void
AutoJSAPI::ReportException()
{
MOZ_ASSERT(OwnsErrorReporting(), "This is not our exception to report!");
if (!HasException()) {
return;
}
// AutoJSAPI uses a JSAutoNullableCompartment, and may be in a null
// compartment when the destructor is called. However, the JS engine
// requires us to be in a compartment when we fetch the pending exception.
// In this case, we enter the privileged junk scope and don't dispatch any
// error events.
JS::Rooted<JSObject*> errorGlobal(cx(), JS::CurrentGlobalOrNull(cx()));
if (!errorGlobal) {
if (mIsMainThread) {
errorGlobal = xpc::PrivilegedJunkScope();
} else {
errorGlobal = workers::GetCurrentThreadWorkerGlobal();
}
}
JSAutoCompartment ac(cx(), errorGlobal);
JS::Rooted<JS::Value> exn(cx());
js::ErrorReport jsReport(cx());
if (StealException(&exn) && jsReport.init(cx(), exn)) {
if (mIsMainThread) {
RefPtr<xpc::ErrorReport> xpcReport = new xpc::ErrorReport();
RefPtr<nsGlobalWindow> win = xpc::WindowGlobalOrNull(errorGlobal);
nsPIDOMWindowInner* inner = win ? win->AsInner() : nullptr;
xpcReport->Init(jsReport.report(), jsReport.message(),
nsContentUtils::IsCallerChrome(),
inner ? inner->WindowID() : 0);
if (inner) {
DispatchScriptErrorEvent(inner, JS_GetRuntime(cx()), xpcReport, exn);
} else {
xpcReport->LogToConsole();
}
} else {
// On a worker, we just use the worker error reporting mechanism and don't
// bother with xpc::ErrorReport. This will ensure that all the right
// events (which are a lot more complicated than in the window case) get
// fired.
workers::WorkerPrivate* worker = workers::GetCurrentThreadWorkerPrivate();
MOZ_ASSERT(worker);
MOZ_ASSERT(worker->GetJSContext() == cx());
// Before invoking ReportError, put the exception back on the context,
// because it may want to put it in its error events and has no other way
// to get hold of it. After we invoke ReportError, clear the exception on
// cx(), just in case ReportError didn't.
JS_SetPendingException(cx(), exn);
worker->ReportError(cx(), jsReport.message(), jsReport.report());
ClearException();
}
} else {
NS_WARNING("OOMed while acquiring uncaught exception from JSAPI");
ClearException();
}
}
NS_IMETHODIMP
PostMessageEvent::Run()
{
MOZ_ASSERT(mTargetWindow->IsOuterWindow(),
"should have been passed an outer window!");
MOZ_ASSERT(!mSource || mSource->IsOuterWindow(),
"should have been passed an outer window!");
AutoJSAPI jsapi;
jsapi.Init();
JSContext* cx = jsapi.cx();
// The document is just used for the principal mismatch error message below.
// Use a stack variable so mSourceDocument is not held onto after this method
// finishes, regardless of the method outcome.
nsCOMPtr<nsIDocument> sourceDocument;
sourceDocument.swap(mSourceDocument);
// If we bailed before this point we're going to leak mMessage, but
// that's probably better than crashing.
RefPtr<nsGlobalWindow> targetWindow;
if (mTargetWindow->IsClosedOrClosing() ||
!(targetWindow = mTargetWindow->GetCurrentInnerWindowInternal()) ||
targetWindow->IsClosedOrClosing())
return NS_OK;
MOZ_ASSERT(targetWindow->IsInnerWindow(),
"we ordered an inner window!");
JSAutoCompartment ac(cx, targetWindow->GetWrapperPreserveColor());
// Ensure that any origin which might have been provided is the origin of this
// window's document. Note that we do this *now* instead of when postMessage
// is called because the target window might have been navigated to a
// different location between then and now. If this check happened when
// postMessage was called, it would be fairly easy for a malicious webpage to
// intercept messages intended for another site by carefully timing navigation
// of the target window so it changed location after postMessage but before
// now.
if (mProvidedPrincipal) {
// Get the target's origin either from its principal or, in the case the
// principal doesn't carry a URI (e.g. the system principal), the target's
// document.
nsIPrincipal* targetPrin = targetWindow->GetPrincipal();
if (NS_WARN_IF(!targetPrin))
return NS_OK;
// Note: This is contrary to the spec with respect to file: URLs, which
// the spec groups into a single origin, but given we intentionally
// don't do that in other places it seems better to hold the line for
// now. Long-term, we want HTML5 to address this so that we can
// be compliant while being safer.
