HRESULT DirectDraw::DuplicateSurface(
LPDIRECTDRAWSURFACE lpDDSurface,
LPDIRECTDRAWSURFACE FAR *lplpDupDDSurface
)
{
std::ostringstream str;
str << this << " " << __FUNCTION__;
str << " " << lpDDSurface;
if (IsWrapper(lpDDSurface))
{
lpDDSurface = static_cast<DirectDrawSurface*>(lpDDSurface)->_original;
}
HRESULT hr = this->_original->DuplicateSurface(lpDDSurface, lplpDupDDSurface);
if (SUCCEEDED(hr))
{
*lplpDupDDSurface = CreateWrapperT(DirectDrawSurface, *lplpDupDDSurface);
}
str << std::endl;
str << tostr_HR(hr);
if (lplpDupDDSurface)
{
str << " " << *lplpDupDDSurface;
}
LogText(str.str());
return hr;
}
static JSObject *
GetCurrentOuter(JSContext *cx, JSObject *obj)
{
obj = JS_ObjectToOuterObject(cx, obj);
if (IsWrapper(obj) && !js::GetObjectClass(obj)->ext.innerObject) {
obj = UnwrapObject(obj);
NS_ASSERTION(js::GetObjectClass(obj)->ext.innerObject,
"weird object, expecting an outer window proxy");
}
return obj;
}
HRESULT DirectDrawClipper::Initialize(
LPDIRECTDRAW lpDD,
DWORD dwFlags
)
{
std::ostringstream str;
str << this << " " << __FUNCTION__;
if (IsWrapper(lpDD))
{
lpDD = static_cast<DirectDraw*>(lpDD)->_original;
}
HRESULT hr = this->_original->Initialize(lpDD, dwFlags);
str << std::endl;
str << tostr_HR(hr);
LogText(str.str());
return hr;
}
JSObject *
WrapperFactory::Rewrap(JSContext *cx, JSObject *obj, JSObject *wrappedProto, JSObject *parent,
unsigned flags)
{
NS_ASSERTION(!IsWrapper(obj) ||
GetProxyHandler(obj) == &WaiveXrayWrapperWrapper ||
js::GetObjectClass(obj)->ext.innerObject,
"wrapped object passed to rewrap");
NS_ASSERTION(JS_GetClass(obj) != &XrayUtils::HolderClass, "trying to wrap a holder");
JSCompartment *origin = js::GetObjectCompartment(obj);
JSCompartment *target = js::GetContextCompartment(cx);
bool usingXray = false;
Wrapper *wrapper;
CompartmentPrivate *targetdata =
static_cast<CompartmentPrivate *>(JS_GetCompartmentPrivate(target));
if (AccessCheck::isChrome(target)) {
if (AccessCheck::isChrome(origin)) {
wrapper = &CrossCompartmentWrapper::singleton;
} else {
bool isSystem;
{
JSAutoEnterCompartment ac;
if (!ac.enter(cx, obj))
return nsnull;
JSObject *globalObj = JS_GetGlobalForObject(cx, obj);
JS_ASSERT(globalObj);
isSystem = JS_IsSystemObject(cx, globalObj);
}
if (isSystem) {
wrapper = &CrossCompartmentWrapper::singleton;
} else if (flags & WAIVE_XRAY_WRAPPER_FLAG) {
// If we waived the X-ray wrapper for this object, wrap it into a
// special wrapper to transitively maintain the X-ray waiver.
wrapper = &CrossOriginWrapper::singleton;
} else {
// Native objects must be wrapped into an X-ray wrapper.
bool proxy;
if (CanXray(obj, &proxy)) {
if (proxy) {
wrapper = &XrayProxy::singleton;
} else {
typedef XrayWrapper<CrossCompartmentWrapper> Xray;
usingXray = true;
wrapper = &Xray::singleton;
}
} else {
wrapper = &NoWaiverWrapper::singleton;
}
}
}
} else if (AccessCheck::isChrome(origin)) {
JSFunction *fun = JS_GetObjectFunction(obj);
if (fun) {
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
JS_ReportError(cx, "Not allowed to access chrome eval or Function from content");
return nsnull;
}
}
XPCWrappedNative *wn;
if (targetdata &&
(wn = GetWrappedNative(cx, obj)) &&
wn->HasProto() && wn->GetProto()->ClassIsDOMObject()) {
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
usingXray = true;
if (IsLocationObject(obj))
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
else
wrapper = &FilteringWrapper<Xray, CrossOriginAccessiblePropertiesOnly>::singleton;
} else {
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
ExposedPropertiesOnly>::singleton;
}
} else if (AccessCheck::isSameOrigin(origin, target)) {
// For the same-origin case we use a transparent wrapper, unless one
// of the following is true:
// * The wrapper is a Location object.
// * The wrapper is flagged as needing a SOW.
// * The context compartment specifically requested Xray vision into
// same-origin compartments.
