Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-26 22:32:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
gecko-dev/dom/workers/WorkerLoadInfo.h
Andrew Sutherland a212459d62 Bug 1544232 - Limit lifetime extension of SWs by SWs to the sender's lifetime. r=edenchuang 
This patch introduces an explicit concept of lifetimes with mechanisms
in place so that actions taken by Clients (windows or non-ServiceWorker
orkers) will extend the lifetime of a ServiceWorker, but a ServiceWorker
cannot extend the life of another ServiceWorker.

The areas of concern are:
- ServiceWorker.postMessage: With ServiceWorkers exposed on workers and
  the ability to access other registrations via ServiceWorkerContainer
  being exposed, ServiceWorkers can message other ServiceWorkers.  It's
  essential that they never be allowed to give a ServiceWorker a
  lifetime longer than their own.
- ServiceWorkerRegistration.update(): Requesting an update of a
  registration should not allow any installed/updated ServiceWorker to
  have a lifetime longer than the ServiceWorker creating the request.
- ServiceWorkerContainer.register(): Requesting the installation of a
  new ServiceWorker should likewise constrain the lifetime of the newly
  installed ServiceWorker.

Note that in cases where we would potentially spawn a ServiceWorker,
whether it be in response to postMessage or as part of an install or
update, a key criteria is whether the lifetime extends far enough into
the future for us to believe the ServiceWorker can accomplish anything.
Currently we have a constant of 5 seconds against a normal full
lifetime of 30 seconds (before 30 second grace period).  So once a SW
has < 5 seconds of lifetime left, it won't be able to spawn a SW.  Note
that in the case of install/update, we do not prevent the creation of
the job at this time, instead the job will fail during the check script
evaluation step as failure to spawn the ServiceWorker is equivalent to
a script load failure.

A somewhat ugly part of this implementation is that because Bug 1853706
is not yet implemented, our actors that are fundamentally associated
with a global don't have an inherent understanding of their relationship
to that global.  So we approximate that by:
- For postMessage, we always have a ServiceWorkerDescriptor if we are
  being messaged by a ServiceWorker, allowing us direct lookup.
- ServiceWorkerRegistration.update(): In a previous patch in the stack
  we had ServiceWorkerRegistrationProxy latch the ClientInfo of its
  owning global when it was created.  Note that in the case of a
  ServiceWorker's own registration, this will be created at startup
  before the worker hits the execution ready state.
  - Note that because we have at most one live
    ServiceWorkerRegistration per global at a time, and the
    registration is fundamentally associated with the
    ServiceWorkerGlobalScope, that registration and its proxy will
    remain alive for the duration of the global.
- ServiceWorkerContainer.register(): We already were sending the client
  info along with the register call (as well as all other calls on the
  container).

Looking up the ServiceWorker from its client is not something that was
really intended.  This is further complicated by ServiceWorkerManager
being authoritative for ServiceWorkers on the parent process main thread
whereas the ClientManagerService is authoritative on PBackground and
actor-centric, making sketchy multi-threaded maps not really an option.

Looking up the ServiceWorker from a ServiceWorkerDescriptor is intended,
but the primary intent in those cases is so that the recipient of such a
descriptor can easily create a ServiceWorker instance that is
live-updating (by way of its owning ServiceWorkerRegistration; we don't
have IPC actors directly for ServiceWorkers, just the registration).
Adding the descriptor to clients until Bug 1853706 is implemented would
be an exceedingly ugly workaround because it would greatly complicate
the existing plumbing code, and a lot of the code is confusing enough
as-is.

This patch initially adopted an approach of encoding the scope of a
ServiceWorker as its client URL, but it turns out web extension
ServiceWorker support (reasonably) assumed the URL would be the script
URL so the original behavior was restored and when performing our
lookup we just check all registrations associated with the given
origin.  This is okay because register and update calls are inherently
expensive, rare operations and the overhead of the additional checks is
marginal.  Additionally, we can remove this logic once Bug 1853706 is
implemented.

