namespace dom {
static bool
ShouldExposeChildWindow(nsString& aNameBeingResolved, nsPIDOMWindowOuter* aChild)
{
Element* e = aChild->GetFrameElementInternal();
if (e && e->IsInShadowTree()) {
return false;
}
// If we're same-origin with the child, go ahead and expose it.
nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild);
NS_ENSURE_TRUE(sop, false);
if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) {
return true;
}
// If we're not same-origin, expose it _only_ if the name of the browsing
// context matches the 'name' attribute of the frame element in the parent.
// The motivations behind this heuristic are worth explaining here.
//
// Historically, all UAs supported global named access to any child browsing
// context (that is to say, window.dolske returns a child frame where either
// the "name" attribute on the frame element was set to "dolske", or where
// the child explicitly set window.name = "dolske").
//
// This is problematic because it allows possibly-malicious and unrelated
// cross-origin subframes to pollute the global namespace of their parent in
// unpredictable ways (see bug 860494). This is also problematic for browser
// engines like Servo that want to run cross-origin script on different
// threads.
//
// The naive solution here would be to filter out any cross-origin subframes
// obtained when doing named lookup in global scope. But that is unlikely to
// be web-compatible, since it will break named access for consumers that do
// <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
// expect to be able to access the cross-origin subframe via named lookup on
// the global.
//
// The optimal behavior would be to do the following:
// (a) Look for any child browsing context with name="dolske".
// (b) If the result is cross-origin, null it out.
// (c) If we have null, look for a frame element whose 'name' attribute is
// "dolske".
//
// Unfortunately, (c) would require some engineering effort to be performant
// in Gecko, and probably in other UAs as well. So we go with a simpler
// approximation of the above. This approximation will only break sites that
// rely on their cross-origin subframes setting window.name to a known value,
// which is unlikely to be very common. And while it does introduce a
// dependency on cross-origin state when doing global lookups, it doesn't
// allow the child to arbitrarily pollute the parent namespace, and requires
// cross-origin communication only in a limited set of cases that can be
// computed independently by the parent.
return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
aNameBeingResolved, eCaseMatters);
}
bool
WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId,
bool /* unused */,
JS::MutableHandle<JS::PropertyDescriptor> aDesc)
const
{
if (!JSID_IS_STRING(aId)) {
// Nothing to do if we're resolving a non-string property.
return true;
}
bool hasOnPrototype;
if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) {
return false;
}
if (hasOnPrototype) {
return true;
}
nsAutoJSString str;
if (!str.init(aCx, JSID_TO_STRING(aId))) {
return false;
}
if(str.IsEmpty()) {
return true;
}
// Grab the DOM window.
JS::Rooted<JSObject*> global(aCx, JS_GetGlobalForObject(aCx, aProxy));
nsGlobalWindow* win = xpc::WindowOrNull(global);
if (win->Length() > 0) {
nsCOMPtr<nsPIDOMWindowOuter> childWin = win->GetChildWindow(str);
if (childWin && ShouldExposeChildWindow(str, childWin)) {
// We found a subframe of the right name. Shadowing via |var foo| in
// global scope is still allowed, since |var| only looks up |own|
// properties. But unqualified shadowing will fail, per-spec.
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, childWin, &v)) {
return false;
}
FillPropertyDescriptor(aDesc, aProxy, 0, v);
return true;
}
}
// The rest of this function is for HTML documents only.
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
if (!htmlDoc) {
return true;
}
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
Element* element = document->GetElementById(str);
if (element) {
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, element, &v)) {
return false;
}
FillPropertyDescriptor(aDesc, aProxy, 0, v);
return true;
}
nsWrapperCache* cache;
nsISupports* result = document->ResolveName(str, &cache);
if (!result) {
return true;
}
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, result, cache, nullptr, &v)) {
return false;
}
FillPropertyDescriptor(aDesc, aProxy, 0, v);
return true;
}
bool
WindowNamedPropertiesHandler::defineProperty(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId,
JS::Handle<JS::PropertyDescriptor> aDesc,
JS::ObjectOpResult &result) const
{
ErrorResult rv;
rv.ThrowTypeError<MSG_DEFINEPROPERTY_ON_GSP>();
rv.MaybeSetPendingException(aCx);
return false;
}
bool
WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
unsigned flags,
JS::AutoIdVector& aProps) const
{
if (!(flags & JSITER_HIDDEN)) {
// None of our named properties are enumerable.
