mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-30 05:35:31 +00:00
249 lines
8.5 KiB
C++
249 lines
8.5 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
|
/* vim: set ts=4 et sw=4 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef nsScriptSecurityManager_h__
|
|
#define nsScriptSecurityManager_h__
|
|
|
|
#include "nsIScriptSecurityManager.h"
|
|
#include "nsIPrincipal.h"
|
|
#include "nsIXPCSecurityManager.h"
|
|
#include "nsInterfaceHashtable.h"
|
|
#include "nsHashtable.h"
|
|
#include "nsCOMPtr.h"
|
|
#include "nsIChannelEventSink.h"
|
|
#include "nsIObserver.h"
|
|
#include "pldhash.h"
|
|
#include "plstr.h"
|
|
#include "nsIScriptExternalNameSet.h"
|
|
#include "js/TypeDecls.h"
|
|
|
|
#include <stdint.h>
|
|
|
|
class nsIDocShell;
|
|
class nsString;
|
|
class nsIClassInfo;
|
|
class nsIIOService;
|
|
class nsIStringBundle;
|
|
class nsSystemPrincipal;
|
|
class ClassInfoData;
|
|
|
|
/////////////////////////////
|
|
// nsScriptSecurityManager //
|
|
/////////////////////////////
|
|
#define NS_SCRIPTSECURITYMANAGER_CID \
|
|
{ 0x7ee2a4c0, 0x4b93, 0x17d3, \
|
|
{ 0xba, 0x18, 0x00, 0x60, 0xb0, 0xf1, 0x99, 0xa2 }}
|
|
|
|
class nsScriptSecurityManager : public nsIScriptSecurityManager,
|
|
public nsIChannelEventSink,
|
|
public nsIObserver
|
|
{
|
|
public:
|
|
static void Shutdown();
|
|
|
|
NS_DEFINE_STATIC_CID_ACCESSOR(NS_SCRIPTSECURITYMANAGER_CID)
|
|
|
|
NS_DECL_ISUPPORTS
|
|
NS_DECL_NSISCRIPTSECURITYMANAGER
|
|
NS_DECL_NSIXPCSECURITYMANAGER
|
|
NS_DECL_NSICHANNELEVENTSINK
|
|
NS_DECL_NSIOBSERVER
|
|
|
|
static nsScriptSecurityManager*
|
|
GetScriptSecurityManager();
|
|
|
|
static nsSystemPrincipal*
|
|
SystemPrincipalSingletonConstructor();
|
|
|
|
JSContext* GetCurrentJSContext();
|
|
|
|
JSContext* GetSafeJSContext();
|
|
|
|
/**
|
|
* Utility method for comparing two URIs. For security purposes, two URIs
|
|
* are equivalent if their schemes, hosts, and ports (if any) match. This
|
|
* method returns true if aSubjectURI and aObjectURI have the same origin,
|
|
* false otherwise.
|
|
*/
|
|
static bool SecurityCompareURIs(nsIURI* aSourceURI, nsIURI* aTargetURI);
|
|
static uint32_t SecurityHashURI(nsIURI* aURI);
|
|
|
|
static nsresult
|
|
ReportError(JSContext* cx, const nsAString& messageTag,
|
|
nsIURI* aSource, nsIURI* aTarget);
|
|
|
|
static nsresult
|
|
CheckSameOriginPrincipal(nsIPrincipal* aSubject,
|
|
nsIPrincipal* aObject);
|
|
static uint32_t
|
|
HashPrincipalByOrigin(nsIPrincipal* aPrincipal);
|
|
|
|
static bool
|
|
GetStrictFileOriginPolicy()
|
|
{
|
|
return sStrictFileOriginPolicy;
|
|
}
|
|
|
|
/**
|
|
* Returns true if the two principals share the same app attributes.
|
|
*
|
|
* App attributes are appId and the inBrowserElement flag.
|
|
* Two principals have the same app attributes if those information are
|
|
* equals.
|
|
* This method helps keeping principals from different apps isolated from
|
|
* each other. Also, it helps making sure mozbrowser (web views) and their
|
|
* parent are isolated from each other. All those entities do not share the
|
|
* same data (cookies, IndexedDB, localStorage, etc.) so we shouldn't allow
|
|
* violating that principle.