//
// The first two cases always require a security wrapper for non-chrome
// access, regardless of the origin of the object.
bool proxy;
if (AccessCheck::needsSystemOnlyWrapper(obj)) {
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
OnlyIfSubjectIsSystem>::singleton;
} else if (IsLocationObject(obj)) {
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
usingXray = true;
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
} else if (targetdata && targetdata->wantXrays && CanXray(obj, &proxy)) {
if (proxy) {
wrapper = &XrayProxy::singleton;
} else {
typedef XrayWrapper<CrossCompartmentWrapper> Xray;
usingXray = true;
wrapper = &Xray::singleton;
}
} else {
wrapper = &CrossCompartmentWrapper::singleton;
}
} else {
NS_ASSERTION(!AccessCheck::needsSystemOnlyWrapper(obj),
"bad object exposed across origins");
// Cross origin we want to disallow scripting and limit access to
// a predefined set of properties. XrayWrapper adds a property
// (.wrappedJSObject) which allows bypassing the XrayWrapper, but
// we filter out access to that property.
bool proxy;
if (!CanXray(obj, &proxy)) {
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
CrossOriginAccessiblePropertiesOnly>::singleton;
} else {
if (proxy) {
wrapper = &FilteringWrapper<XrayProxy,
CrossOriginAccessiblePropertiesOnly>::singleton;
} else {
typedef XrayWrapper<CrossCompartmentSecurityWrapper> Xray;
usingXray = true;
// Location objects can become same origin after navigation, so we might
// have to grant transparent access later on.
if (IsLocationObject(obj)) {
wrapper = &FilteringWrapper<Xray, LocationPolicy>::singleton;
} else {
wrapper = &FilteringWrapper<Xray,
CrossOriginAccessiblePropertiesOnly>::singleton;
}
}
}
}
JSObject *wrapperObj = Wrapper::New(cx, obj, wrappedProto, parent, wrapper);
if (!wrapperObj || !usingXray)
return wrapperObj;
JSObject *xrayHolder = XrayUtils::createHolder(cx, obj, parent);
if (!xrayHolder)
return nsnull;
js::SetProxyExtra(wrapperObj, 0, js::ObjectValue(*xrayHolder));
return wrapperObj;
}
JSObject *
WrapperFactory::PrepareForWrapping(JSContext *cx, JSObject *scope, JSObject *obj, unsigned flags)
{
// Don't unwrap an outer window, just double wrap it if needed.
if (js::GetObjectClass(obj)->ext.innerObject)
return DoubleWrap(cx, obj, flags);
// Here are the rules for wrapping:
// We should never get a proxy here (the JS engine unwraps those for us).
JS_ASSERT(!IsWrapper(obj));
// As soon as an object is wrapped in a security wrapper, it morphs to be
// a fat wrapper. (see also: bug XXX).
if (IS_SLIM_WRAPPER(obj) && !MorphSlimWrapper(cx, obj))
return nsnull;
// We only hand out outer objects to script.
obj = GetCurrentOuter(cx, obj);
if (js::GetObjectClass(obj)->ext.innerObject)
return DoubleWrap(cx, obj, flags);
// Now, our object is ready to be wrapped, but several objects (notably
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
// those objects in a security wrapper, then we need to hand back the
// wrapper for the new scope instead. Also, global objects don't move
// between scopes so for those we also want to return the wrapper. So...
if (!IS_WN_WRAPPER(obj) || !js::GetObjectParent(obj))
return DoubleWrap(cx, obj, flags);
XPCWrappedNative *wn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
JSAutoEnterCompartment ac;
if (!ac.enter(cx, obj))
return nsnull;
XPCCallContext ccx(JS_CALLER, cx, obj);
{
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
// We have a precreate hook. This object might enforce that we only
// ever create JS object for it.
JSObject *originalScope = scope;
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
PreCreate(wn->Native(), cx, scope, &scope);
NS_ENSURE_SUCCESS(rv, DoubleWrap(cx, obj, flags));
// If the handed back scope differs from the passed-in scope and is in
// a separate compartment, then this object is explicitly requesting
// that we don't create a second JS object for it: create a security
// wrapper.
if (js::GetObjectCompartment(originalScope) != js::GetObjectCompartment(scope))
return DoubleWrap(cx, obj, flags);
// Note: this penalizes objects that only have one wrapper, but are
// being accessed across compartments. We would really prefer to
// replace the above code with a test that says "do you only have one
// wrapper?"
}
}
// NB: Passing a holder here inhibits slim wrappers under
// WrapNativeToJSVal.
nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
// This public WrapNativeToJSVal API enters the compartment of 'scope'
// so we don't have to.
jsval v;
nsresult rv =
nsXPConnect::FastGetXPConnect()->WrapNativeToJSVal(cx, scope, wn->Native(), nsnull,
&NS_GET_IID(nsISupports), false,
&v, getter_AddRefs(holder));
if (NS_SUCCEEDED(rv)) {
obj = JSVAL_TO_OBJECT(v);
NS_ASSERTION(IS_WN_WRAPPER(obj), "bad object");
// Because the underlying native didn't have a PreCreate hook, we had
// to a new (or possibly pre-existing) XPCWN in our compartment.
// This could be a problem for chrome code that passes XPCOM objects
// across compartments, because the effects of QI would disappear across
// compartments.
//
// So whenever we pull an XPCWN across compartments in this manner, we
// give the destination object the union of the two native sets. We try
// to do this cleverly in the common case to avoid too much overhead.
