Example #1
// Rewrites |argObj| in place so that it is usable from |cx|'s compartment
// without an Xray wrapper where the caller is entitled to that. Returns true
// on success; on failure returns false and leaves |argObj| untouched.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, MutableHandleObject argObj)
{
    MOZ_ASSERT(argObj);
    RootedObject obj(cx, js::UncheckedUnwrap(argObj));
    MOZ_ASSERT(!js::IsInnerObject(obj));

    // Same-compartment case: hand back the unwrapped object directly, no
    // waiver or cross-compartment wrapper is involved.
    const bool alreadyLocal = js::IsObjectInContextCompartment(obj, cx);
    if (alreadyLocal) {
        argObj.set(obj);
        return true;
    }

    // Waivers have no effect on access by scopes that do not subsume the
    // underlying object, but as defense-in-depth we avoid handing waivers to
    // callers that cannot use them. The transitive waiving machinery calls
    // WaiveXrayAndWrap unconditionally on return values from waived
    // functions, even though a return value might not be same-origin with
    // the function. So a waiver is only created when |cx|'s compartment
    // subsumes |obj|'s compartment; otherwise |obj| is wrapped unwaived.
    JSCompartment *target = js::GetContextCompartment(cx);
    JSCompartment *origin = js::GetObjectCompartment(obj);
    if (AccessCheck::subsumes(target, origin))
        obj = WaiveXray(cx, obj);
    if (!obj)
        return false;

    // Bring the (possibly waived) object into |cx|'s compartment.
    if (JS_WrapObject(cx, &obj)) {
        argObj.set(obj);
        return true;
    }
    return false;
}
Example #2
// DoubleWrap is called from PrepareForWrapping to preserve the fact that Xray
// wrappers are supposed to be waived for the given object. On entry it
// expects |cx->compartment != obj->compartment()|. The returned object is in
// the same compartment as |obj|.
//
// When WAIVE_XRAY_WRAPPER_FLAG is not set in |flags|, |obj| is returned as is.
JSObject *
WrapperFactory::DoubleWrap(JSContext *cx, HandleObject obj, unsigned flags)
{
    const bool wantsWaiver = (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) != 0;
    if (!wantsWaiver)
        return obj;

    // The waiver is looked up or created while inside |obj|'s compartment.
    JSAutoCompartment ac(cx, obj);
    return WaiveXray(cx, obj);
}
// DoubleWrap is called from PrepareForWrapping to preserve the fact that Xray
// wrappers are supposed to be waived for the given object. On entry it
// expects |cx->compartment != obj->compartment()|. The returned object is in
// the same compartment as |obj|.
//
// Returns |obj| unchanged when WAIVE_XRAY_WRAPPER_FLAG is not set in |flags|,
// and nsnull when |obj|'s compartment cannot be entered.
JSObject *
WrapperFactory::DoubleWrap(JSContext *cx, JSObject *obj, unsigned flags)
{
    const bool wantsWaiver = (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) != 0;
    if (!wantsWaiver)
        return obj;

    // The waiver is looked up or created while inside |obj|'s compartment.
    JSAutoEnterCompartment ac;
    if (ac.enter(cx, obj))
        return WaiveXray(cx, obj);
    return nsnull;
}
// Returns the Xray waiver for |obj|, creating and caching one in the
// per-compartment waiver map if none exists yet. Returns nsnull on failure.
//
// Note that this function performs no access check of its own: it hands a
// waiver to whoever calls it.
JSObject *
WrapperFactory::WaiveXray(JSContext *cx, JSObject *obj)
{
    // Work on the unwrapped object, and if it is an outer window make sure
    // the waiver (i.e. .wrappedJSObject) also wraps the outer window.
    obj = GetCurrentOuter(cx, UnwrapObject(obj));

    CompartmentPrivate *priv = static_cast<CompartmentPrivate *>(
        JS_GetCompartmentPrivate(js::GetObjectCompartment(obj)));

    // Reuse an existing waiver for this object when the map has one.
    JSObject *waiver = nsnull;
    if (priv && priv->waiverWrapperMap) {
        waiver = priv->waiverWrapperMap->Find(obj);
        xpc_UnmarkGrayObject(waiver);
    }
    if (waiver)
        return waiver;

    // Cache miss. The new waiver's prototype is the waiver of |obj|'s own
    // prototype, so waive up the prototype chain first.
    JSObject *proto = js::GetObjectProto(obj);
    if (proto) {
        proto = WaiveXray(cx, proto);
        if (!proto)
            return nsnull;
    }

    // The waiver itself is created inside |obj|'s compartment.
    JSAutoEnterCompartment ac;
    if (!ac.enter(cx, obj))
        return nsnull;
    if (!JS_WrapObject(cx, &proto))
        return nsnull;

    waiver = Wrapper::New(cx, obj, proto, JS_GetGlobalForObject(cx, obj),
                          &WaiveXrayWrapperWrapper);
    if (!waiver)
        return nsnull;

    // Remember the waiver so the next lookup finds it. When the compartment
    // has no private data the waiver is returned without being cached.
    if (priv) {
        if (!priv->waiverWrapperMap) {
            priv->waiverWrapperMap = JSObject2JSObjectMap::newMap(XPC_WRAPPER_MAP_SIZE);
            if (!priv->waiverWrapperMap)
                return nsnull;
        }
        if (!priv->waiverWrapperMap->Add(obj, waiver))
            return nsnull;
    }

    return waiver;
}
// Replaces an object in |*vp| with its Xray waiver and then wraps the value
// for |cx|. Primitives are wrapped as they are. Returns false if the waiver
// cannot be obtained or wrapping fails.
//
// This version waives unconditionally: there is no check here that the
// calling compartment subsumes the object's compartment.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
{
    if (!JSVAL_IS_PRIMITIVE(*vp)) {
        JSObject *waiver = WaiveXray(cx, JSVAL_TO_OBJECT(*vp));
        if (!waiver)
            return false;
        *vp = OBJECT_TO_JSVAL(waiver);
    }

    return JS_WrapValue(cx, vp);
}
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
// wrapped in an Xray wrapper. cx->compartment is the compartment that will
// use the returned object. If the object to be wrapped is already in that
// compartment, the unwrapped object is returned through |vp|.
//
// This version waives unconditionally for cross-compartment objects: there
// is no check here that the calling compartment subsumes the object's
// compartment.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
{
    // Primitives carry no wrapper to waive.
    if (JSVAL_IS_PRIMITIVE(*vp))
        return JS_WrapValue(cx, vp);

    JSObject *target = GetCurrentOuter(cx, js::UnwrapObject(JSVAL_TO_OBJECT(*vp)));
    if (!js::IsObjectInContextCompartment(target, cx)) {
        // Cross-compartment: waive first, then wrap the waiver for |cx|.
        target = WaiveXray(cx, target);
        if (!target)
            return false;

        *vp = OBJECT_TO_JSVAL(target);
        return JS_WrapValue(cx, vp);
    }

    // Same compartment: the bare object is the answer.
    *vp = OBJECT_TO_JSVAL(target);
    return true;
}
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be
// wrapped in an Xray wrapper. cx->compartment is the compartment that will
// use the returned object. If the object to be wrapped is already in that
// compartment, the unwrapped object is returned through |vp|.
//
// This version waives unconditionally for cross-compartment objects: there
// is no check here that the calling compartment subsumes the object's
// compartment.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
{
    // Primitives carry no wrapper to waive.
    if (JSVAL_IS_PRIMITIVE(*vp))
        return JS_WrapValue(cx, vp);

    JSObject *target = GetCurrentOuter(cx, JSVAL_TO_OBJECT(*vp)->unwrap());
    if (target->compartment() != cx->compartment) {
        // Cross-compartment: waive first, then wrap the waiver for |cx|.
        target = WaiveXray(cx, target);
        if (!target)
            return false;

        *vp = OBJECT_TO_JSVAL(target);
        return JS_WrapValue(cx, vp);
    }

    // Same compartment: the bare object is the answer.
    *vp = OBJECT_TO_JSVAL(target);
    return true;
}
Example #8
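// Creates the Xray waiver for |obj| and records it in the waiver map of
// |obj|'s scope. The caller must already have looked for an existing waiver
// and found none. Returns the new waiver, or nullptr on failure.
JSObject *
WrapperFactory::CreateXrayWaiver(JSContext *cx, HandleObject obj)
{
    // The caller is required to have already done a lookup.
    // NB: This implicitly performs the assertions of GetXrayWaiver.
    MOZ_ASSERT(!GetXrayWaiver(obj));
    XPCWrappedNativeScope *scope = GetObjectScope(obj);

    // Get a waiver for the proto.
    JSObject *proto;
    if (!js::GetObjectProto(cx, obj, &proto))
        return nullptr;
    if (proto && !(proto = WaiveXray(cx, proto)))
        return nullptr;

    // Create the waiver inside |obj|'s compartment.
    JSAutoCompartment ac(cx, obj);
    if (!JS_WrapObject(cx, &proto))
        return nullptr;
    JSObject *waiver = Wrapper::New(cx, obj, proto,
                                    JS_GetGlobalForObject(cx, obj),
                                    &XrayWaiver);
    if (!waiver)
        return nullptr;

    // Add the new waiver to the map. It's important that we only ever have
    // one waiver for the lifetime of the target object.
    if (!scope->mWaiverWrapperMap) {
        scope->mWaiverWrapperMap =
          JSObject2JSObjectMap::newMap(XPC_WRAPPER_MAP_SIZE);
        // Checked at runtime rather than with MOZ_ASSERT: the assertion is
        // compiled out of release builds, so if newMap can return null the
        // Add() call below would dereference a null map there.
        if (!scope->mWaiverWrapperMap)
            return nullptr;
    }
    if (!scope->mWaiverWrapperMap->Add(obj, waiver))
        return nullptr;
    return waiver;
}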
Example #9
// Picks the object that should actually be wrapped when |objArg| is being
// wrapped for |scope|. Depending on the case this is |objArg| itself, its
// outer object, a standard-class prototype from |cx|'s compartment, or a
// wrapped-native reflector obtained for the wrap scope. When
// ShouldWaiveXray(cx, objectPassedToWrap) is true, the result is passed
// through WaiveXray on every path except the standard-prototype remap.
// Returns nullptr on failure.
JSObject *
WrapperFactory::PrepareForWrapping(JSContext *cx, HandleObject scope,
                                   HandleObject objArg, HandleObject objectPassedToWrap)
{
    bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
    RootedObject obj(cx, objArg);
    // Outerize any raw inner objects at the entry point here, so that we don't
    // have to worry about them for the rest of the wrapping code.
    if (js::IsInnerObject(obj)) {
        JSAutoCompartment ac(cx, obj);
        obj = JS_ObjectToOuterObject(cx, obj);
        NS_ENSURE_TRUE(obj, nullptr);
        // The outerization hook wraps, which means that we can end up with a
        // CCW here if |obj| was a navigated-away-from inner. Strip any CCWs.
        obj = js::UncheckedUnwrap(obj);
        MOZ_ASSERT(js::IsOuterObject(obj));
    }

    // If we've got an outer window, there's nothing special that needs to be
    // done here, and we can move on to the next phase of wrapping. We handle
    // this case first to allow us to assert against wrappers below.
    if (js::IsOuterObject(obj))
        return waive ? WaiveXray(cx, obj) : obj;

    // Here are the rules for wrapping:
    // We should never get a proxy here (the JS engine unwraps those for us).
    MOZ_ASSERT(!IsWrapper(obj));

    // If the object being wrapped is a prototype for a standard class and the
    // wrapper does not subsume the wrappee, use the one from the content
    // compartment. This is generally safer all-around, and in the COW case this
    // lets us safely take advantage of things like .forEach() via the
    // ChromeObjectWrapper machinery.
    //
    // If the prototype chain of chrome object |obj| looks like this:
    //
    // obj => foo => bar => chromeWin.StandardClass.prototype
    //
    // The prototype chain of COW(obj) looks like this:
    //
    // COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
    //
    // NB: We now remap all non-subsuming access of standard prototypes.
    //
    // NB: We need to ignore domain here so that the security relationship we
    // compute here can't change over time. See the comment above the other
    // subsumes call below.
    bool subsumes = AccessCheck::subsumes(js::GetContextCompartment(cx),
                                          js::GetObjectCompartment(obj));
    XrayType xrayType = GetXrayType(obj);
    if (!subsumes && (xrayType == NotXray || ForceCOWBehavior(obj))) {
        JSProtoKey key = JSProto_Null;
        {
            // The prototype is identified from inside |obj|'s compartment; the
            // replacement below is fetched in the caller's compartment.
            JSAutoCompartment ac(cx, obj);
            key = IdentifyStandardPrototype(obj);
        }
        if (key != JSProto_Null) {
            RootedObject homeProto(cx);
            if (!JS_GetClassPrototype(cx, key, &homeProto))
                return nullptr;
            MOZ_ASSERT(homeProto);
            // No need to double-wrap here. We should never have waivers to
            // COWs.
            return homeProto;
        }
    }

    // Now, our object is ready to be wrapped, but several objects (notably
    // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
    // those objects in a security wrapper, then we need to hand back the
    // wrapper for the new scope instead. Also, global objects don't move
    // between scopes so for those we also want to return the wrapper. So...
    if (!IS_WN_REFLECTOR(obj) || !js::GetObjectParent(obj))
        return waive ? WaiveXray(cx, obj) : obj;

    XPCWrappedNative *wn = XPCWrappedNative::Get(obj);

    JSAutoCompartment ac(cx, obj);
    XPCCallContext ccx(JS_CALLER, cx, obj);
    RootedObject wrapScope(cx, scope);

    {
        if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
            // We have a precreate hook. This object might enforce that we only
            // ever create one JS object for it.

            // Note: this penalizes objects that only have one wrapper, but are
            // being accessed across compartments. We would really prefer to
            // replace the above code with a test that says "do you only have one
            // wrapper?"
            nsresult rv = wn->GetScriptableInfo()->GetCallback()->
                PreCreate(wn->Native(), cx, scope, wrapScope.address());
            // On PreCreate failure this returns |obj| (waived if requested),
            // not nullptr.
            NS_ENSURE_SUCCESS(rv, waive ? WaiveXray(cx, obj) : obj);

            // If the handed back scope differs from the passed-in scope and is in
            // a separate compartment, then this object is explicitly requesting
            // that we don't create a second JS object for it: create a security
            // wrapper.
            if (js::GetObjectCompartment(scope) != js::GetObjectCompartment(wrapScope))
                return waive ? WaiveXray(cx, obj) : obj;

            RootedObject currentScope(cx, JS_GetGlobalForObject(cx, obj));
            if (MOZ_UNLIKELY(wrapScope != currentScope)) {
                // The wrapper claims it wants to be in the new scope, but
                // currently has a reflection that lives in the old scope. This
                // can mean one of two things, both of which are rare:
                //
                // 1 - The object has a PreCreate hook (we checked for it above),
                // but is deciding to request one-wrapper-per-scope (rather than
                // one-wrapper-per-native) for some reason. Usually, a PreCreate
                // hook indicates one-wrapper-per-native. In this case we want to
                // make a new wrapper in the new scope.
                //
                // 2 - We're midway through wrapper reparenting. The document has
                // moved to a new scope, but |wn| hasn't been moved yet, and
                // we ended up calling JS_WrapObject() on its JS object. In this
                // case, we want to return the existing wrapper.
                //
                // So we do a trick: call PreCreate _again_, but say that we're
                // wrapping for the old scope, rather than the new one. If (1) is
                // the case, then PreCreate will return the scope we pass to it
                // (the old scope). If (2) is the case, PreCreate will return the
                // scope of the document (the new scope).
                //
                // NOTE(review): |rv| from this second PreCreate call is not
                // checked before |probe| is compared. If the call can fail
                // without setting |probe|, the comparison below presumably takes
                // the case (2) branch, and the MOZ_ASSERT there only guards
                // debug builds. Confirm this is intended.
                RootedObject probe(cx);
                rv = wn->GetScriptableInfo()->GetCallback()->
                    PreCreate(wn->Native(), cx, currentScope, probe.address());

                // Check for case (2).
                if (probe != currentScope) {
                    MOZ_ASSERT(probe == wrapScope);
                    return waive ? WaiveXray(cx, obj) : obj;
                }

                // Ok, must be case (1). Fall through and create a new wrapper.
            }

            // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
            // but it's probably better than any of our alternatives.
            //
            // Note: We have to ignore domain here. The JS engine assumes that, given a
            // compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
            // it will also return a cross-compartment wrapper for any time t1 > t0 unless
            // an explicit transplant is performed. In particular, wrapper recomputation
            // assumes that recomputing a wrapper will always result in a wrapper.
            //
            // This doesn't actually pose a security issue, because we'll still compute
            // the correct (opaque) wrapper for the object below given the security
            // characteristics of the two compartments.
            if (!AccessCheck::isChrome(js::GetObjectCompartment(wrapScope)) &&
                 AccessCheck::subsumes(js::GetObjectCompartment(wrapScope),
                                       js::GetObjectCompartment(obj)))
            {
                return waive ? WaiveXray(cx, obj) : obj;
            }
        }
    }

    // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
    // so we don't have to.
    RootedValue v(cx);
    nsresult rv =
        nsXPConnect::XPConnect()->WrapNativeToJSVal(cx, wrapScope, wn->Native(), nullptr,
                                                    &NS_GET_IID(nsISupports), false, &v);
    NS_ENSURE_SUCCESS(rv, nullptr);

    obj.set(&v.toObject());
    MOZ_ASSERT(IS_WN_REFLECTOR(obj), "bad object");

    // Because the underlying native didn't have a PreCreate hook, we had
    // to create a new (or possibly use a pre-existing) XPCWN in our compartment.
    // This could be a problem for chrome code that passes XPCOM objects
    // across compartments, because the effects of QI would disappear across
    // compartments.
    //
    // So whenever we pull an XPCWN across compartments in this manner, we
    // give the destination object the union of the two native sets. We try
    // to do this cleverly in the common case to avoid too much overhead.
    XPCWrappedNative *newwn = XPCWrappedNative::Get(obj);
    XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(newwn->GetSet(),
                                                        wn->GetSet(), false);
    if (!unionSet)
        return nullptr;
    newwn->SetSet(unionSet);

    return waive ? WaiveXray(cx, obj) : obj;
}