As part of that initial scope tunneling was that, as noted above, we
do sample the ClientInfo for a ServiceWorker's own registration before
the worker is execution-ready.  And prior to this patch, we only would
populate the URL during execution-ready because for most globals, we
can't possibly know the URL when the ClientSource is created.  However,
for ServiceWorkers we can.  Because we also want to know what the id of
the ServiceWorker client would be, we also change the creation of the
ServiceWorker ClientSource so that it uses a ClientInfo created by the
authoritative ServiceWorkerPrivate in its Initialize method.

A minor retained hack is that because the worker scriptloader propagates
its CSP structure onto its ClientInfo (but not its ClientSource, which
feels weird, but makes sense) and that does get sent via register(), we
do also need to normalize the ClientInfo in the parent when we do
equality checking to have it ignore the CSP.

Differential Revision: https://phabricator.services.mozilla.com/D180915
2024-10-24 03:02:42 +00:00

202 lines
6.2 KiB
C++
Raw Permalink Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_dom_workers_WorkerLoadInfo_h
#define mozilla_dom_workers_WorkerLoadInfo_h
#include "mozilla/OriginAttributes.h"
#include "mozilla/StorageAccess.h"
#include "mozilla/OriginTrials.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/dom/ChannelInfo.h"
#include "mozilla/net/NeckoChannelParams.h"
#include "mozilla/dom/ServiceWorkerRegistrationDescriptor.h"
#include "mozilla/dom/WorkerCommon.h"
#include "nsIInterfaceRequestor.h"
#include "nsILoadContext.h"
#include "nsIRequest.h"
#include "nsISupportsImpl.h"
#include "nsIWeakReferenceUtils.h"
#include "nsRFPService.h"
#include "nsTArray.h"
class nsIChannel;
class nsIContentSecurityPolicy;
class nsICookieJarSettings;
class nsILoadGroup;
class nsIPrincipal;
class nsIReferrerInfo;
class nsIRunnable;
class nsIScriptContext;
class nsIBrowserChild;
class nsIURI;
class nsPIDOMWindowInner;
namespace mozilla {
namespace ipc {
class PrincipalInfo;
class CSPInfo;
} // namespace ipc
namespace dom {
class WorkerPrivate;
struct WorkerLoadInfoData {
// All of these should be released in
// WorkerPrivateParent::ForgetMainThreadObjects.
nsCOMPtr<nsIURI> mBaseURI;
nsCOMPtr<nsIURI> mResolvedScriptURI;
// This is the principal of the global (parent worker or a window) loading
// the worker. It can be null if we are executing a ServiceWorker, otherwise,
// except for data: URL, it must subsumes the worker principal.
// If we load a data: URL, mPrincipal will be a null principal.
nsCOMPtr<nsIPrincipal> mLoadingPrincipal;
nsCOMPtr<nsIPrincipal> mPrincipal;
nsCOMPtr<nsIPrincipal> mPartitionedPrincipal;
// Taken from the parent context.
nsCOMPtr<nsICookieJarSettings> mCookieJarSettings;
// The CookieJarSettingsArgs of mCookieJarSettings.
// This is specific for accessing on worker thread.
net::CookieJarSettingsArgs mCookieJarSettingsArgs;
nsCOMPtr<nsIScriptContext> mScriptContext;
nsCOMPtr<nsPIDOMWindowInner> mWindow;
nsCOMPtr<nsIContentSecurityPolicy> mCSP;
// Thread boundaries require us to not only store a CSP object, but also a
// serialized version of the CSP. Reason being: Serializing a CSP to a CSPInfo
// needs to happen on the main thread, but storing the CSPInfo needs to happen
// on the worker thread. We move the CSPInfo into the Client within
// ScriptLoader::PreRun().