XPCWrappedNative *newwn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(ccx, newwn->GetSet(),
wn->GetSet(), false);
if (!unionSet)
return nsnull;
newwn->SetSet(unionSet);
}
return DoubleWrap(cx, obj, flags);
}
bool
WrapperFactory::IsCOW(JSObject *obj)
{
return IsWrapper(obj) &&
Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
}
JSObject *
WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
HandleObject wrappedProto, HandleObject parent,
unsigned flags)
{
MOZ_ASSERT(!IsWrapper(obj) ||
GetProxyHandler(obj) == &XrayWaiver ||
js::GetObjectClass(obj)->ext.innerObject,
"wrapped object passed to rewrap");
MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
MOZ_ASSERT(!js::IsInnerObject(obj));
// We sometimes end up here after nsContentUtils has been shut down but before
// XPConnect has been shut down, so check the context stack the roundabout way.
MOZ_ASSERT(XPCJSRuntime::Get()->GetJSContextStack()->Peek() == cx);
// Compute the information we need to select the right wrapper.
JSCompartment *origin = js::GetObjectCompartment(obj);
JSCompartment *target = js::GetContextCompartment(cx);
bool originIsChrome = AccessCheck::isChrome(origin);
bool targetIsChrome = AccessCheck::isChrome(target);
bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
XrayType xrayType = GetXrayType(obj);
bool waiveXrayFlag = flags & WAIVE_XRAY_WRAPPER_FLAG;
Wrapper *wrapper;
CompartmentPrivate *targetdata = EnsureCompartmentPrivate(target);
//
// First, handle the special cases.
//
// If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
// a vanilla CCW.
if (xpc::IsUniversalXPConnectEnabled(target)) {
wrapper = &CrossCompartmentWrapper::singleton;
// If this is a chrome object being exposed to content without Xrays, use
// a COW.
} else if (originIsChrome && !targetIsChrome && xrayType == NotXray) {
wrapper = &ChromeObjectWrapper::singleton;
// If content is accessing NAC, we need a special filter, even if the
// object is same origin. Note that we allow access to NAC for remote-XUL
// whitelisted domains, since they don't have XBL scopes.
} else if (AccessCheck::needsSystemOnlyWrapper(obj) &&
xpc::AllowXBLScope(target) &&
!(targetIsChrome || (targetSubsumesOrigin && nsContentUtils::IsCallerXBL())))
{
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
}
// Normally, a non-xrayable non-waived content object that finds itself in
// a privileged scope is wrapped with a CrossCompartmentWrapper, even though
// the lack of a waiver _really_ should give it an opaque wrapper. This is
// a bit too entrenched to change for content-chrome, but we can at least fix
// it for XBL scopes.
//
// See bug 843829.
else if (targetSubsumesOrigin && !originSubsumesTarget &&
!waiveXrayFlag && xrayType == NotXray &&
IsXBLScope(target))
{
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, GentlyOpaque>::singleton;
}
//
// Now, handle the regular cases.
//
// These are wrappers we can compute using a rule-based approach. In order
// to do so, we need to compute some parameters.
//
else {
// The wrapper is a security wrapper (protecting the wrappee) if and
// only if the target does not subsume the origin.
bool securityWrapper = !targetSubsumesOrigin;
// Xrays are warranted if either the target or the origin don't trust
// each other. This is generally the case, unless the two are same-origin
// and the caller has not requested same-origin Xrays.
//
// Xrays are a bidirectional protection, since it affords clarity to the
// caller and privacy to the callee.
bool wantXrays = !(sameOrigin && !targetdata->wantXrays);
// If Xrays are warranted, the caller may waive them for non-security
// wrappers.
bool waiveXrays = wantXrays && !securityWrapper && waiveXrayFlag;
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays);
}
if (!targetSubsumesOrigin) {
// Do a belt-and-suspenders check against exposing eval()/Function() to
// non-subsuming content.
JSFunction *fun = JS_GetObjectFunction(obj);
if (fun) {
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
JS_ReportError(cx, "Permission denied to expose eval or Function to non-subsuming content");
return nullptr;
}
}
}
DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
if (existing)
return Wrapper::Renew(cx, existing, obj, wrapper);
return Wrapper::New(cx, obj, parent, wrapper);
}
JSObject *
WrapperFactory::PrepareForWrapping(JSContext *cx, HandleObject scope,
HandleObject objArg, unsigned flags)
{
RootedObject obj(cx, objArg);
// Outerize any raw inner objects at the entry point here, so that we don't
// have to worry about them for the rest of the wrapping code.
if (js::IsInnerObject(obj)) {
JSAutoCompartment ac(cx, obj);
obj = JS_ObjectToOuterObject(cx, obj);
NS_ENSURE_TRUE(obj, nullptr);
// The outerization hook wraps, which means that we can end up with a
// CCW here if |obj| was a navigated-away-from inner. Strip any CCWs.
obj = js::UncheckedUnwrap(obj);
MOZ_ASSERT(js::IsOuterObject(obj));
}
// If we've got an outer window, there's nothing special that needs to be
// done here, and we can move on to the next phase of wrapping. We handle
// this case first to allow us to assert against wrappers below.
if (js::IsOuterObject(obj))
return DoubleWrap(cx, obj, flags);
// Here are the rules for wrapping:
// We should never get a proxy here (the JS engine unwraps those for us).
