From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 dom/base/WindowNamedPropertiesHandler.cpp | 277 ++++++++++++++++++++++++++++++
 1 file changed, 277 insertions(+)
 create mode 100644 dom/base/WindowNamedPropertiesHandler.cpp

(limited to 'dom/base/WindowNamedPropertiesHandler.cpp')

diff --git a/dom/base/WindowNamedPropertiesHandler.cpp b/dom/base/WindowNamedPropertiesHandler.cpp
new file mode 100644
index 0000000000..8b5f8a29a8
--- /dev/null
+++ b/dom/base/WindowNamedPropertiesHandler.cpp
@@ -0,0 +1,277 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WindowNamedPropertiesHandler.h"
+#include "mozilla/dom/EventTargetBinding.h"
+#include "mozilla/dom/ProxyHandlerUtils.h"
+#include "mozilla/dom/WindowBinding.h"
+#include "mozilla/dom/WindowProxyHolder.h"
+#include "nsContentUtils.h"
+#include "nsGlobalWindowInner.h"
+#include "nsGlobalWindowOuter.h"
+#include "nsHTMLDocument.h"
+#include "nsJSUtils.h"
+#include "xpcprivate.h"
+
+namespace mozilla::dom {
+
+static bool ShouldExposeChildWindow(const nsString& aNameBeingResolved,
+                                    BrowsingContext* aChild) {
+  Element* e = aChild->GetEmbedderElement();
+  if (e && e->IsInShadowTree()) {
+    return false;
+  }
+
+  // If we're same-origin with the child, go ahead and expose it.
+  nsPIDOMWindowOuter* child = aChild->GetDOMWindow();
+  nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(child);
+  if (sop && nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) {
+    return true;
+  }
+
+  // If we're not same-origin, expose it _only_ if the name of the browsing
+  // context matches the 'name' attribute of the frame element in the parent.
+  // The motivations behind this heuristic are worth explaining here.
+  //
+  // Historically, all UAs supported global named access to any child browsing
+  // context (that is to say, window.dolske returns a child frame where either
+  // the "name" attribute on the frame element was set to "dolske", or where
+  // the child explicitly set window.name = "dolske").
+  //
+  // This is problematic because it allows possibly-malicious and unrelated
+  // cross-origin subframes to pollute the global namespace of their parent in
+  // unpredictable ways (see bug 860494). This is also problematic for browser
+  // engines like Servo that want to run cross-origin script on different
+  // threads.
+  //
+  // The naive solution here would be to filter out any cross-origin subframes
+  // obtained when doing named lookup in global scope. But that is unlikely to
+  // be web-compatible, since it will break named access for consumers that do
+  // <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
+  // expect to be able to access the cross-origin subframe via named lookup on
+  // the global.
+  //
+  // The optimal behavior would be to do the following:
+  // (a) Look for any child browsing context with name="dolske".
+  // (b) If the result is cross-origin, null it out.
+  // (c) If we have null, look for a frame element whose 'name' attribute is
+  //     "dolske".
+  //
+  // Unfortunately, (c) would require some engineering effort to be performant
+  // in Gecko, and probably in other UAs as well. So we go with a simpler
+  // approximation of the above. This approximation will only break sites that
+  // rely on their cross-origin subframes setting window.name to a known value,
+  // which is unlikely to be very common. And while it does introduce a
+  // dependency on cross-origin state when doing global lookups, it doesn't
+  // allow the child to arbitrarily pollute the parent namespace, and requires
+  // cross-origin communication only in a limited set of cases that can be
+  // computed independently by the parent.
+  return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
+                             aNameBeingResolved, eCaseMatters);
+}
+
+bool WindowNamedPropertiesHandler::getOwnPropDescriptor(
+    JSContext* aCx, JS::Handle<JSObject*> aProxy, JS::Handle<jsid> aId,
+    bool /* unused */,
+    JS::MutableHandle<Maybe<JS::PropertyDescriptor>> aDesc) const {
+  aDesc.reset();
+
+  if (aId.isSymbol()) {
+    if (aId.isWellKnownSymbol(JS::SymbolCode::toStringTag)) {
+      JS::Rooted<JSString*> toStringTagStr(
+          aCx, JS_NewStringCopyZ(aCx, "WindowProperties"));
+      if (!toStringTagStr) {
+        return false;
+      }
+
+      aDesc.set(Some(
+          JS::PropertyDescriptor::Data(JS::StringValue(toStringTagStr),
+                                       {JS::PropertyAttribute::Configurable})));
+      return true;
+    }
+
+    // Nothing to do if we're resolving another symbol property.
+    return true;
+  }
+
+  bool hasOnPrototype;
+  if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) {
+    return false;
+  }
+  if (hasOnPrototype) {
+    return true;
+  }
+
+  nsAutoJSString str;
+  if (!str.init(aCx, aId)) {
+    return false;
+  }
+
+  if (str.IsEmpty()) {
+    return true;
+  }
+
+  // Grab the DOM window.
+  nsGlobalWindowInner* win = xpc::WindowGlobalOrNull(aProxy);
+  if (win->Length() > 0) {
+    RefPtr<BrowsingContext> child = win->GetChildWindow(str);
+    if (child && ShouldExposeChildWindow(str, child)) {
+      // We found a subframe of the right name. Shadowing via |var foo| in
+      // global scope is still allowed, since |var| only looks up |own|
+      // properties. But unqualified shadowing will fail, per-spec.
+      JS::Rooted<JS::Value> v(aCx);
+      if (!ToJSValue(aCx, WindowProxyHolder(std::move(child)), &v)) {
+        return false;
+      }
+      aDesc.set(mozilla::Some(
+          JS::PropertyDescriptor::Data(v, {JS::PropertyAttribute::Configurable,
+                                           JS::PropertyAttribute::Writable})));
+      return true;
+    }
+  }
+
+  // The rest of this function is for HTML documents only.