return true;
}
// Grab the DOM window.
nsGlobalWindow* win = xpc::WindowOrNull(JS_GetGlobalForObject(aCx, aProxy));
nsTArray<nsString> names;
// The names live on the outer window, which might be null
nsGlobalWindow* outer = win->GetOuterWindowInternal();
if (outer) {
nsDOMWindowList* childWindows = outer->GetWindowList();
if (childWindows) {
uint32_t length = childWindows->GetLength();
for (uint32_t i = 0; i < length; ++i) {
nsCOMPtr<nsIDocShellTreeItem> item =
childWindows->GetDocShellTreeItemAt(i);
// This is a bit silly, since we could presumably just do
// item->GetWindow(). But it's not obvious whether this does the same
// thing as GetChildWindow() with the item's name (due to the complexity
// of FindChildWithName). Since GetChildWindow is what we use in
// getOwnPropDescriptor, let's try to be consistent.
nsString name;
item->GetName(name);
if (!names.Contains(name)) {
// Make sure we really would expose it from getOwnPropDescriptor.
nsCOMPtr<nsPIDOMWindowOuter> childWin = win->GetChildWindow(name);
if (childWin && ShouldExposeChildWindow(name, childWin)) {
names.AppendElement(name);
}
}
}
}
}
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
return false;
}
names.Clear();
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
if (!htmlDoc) {
return true;
}
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
// Document names are enumerable, so we want to get them no matter what flags
// is.
document->GetSupportedNames(names);
JS::AutoIdVector docProps(aCx);
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) {
return false;
}
return js::AppendUnique(aCx, aProps, docProps);
}
bool
WindowNamedPropertiesHandler::delete_(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId,
JS::ObjectOpResult &aResult) const
{
return aResult.failCantDeleteWindowNamedProperty();
}
static bool
ResolveWindowNamedProperty(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
JS::Handle<JSObject*> aObj, JS::Handle<jsid> aId,
JS::MutableHandle<JS::PropertyDescriptor> aDesc)
{
{
JSAutoCompartment ac(aCx, aObj);
if (!js::GetProxyHandler(aObj)->getOwnPropertyDescriptor(aCx, aObj, aId,
aDesc)) {
return false;
}
}
if (aDesc.object()) {
aDesc.object().set(aWrapper);
return JS_WrapPropertyDescriptor(aCx, aDesc);
}
return true;
}
static bool
EnumerateWindowNamedProperties(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
JS::Handle<JSObject*> aObj,
JS::AutoIdVector& aProps)
{
JSAutoCompartment ac(aCx, aObj);
return js::GetProxyHandler(aObj)->ownPropertyKeys(aCx, aObj, aProps);
}
const NativePropertyHooks sWindowNamedPropertiesNativePropertyHooks[] = { {
ResolveWindowNamedProperty,
EnumerateWindowNamedProperties,
nullptr,
{ nullptr, nullptr },
prototypes::id::_ID_Count,
constructors::id::_ID_Count,
nullptr
} };
static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = {
PROXY_CLASS_DEF("WindowProperties",
JSCLASS_IS_DOMIFACEANDPROTOJSCLASS),
eNamedPropertiesObject,
false,
prototypes::id::_ID_Count,
0,
sWindowNamedPropertiesNativePropertyHooks,
"[object WindowProperties]",
EventTargetBinding::GetProtoObject
};
// static
JSObject*
WindowNamedPropertiesHandler::Create(JSContext* aCx,
JS::Handle<JSObject*> aProto)
{
// Note: since the scope polluter proxy lives on the window's prototype
// chain, it needs a singleton type to avoid polluting type information
// for properties on the window.
js::ProxyOptions options;
options.setSingleton(true);
options.setClass(&WindowNamedPropertiesClass.mBase);
JS::Rooted<JSObject*> gsp(aCx);
gsp = js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
JS::NullHandleValue, aProto,
options);
if (!gsp) {
return nullptr;
}
bool succeeded;
if (!JS_SetImmutablePrototype(aCx, gsp, &succeeded)) {
return nullptr;
}
MOZ_ASSERT(succeeded,
"errors making the [[Prototype]] of the named properties object "
"immutable should have been JSAPI failures, not !succeeded");
return gsp;
}
} // namespace dom
nsCycleCollectionTraversalCallback& aCb) const override {
auto location =
static_cast<BrowsingContext::LocationProxy*>(GetNative(aProxy));
CycleCollectionNoteChild(aCb, location->GetBrowsingContext(),
"js::GetObjectPrivate(obj)->GetBrowsingContext()");
}
};
static const RemoteLocationProxy sSingleton;
// Give RemoteLocationProxy 2 reserved slots, like the other wrappers,
// so JSObject::swap can swap it with CrossCompartmentWrappers without requiring
// malloc.