MOZ_ASSERT(!IsWrapper(obj));
// If the object being wrapped is a prototype for a standard class and the
// wrapper does not subsumes the wrappee, use the one from the content
// compartment. This is generally safer all-around, and in the COW case this
// lets us safely take advantage of things like .forEach() via the
// ChromeObjectWrapper machinery.
//
// If the prototype chain of chrome object |obj| looks like this:
//
// obj => foo => bar => chromeWin.StandardClass.prototype
//
// The prototype chain of COW(obj) looks lke this:
//
// COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
//
// NB: We now remap all non-subsuming access of standard prototypes.
//
// NB: We need to ignore domain here so that the security relationship we
// compute here can't change over time. See the comment above the other
// subsumes call below.
bool subsumes = AccessCheck::subsumes(js::GetContextCompartment(cx),
js::GetObjectCompartment(obj));
XrayType xrayType = GetXrayType(obj);
if (!subsumes && xrayType == NotXray) {
JSProtoKey key = JSProto_Null;
{
JSAutoCompartment ac(cx, obj);
key = IdentifyStandardPrototype(obj);
}
if (key != JSProto_Null) {
RootedObject homeProto(cx);
if (!JS_GetClassPrototype(cx, key, &homeProto))
return nullptr;
MOZ_ASSERT(homeProto);
// No need to double-wrap here. We should never have waivers to
// COWs.
return homeProto;
}
}
// Now, our object is ready to be wrapped, but several objects (notably
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
// those objects in a security wrapper, then we need to hand back the
// wrapper for the new scope instead. Also, global objects don't move
// between scopes so for those we also want to return the wrapper. So...
if (!IS_WN_REFLECTOR(obj) || !js::GetObjectParent(obj))
return DoubleWrap(cx, obj, flags);
XPCWrappedNative *wn = XPCWrappedNative::Get(obj);
JSAutoCompartment ac(cx, obj);
XPCCallContext ccx(JS_CALLER, cx, obj);
RootedObject wrapScope(cx, scope);
{
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
// We have a precreate hook. This object might enforce that we only
// ever create JS object for it.
// Note: this penalizes objects that only have one wrapper, but are
// being accessed across compartments. We would really prefer to
// replace the above code with a test that says "do you only have one
// wrapper?"
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
PreCreate(wn->Native(), cx, scope, wrapScope.address());
NS_ENSURE_SUCCESS(rv, DoubleWrap(cx, obj, flags));
// If the handed back scope differs from the passed-in scope and is in
// a separate compartment, then this object is explicitly requesting
// that we don't create a second JS object for it: create a security
// wrapper.
if (js::GetObjectCompartment(scope) != js::GetObjectCompartment(wrapScope))
return DoubleWrap(cx, obj, flags);
RootedObject currentScope(cx, JS_GetGlobalForObject(cx, obj));
if (MOZ_UNLIKELY(wrapScope != currentScope)) {
// The wrapper claims it wants to be in the new scope, but
// currently has a reflection that lives in the old scope. This
// can mean one of two things, both of which are rare:
//
// 1 - The object has a PreCreate hook (we checked for it above),
// but is deciding to request one-wrapper-per-scope (rather than
// one-wrapper-per-native) for some reason. Usually, a PreCreate
// hook indicates one-wrapper-per-native. In this case we want to
// make a new wrapper in the new scope.
//
// 2 - We're midway through wrapper reparenting. The document has
// moved to a new scope, but |wn| hasn't been moved yet, and
// we ended up calling JS_WrapObject() on its JS object. In this
// case, we want to return the existing wrapper.
//
// So we do a trick: call PreCreate _again_, but say that we're
// wrapping for the old scope, rather than the new one. If (1) is
// the case, then PreCreate will return the scope we pass to it
// (the old scope). If (2) is the case, PreCreate will return the
// scope of the document (the new scope).
RootedObject probe(cx);
rv = wn->GetScriptableInfo()->GetCallback()->
PreCreate(wn->Native(), cx, currentScope, probe.address());
// Check for case (2).
if (probe != currentScope) {
MOZ_ASSERT(probe == wrapScope);
return DoubleWrap(cx, obj, flags);
}
// Ok, must be case (1). Fall through and create a new wrapper.
}
// Nasty hack for late-breaking bug 781476. This will confuse identity checks,
// but it's probably better than any of our alternatives.
//
// Note: We have to ignore domain here. The JS engine assumes that, given a
// compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
// it will also return a cross-compartment wrapper for any time t1 > t0 unless
// an explicit transplant is performed. In particular, wrapper recomputation
// assumes that recomputing a wrapper will always result in a wrapper.
//
// This doesn't actually pose a security issue, because we'll still compute
// the correct (opaque) wrapper for the object below given the security
// characteristics of the two compartments.
if (!AccessCheck::isChrome(js::GetObjectCompartment(wrapScope)) &&
AccessCheck::subsumes(js::GetObjectCompartment(wrapScope),
js::GetObjectCompartment(obj)))
{
return DoubleWrap(cx, obj, flags);
}
}
}
// This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
// so we don't have to.
RootedValue v(cx);
nsresult rv =
nsXPConnect::XPConnect()->WrapNativeToJSVal(cx, wrapScope, wn->Native(), nullptr,
&NS_GET_IID(nsISupports), false, &v);
NS_ENSURE_SUCCESS(rv, nullptr);
obj.set(&v.toObject());
MOZ_ASSERT(IS_WN_REFLECTOR(obj), "bad object");
// Because the underlying native didn't have a PreCreate hook, we had
// to a new (or possibly pre-existing) XPCWN in our compartment.
