/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
* vim: set ts=4 sw=4 et tw=99:
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef jswrapper_h___
#define jswrapper_h___
#include "mozilla/Attributes.h"
#include "jsapi.h"
#include "jsproxy.h"
namespace js {
class DummyFrameGuard;
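/*
 * A wrapper is a proxy with a target object to which it generally forwards
 * operations, but may restrict access to certain operations or instrument
 * the trap operations in various ways. A wrapper is distinct from a Direct Proxy
 * Handler in the sense that it can be "unwrapped" in C++, exposing the underlying
 * object (Direct Proxy Handlers have an underlying target object, but don't
 * expect to expose this object via any kind of unwrapping operation). Callers
 * should be careful to avoid unwrapping security wrappers in the wrong context.
 */
class JS_FRIEND_API(Wrapper) : public DirectProxyHandler
{
    /* Bitwise OR of Flags values; exposed read-only through flags(). */
    unsigned mFlags;

    /* Whether checked unwrapping may expose the target; see setSafeToUnwrap(). */
    bool mSafeToUnwrap;

  public:
    using BaseProxyHandler::Action;

    enum Flags {
        CROSS_COMPARTMENT = 1 << 0,
        LAST_USED_FLAG = CROSS_COMPARTMENT
    };

    /*
     * Wrappers can explicitly specify that they are unsafe to unwrap from a
     * security perspective (as is the case for SecurityWrappers). If a wrapper
     * is not safe to unwrap, operations requiring full access to the underlying
     * object (via UnwrapObjectChecked) will throw. Otherwise, they will succeed.
     *
     * NOTE(review): the flag is stored on the handler, not on an individual
     * wrapper object, so changing it presumably affects every wrapper that
     * shares this handler (including the static singletons below). Confirm
     * that it is only set while a handler is being initialised and is never
     * toggled at runtime.
     */
    void setSafeToUnwrap(bool safe) { mSafeToUnwrap = safe; }

    /* const: a pure read of mSafeToUnwrap, so it is usable through const handlers. */
    bool isSafeToUnwrap() const { return mSafeToUnwrap; }

    /* Create a wrapper object for |obj| that is serviced by |handler|. */
    static JSObject *New(JSContext *cx, JSObject *obj, JSObject *proto,
                         JSObject *parent, Wrapper *handler);

    /*
     * Counterpart of New() that also receives an |existing| object.
     * NOTE(review): presumably |existing| is reused as the wrapper; confirm
     * against the definition.
     */
    static JSObject *Renew(JSContext *cx, JSObject *existing, JSObject *obj, Wrapper *handler);

    /* Handler of |wrapper|. */
    static Wrapper *wrapperHandler(RawObject wrapper);

    /*
     * Target of |wrapper|. This is the unchecked accessor: UnwrapOneChecked,
     * declared later in this header, is documented as its checked version.
     * Code that may be handed a security wrapper should go through the
     * checked entry points instead of calling this directly.
     */
    static JSObject *wrappedObject(RawObject wrapper);

    unsigned flags() const {
        return mFlags;
    }

    explicit Wrapper(unsigned flags, bool hasPrototype = false);

    virtual ~Wrapper();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool defaultValue(JSContext *cx, JSObject *wrapper_, JSType hint,
                              Value *vp) MOZ_OVERRIDE;

    static Wrapper singleton;
    static Wrapper singletonWithPrototype;

    static void *getWrapperFamily();
};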
/*
 * Common base for every cross compartment wrapper handler. It overrides the
 * proxy traps declared below on top of Wrapper.
 */
class JS_FRIEND_API(CrossCompartmentWrapper) : public Wrapper
{
  public:
    CrossCompartmentWrapper(unsigned flags, bool hasPrototype = false);

    virtual ~CrossCompartmentWrapper();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                       PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                          PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool defineProperty(JSContext *cx, JSObject *wrapper, jsid id,
                                PropertyDescriptor *desc) MOZ_OVERRIDE;
    virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool delete_(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;

    /* ES5 Harmony derived wrapper traps. */
    virtual bool has(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool hasOwn(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool get(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id, Value *vp) MOZ_OVERRIDE;
    virtual bool set(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id, bool strict,
                     Value *vp) MOZ_OVERRIDE;
    virtual bool keys(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool iterate(JSContext *cx, JSObject *wrapper, unsigned flags, Value *vp) MOZ_OVERRIDE;

    /* Spidermonkey extensions. */
    virtual bool call(JSContext *cx, JSObject *wrapper, unsigned argc, Value *vp) MOZ_OVERRIDE;
    virtual bool construct(JSContext *cx, JSObject *wrapper, unsigned argc, Value *argv, Value *rval) MOZ_OVERRIDE;
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool hasInstance(JSContext *cx, HandleObject wrapper, MutableHandleValue v, bool *bp) MOZ_OVERRIDE;
    virtual JSString *obj_toString(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
    virtual JSString *fun_toString(JSContext *cx, JSObject *wrapper, unsigned indent) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;
    virtual bool defaultValue(JSContext *cx, JSObject *wrapper, JSType hint, Value *vp) MOZ_OVERRIDE;

    /*
     * NOTE(review): the only trap in this class without MOZ_OVERRIDE. If the
     * base signature ever drifts, this would silently become a new virtual
     * instead of an override, and the base behaviour would run for
     * cross-compartment wrappers. Confirm against the base class declaration.
     */
    virtual bool getPrototypeOf(JSContext *cx, JSObject *proxy, JSObject **protop);

    static CrossCompartmentWrapper singleton;
    static CrossCompartmentWrapper singletonWithPrototype;
};
/*
 * Base class for security wrappers. Because a security wrapper may be hiding
 * all or part of the wrapped object, SecurityWrapper defaults to denying
 * access to the wrappee. Wrapper does the opposite and tries to be completely
 * transparent.
 *
 * NB: Currently, only a few ProxyHandler operations are overridden to deny
 * access; the derived SecurityWrapper is relied upon to block access when
 * necessary. A subclass therefore must not assume that every trap it leaves
 * alone is already deny-by-default: only the operations declared below are
 * overridden here.
 */
template <class Base>
class JS_FRIEND_API(SecurityWrapper) : public Base
{
  public:
    SecurityWrapper(unsigned flags);

    virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, Wrapper::Action act,
                       bool *bp) MOZ_OVERRIDE;
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;

    /*
     * Let subclasses pick the superclass behavior they want without having to
     * name an exact superclass: Permissive is the wrapped Base, Restrictive is
     * this SecurityWrapper instantiation.
     */
    typedef Base Permissive;
    typedef SecurityWrapper<Base> Restrictive;
};
/* Security wrapper layered directly on Wrapper. */
typedef SecurityWrapper<Wrapper> SameCompartmentSecurityWrapper;

/* Security wrapper layered on CrossCompartmentWrapper. */
typedef SecurityWrapper<CrossCompartmentWrapper> CrossCompartmentSecurityWrapper;
/*
 * Proxy handler deriving straight from BaseProxyHandler rather than Wrapper.
 * It carries its own family tag (sDeadObjectFamily), separate from the
 * sWrapperFamily tag that IsWrapper() tests for.
 */
class JS_FRIEND_API(DeadObjectProxy) : public BaseProxyHandler
{
  public:
    static int sDeadObjectFamily;

    explicit DeadObjectProxy();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                       PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                          PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool defineProperty(JSContext *cx, JSObject *wrapper, jsid id,
                                PropertyDescriptor *desc) MOZ_OVERRIDE;
    virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool delete_(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;

    /*
     * Spidermonkey extensions.
     *
     * NOTE(review): apart from nativeCall, none of the declarations in this
     * group carry MOZ_OVERRIDE, so the compiler will not flag a signature
     * that stops matching BaseProxyHandler. For a handler whose job is to
     * stand in for a dead object, a trap that silently stops overriding would
     * fall back to base behaviour; confirm each signature against the base.
     */
    virtual bool call(JSContext *cx, JSObject *proxy, unsigned argc, Value *vp);
    virtual bool construct(JSContext *cx, JSObject *proxy, unsigned argc, Value *argv, Value *rval);
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool hasInstance(JSContext *cx, HandleObject proxy, MutableHandleValue v, bool *bp);
    virtual bool objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx);
    virtual JSString *obj_toString(JSContext *cx, JSObject *proxy);
    virtual JSString *fun_toString(JSContext *cx, JSObject *proxy, unsigned indent);
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g);
    virtual bool defaultValue(JSContext *cx, JSObject *obj, JSType hint, Value *vp);
    virtual bool getElementIfPresent(JSContext *cx, JSObject *obj, JSObject *receiver,
                                     uint32_t index, Value *vp, bool *present);
    virtual bool getPrototypeOf(JSContext *cx, JSObject *proxy, JSObject **protop);

    static DeadObjectProxy singleton;
};
/*
 * Defined elsewhere; no contract is documented at this declaration.
 * NOTE(review): the name suggests it produces a transparent (non-security)
 * wrapper for |obj| -- confirm against the definition before relying on it
 * for any access-control decision.
 */
extern JSObject *
TransparentObjectWrapper(JSContext *cx, JSObject *existing, JSObject *obj,
                         JSObject *wrappedProto, JSObject *parent,
                         unsigned flags);

// Proxy family tag for wrappers. It is public so that jsfriendapi users can
// have IsWrapper() fully inlined. Only its address is compared; the value is
// not read by IsWrapper().
extern JS_FRIEND_DATA(int) sWrapperFamily;
// Returns true when |obj| is a proxy whose handler reports the wrapper family,
// i.e. its family() pointer is the address of sWrapperFamily. This says only
// that the object is some kind of wrapper; it does not say whether the wrapper
// is a security wrapper or whether it is safe to unwrap.
inline bool
IsWrapper(RawObject obj)
{
    // Non-proxies have no handler to query, so bail out first.
    if (!IsProxy(obj))
        return false;

    return GetProxyHandler(obj)->family() == &sWrapperFamily;
}
// Strips the wrappers off a JSObject and returns what is underneath. With
// stopAtOuter set, an outer window that had been wrapped is returned as-is;
// otherwise the result is the first object for which JSObject::isWrapper
// returns false.
//
// NOTE(review): nothing in this contract gives a security wrapper a say in
// the unwrap, in contrast to UnwrapObjectChecked below. Code that can receive
// objects from a less-trusted context should use the checked variants unless
// it has already established that full access is appropriate.
JS_FRIEND_API(JSObject *)
UnwrapObject(JSObject *obj, bool stopAtOuter = true, unsigned *flagsp = NULL);

// Strips the wrappers off a JSObject, letting the security wrapper at each
// stage veto the unwrap. Checked code should never be unwrapping outer window
// wrappers, so this always stops at outer windows.
//
// NOTE(review): how a veto is reported to the caller (presumably a NULL
// return) is not visible in this header; callers should test the result
// before using it -- confirm against the definition.
JS_FRIEND_API(JSObject *)
UnwrapObjectChecked(RawObject obj, bool stopAtOuter = true);

// Removes only the outermost security wrapper, with the same semantics as
// UnwrapObjectChecked. This is the checked version of Wrapper::wrappedObject.
JS_FRIEND_API(JSObject *)
UnwrapOneChecked(RawObject obj, bool stopAtOuter = true);
// The helpers from here down to RemapAllWrappersForObject are declared without
// a documented contract; their behaviour is defined elsewhere.

JS_FRIEND_API(bool)
IsCrossCompartmentWrapper(RawObject obj);

bool
IsDeadProxyObject(RawObject obj);

JSObject *
NewDeadProxyObject(JSContext *cx, JSObject *parent);

void
NukeCrossCompartmentWrapper(JSContext *cx, JSObject *wrapper);

// NOTE(review): returns bool, presumably false on failure; callers should not
// ignore the result, since a failed remap could leave |wobj| pointing at its
// previous target -- confirm against the definition.
bool
RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget);

JS_FRIEND_API(bool)
RemapAllWrappersForObject(JSContext *cx, JSObject *oldTarget,
                          JSObject *newTarget);

// API to recompute every cross-compartment wrapper whose source and target
// compartments match the given filters.
JS_FRIEND_API(bool)
RecomputeWrappers(JSContext *cx, const CompartmentFilter &sourceFilter,
                  const CompartmentFilter &targetFilter);
/*
 * Use this auto class around any code that may touch dead zones, brain
 * transplants being the main example. Brain transplants are a problem because
 * they operate on all compartments, live or dead: invoking a read or write
 * barrier on a formerly dead object during the transplant can "reanimate" it.
 * The zone then becomes a zombie, kept alive by repeatedly consuming
 * (transplanted) brains.
 *
 * The workaround is to observe when mark bits get set on objects in dead
 * zones. If that happens during a brain transplant, a full, non-incremental
 * GC is done at the end of the transplant, which cleans up any objects that
 * were improperly marked.
 */
struct JS_FRIEND_API(AutoMaybeTouchDeadZones)
{
    // The overload taking an object uses it only to reach its runtime.
    AutoMaybeTouchDeadZones(JSContext *cx);
    AutoMaybeTouchDeadZones(JSObject *obj);
    ~AutoMaybeTouchDeadZones();

  private:
    // State held for the lifetime of the guard. The constructors and the
    // destructor are defined elsewhere, so how each field is used is not
    // visible in this header.
    JSRuntime *runtime;
    unsigned markCount;
    bool inIncremental;
    bool manipulatingDeadZones;
};
} /* namespace js */
#endif