gecko-dev/js/xpconnect/wrappers/AccessCheck.h

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=4 sw=4 et tw=99 ft=cpp:
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __AccessCheck_h__
#define __AccessCheck_h__

#include "jsapi.h"
#include "jswrapper.h"

class nsIPrincipal;

namespace xpc {

class AccessCheck {
  public:
    static bool subsumes(JSCompartment *a, JSCompartment *b);
    static bool subsumes(JSObject *a, JSObject *b);
    static bool wrapperSubsumes(JSObject *wrapper);
    static bool subsumesIgnoringDomain(JSCompartment *a, JSCompartment *b);
    static bool isChrome(JSCompartment *compartment);
    static bool isChrome(JSObject *obj);
    static bool callerIsChrome();
    static nsIPrincipal *getPrincipal(JSCompartment *compartment);
    static bool isCrossOriginAccessPermitted(JSContext *cx, JSObject *obj, jsid id,
                                             js::Wrapper::Action act);

    static bool needsSystemOnlyWrapper(JSObject *obj);
};

struct Policy {
};

// This policy only allows calling the underlying callable. All other operations throw.
struct Opaque : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return act == js::Wrapper::CALL;
    }
    static bool deny(js::Wrapper::Action act) {
        return false;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        return false;
    }
};

// This policy is designed to protect privileged callers from untrusted non-
// Xrayable objects. Nothing is allowed, and nothing throws.
struct GentlyOpaque : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return false;
    }
    static bool deny(js::Wrapper::Action act) {
        return true;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        // We allow nativeCall here because the alternative is throwing (which
        // happens in SecurityWrapper::nativeCall), which we don't want. There's
        // unlikely to be too much harm to letting this through, because this
        // wrapper is only used to wrap less-privileged objects in more-privileged
        // scopes, so unwrapping here only drops privileges.
        return true;
    }
};

// This policy only permits access to properties that are safe to be used
// across origins.
struct CrossOriginAccessiblePropertiesOnly : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
        return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
    }
    static bool deny(js::Wrapper::Action act) {
        return false;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
    {
        return false;
    }
};

// This policy only permits access to properties if they appear in the
// objects exposed properties list.
struct ExposedPropertiesOnly : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);

    static bool deny(js::Wrapper::Action act) {
        // Fail silently for GETs.
        return act == js::Wrapper::GET;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
};

// Components specific policy
struct ComponentsObjectPolicy : public Policy {
    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);

    static bool deny(js::Wrapper::Action act) {
        return false;
    }
    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
        return false;
    }
};

}

#endif /* __AccessCheck_h__ */
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00			`/* -- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 --`
			`* vim: set ts=4 sw=4 et tw=99 ft=cpp:`
			`*`
Bug 716478 - update licence to MPL 2. 2012-05-21 11:12:37 +00:00			`* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00
Bug 760109 - Introduce an explicit ChromeObjectWrapper. r=mrbkap For now it's identical to ChromeObjectWrapperBase. Custom behavior comes in the next patch. 2012-07-27 10:15:46 +00:00			`#ifndef __AccessCheck_h__`
			`#define __AccessCheck_h__`

Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00			`#include "jsapi.h"`
			`#include "jswrapper.h"`

bug 580128 - Avoid using the parent chain of proxies for anything because it's often wrong. r=jst 2010-09-25 01:00:58 +00:00			`class nsIPrincipal;`

Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00			`namespace xpc {`

			`class AccessCheck {`
			`public:`
Bug 655649 - Use Subsumes Rather than Equals in XPConnect wrapper computation. r=mrbkap Now that we have nsExpandedPrincipal, the current way of doing things is wrong. For some reason, the old document.domain hackery was hiding the failures here. 2012-07-12 08:10:15 +00:00			`static bool subsumes(JSCompartment a, JSCompartment b);`
Bug 813901 - Validate __exposedProps__. r=mrbkap This also involves modifying test_cows to deep clone in getCOW. 2012-12-07 22:49:11 +00:00			`static bool subsumes(JSObject a, JSObject b);`
Bug 788914 - Kill the XOW flag. r=mrbkap There are really two questions to be asked: is the caller chrome, and does the caller subsume the callee. We have other, more precise ways of asking both of these questions. 2012-09-11 08:05:10 +00:00			`static bool wrapperSubsumes(JSObject *wrapper);`
Bug 789713 - Ignore domain when computing whether to share non-PreCreate WNs cross-compartment. r=mrbkap 2012-09-11 17:23:20 +00:00			`static bool subsumesIgnoringDomain(JSCompartment a, JSCompartment b);`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00			`static bool isChrome(JSCompartment *compartment);`
Bug 788914 - Kill the XOW flag. r=mrbkap There are really two questions to be asked: is the caller chrome, and does the caller subsume the callee. We have other, more precise ways of asking both of these questions. 2012-09-11 08:05:10 +00:00			`static bool isChrome(JSObject *obj);`
Bug 763433 - Clarify compartment semantics for ExposedPropertiesOnly. r=mrbkap 2012-06-18 13:47:09 +00:00			`static bool callerIsChrome();`
bug 580128 - Avoid using the parent chain of proxies for anything because it's often wrong. r=jst 2010-09-25 01:00:58 +00:00			`static nsIPrincipal getPrincipal(JSCompartment compartment);`
bug 580128 - Allow calling functions cross origin. r=gal 2010-09-17 21:54:40 +00:00			`static bool isCrossOriginAccessPermitted(JSContext cx, JSObject obj, jsid id,`
Bug 683361, part 1 - Strip JS prefix from proxy names since they are already in namespace js (r=gal) --HG-- extra : rebase_source : 5eded8e02c36991322c94fca1092970910c2ceea 2011-09-09 03:29:15 +00:00			`js::Wrapper::Action act);`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00
			`static bool needsSystemOnlyWrapper(JSObject *obj);`
			`};`