template <>
const js::Class RemoteLocationProxy::Base::sClass =
PROXY_CLASS_DEF("Proxy", JSCLASS_HAS_RESERVED_SLOTS(2));
void BrowsingContext::Location(JSContext* aCx,
JS::MutableHandle<JSObject*> aLocation,
ErrorResult& aError) {
aError.MightThrowJSException();
sSingleton.GetProxyObject(aCx, &mLocation, aLocation);
if (!aLocation) {
aError.StealExceptionFromJSContext(aCx);
}
}
void BrowsingContext::Close(CallerType aCallerType, ErrorResult& aError) {
// FIXME We need to set mClosed, but only once we're sending the
// DOMWindowClose event (which happens in the process where the
// document for this browsing context is loaded).
namespace dom {
static bool
ShouldExposeChildWindow(nsString& aNameBeingResolved, nsIDOMWindow *aChild)
{
// If we're same-origin with the child, go ahead and expose it.
nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild);
NS_ENSURE_TRUE(sop, false);
if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) {
return true;
}
// If we're not same-origin, expose it _only_ if the name of the browsing
// context matches the 'name' attribute of the frame element in the parent.
// The motivations behind this heuristic are worth explaining here.
//
// Historically, all UAs supported global named access to any child browsing
// context (that is to say, window.dolske returns a child frame where either
// the "name" attribute on the frame element was set to "dolske", or where
// the child explicitly set window.name = "dolske").
//
// This is problematic because it allows possibly-malicious and unrelated
// cross-origin subframes to pollute the global namespace of their parent in
// unpredictable ways (see bug 860494). This is also problematic for browser
// engines like Servo that want to run cross-origin script on different
// threads.
//
// The naive solution here would be to filter out any cross-origin subframes
// obtained when doing named lookup in global scope. But that is unlikely to
// be web-compatible, since it will break named access for consumers that do
// <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
// expect to be able to access the cross-origin subframe via named lookup on
// the global.
//
// The optimal behavior would be to do the following:
// (a) Look for any child browsing context with name="dolske".
// (b) If the result is cross-origin, null it out.
// (c) If we have null, look for a frame element whose 'name' attribute is
// "dolske".
//
// Unfortunately, (c) would require some engineering effort to be performant
// in Goanna, and probably in other UAs as well. So we go with a simpler
// approximation of the above. This approximation will only break sites that
// rely on their cross-origin subframes setting window.name to a known value,
// which is unlikely to be very common. And while it does introduce a
// dependency on cross-origin state when doing global lookups, it doesn't
// allow the child to arbitrarily pollute the parent namespace, and requires
// cross-origin communication only in a limited set of cases that can be
// computed independently by the parent.
nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
NS_ENSURE_TRUE(piWin, false);
Element* e = piWin->GetFrameElementInternal();
return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
aNameBeingResolved, eCaseMatters);
}
bool
WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId,
bool /* unused */,
JS::MutableHandle<JSPropertyDescriptor> aDesc)
const
{
if (!JSID_IS_STRING(aId)) {
// Nothing to do if we're resolving a non-string property.
return true;
}
bool hasOnPrototype;
if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) {
return false;
}
if (hasOnPrototype) {
return true;
}
nsAutoJSString str;
if (!str.init(aCx, JSID_TO_STRING(aId))) {
return false;
}
// Grab the DOM window.
JS::Rooted<JSObject*> global(aCx, JS_GetGlobalForObject(aCx, aProxy));
nsGlobalWindow* win = xpc::WindowOrNull(global);
if (win->Length() > 0) {
nsCOMPtr<nsIDOMWindow> childWin = win->GetChildWindow(str);
if (childWin && ShouldExposeChildWindow(str, childWin)) {
// We found a subframe of the right name. Shadowing via |var foo| in
// global scope is still allowed, since |var| only looks up |own|
// properties. But unqualified shadowing will fail, per-spec.
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, childWin, &v)) {
return false;
}
aDesc.object().set(aProxy);
aDesc.value().set(v);
aDesc.setAttributes(JSPROP_ENUMERATE);
return true;
}
}
// The rest of this function is for HTML documents only.