+  Document* doc = win->GetExtantDoc();
+  if (!doc || !doc->IsHTMLOrXHTML()) {
+    return true;
+  }
+  nsHTMLDocument* document = doc->AsHTMLDocument();
+
+  JS::Rooted<JS::Value> v(aCx);
+  Element* element = document->GetElementById(str);
+  if (element) {
+    if (!ToJSValue(aCx, element, &v)) {
+      return false;
+    }
+    aDesc.set(mozilla::Some(
+        JS::PropertyDescriptor::Data(v, {JS::PropertyAttribute::Configurable,
+                                         JS::PropertyAttribute::Writable})));
+    return true;
+  }
+
+  ErrorResult rv;
+  bool found = document->ResolveName(aCx, str, &v, rv);
+  if (rv.MaybeSetPendingException(aCx)) {
+    return false;
+  }
+
+  if (found) {
+    aDesc.set(mozilla::Some(
+        JS::PropertyDescriptor::Data(v, {JS::PropertyAttribute::Configurable,
+                                         JS::PropertyAttribute::Writable})));
+  }
+  return true;
+}
+
+bool WindowNamedPropertiesHandler::defineProperty(
+    JSContext* aCx, JS::Handle<JSObject*> aProxy, JS::Handle<jsid> aId,
+    JS::Handle<JS::PropertyDescriptor> aDesc,
+    JS::ObjectOpResult& result) const {
+  return result.failCantDefineWindowNamedProperty();
+}
+
+bool WindowNamedPropertiesHandler::ownPropNames(
+    JSContext* aCx, JS::Handle<JSObject*> aProxy, unsigned flags,
+    JS::MutableHandleVector<jsid> aProps) const {
+  if (!(flags & JSITER_HIDDEN)) {
+    // None of our named properties are enumerable.
+    return true;
+  }
+
+  // Grab the DOM window.
+  nsGlobalWindowInner* win = xpc::WindowGlobalOrNull(aProxy);
+  nsTArray<nsString> names;
+  // The names live on the outer window, which might be null
+  nsGlobalWindowOuter* outer = win->GetOuterWindowInternal();
+  if (outer) {
+    if (BrowsingContext* bc = outer->GetBrowsingContext()) {
+      for (const auto& child : bc->Children()) {
+        const nsString& name = child->Name();
+        if (!name.IsEmpty() && !names.Contains(name)) {
+          // Make sure we really would expose it from getOwnPropDescriptor.
+          if (ShouldExposeChildWindow(name, child)) {
+            names.AppendElement(name);
+          }
+        }
+      }
+    }
+  }
+  if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
+    return false;
+  }
+
+  names.Clear();
+  Document* doc = win->GetExtantDoc();
+  if (!doc || !doc->IsHTMLOrXHTML()) {
+    // Define to @@toStringTag on this object to keep Object.prototype.toString
+    // backwards compatible.
+    JS::Rooted<jsid> toStringTagId(
+        aCx, JS::GetWellKnownSymbolKey(aCx, JS::SymbolCode::toStringTag));
+    return aProps.append(toStringTagId);
+  }
+
+  nsHTMLDocument* document = doc->AsHTMLDocument();
+  // Document names are enumerable, so we want to get them no matter what flags
+  // is.
+  document->GetSupportedNames(names);
+
+  JS::RootedVector<jsid> docProps(aCx);
+  if (!AppendNamedPropertyIds(aCx, aProxy, names, false, &docProps)) {
+    return false;
+  }
+
+  JS::Rooted<jsid> toStringTagId(
+      aCx, JS::GetWellKnownSymbolKey(aCx, JS::SymbolCode::toStringTag));
+  if (!docProps.append(toStringTagId)) {
+    return false;
+  }
+
+  return js::AppendUnique(aCx, aProps, docProps);
+}
+
+bool WindowNamedPropertiesHandler::delete_(JSContext* aCx,
+                                           JS::Handle<JSObject*> aProxy,
+                                           JS::Handle<jsid> aId,
+                                           JS::ObjectOpResult& aResult) const {
+  return aResult.failCantDeleteWindowNamedProperty();
+}
+
+// Note that this class doesn't need any reserved slots, but SpiderMonkey
+// asserts all proxy classes have at least one reserved slot.
+static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = {
+    PROXY_CLASS_DEF("WindowProperties", JSCLASS_IS_DOMIFACEANDPROTOJSCLASS |
+                                            JSCLASS_HAS_RESERVED_SLOTS(1)),
+    eNamedPropertiesObject,
+    prototypes::id::_ID_Count,
+    0,
+    &sEmptyNativePropertyHooks,
+    EventTarget_Binding::GetProtoObject};
+
+// static
+JSObject* WindowNamedPropertiesHandler::Create(JSContext* aCx,
+                                               JS::Handle<JSObject*> aProto) {
+  js::ProxyOptions options;
+  options.setClass(&WindowNamedPropertiesClass.mBase);
+
+  JS::Rooted<JSObject*> gsp(
+      aCx, js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
+                              JS::NullHandleValue, aProto, options));
+  if (!gsp) {
+    return nullptr;
+  }
+
+  bool succeeded;
+  if (!JS_SetImmutablePrototype(aCx, gsp, &succeeded)) {
+    return nullptr;
+  }
+  MOZ_ASSERT(succeeded,
+             "errors making the [[Prototype]] of the named properties object "
+             "immutable should have been JSAPI failures, not !succeeded");
+
+  return gsp;
+}
+
+}  // namespace mozilla::dom
-- 
cgit v1.2.3