UniquePtr<mozilla::ipc::CSPInfo> mCSPInfo;
nsCOMPtr<nsIChannel> mChannel;
nsCOMPtr<nsILoadGroup> mLoadGroup;
class InterfaceRequestor final : public nsIInterfaceRequestor {
NS_DECL_ISUPPORTS
public:
InterfaceRequestor(nsIPrincipal* aPrincipal, nsILoadGroup* aLoadGroup);
void MaybeAddBrowserChild(nsILoadGroup* aLoadGroup);
NS_IMETHOD GetInterface(const nsIID& aIID, void** aSink) override;
void SetOuterRequestor(nsIInterfaceRequestor* aOuterRequestor) {
MOZ_ASSERT(!mOuterRequestor);
MOZ_ASSERT(aOuterRequestor);
mOuterRequestor = aOuterRequestor;
}
private:
~InterfaceRequestor() = default;
already_AddRefed<nsIBrowserChild> GetAnyLiveBrowserChild();
nsCOMPtr<nsILoadContext> mLoadContext;
nsCOMPtr<nsIInterfaceRequestor> mOuterRequestor;
// Array of weak references to nsIBrowserChild. We do not want to keep
// BrowserChild actors alive for long after their ActorDestroy() methods are
// called.
nsTArray<nsWeakPtr> mBrowserChildList;
};
// Only set if we have a custom overriden load group
RefPtr<InterfaceRequestor> mInterfaceRequestor;
UniquePtr<mozilla::ipc::PrincipalInfo> mPrincipalInfo;
UniquePtr<mozilla::ipc::PrincipalInfo> mPartitionedPrincipalInfo;
nsCString mDomain;
nsString mServiceWorkerCacheName;
Maybe<ServiceWorkerDescriptor> mServiceWorkerDescriptor;
Maybe<ServiceWorkerRegistrationDescriptor>
mServiceWorkerRegistrationDescriptor;
Maybe<ClientInfo> mSourceInfo;
Maybe<ServiceWorkerDescriptor> mParentController;
nsID mAgentClusterId;
ChannelInfo mChannelInfo;
nsLoadFlags mLoadFlags;
uint64_t mWindowID;
uint64_t mAssociatedBrowsingContextID;
nsCOMPtr<nsIReferrerInfo> mReferrerInfo;
OriginTrials mTrials;
bool mFromWindow;
bool mEvalAllowed;
bool mReportEvalCSPViolations;
bool mWasmEvalAllowed;
bool mReportWasmEvalCSPViolations;
bool mXHRParamsAllowed;
bool mWatchedByDevTools;
StorageAccess mStorageAccess;
bool mUseRegularPrincipal;
bool mUsingStorageAccess;
bool mServiceWorkersTestingInWindow;
bool mShouldResistFingerprinting;
Maybe<RFPTarget> mOverriddenFingerprintingSettings;
OriginAttributes mOriginAttributes;
bool mIsThirdPartyContext;
enum {
eNotSet,
eInsecureContext,
eSecureContext,
} mSecureContext;
WorkerLoadInfoData();
WorkerLoadInfoData(WorkerLoadInfoData&& aOther) = default;
WorkerLoadInfoData& operator=(WorkerLoadInfoData&& aOther) = default;
};
struct WorkerLoadInfo : WorkerLoadInfoData {
WorkerLoadInfo();
WorkerLoadInfo(WorkerLoadInfo&& aOther) noexcept;
~WorkerLoadInfo();
WorkerLoadInfo& operator=(WorkerLoadInfo&& aOther) = default;
nsresult SetPrincipalsAndCSPOnMainThread(nsIPrincipal* aPrincipal,
nsIPrincipal* aPartitionedPrincipal,
nsILoadGroup* aLoadGroup,
nsIContentSecurityPolicy* aCSP);
nsresult GetPrincipalsAndLoadGroupFromChannel(
nsIChannel* aChannel, nsIPrincipal** aPrincipalOut,
nsIPrincipal** aPartitionedPrincipalOut, nsILoadGroup** aLoadGroupOut);
nsresult SetPrincipalsAndCSPFromChannel(nsIChannel* aChannel);
bool FinalChannelPrincipalIsValid(nsIChannel* aChannel);
#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
bool PrincipalIsValid() const;
bool PrincipalURIMatchesScriptURL();
#endif
bool ProxyReleaseMainThreadObjects(WorkerPrivate* aWorkerPrivate);
bool ProxyReleaseMainThreadObjects(
WorkerPrivate* aWorkerPrivate,
nsCOMPtr<nsILoadGroup>&& aLoadGroupToCancel);
};
} // namespace dom
} // namespace mozilla
#endif // mozilla_dom_workers_WorkerLoadInfo_h
Reference in New Issue View Git Blame Copy Permalink