Beispiel #1
0
JSObject *
WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
                       HandleObject parent)
{
    MOZ_ASSERT(!IsWrapper(obj) ||
               GetProxyHandler(obj) == &XrayWaiver ||
               js::GetObjectClass(obj)->ext.innerObject,
               "wrapped object passed to rewrap");
    MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
    MOZ_ASSERT(!js::IsInnerObject(obj));
    // We sometimes end up here after nsContentUtils has been shut down but before
    // XPConnect has been shut down, so check the context stack the roundabout way.
    MOZ_ASSERT(XPCJSRuntime::Get()->GetJSContextStack()->Peek() == cx);

    // Compute the information we need to select the right wrapper.
    JSCompartment *origin = js::GetObjectCompartment(obj);
    JSCompartment *target = js::GetContextCompartment(cx);
    bool originIsChrome = AccessCheck::isChrome(origin);
    bool targetIsChrome = AccessCheck::isChrome(target);
    bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
    bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
    bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
    XrayType xrayType = GetXrayType(obj);

    const Wrapper *wrapper;

    //
    // First, handle the special cases.
    //

    // If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
    // a vanilla CCW.
    if (xpc::IsUniversalXPConnectEnabled(target)) {
        CrashIfNotInAutomation();
        wrapper = &CrossCompartmentWrapper::singleton;
    }

    // Let the SpecialPowers scope make its stuff easily accessible to content.
    else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
        CrashIfNotInAutomation();
        wrapper = &CrossCompartmentWrapper::singleton;
    }

    // If this is a chrome object being exposed to content without Xrays, use
    // a COW.
    //
    // We make an exception for Object instances, because we still rely on COWs
    // for those in a lot of places in the tree.
    else if (originIsChrome && !targetIsChrome &&
             (xrayType == NotXray || ForceCOWBehavior(obj)))
    {
        wrapper = &ChromeObjectWrapper::singleton;
    }

    //
    // Now, handle the regular cases.
    //
    // These are wrappers we can compute using a rule-based approach. In order
    // to do so, we need to compute some parameters.
    //
    else {

        // The wrapper is a security wrapper (protecting the wrappee) if and
        // only if the target does not subsume the origin.
        bool securityWrapper = !targetSubsumesOrigin;

        // Xrays are warranted if either the target or the origin don't trust
        // each other. This is generally the case, unless the two are same-origin
        // and the caller has not requested same-origin Xrays.
        //
        // Xrays are a bidirectional protection, since it affords clarity to the
        // caller and privacy to the callee.
        bool sameOriginXrays = CompartmentPrivate::Get(origin)->wantXrays ||
                               CompartmentPrivate::Get(target)->wantXrays;
        bool wantXrays = !sameOrigin || sameOriginXrays;

        // If Xrays are warranted, the caller may waive them for non-security
        // wrappers.
        bool waiveXrays = wantXrays && !securityWrapper && HasWaiveXrayFlag(obj);

        // We have slightly different behavior for the case when the object
        // being wrapped is in an XBL scope.
        bool originIsContentXBLScope = IsContentXBLScope(origin);

        wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays,
                                originIsContentXBLScope);

        // If we want to apply add-on interposition in the target compartment,
        // then we try to "upgrade" the wrapper to an interposing one.
        if (CompartmentPrivate::Get(target)->scope->HasInterposition())
            wrapper = SelectAddonWrapper(cx, obj, wrapper);
    }

    if (!targetSubsumesOrigin) {
        // Do a belt-and-suspenders check against exposing eval()/Function() to
        // non-subsuming content.
        if (JSFunction *fun = JS_GetObjectFunction(obj)) {
            if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
                NS_WARNING("Trying to expose eval or Function to non-subsuming content!");
                wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
            }
        }
    }

    DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);

    if (existing)
        return Wrapper::Renew(cx, existing, obj, wrapper);

    return Wrapper::New(cx, obj, parent, wrapper);
}
JSObject*
WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj)
{
    MOZ_ASSERT(!IsWrapper(obj) ||
               GetProxyHandler(obj) == &XrayWaiver ||
               js::IsWindowProxy(obj),
               "wrapped object passed to rewrap");
    MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
    MOZ_ASSERT(!js::IsWindow(obj));
    MOZ_ASSERT(dom::IsJSAPIActive());

