Bug 789224 - Remove miscellaneous UniversalXPConnect checks sprinkled throughout gecko. r=mrbkap

This commit is contained in:
Bobby Holley 2012-10-22 08:29:55 +02:00
parent 664f20a153
commit 66fe81e49a
18 changed files with 45 additions and 212 deletions


@ -1537,11 +1537,7 @@ nsContentUtils::Shutdown()
bool
nsContentUtils::CallerHasUniversalXPConnect()
{
bool hasCap;
if (NS_FAILED(sSecurityManager->IsCapabilityEnabled("UniversalXPConnect",
&hasCap)))
return false;
return hasCap;
return IsCallerChrome();
}
/**
@ -1782,8 +1778,12 @@ nsContentUtils::IsCallerChrome()
if (NS_FAILED(rv)) {
return false;
}
if (is_caller_chrome) {
return true;
}
return is_caller_chrome;
// If the check failed, look for UniversalXPConnect on the cx compartment.
return xpc::IsUniversalXPConnectEnabled(GetCurrentJSContext());
}
bool
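Review bot: The comment on the new fallback line of IsCallerChrome, "If the check failed", is misleading: a failed SubjectPrincipalIsSystem call already returned false a few lines up, so the fallback only runs when the caller is simply not system-principal; suggest `// Not the system principal: look for UniversalXPConnect on the cx compartment.` If GetCurrentJSContext() can return null when no JS is on the stack, confirm that xpc::IsUniversalXPConnectEnabled tolerates a null cx, or guard the call as `return cx && xpc::IsUniversalXPConnectEnabled(cx);` with the context hoisted into a local. CallerHasUniversalXPConnect in the first hunk is now a bare alias for IsCallerChrome; a comment such as `// Equivalent to IsCallerChrome(); new code should call that directly.` would help retire it. IsCallerChrome's body starts outside the hunk.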


@ -324,15 +324,9 @@ GetInitArgs(JSContext *cx, uint32_t argc, jsval *argv,
nsIPrincipal** aPrincipal, nsIURI** aDocumentURI,
nsIURI** aBaseURI)
{
// Only proceed if the caller has UniversalXPConnect.
bool haveUniversalXPConnect;
nsresult rv = nsContentUtils::GetSecurityManager()->
IsCapabilityEnabled("UniversalXPConnect", &haveUniversalXPConnect);
NS_ENSURE_SUCCESS(rv, rv);
if (!haveUniversalXPConnect) {
if (!nsContentUtils::IsCallerChrome()) {
return NS_ERROR_DOM_SECURITY_ERR;
}
}
nsIXPConnect* xpc = nsContentUtils::XPConnect();
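Review bot: The kept comment `// Only proceed if the caller has UniversalXPConnect.` directly above the rewritten condition is now stale, since the check is nsContentUtils::IsCallerChrome(); change it to `// Only proceed if the caller is chrome.` The old code also propagated a failure of IsCapabilityEnabled as rv, whereas IsCallerChrome folds any failure into false, so the only outcome on error is now NS_ERROR_DOM_SECURITY_ERR — fail-closed, which seems the right direction but is a change in the returned code. GetInitArgs continues past the hunk.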


@ -2310,14 +2310,9 @@ nsINode::WrapObject(JSContext *aCx, JSObject *aScope, bool *aTriedToWrap)
// If the document has never had a script handling object, untrusted
// scripts (3) shouldn't touch it!
bool hasHadScriptHandlingObject = false;
bool enabled;
nsIScriptSecurityManager* securityManager;
if (!OwnerDoc()->GetScriptHandlingObject(hasHadScriptHandlingObject) &&
!hasHadScriptHandlingObject &&
!((securityManager = nsContentUtils::GetSecurityManager()) &&
NS_SUCCEEDED(securityManager->IsCapabilityEnabled("UniversalXPConnect",
&enabled)) &&
enabled)) {
!nsContentUtils::IsCallerChrome()) {
Throw<true>(aCx, NS_ERROR_UNEXPECTED);
*aTriedToWrap = true;
return nullptr;


@ -174,15 +174,6 @@ static void AddLoadFlags(nsIRequest *request, nsLoadFlags newFlags)
request->SetLoadFlags(flags);
}
static nsresult IsCapabilityEnabled(const char *capability, bool *enabled)
{
nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
if (!secMan)
return NS_ERROR_FAILURE;
return secMan->IsCapabilityEnabled(capability, enabled);
}
// Helper proxy class to be used when expecting an
// multipart/x-mixed-replace stream of XML documents.
@ -1475,9 +1466,7 @@ nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
}
// See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
bool chrome = false; // default to false in case IsCapabilityEnabled fails
IsCapabilityEnabled("UniversalXPConnect", &chrome);
if (!chrome &&
if (!nsContentUtils::IsCallerChrome() &&
(header.LowerCaseEqualsASCII("set-cookie") ||
header.LowerCaseEqualsASCII("set-cookie2"))) {
NS_WARNING("blocked access to response header");
@ -3192,13 +3181,9 @@ nsXMLHttpRequest::SetRequestHeader(const nsACString& header,
}
// Prevent modification to certain HTTP headers (see bug 302263), unless
// the executing script has UniversalXPConnect.
// the executing script is privileged.
bool privileged;
if (NS_FAILED(IsCapabilityEnabled("UniversalXPConnect", &privileged)))
return NS_ERROR_FAILURE;
if (!privileged) {
if (!nsContentUtils::IsCallerChrome()) {
// Step 5: Check for dangerous headers.
const char *kInvalidHeaders[] = {
"accept-charset", "accept-encoding", "access-control-request-headers",
@ -3423,13 +3408,7 @@ nsXMLHttpRequest::SetMozBackgroundRequest(bool aMozBackgroundRequest)
void
nsXMLHttpRequest::SetMozBackgroundRequest(bool aMozBackgroundRequest, nsresult& aRv)
{
bool privileged;
aRv = IsCapabilityEnabled("UniversalXPConnect", &privileged);
if (NS_FAILED(aRv)) {
return;
}
if (!privileged) {
if (!nsContentUtils::IsCallerChrome()) {
aRv = NS_ERROR_DOM_SECURITY_ERR;
return;
}
@ -4030,9 +4009,7 @@ NS_IMETHODIMP nsXMLHttpRequest::
nsHeaderVisitor::VisitHeader(const nsACString &header, const nsACString &value)
{
// See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
bool chrome = false; // default to false in case IsCapabilityEnabled fails
IsCapabilityEnabled("UniversalXPConnect", &chrome);
if (!chrome &&
if (!nsContentUtils::IsCallerChrome() &&
(header.LowerCaseEqualsASCII("set-cookie") ||
header.LowerCaseEqualsASCII("set-cookie2"))) {
NS_WARNING("blocked access to response header");
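Review bot: The Set-Cookie filter in GetResponseHeader and in nsHeaderVisitor::VisitHeader is now textually identical (`!nsContentUtils::IsCallerChrome() && (header.LowerCaseEqualsASCII("set-cookie") || header.LowerCaseEqualsASCII("set-cookie2"))`); a file-static helper such as `static bool ShouldHideResponseHeader(const nsACString& header) { return !nsContentUtils::IsCallerChrome() && (header.LowerCaseEqualsASCII("set-cookie") || header.LowerCaseEqualsASCII("set-cookie2")); }` would keep the two sites from drifting, in the spot where the removed IsCapabilityEnabled helper used to live. In SetRequestHeader and SetMozBackgroundRequest a failed capability query used to surface as NS_ERROR_FAILURE; with IsCallerChrome a failure reads as "not chrome", so the caller now sees the dangerous-header restrictions or NS_ERROR_DOM_SECURITY_ERR instead — fail-closed, but worth a line in the commit message since the error code changes. All four enclosing functions extend beyond their hunks.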


@ -472,12 +472,7 @@ nsDOMEvent::InitEvent(const nsAString& aEventTypeArg, bool aCanBubbleArg, bool a
if (NS_IS_TRUSTED_EVENT(mEvent)) {
// Ensure the caller is permitted to dispatch trusted DOM events.
bool enabled = false;
nsContentUtils::GetSecurityManager()->
IsCapabilityEnabled("UniversalXPConnect", &enabled);
if (!enabled) {
if (!nsContentUtils::IsCallerChrome()) {
SetTrusted(false);
}
}


@ -723,19 +723,8 @@ nsXBLContentSink::ConstructImplementation(const PRUnichar **aAtts)
}
else if (localName == nsGkAtoms::implements) {
// Only allow implementation of interfaces via XBL if the principal of
// our XBL document has UniversalXPConnect privileges. No principal
// means no privs!
// XXX this api is so badly tied to JS it's not even funny. We don't
// have a concept of enabling capabilities on a per-principal basis,
// but only on a per-principal-and-JS-stackframe basis! So for now
// this is basically equivalent to testing that we have the system
// principal, since there is no JS stackframe in sight here...
bool hasUniversalXPConnect;
nsresult rv = mDocument->NodePrincipal()->
IsCapabilityEnabled("UniversalXPConnect", nullptr,
&hasUniversalXPConnect);
if (NS_SUCCEEDED(rv) && hasUniversalXPConnect) {
// our XBL document is the system principal.
if (nsContentUtils::IsSystemPrincipal(mDocument->NodePrincipal())) {
mBinding->ConstructInterfaceTable(nsDependentString(aAtts[1]));
}
}


@ -1338,28 +1338,12 @@ nsXULDocument::Persist(const nsAString& aID,
return NS_OK;
}
bool
nsXULDocument::IsCapabilityEnabled(const char* aCapabilityLabel)
{
nsresult rv;
// NodePrincipal is guarantied to be non-null
bool enabled = false;
rv = NodePrincipal()->IsCapabilityEnabled(aCapabilityLabel, nullptr, &enabled);
if (NS_FAILED(rv))
return false;
return enabled;
}
nsresult
nsXULDocument::Persist(nsIContent* aElement, int32_t aNameSpaceID,
nsIAtom* aAttribute)
{
// For non-chrome documents, persistance is simply broken
if (!IsCapabilityEnabled("UniversalXPConnect"))
if (!nsContentUtils::IsSystemPrincipal(NodePrincipal()))
return NS_ERROR_NOT_AVAILABLE;
// First make sure we _have_ a local store to stuff the persisted
@ -2109,7 +2093,7 @@ nsresult
nsXULDocument::ApplyPersistentAttributes()
{
// For non-chrome documents, persistance is simply broken
if (!IsCapabilityEnabled("UniversalXPConnect"))
if (!nsContentUtils::IsSystemPrincipal(NodePrincipal()))
return NS_ERROR_NOT_AVAILABLE;
// Add all of the 'persisted' attributes into the content


@ -245,9 +245,6 @@ protected:
static PRLogModuleInfo* gXULLog;
bool
IsCapabilityEnabled(const char* aCapabilityLabel);
nsresult
Persist(nsIContent* aElement, int32_t aNameSpaceID, nsIAtom* aAttribute);


@ -1661,26 +1661,10 @@ bool
nsDocShell::ValidateOrigin(nsIDocShellTreeItem* aOriginTreeItem,
nsIDocShellTreeItem* aTargetTreeItem)
{
nsCOMPtr<nsIScriptSecurityManager> securityManager =
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
NS_ENSURE_TRUE(securityManager, false);
nsCOMPtr<nsIPrincipal> subjectPrincipal;
nsresult rv =
securityManager->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
NS_ENSURE_SUCCESS(rv, false);
if (subjectPrincipal) {
// We're called from JS, check if UniversalXPConnect is
// enabled.
bool ubwEnabled = false;
rv = securityManager->IsCapabilityEnabled("UniversalXPConnect",
&ubwEnabled);
NS_ENSURE_SUCCESS(rv, false);
if (ubwEnabled) {
return true;
}
// We want to bypass this check for chrome callers, but only if there's
// JS on the stack. System callers still need to do it.
if (nsContentUtils::GetCurrentJSContext() && nsContentUtils::IsCallerChrome()) {
return true;
}
// Get origin document principal
@ -1692,8 +1676,8 @@ nsDocShell::ValidateOrigin(nsIDocShellTreeItem* aOriginTreeItem,
NS_ENSURE_TRUE(targetDocument, false);
bool equal;
rv = originDocument->NodePrincipal()->
Equals(targetDocument->NodePrincipal(), &equal);
nsresult rv = originDocument->NodePrincipal()->Equals(targetDocument->NodePrincipal(),
&equal);
if (NS_SUCCEEDED(rv) && equal) {
return true;
}
@ -8187,21 +8171,13 @@ nsDocShell::CheckLoadingPermissions()
return rv;
}
nsCOMPtr<nsIScriptSecurityManager> securityManager =
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
// We're a frame. Check that the caller has write permission to
// the parent before allowing it to load anything into this
// docshell.
nsCOMPtr<nsIScriptSecurityManager> securityManager =
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
bool ubwEnabled = false;
rv = securityManager->IsCapabilityEnabled("UniversalXPConnect",
&ubwEnabled);
if (NS_FAILED(rv) || ubwEnabled) {
return rv;
}
nsCOMPtr<nsIPrincipal> subjPrincipal;
rv = securityManager->GetSubjectPrincipal(getter_AddRefs(subjPrincipal));
NS_ENSURE_TRUE(NS_SUCCEEDED(rv) && subjPrincipal, rv);
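Review bot: In CheckLoadingPermissions the UniversalXPConnect short-circuit is removed without an IsCallerChrome replacement, unlike ValidateOrigin earlier in this file and every other site in the commit, so chrome callers now fall through to the subject-principal check. If the rest of the function (outside the hunk) decides via Subsumes, a system subject principal should still pass, but that is worth confirming and recording, e.g. `// Chrome callers are covered by the Subsumes check below: the system principal subsumes everything.` In ValidateOrigin the re-declared `nsresult rv` in the second hunk is fine now that the earlier rv is gone; the comment explaining why the bypass requires JS on the stack is a welcome addition. Both functions continue beyond their hunks.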


@ -15,6 +15,7 @@
#include "nsIWebBrowserChrome.h"
#include "nsIDOMWindow.h"
#include "nsDOMClassInfoID.h"
#include "nsContentUtils.h"
//
// Basic (virtual) BarProp class implementation
@ -68,13 +69,7 @@ nsBarProp::SetVisibleByFlag(bool aVisible, uint32_t aChromeFlag)
nsCOMPtr<nsIWebBrowserChrome> browserChrome = GetBrowserChrome();
NS_ENSURE_TRUE(browserChrome, NS_OK);
bool enabled = false;
nsCOMPtr<nsIScriptSecurityManager>
securityManager(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
if (securityManager)
securityManager->IsCapabilityEnabled("UniversalXPConnect", &enabled);
if (!enabled)
if (!nsContentUtils::IsCallerChrome())
return NS_OK;
uint32_t chromeFlags;
@ -285,13 +280,7 @@ nsScrollbarsProp::GetVisible(bool *aVisible)
NS_IMETHODIMP
nsScrollbarsProp::SetVisible(bool aVisible)
{
bool enabled = false;
nsCOMPtr<nsIScriptSecurityManager>
securityManager(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
if (securityManager)
securityManager->IsCapabilityEnabled("UniversalXPConnect", &enabled);
if (!enabled)
if (!nsContentUtils::IsCallerChrome())
return NS_OK;
/* Scrollbars, unlike the other barprops, implement visibility directly


@ -7722,15 +7722,6 @@ nsNodeSH::PostCreatePrototype(JSContext * cx, JSObject * proto)
return rv;
}
bool
nsNodeSH::IsCapabilityEnabled(const char* aCapability)
{
bool enabled;
return sSecMan &&
NS_SUCCEEDED(sSecMan->IsCapabilityEnabled(aCapability, &enabled)) &&
enabled;
}
NS_IMETHODIMP
nsNodeSH::PreCreate(nsISupports *nativeObj, JSContext *cx, JSObject *globalObj,
JSObject **parentObj)
@ -7766,7 +7757,7 @@ nsNodeSH::PreCreate(nsISupports *nativeObj, JSContext *cx, JSObject *globalObj,
bool hasHadScriptHandlingObject = false;
NS_ENSURE_STATE(doc->GetScriptHandlingObject(hasHadScriptHandlingObject) ||
hasHadScriptHandlingObject ||
IsPrivilegedScript());
nsContentUtils::IsCallerChrome());
nsINode *native_parent;


@ -518,13 +518,6 @@ protected:
{
}
// Helper to check whether a capability is enabled
bool IsCapabilityEnabled(const char* aCapability);
inline bool IsPrivilegedScript() {
return IsCapabilityEnabled("UniversalXPConnect");
}
public:
NS_IMETHOD PreCreate(nsISupports *nativeObj, JSContext *cx,
JSObject *globalObj, JSObject **parentObj);


@ -74,11 +74,7 @@ using namespace mozilla::widget;
static bool IsUniversalXPConnectCapable()
{
bool hasCap = false;
nsresult rv = nsContentUtils::GetSecurityManager()->
IsCapabilityEnabled("UniversalXPConnect", &hasCap);
NS_ENSURE_SUCCESS(rv, false);
return hasCap;
return nsContentUtils::IsCallerChrome();
}
DOMCI_DATA(WindowUtils, nsDOMWindowUtils)
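Review bot: IsUniversalXPConnectCapable() now does nothing but return nsContentUtils::IsCallerChrome(), so its name no longer describes the check its callers rely on. Renaming it touches call sites outside the hunk, so at minimum add `// Historically tested the UniversalXPConnect capability; now a plain chrome-caller check.` above the function, or drop the wrapper in a follow-up and call IsCallerChrome directly.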


@ -2460,10 +2460,7 @@ nsJSContext::AddSupportsPrimitiveTojsvals(nsISupports *aArg, jsval *aArgv)
static JSBool
CheckUniversalXPConnectForTraceMalloc(JSContext *cx)
{
bool hasCap = false;
nsresult rv = nsContentUtils::GetSecurityManager()->
IsCapabilityEnabled("UniversalXPConnect", &hasCap);
if (NS_SUCCEEDED(rv) && hasCap)
if (nsContentUtils::IsCallerChrome())
return JS_TRUE;
JS_ReportError(cx, "trace-malloc functions require UniversalXPConnect");
return JS_FALSE;
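Review bot: The error reported on the line after the new check still says `"trace-malloc functions require UniversalXPConnect"`, but the condition is now nsContentUtils::IsCallerChrome(); update it to `JS_ReportError(cx, "trace-malloc functions require chrome privileges");` so the message matches what is actually checked. The function name CheckUniversalXPConnectForTraceMalloc is dated for the same reason, though renaming it touches its caller outside the hunk.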


@ -532,16 +532,7 @@ ResolveWorkerClasses(JSContext* aCx, JSHandleObject aObj, JSHandleId aId, unsign
for (uint32_t i = 0; i < ID_COUNT; i++) {
if (gStringIDs[i] == aId) {
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
NS_ASSERTION(ssm, "This should never be null!");
bool enabled;
if (NS_FAILED(ssm->IsCapabilityEnabled("UniversalXPConnect", &enabled))) {
NS_WARNING("IsCapabilityEnabled failed!");
isChrome = false;
}
isChrome = !!enabled;
isChrome = nsContentUtils::IsCallerChrome();
// Don't resolve if this is ChromeWorker and we're not chrome. Otherwise
// always resolve.


@ -2515,11 +2515,7 @@ WorkerPrivate::Create(JSContext* aCx, JSObject* aObj, WorkerPrivate* aParent,
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
NS_ASSERTION(ssm, "This should never be null!");
bool isChrome;
if (NS_FAILED(ssm->IsCapabilityEnabled("UniversalXPConnect", &isChrome))) {
NS_WARNING("IsCapabilityEnabled failed!");
isChrome = false;
}
bool isChrome = nsContentUtils::IsCallerChrome();
// First check to make sure the caller has permission to make a
// ChromeWorker if they called the ChromeWorker constructor.
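Review bot: The `ssm` local and its NS_ASSERTION two lines above the new `bool isChrome = nsContentUtils::IsCallerChrome();` look unused now that the IsCapabilityEnabled call is gone; if nothing later in WorkerPrivate::Create (outside the hunk) reads ssm, drop both lines to avoid an unused-variable warning, as the RuntimeService hunk already did for its copy. Create continues past the hunk.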


@ -704,11 +704,7 @@ nsresult nsWebBrowserFind::SearchInFrame(nsIDOMWindow* aWindow,
rv = subject->Subsumes(theDoc->NodePrincipal(), &subsumes);
NS_ENSURE_SUCCESS(rv, rv);
if (!subsumes) {
bool hasCap = false;
secMan->IsCapabilityEnabled("UniversalXPConnect", &hasCap);
if (!hasCap) {
return NS_ERROR_DOM_PROP_ACCESS_DENIED;
}
return NS_ERROR_DOM_PROP_ACCESS_DENIED;
}
}


@ -1607,13 +1607,7 @@ uint32_t nsWindowWatcher::CalculateChromeFlags(nsIDOMWindow *aParent,
*/
// Check security state for use in determing window dimensions
bool enabled = false;
if (securityManager) {
rv = securityManager->IsCapabilityEnabled("UniversalXPConnect",
&enabled);
}
if (NS_FAILED(rv) || !enabled || (isChrome && !aHasChromeParent)) {
if (!nsContentUtils::IsCallerChrome() || (isChrome && !aHasChromeParent)) {
// If priv check fails (or if we're called from chrome, but the
// parent is not a chrome window), set all elements to minimum
// reqs., else leave them alone.
@ -2045,31 +2039,14 @@ nsWindowWatcher::SizeOpenedDocShellItem(nsIDocShellTreeItem *aDocShellItem,
}
bool positionSpecified = aSizeSpec.PositionSpecified();
nsresult res;
bool enabled = false;
// Check security state for use in determing window dimensions
nsCOMPtr<nsIScriptSecurityManager>
securityManager(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
if (securityManager) {
res = securityManager->IsCapabilityEnabled("UniversalXPConnect",
&enabled);
if (NS_FAILED(res))
enabled = false;
else if (enabled && aParent) {
nsCOMPtr<nsIDOMChromeWindow> chromeWin(do_QueryInterface(aParent));
bool isChrome = false;
nsresult rv = securityManager->SubjectPrincipalIsSystem(&isChrome);
if (NS_FAILED(rv)) {
isChrome = false;
}
// Only enable special priveleges for chrome when chrome calls
// open() on a chrome window
enabled = !(isChrome && chromeWin == nullptr);
}
bool enabled = false;
if (nsContentUtils::IsCallerChrome()) {
// Only enable special priveleges for chrome when chrome calls
// open() on a chrome window
nsCOMPtr<nsIDOMChromeWindow> chromeWin(do_QueryInterface(aParent));
enabled = !aParent || chromeWin;
}
if (!enabled) {