool getBuiltinClass(JSContext* cx, JS::HandleObject wapper, + js::ESClass* cls) const override; + virtual const char* className(JSContext* cx, + JS::HandleObject proxy) const override; + + static const XrayWrapper singleton; + + protected: + bool getPropertyKeys(JSContext* cx, JS::Handle<JSObject*> wrapper, + unsigned flags, JS::MutableHandleIdVector props) const; +}; + +#define PermissiveXrayDOM \ + xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits> +#define PermissiveXrayJS \ + xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::JSXrayTraits> +#define PermissiveXrayOpaque \ + xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::OpaqueXrayTraits> + +extern template class PermissiveXrayDOM; +extern template class PermissiveXrayJS; +extern template class PermissiveXrayOpaque; + +/* + * Slots for Xray expando objects. See comments in XrayWrapper.cpp for details + * of how these get used; we mostly want the value of JSSLOT_EXPANDO_COUNT here. + */ +enum ExpandoSlots { + JSSLOT_EXPANDO_NEXT = 0, + JSSLOT_EXPANDO_ORIGIN, + JSSLOT_EXPANDO_EXCLUSIVE_WRAPPER_HOLDER, + JSSLOT_EXPANDO_PROTOTYPE, + JSSLOT_EXPANDO_COUNT +}; + +extern const JSClassOps XrayExpandoObjectClassOps; + +/* + * Clear the given slot on all Xray expandos for the given object. + * + * No-op when called on non-main threads (where Xrays don't exist). 
+ */
+void ClearXrayExpandoSlots(JSObject* target, size_t slotIndex);
+
+/*
+ * Ensure the given wrapper has an expando object and return it. This can
+ * return null on failure. Will only be called when "wrapper" is an Xray for a
+ * DOM object.
+ */
+JSObject* EnsureXrayExpandoObject(JSContext* cx, JS::HandleObject wrapper);
+
+// Information about xrays for use by the JITs.
+extern JS::XrayJitInfo gXrayJitInfo;
+
+} // namespace xpc
+
+#endif
diff --git a/js/xpconnect/wrappers/moz.build b/js/xpconnect/wrappers/moz.build
new file mode 100644
index 0000000000..fcf07a0181
--- /dev/null
+++ b/js/xpconnect/wrappers/moz.build
@@ -0,0 +1,32 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+EXPORTS += [
+ "WrapperFactory.h",
+]
+
+UNIFIED_SOURCES += [
+ "AccessCheck.cpp",
+ "ChromeObjectWrapper.cpp",
+ "FilteringWrapper.cpp",
+ "WaiveXrayWrapper.cpp",
+ "WrapperFactory.cpp",
+]
+
+# XrayWrapper needs to be built separately because of template instantiations.
+SOURCES += [
+ "XrayWrapper.cpp",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul"
+
+LOCAL_INCLUDES += [
+ "../../../dom/base",
+ "../src",
+ "/caps",
+] |
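Review bot: The LOCAL_INCLUDES list in the moz.build hunk mixes directory-relative entries (`"../../../dom/base"`, `"../src"`) with the topsrcdir-relative form already used for `"/caps"`, which makes the list harder to read and fragile if the directory is ever moved. Expressing all three the same way, `"/dom/base"` and `"/js/xpconnect/src"` alongside `"/caps"`, resolves to the same directories given this file's location under js/xpconnect/wrappers/ and keeps the style consistent. This is a style point only; the build inputs themselves are unchanged.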