// This could be a problem for chrome code that passes XPCOM objects
// across compartments, because the effects of QI would disappear across
// compartments.
//
// So whenever we pull an XPCWN across compartments in this manner, we
// give the destination object the union of the two native sets. We try
// to do this cleverly in the common case to avoid too much overhead.
XPCWrappedNative *newwn = XPCWrappedNative::Get(obj);
XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(newwn->GetSet(),
wn->GetSet(), false);
if (!unionSet)
return nullptr;
newwn->SetSet(unionSet);
return DoubleWrap(cx, obj, flags);
}
JSObject *
WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
HandleObject wrappedProto, HandleObject parent,
unsigned flags)
{
MOZ_ASSERT(!IsWrapper(obj) ||
GetProxyHandler(obj) == &XrayWaiver ||
js::GetObjectClass(obj)->ext.innerObject,
"wrapped object passed to rewrap");
MOZ_ASSERT(JS_GetClass(obj) != &XrayUtils::HolderClass, "trying to wrap a holder");
MOZ_ASSERT(!js::IsInnerObject(obj));
// We sometimes end up here after nsContentUtils has been shut down but before
// XPConnect has been shut down, so check the context stack the roundabout way.
MOZ_ASSERT(XPCJSRuntime::Get()->GetJSContextStack()->Peek() == cx);
// Compute the information we need to select the right wrapper.
JSCompartment *origin = js::GetObjectCompartment(obj);
JSCompartment *target = js::GetContextCompartment(cx);
bool originIsChrome = AccessCheck::isChrome(origin);
bool targetIsChrome = AccessCheck::isChrome(target);
bool originSubsumesTarget = AccessCheck::subsumes(origin, target);
bool targetSubsumesOrigin = AccessCheck::subsumes(target, origin);
bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
XrayType xrayType = GetXrayType(obj);
bool waiveXrayFlag = flags & WAIVE_XRAY_WRAPPER_FLAG;
// By default we use the wrapped proto of the underlying object as the
// prototype for our wrapper, but we may select something different below.
RootedObject proxyProto(cx, wrappedProto);
Wrapper *wrapper;
CompartmentPrivate *targetdata = EnsureCompartmentPrivate(target);
//
// First, handle the special cases.
//
// If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
// a vanilla CCW.
if (xpc::IsUniversalXPConnectEnabled(target)) {
wrapper = &CrossCompartmentWrapper::singleton;
// If this is a chrome object being exposed to content without Xrays, use
// a COW.
} else if (originIsChrome && !targetIsChrome && xrayType == NotXray) {
wrapper = &ChromeObjectWrapper::singleton;
// If content is accessing a Components object or NAC, we need a special filter,
// even if the object is same origin.
} else if (IsComponentsObject(obj) && !AccessCheck::isChrome(target)) {
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
ComponentsObjectPolicy>::singleton;
} else if (AccessCheck::needsSystemOnlyWrapper(obj) &&
!(targetIsChrome || (targetSubsumesOrigin && nsContentUtils::IsCallerXBL())))
{
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper,
OnlyIfSubjectIsSystem>::singleton;
}
// Normally, a non-xrayable non-waived content object that finds itself in
// a privileged scope is wrapped with a CrossCompartmentWrapper, even though
// the lack of a waiver _really_ should give it an opaque wrapper. This is
// a bit too entrenched to change for content-chrome, but we can at least fix
// it for XBL scopes.
//
// See bug 843829.
else if (targetSubsumesOrigin && !originSubsumesTarget &&
!waiveXrayFlag && xrayType == NotXray &&
IsXBLScope(target))
{
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, GentlyOpaque>::singleton;
}
//
// Now, handle the regular cases.
//
// These are wrappers we can compute using a rule-based approach. In order
// to do so, we need to compute some parameters.
//
else {
// The wrapper is a security wrapper (protecting the wrappee) if and
// only if the target does not subsume the origin.
bool securityWrapper = !targetSubsumesOrigin;
// Xrays are warranted if either the target or the origin don't trust
// each other. This is generally the case, unless the two are same-origin
// and the caller has not requested same-origin Xrays.
//
// Xrays are a bidirectional protection, since it affords clarity to the
// caller and privacy to the callee.
bool wantXrays = !(sameOrigin && !targetdata->wantXrays);
// If Xrays are warranted, the caller may waive them for non-security
// wrappers.
bool waiveXrays = wantXrays && !securityWrapper && waiveXrayFlag;
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays);
}
// If the prototype of a chrome object being wrapped in content is a prototype
// for a standard class, use the one from the content compartment so
// that we can safely take advantage of things like .forEach().