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
if (!htmlDoc) {
return true;
}
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
Element* element = document->GetElementById(str);
if (element) {
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, element, &v)) {
return false;
}
aDesc.object().set(aProxy);
aDesc.value().set(v);
aDesc.setAttributes(JSPROP_ENUMERATE);
return true;
}
nsWrapperCache* cache;
nsISupports* result = document->ResolveName(str, &cache);
if (!result) {
return true;
}
JS::Rooted<JS::Value> v(aCx);
if (!WrapObject(aCx, result, cache, nullptr, &v)) {
return false;
}
aDesc.object().set(aProxy);
aDesc.value().set(v);
aDesc.setAttributes(JSPROP_ENUMERATE);
return true;
}
bool
WindowNamedPropertiesHandler::defineProperty(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId,
JS::MutableHandle<JSPropertyDescriptor> aDesc) const
{
ErrorResult rv;
rv.ThrowTypeError(MSG_DEFINEPROPERTY_ON_GSP);
rv.ReportErrorWithMessage(aCx);
return false;
}
bool
WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
unsigned flags,
JS::AutoIdVector& aProps) const
{
// Grab the DOM window.
nsGlobalWindow* win = xpc::WindowOrNull(JS_GetGlobalForObject(aCx, aProxy));
nsTArray<nsString> names;
win->GetSupportedNames(names);
// Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
// We iterate backwards so we can remove things from the list easily.
for (size_t i = names.Length(); i > 0; ) {
--i; // Now we're pointing at the next name we want to look at
nsIDOMWindow* childWin = win->GetChildWindow(names[i]);
if (!childWin || !ShouldExposeChildWindow(names[i], childWin)) {
names.RemoveElementAt(i);
}
}
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
return false;
}
names.Clear();
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
if (!htmlDoc) {
return true;
}
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
document->GetSupportedNames(flags, names);
JS::AutoIdVector docProps(aCx);
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) {
return false;
}
return js::AppendUnique(aCx, aProps, docProps);
}
bool
WindowNamedPropertiesHandler::delete_(JSContext* aCx,
JS::Handle<JSObject*> aProxy,
JS::Handle<jsid> aId, bool* aBp) const
{
*aBp = false;
return true;
}
static bool
ResolveWindowNamedProperty(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
JS::Handle<JSObject*> aObj, JS::Handle<jsid> aId,
JS::MutableHandle<JSPropertyDescriptor> aDesc)
{
{
JSAutoCompartment ac(aCx, aObj);
if (!js::GetProxyHandler(aObj)->getOwnPropertyDescriptor(aCx, aObj, aId,
aDesc)) {
return false;
}
}
if (aDesc.object()) {
aDesc.object().set(aWrapper);
return JS_WrapPropertyDescriptor(aCx, aDesc);
}
return true;
}
static bool
EnumerateWindowNamedProperties(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
JS::Handle<JSObject*> aObj,
JS::AutoIdVector& aProps)
{
JSAutoCompartment ac(aCx, aObj);
return js::GetProxyHandler(aObj)->ownPropertyKeys(aCx, aObj, aProps);
}
const NativePropertyHooks sWindowNamedPropertiesNativePropertyHooks[] = { {
ResolveWindowNamedProperty,
EnumerateWindowNamedProperties,
{ nullptr, nullptr },
prototypes::id::_ID_Count,
constructors::id::_ID_Count,
nullptr
}
};
static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = {
PROXY_CLASS_DEF("WindowProperties",
JSCLASS_IS_DOMIFACEANDPROTOJSCLASS),
eNamedPropertiesObject,
sWindowNamedPropertiesNativePropertyHooks,
"[object WindowProperties]",
prototypes::id::_ID_Count,
0,
EventTargetBinding::GetProtoObject
};
// static
JSObject*
WindowNamedPropertiesHandler::Create(JSContext* aCx,
JS::Handle<JSObject*> aProto)
{
// Note: since the scope polluter proxy lives on the window's prototype
// chain, it needs a singleton type to avoid polluting type information
// for properties on the window.
JS::Rooted<JSObject*> gsp(aCx);
js::ProxyOptions options;
options.setSingleton(true);
options.setClass(&WindowNamedPropertiesClass.mBase);
return js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
JS::NullHandleValue, aProto,
js::GetGlobalForObjectCrossCompartment(aProto),
options);
}
} // namespace dom