    // Compute the information we need to select the right wrapper.
    JSCompartment* origin = js::GetObjectCompartment(obj);
    JSCompartment* target = js::GetContextCompartment(cx);
    bool originIsChrome = AccessCheck::isChrome(origin);
    bool targetIsChrome = AccessCheck::isChrome(target);
    bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
    bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
    bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
    XrayType xrayType = GetXrayType(obj);

    const Wrapper* wrapper;

    //
    // First, handle the special cases.
    //

    // If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
    // a vanilla CCW.
    if (xpc::IsUniversalXPConnectEnabled(target)) {
        CrashIfNotInAutomation();
        wrapper = &CrossCompartmentWrapper::singleton;
    }

    // Let the SpecialPowers scope make its stuff easily accessible to content.
    else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
        CrashIfNotInAutomation();
        wrapper = &CrossCompartmentWrapper::singleton;
    }

    // Special handling for chrome objects being exposed to content.
    else if (originIsChrome && !targetIsChrome) {
        // If this is a chrome function being exposed to content, we need to allow
        // call (but nothing else). We allow CPOWs that purport to be function's
        // here, but only in the content process.
        if ((IdentifyStandardInstance(obj) == JSProto_Function ||
            (jsipc::IsCPOW(obj) && JS::IsCallable(obj) &&
             XRE_IsContentProcess())))
        {
            wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>::singleton;
        }

        // For Vanilla JSObjects exposed from chrome to content, we use a wrapper
        // that supports __exposedProps__. We'd like to get rid of these eventually,
        // but in their current form they don't cause much trouble.
        else if (IdentifyStandardInstance(obj) == JSProto_Object) {
            wrapper = &ChromeObjectWrapper::singleton;
        }

        // Otherwise we get an opaque wrapper.
        else {
            wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
        }
    }

    //
    // Now, handle the regular cases.
    //
    // These are wrappers we can compute using a rule-based approach. In order
    // to do so, we need to compute some parameters.
    //
    else {

        // The wrapper is a security wrapper (protecting the wrappee) if and
        // only if the target does not subsume the origin.
        bool securityWrapper = !targetSubsumesOrigin;

        // Xrays are warranted if either the target or the origin don't trust
        // each other. This is generally the case, unless the two are same-origin
        // and the caller has not requested same-origin Xrays.
        //
        // Xrays are a bidirectional protection, since it affords clarity to the
        // caller and privacy to the callee.
        bool sameOriginXrays = CompartmentPrivate::Get(origin)->wantXrays ||
                               CompartmentPrivate::Get(target)->wantXrays;
        bool wantXrays = !sameOrigin || sameOriginXrays;

        // If Xrays are warranted, the caller may waive them for non-security
        // wrappers (unless explicitly forbidden from doing so).
        bool waiveXrays = wantXrays && !securityWrapper &&
                          CompartmentPrivate::Get(target)->allowWaivers &&
                          HasWaiveXrayFlag(obj);

        // We have slightly different behavior for the case when the object
        // being wrapped is in an XBL scope.
        bool originIsContentXBLScope = IsContentXBLScope(origin);

        wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays,
                                originIsContentXBLScope, obj);

        // If we want to apply add-on interposition in the target compartment,
        // then we try to "upgrade" the wrapper to an interposing one.
        if (CompartmentPrivate::Get(target)->scope->HasInterposition())
            wrapper = SelectAddonWrapper(cx, obj, wrapper);
    }

    if (!targetSubsumesOrigin) {
        // Do a belt-and-suspenders check against exposing eval()/Function() to
        // non-subsuming content.
        if (JSFunction* fun = JS_GetObjectFunction(obj)) {
            if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
                NS_WARNING("Trying to expose eval or Function to non-subsuming content!");
                wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
            }
        }
    }

    DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);

    if (existing)
        return Wrapper::Renew(cx, existing, obj, wrapper);

    return Wrapper::New(cx, obj, wrapper);
}