//
// If the prototype chain of chrome object |obj| looks like this:
//
// obj => foo => bar => chromeWin.StandardClass.prototype
//
// The prototype chain of COW(obj) looks lke this:
//
// COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
if (wrapper == &ChromeObjectWrapper::singleton) {
JSProtoKey key = JSProto_Null;
{
JSAutoCompartment ac(cx, obj);
RootedObject unwrappedProto(cx);
if (!js::GetObjectProto(cx, obj, unwrappedProto.address()))
return NULL;
if (unwrappedProto && IsCrossCompartmentWrapper(unwrappedProto))
unwrappedProto = Wrapper::wrappedObject(unwrappedProto);
if (unwrappedProto) {
JSAutoCompartment ac2(cx, unwrappedProto);
key = JS_IdentifyClassPrototype(cx, unwrappedProto);
}
}
if (key != JSProto_Null) {
RootedObject homeProto(cx);
if (!JS_GetClassPrototype(cx, key, homeProto.address()))
return NULL;
MOZ_ASSERT(homeProto);
proxyProto = homeProto;
}
// This shouldn't happen, but do a quick check to make some dumb addon
// doesn't expose chrome eval or Function().
JSFunction *fun = JS_GetObjectFunction(obj);
if (fun) {
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
JS_ReportError(cx, "Not allowed to access chrome eval or Function from content");
return nullptr;
}
}
}
DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
if (existing && proxyProto == wrappedProto)
return Wrapper::Renew(cx, existing, obj, wrapper);
return Wrapper::New(cx, obj, proxyProto, parent, wrapper);
}
JSObject *
WrapperFactory::PrepareForWrapping(JSContext *cx, HandleObject scope,
HandleObject objArg, unsigned flags)
{
RootedObject obj(cx, objArg);
// Outerize any raw inner objects at the entry point here, so that we don't
// have to worry about them for the rest of the wrapping code.
if (js::IsInnerObject(obj)) {
JSAutoCompartment ac(cx, obj);
obj = JS_ObjectToOuterObject(cx, obj);
NS_ENSURE_TRUE(obj, nullptr);
// The outerization hook wraps, which means that we can end up with a
// CCW here if |obj| was a navigated-away-from inner. Strip any CCWs.
obj = js::UncheckedUnwrap(obj);
MOZ_ASSERT(js::IsOuterObject(obj));
}
// If we've got an outer window, there's nothing special that needs to be
// done here, and we can move on to the next phase of wrapping. We handle
// this case first to allow us to assert against wrappers below.
if (js::IsOuterObject(obj))
return DoubleWrap(cx, obj, flags);
// Here are the rules for wrapping:
// We should never get a proxy here (the JS engine unwraps those for us).
MOZ_ASSERT(!IsWrapper(obj));
// As soon as an object is wrapped in a security wrapper, it morphs to be
// a fat wrapper. (see also: bug XXX).
if (IS_SLIM_WRAPPER(obj) && !MorphSlimWrapper(cx, obj))
return nullptr;
// Now, our object is ready to be wrapped, but several objects (notably
// nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
// those objects in a security wrapper, then we need to hand back the
// wrapper for the new scope instead. Also, global objects don't move
// between scopes so for those we also want to return the wrapper. So...
if (!IS_WN_WRAPPER(obj) || !js::GetObjectParent(obj))
return DoubleWrap(cx, obj, flags);
XPCWrappedNative *wn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
JSAutoCompartment ac(cx, obj);
XPCCallContext ccx(JS_CALLER, cx, obj);
RootedObject wrapScope(cx, scope);
{
if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
// We have a precreate hook. This object might enforce that we only
// ever create JS object for it.
// Note: this penalizes objects that only have one wrapper, but are
// being accessed across compartments. We would really prefer to
// replace the above code with a test that says "do you only have one
// wrapper?"
nsresult rv = wn->GetScriptableInfo()->GetCallback()->
PreCreate(wn->Native(), cx, scope, wrapScope.address());
NS_ENSURE_SUCCESS(rv, DoubleWrap(cx, obj, flags));
// If the handed back scope differs from the passed-in scope and is in
// a separate compartment, then this object is explicitly requesting
// that we don't create a second JS object for it: create a security
// wrapper.
if (js::GetObjectCompartment(scope) != js::GetObjectCompartment(wrapScope))
return DoubleWrap(cx, obj, flags);
RootedObject currentScope(cx, JS_GetGlobalForObject(cx, obj));
if (MOZ_UNLIKELY(wrapScope != currentScope)) {
// The wrapper claims it wants to be in the new scope, but
// currently has a reflection that lives in the old scope. This
// can mean one of two things, both of which are rare:
//
// 1 - The object has a PreCreate hook (we checked for it above),
// but is deciding to request one-wrapper-per-scope (rather than
// one-wrapper-per-native) for some reason. Usually, a PreCreate
// hook indicates one-wrapper-per-native. In this case we want to
// make a new wrapper in the new scope.
//
// 2 - We're midway through wrapper reparenting. The document has
// moved to a new scope, but |wn| hasn't been moved yet, and
// we ended up calling JS_WrapObject() on its JS object. In this
// case, we want to return the existing wrapper.
//
// So we do a trick: call PreCreate _again_, but say that we're
// wrapping for the old scope, rather than the new one. If (1) is
// the case, then PreCreate will return the scope we pass to it
// (the old scope). If (2) is the case, PreCreate will return the
// scope of the document (the new scope).
RootedObject probe(cx);
rv = wn->GetScriptableInfo()->GetCallback()->
PreCreate(wn->Native(), cx, currentScope, probe.address());
// Check for case (2).
if (probe != currentScope) {
MOZ_ASSERT(probe == wrapScope);
return DoubleWrap(cx, obj, flags);
}
// Ok, must be case (1). Fall through and create a new wrapper.