			`struct Policy {`
			`};`

Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap There's no reason to be doing a dynamic check here, given that the JSClasses will never match. Lets be explicit and safe. 2013-01-23 05:04:38 +00:00			`// This policy only allows calling the underlying callable. All other operations throw.`
			`struct Opaque : public Policy {`
			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return act == js::Wrapper::CALL;`
			`}`
Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap This will allow us to make some hard assertions that a given policy has been entered exactly once. 2013-02-25 21:54:18 +00:00			`static bool deny(js::Wrapper::Action act) {`
Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap There's no reason to be doing a dynamic check here, given that the JSClasses will never match. Lets be explicit and safe. 2013-01-23 05:04:38 +00:00			`return false;`
			`}`
			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`return false;`
			`}`
			`};`

Bug 843829 - Wrap unwaived content JS objects in opaque wrappers for XBL scopes. r=mrbkap 2013-04-03 18:41:23 +00:00			`// This policy is designed to protect privileged callers from untrusted non-`
			`// Xrayable objects. Nothing is allowed, and nothing throws.`
			`struct GentlyOpaque : public Policy {`
			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return false;`
			`}`
			`static bool deny(js::Wrapper::Action act) {`
			`return true;`
			`}`
			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`// We allow nativeCall here because the alternative is throwing (which`
			`// happens in SecurityWrapper::nativeCall), which we don't want. There's`
			`// unlikely to be too much harm to letting this through, because this`
			`// wrapper is only used to wrap less-privileged objects in more-privileged`
			`// scopes, so unwrapping here only drops privileges.`
			`return true;`
			`}`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00			`};`

			`// This policy only permits access to properties that are safe to be used`
			`// across origins.`
			`struct CrossOriginAccessiblePropertiesOnly : public Policy {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-03 00:47:49 +00:00			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act) {`
			`return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);`
			`}`
Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap This will allow us to make some hard assertions that a given policy has been entered exactly once. 2013-02-25 21:54:18 +00:00			`static bool deny(js::Wrapper::Action act) {`
Silenty return undefined instead of throwing when content tries to access non-exposed chrome properties (bug 594999, r=mrbkap). 2011-01-30 02:48:30 +00:00			`return false;`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00			`}`
Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-21 06:33:26 +00:00			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)`
			`{`
			`return false;`
			`}`
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00			`};`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00
Implement remaining cross compartment wrappers (574924, r=mrbkap). 2010-07-02 20:54:53 +00:00			`// This policy only permits access to properties if they appear in the`
			`// objects exposed properties list.`
			`struct ExposedPropertiesOnly : public Policy {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-03 00:47:49 +00:00			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act);`

Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap This will allow us to make some hard assertions that a given policy has been entered exactly once. 2013-02-25 21:54:18 +00:00			`static bool deny(js::Wrapper::Action act) {`
			`// Fail silently for GETs.`
			`return act == js::Wrapper::GET;`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-03 00:47:49 +00:00			`}`
Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-21 06:33:26 +00:00			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);`
Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00			`};`

Bug 735280 - Part 3: Components object specific wrapper. r=bholley 2012-04-28 13:12:28 +00:00			`// Components specific policy`
			`struct ComponentsObjectPolicy : public Policy {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-03 00:47:49 +00:00			`static bool check(JSContext cx, JSObject wrapper, jsid id, js::Wrapper::Action act);`

Bug 836301 - Introduce an RAII class for entering policies. r=mrbkap This will allow us to make some hard assertions that a given policy has been entered exactly once. 2013-02-25 21:54:18 +00:00			`static bool deny(js::Wrapper::Action act) {`
Bug 805807 - Rearchitect filtering policies so that check() doesn't throw on denial. r=mrbkap This is another one of those annoying situaitons in XPConnect right now where we can't ask a question without potentially throwing if the answer is no. There's also a bunch of unused cruft in here (like the Perm*Access stuff), so this stuff was ripe for a spring cleaning. Unfortunately, I wasn't able to divide this patch up nicely. Sorry for the big diff. :-( In a nutshell, this patch changes things so that Policy::check() just becomes a predicate that says whether the access is allowed or not. There's the remote possibility that one of the underlying JSAPI calls in a ::check() implementation might throw, so callers to ::check() should check JS_IsExceptionPending afterwards (this doesn't catch OOM, but we can just continue along until the next OOM-triggering operation and throw there). Aside from exceptional cases, callers should call Policy::deny if they want to report the failure. Policy::deny returns success value that should be returned to the wrapper's consumer. 2012-11-03 00:47:49 +00:00			`return false;`
			`}`
Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff 2012-12-21 06:33:26 +00:00			`static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {`
			`return false;`
			`}`
Bug 735280 - Part 3: Components object specific wrapper. r=bholley 2012-04-28 13:12:28 +00:00			`};`

Implement new chrome wrappers (574539, r=mrbkap). 2010-06-25 22:58:09 +00:00			`}`
Bug 760109 - Introduce an explicit ChromeObjectWrapper. r=mrbkap For now it's identical to ChromeObjectWrapperBase. Custom behavior comes in the next patch. 2012-07-27 10:15:46 +00:00
			`#endif /* __AccessCheck_h__ */`