if (!targetPrin->Equals(mProvidedPrincipal)) {
nsAutoString providedOrigin, targetOrigin;
nsresult rv = nsContentUtils::GetUTFOrigin(targetPrin, targetOrigin);
NS_ENSURE_SUCCESS(rv, rv);
rv = nsContentUtils::GetUTFOrigin(mProvidedPrincipal, providedOrigin);
NS_ENSURE_SUCCESS(rv, rv);
const char16_t* params[] = { providedOrigin.get(), targetOrigin.get() };
nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
NS_LITERAL_CSTRING("DOM Window"), sourceDocument,
nsContentUtils::eDOM_PROPERTIES,
"TargetPrincipalDoesNotMatch",
params, ArrayLength(params));
return NS_OK;
}
}
ErrorResult rv;
JS::Rooted<JS::Value> messageData(cx);
nsCOMPtr<nsPIDOMWindowInner> window = targetWindow->AsInner();
Read(window, cx, &messageData, rv);
if (NS_WARN_IF(rv.Failed())) {
return rv.StealNSResult();
}
// Create the event
nsCOMPtr<mozilla::dom::EventTarget> eventTarget = do_QueryObject(targetWindow);
RefPtr<MessageEvent> event =
new MessageEvent(eventTarget, nullptr, nullptr);
Nullable<WindowProxyOrMessagePort> source;
source.SetValue().SetAsWindowProxy() = mSource ? mSource->AsOuter() : nullptr;
event->InitMessageEvent(nullptr, NS_LITERAL_STRING("message"),
false /*non-bubbling */, false /*cancelable */,
messageData, mCallerOrigin,
EmptyString(), source, nullptr);
nsTArray<RefPtr<MessagePort>> ports = TakeTransferredPorts();
event->SetPorts(new MessagePortList(static_cast<dom::Event*>(event.get()),
ports));
// We can't simply call dispatchEvent on the window because doing so ends
// up flipping the trusted bit on the event, and we don't want that to
// happen because then untrusted content can call postMessage on a chrome
// window if it can get a reference to it.
nsIPresShell *shell = targetWindow->GetExtantDoc()->GetShell();
RefPtr<nsPresContext> presContext;
if (shell)
presContext = shell->GetPresContext();
event->SetTrusted(mTrustedCaller);
WidgetEvent* internalEvent = event->GetInternalNSEvent();
nsEventStatus status = nsEventStatus_eIgnore;
EventDispatcher::Dispatch(window,
presContext,
internalEvent,
static_cast<dom::Event*>(event.get()),
&status);
return NS_OK;
}
void
AutoJSAPI::ReportException()
{
if (!HasException()) {
return;
}
// AutoJSAPI uses a JSAutoNullableCompartment, and may be in a null
// compartment when the destructor is called. However, the JS engine
// requires us to be in a compartment when we fetch the pending exception.
// In this case, we enter the privileged junk scope and don't dispatch any
// error events.
JS::Rooted<JSObject*> errorGlobal(cx(), JS::CurrentGlobalOrNull(cx()));
if (!errorGlobal) {
if (mIsMainThread) {
errorGlobal = xpc::PrivilegedJunkScope();
} else {
errorGlobal = workers::GetCurrentThreadWorkerGlobal();
}
}
JSAutoCompartment ac(cx(), errorGlobal);
JS::Rooted<JS::Value> exn(cx());
js::ErrorReport jsReport(cx());
if (StealException(&exn) &&
jsReport.init(cx(), exn, js::ErrorReport::WithSideEffects)) {
if (mIsMainThread) {
RefPtr<xpc::ErrorReport> xpcReport = new xpc::ErrorReport();
RefPtr<nsGlobalWindow> win = xpc::WindowGlobalOrNull(errorGlobal);
if (!win) {
// We run addons in a separate privileged compartment, but they still
// expect to trigger the onerror handler of their associated DOM Window.
win = xpc::AddonWindowOrNull(errorGlobal);
}
nsPIDOMWindowInner* inner = win ? win->AsInner() : nullptr;
xpcReport->Init(jsReport.report(), jsReport.toStringResult().c_str(),
nsContentUtils::IsCallerChrome(),
inner ? inner->WindowID() : 0);
if (inner && jsReport.report()->errorNumber != JSMSG_OUT_OF_MEMORY) {
JS::RootingContext* rcx = JS::RootingContext::get(cx());
DispatchScriptErrorEvent(inner, rcx, xpcReport, exn);
} else {
JS::Rooted<JSObject*> stack(cx(),
xpc::FindExceptionStackForConsoleReport(inner, exn));
xpcReport->LogToConsoleWithStack(stack);
}
} else {
// On a worker, we just use the worker error reporting mechanism and don't
// bother with xpc::ErrorReport. This will ensure that all the right
// events (which are a lot more complicated than in the window case) get
// fired.
workers::WorkerPrivate* worker = workers::GetCurrentThreadWorkerPrivate();
MOZ_ASSERT(worker);
MOZ_ASSERT(worker->GetJSContext() == cx());
// Before invoking ReportError, put the exception back on the context,
// because it may want to put it in its error events and has no other way
// to get hold of it. After we invoke ReportError, clear the exception on
// cx(), just in case ReportError didn't.
JS_SetPendingException(cx(), exn);
worker->ReportError(cx(), jsReport.toStringResult(), jsReport.report());
ClearException();
}
} else {
NS_WARNING("OOMed while acquiring uncaught exception from JSAPI");
ClearException();
}
}