}
// Nasty hack for late-breaking bug 781476. This will confuse identity checks,
// but it's probably better than any of our alternatives.
//
// Note: We have to ignore domain here. The JS engine assumes that, given a
// compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
// it will also return a cross-compartment wrapper for any time t1 > t0 unless
// an explicit transplant is performed. In particular, wrapper recomputation
// assumes that recomputing a wrapper will always result in a wrapper.
//
// This doesn't actually pose a security issue, because we'll still compute
// the correct (opaque) wrapper for the object below given the security
// characteristics of the two compartments.
if (!AccessCheck::isChrome(js::GetObjectCompartment(wrapScope)) &&
AccessCheck::subsumesIgnoringDomain(js::GetObjectCompartment(wrapScope),
js::GetObjectCompartment(obj)))
{
return DoubleWrap(cx, obj, flags);
}
}
}
// NB: Passing a holder here inhibits slim wrappers under
// WrapNativeToJSVal.
nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
// This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
// so we don't have to.
RootedValue v(cx);
nsresult rv =
nsXPConnect::FastGetXPConnect()->WrapNativeToJSVal(cx, wrapScope, wn->Native(), nullptr,
&NS_GET_IID(nsISupports), false,
v.address(), getter_AddRefs(holder));
if (NS_SUCCEEDED(rv)) {
obj = JSVAL_TO_OBJECT(v);
NS_ASSERTION(IS_WN_WRAPPER(obj), "bad object");
// Because the underlying native didn't have a PreCreate hook, we had
// to a new (or possibly pre-existing) XPCWN in our compartment.
// This could be a problem for chrome code that passes XPCOM objects
// across compartments, because the effects of QI would disappear across
// compartments.
//
// So whenever we pull an XPCWN across compartments in this manner, we
// give the destination object the union of the two native sets. We try
// to do this cleverly in the common case to avoid too much overhead.
XPCWrappedNative *newwn = static_cast<XPCWrappedNative *>(xpc_GetJSPrivate(obj));
XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(ccx, newwn->GetSet(),
wn->GetSet(), false);
if (!unionSet)
return nullptr;
newwn->SetSet(unionSet);
}
return DoubleWrap(cx, obj, flags);
}
JSObject *
WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
HandleObject parent)
{
MOZ_ASSERT(!IsWrapper(obj) ||
GetProxyHandler(obj) == &XrayWaiver ||
js::GetObjectClass(obj)->ext.innerObject,
"wrapped object passed to rewrap");
MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
MOZ_ASSERT(!js::IsInnerObject(obj));
// We sometimes end up here after nsContentUtils has been shut down but before
// XPConnect has been shut down, so check the context stack the roundabout way.
MOZ_ASSERT(XPCJSRuntime::Get()->GetJSContextStack()->Peek() == cx);
// Compute the information we need to select the right wrapper.
JSCompartment *origin = js::GetObjectCompartment(obj);
JSCompartment *target = js::GetContextCompartment(cx);
bool originIsChrome = AccessCheck::isChrome(origin);
bool targetIsChrome = AccessCheck::isChrome(target);
bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
XrayType xrayType = GetXrayType(obj);
const Wrapper *wrapper;
//
// First, handle the special cases.
//
// If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
// a vanilla CCW.
if (xpc::IsUniversalXPConnectEnabled(target)) {
CrashIfNotInAutomation();
wrapper = &CrossCompartmentWrapper::singleton;
}
// Let the SpecialPowers scope make its stuff easily accessible to content.
else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
CrashIfNotInAutomation();
wrapper = &CrossCompartmentWrapper::singleton;
}
// If this is a chrome object being exposed to content without Xrays, use
// a COW.
//
// We make an exception for Object instances, because we still rely on COWs
// for those in a lot of places in the tree.
else if (originIsChrome && !targetIsChrome &&
(xrayType == NotXray || ForceCOWBehavior(obj)))
{
wrapper = &ChromeObjectWrapper::singleton;
}
//
// Now, handle the regular cases.
//
// These are wrappers we can compute using a rule-based approach. In order
// to do so, we need to compute some parameters.
//
else {
// The wrapper is a security wrapper (protecting the wrappee) if and
// only if the target does not subsume the origin.
bool securityWrapper = !targetSubsumesOrigin;
// Xrays are warranted if either the target or the origin don't trust
// each other. This is generally the case, unless the two are same-origin
// and the caller has not requested same-origin Xrays.
//
// Xrays are a bidirectional protection, since it affords clarity to the
// caller and privacy to the callee.
bool sameOriginXrays = CompartmentPrivate::Get(origin)->wantXrays ||
CompartmentPrivate::Get(target)->wantXrays;
bool wantXrays = !sameOrigin || sameOriginXrays;
// If Xrays are warranted, the caller may waive them for non-security
// wrappers.
bool waiveXrays = wantXrays && !securityWrapper && HasWaiveXrayFlag(obj);
// We have slightly different behavior for the case when the object
// being wrapped is in an XBL scope.
bool originIsContentXBLScope = IsContentXBLScope(origin);
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays,
originIsContentXBLScope);
// If we want to apply add-on interposition in the target compartment,
// then we try to "upgrade" the wrapper to an interposing one.
