/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef _xpc_WRAPPERFACTORY_H #define _xpc_WRAPPERFACTORY_H #include "js/Wrapper.h" namespace xpc { /** * A wrapper that's only used for cross-origin objects. This should be * just like a CrossCompartmentWrapper but (as an implementation * detail) doesn't actually do any compartment-entering and (as an * implementation detail) delegates all the security decisions and * compartment-entering to the target object, which is always a * proxy. * * We could also inherit from CrossCompartmentWrapper but then we * would need to override all the proxy hooks to avoid the * compartment-entering bits. */ class CrossOriginObjectWrapper : public js::Wrapper { public: // We want to claim to have a security policy, so code doesn't just // CheckedUnwrap us willy-nilly. But we're OK with the BaseProxyHandler // implementation of enter(), which allows entering. Our target is what // really does the security checks. // // We don't want to inherit from CrossCompartmentWrapper, because we don't // want the compartment-entering behavior it has. But we do want to set the // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for // is and so forth. constexpr explicit CrossOriginObjectWrapper() : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false, /* aHasSecurityPolicy = */ true) {} bool dynamicCheckedUnwrapAllowed(JS::Handle obj, JSContext* cx) const override; // Cross origin objects should not participate in private fields. virtual bool throwOnPrivateField() const override { return true; } static const CrossOriginObjectWrapper singleton; }; class WrapperFactory { public: enum { WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1, IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1 }; // Return true if any of any of the nested wrappers have the flag set. static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) { unsigned flags = 0; js::UncheckedUnwrap(wrapper, true, &flags); return !!(flags & flag); } static bool IsXrayWrapper(JSObject* wrapper) { return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG); } static bool IsCrossOriginWrapper(JSObject* obj) { return (js::IsProxy(obj) && js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton); } static bool IsOpaqueWrapper(JSObject* obj); static bool HasWaiveXrayFlag(JSObject* wrapper) { return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG); } static bool IsCOW(JSObject* wrapper); static JSObject* GetXrayWaiver(JS::Handle obj); // If allowExisting is true, there is an existing waiver for obj in // its scope, but we want to replace it with the new one. static JSObject* CreateXrayWaiver(JSContext* cx, JS::Handle obj, bool allowExisting = false); static JSObject* WaiveXray(JSContext* cx, JSObject* obj); // Computes whether we should allow the creation of an Xray waiver from // |target| to |origin|. static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin); // Convenience method for the above, operating on a wrapper. static bool AllowWaiver(JSObject* wrapper); // Prepare a given object for wrapping in a new compartment. static void PrepareForWrapping(JSContext* cx, JS::Handle scope, JS::Handle origObj, JS::Handle obj, JS::Handle objectPassedToWrap, JS::MutableHandle retObj); // Rewrap an object that is about to cross compartment boundaries. static JSObject* Rewrap(JSContext* cx, JS::Handle existing, JS::Handle obj); // Wrap wrapped object into a waiver wrapper and then re-wrap it. static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle vp); static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle object); }; } // namespace xpc #endif /* _xpc_WRAPPERFACTORY_H */