if (CompartmentPrivate::Get(target)->scope->HasInterposition())
wrapper = SelectAddonWrapper(cx, obj, wrapper);
}
if (!targetSubsumesOrigin) {
// Do a belt-and-suspenders check against exposing eval()/Function() to
// non-subsuming content.
if (JSFunction *fun = JS_GetObjectFunction(obj)) {
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
NS_WARNING("Trying to expose eval or Function to non-subsuming content!");
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
}
}
}
DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
if (existing)
return Wrapper::Renew(cx, existing, obj, wrapper);
return Wrapper::New(cx, obj, parent, wrapper);
}
JSObject*
WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj)
{
MOZ_ASSERT(!IsWrapper(obj) ||
GetProxyHandler(obj) == &XrayWaiver ||
js::IsWindowProxy(obj),
"wrapped object passed to rewrap");
MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(JS_GetClass(obj)), "trying to wrap a holder");
MOZ_ASSERT(!js::IsWindow(obj));
MOZ_ASSERT(dom::IsJSAPIActive());
// Compute the information we need to select the right wrapper.
JSCompartment* origin = js::GetObjectCompartment(obj);
JSCompartment* target = js::GetContextCompartment(cx);
bool originIsChrome = AccessCheck::isChrome(origin);
bool targetIsChrome = AccessCheck::isChrome(target);
bool originSubsumesTarget = AccessCheck::subsumesConsideringDomain(origin, target);
bool targetSubsumesOrigin = AccessCheck::subsumesConsideringDomain(target, origin);
bool sameOrigin = targetSubsumesOrigin && originSubsumesTarget;
XrayType xrayType = GetXrayType(obj);
const Wrapper* wrapper;
//
// First, handle the special cases.
//
// If UniversalXPConnect is enabled, this is just some dumb mochitest. Use
// a vanilla CCW.
if (xpc::IsUniversalXPConnectEnabled(target)) {
CrashIfNotInAutomation();
wrapper = &CrossCompartmentWrapper::singleton;
}
// Let the SpecialPowers scope make its stuff easily accessible to content.
else if (CompartmentPrivate::Get(origin)->forcePermissiveCOWs) {
CrashIfNotInAutomation();
wrapper = &CrossCompartmentWrapper::singleton;
}
// Special handling for chrome objects being exposed to content.
else if (originIsChrome && !targetIsChrome) {
// If this is a chrome function being exposed to content, we need to allow
// call (but nothing else). We allow CPOWs that purport to be function's
// here, but only in the content process.
if ((IdentifyStandardInstance(obj) == JSProto_Function ||
(jsipc::IsCPOW(obj) && JS::IsCallable(obj) &&
XRE_IsContentProcess())))
{
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, OpaqueWithCall>::singleton;
}
// For Vanilla JSObjects exposed from chrome to content, we use a wrapper
// that supports __exposedProps__. We'd like to get rid of these eventually,
// but in their current form they don't cause much trouble.
else if (IdentifyStandardInstance(obj) == JSProto_Object) {
wrapper = &ChromeObjectWrapper::singleton;
}
// Otherwise we get an opaque wrapper.
else {
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
}
}
//
// Now, handle the regular cases.
//
// These are wrappers we can compute using a rule-based approach. In order
// to do so, we need to compute some parameters.
//
else {
// The wrapper is a security wrapper (protecting the wrappee) if and
// only if the target does not subsume the origin.
bool securityWrapper = !targetSubsumesOrigin;
// Xrays are warranted if either the target or the origin don't trust
// each other. This is generally the case, unless the two are same-origin
// and the caller has not requested same-origin Xrays.
//
// Xrays are a bidirectional protection, since it affords clarity to the
// caller and privacy to the callee.
bool sameOriginXrays = CompartmentPrivate::Get(origin)->wantXrays ||
CompartmentPrivate::Get(target)->wantXrays;
bool wantXrays = !sameOrigin || sameOriginXrays;
// If Xrays are warranted, the caller may waive them for non-security
// wrappers (unless explicitly forbidden from doing so).
bool waiveXrays = wantXrays && !securityWrapper &&
CompartmentPrivate::Get(target)->allowWaivers &&
HasWaiveXrayFlag(obj);
// We have slightly different behavior for the case when the object
// being wrapped is in an XBL scope.
bool originIsContentXBLScope = IsContentXBLScope(origin);
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays,
originIsContentXBLScope, obj);
// If we want to apply add-on interposition in the target compartment,
// then we try to "upgrade" the wrapper to an interposing one.
if (CompartmentPrivate::Get(target)->scope->HasInterposition())
wrapper = SelectAddonWrapper(cx, obj, wrapper);
}
if (!targetSubsumesOrigin) {
// Do a belt-and-suspenders check against exposing eval()/Function() to
// non-subsuming content.
if (JSFunction* fun = JS_GetObjectFunction(obj)) {
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
NS_WARNING("Trying to expose eval or Function to non-subsuming content!");
wrapper = &FilteringWrapper<CrossCompartmentSecurityWrapper, Opaque>::singleton;
}
}
}
DEBUG_CheckUnwrapSafety(obj, wrapper, origin, target);
if (existing)
return Wrapper::Renew(cx, existing, obj, wrapper);
return Wrapper::New(cx, obj, wrapper);
}