|
|
*/
|
|
static bool
|
|
AppAttributesEqual(nsIPrincipal* aFirst,
|
|
nsIPrincipal* aSecond);
|
|
|
|
void DeactivateDomainPolicy();
|
|
|
|
private:
|
|
|
|
// GetScriptSecurityManager is the only call that can make one
|
|
nsScriptSecurityManager();
|
|
virtual ~nsScriptSecurityManager();
|
|
|
|
bool SubjectIsPrivileged();
|
|
|
|
static bool
|
|
CheckObjectAccess(JSContext *cx, JS::Handle<JSObject*> obj,
|
|
JS::Handle<jsid> id, JSAccessMode mode,
|
|
JS::MutableHandle<JS::Value> vp);
|
|
|
|
// Decides, based on CSP, whether or not eval() and stuff can be executed.
|
|
static bool
|
|
ContentSecurityPolicyPermitsJSAction(JSContext *cx);
|
|
|
|
// Returns null if a principal cannot be found; generally callers
|
|
// should error out at that point.
|
|
static nsIPrincipal* doGetObjectPrincipal(JSObject* obj);
|
|
|
|
// Returns null if a principal cannot be found. Note that rv can be NS_OK
|
|
// when this happens -- this means that there was no JS running.
|
|
nsIPrincipal*
|
|
doGetSubjectPrincipal(nsresult* rv);
|
|
|
|
nsresult
|
|
CheckPropertyAccessImpl(uint32_t aAction,
|
|
nsAXPCNativeCallContext* aCallContext,
|
|
JSContext* cx, JSObject* aJSObject,
|
|
nsISupports* aObj,
|
|
nsIClassInfo* aClassInfo,
|
|
const char* aClassName, jsid aProperty);
|
|
|
|
nsresult
|
|
CheckSameOriginDOMProp(nsIPrincipal* aSubject,
|
|
nsIPrincipal* aObject,
|
|
uint32_t aAction);
|
|
|
|
nsresult
|
|
GetCodebasePrincipalInternal(nsIURI* aURI, uint32_t aAppId,
|
|
bool aInMozBrowser,
|
|
nsIPrincipal** result);
|
|
|
|
nsresult
|
|
CreateCodebasePrincipal(nsIURI* aURI, uint32_t aAppId, bool aInMozBrowser,
|
|
nsIPrincipal** result);
|
|
|
|
// Returns null if a principal cannot be found. Note that rv can be NS_OK
|
|
// when this happens -- this means that there was no script for the
|
|
// context. Callers MUST pass in a non-null rv here.
|
|
nsIPrincipal*
|
|
GetSubjectPrincipal(JSContext* cx, nsresult* rv);
|
|
|
|
/**
|
|
* Check capability levels for an |aObj| that implements
|
|
* nsISecurityCheckedComponent.
|
|
*
|
|
* NB: This function also checks to see if aObj is a plugin and the user
|
|
* has set the "security.xpconnect.plugin.unrestricted" pref to allow
|
|
* anybody to script plugin objects from anywhere.
|
|
*
|
|
* @param cx The context we're running on.
|
|
* NB: If null, "sameOrigin" does not have any effect.
|
|
* @param aObj The nsISupports representation of the object in question
|
|
* object, possibly null.
|
|
* @param aJSObject The JSObject representation of the object in question
|
|
* if |cx| is non-null and |aObjectSecurityLevel| is
|
|
* "sameOrigin". If null will be calculated from aObj (if
|
|
* non-null) if and only if aObj is an XPCWrappedJS. The
|
|
* rationale behind this is that if we're creating a JS
|
|
* wrapper for an XPCWrappedJS, this object definitely
|
|
* expects to be exposed to JS.
|
|
* @param aSubjectPrincipal The nominal subject principal used when
|
|
* aObjectSecurityLevel is "sameOrigin". If null,
|
|
* this is calculated if it's needed.
|
|
* @param aObjectSecurityLevel Can be one of three values:
|
|
* - allAccess: Allow access no matter what.
|
|
* - noAccess: Deny access no matter what.
|
|
* - sameOrigin: If |cx| is null, behave like noAccess.
|
|
* Otherwise, possibly compute a subject
|
|
* and object principal and return true if
|
|
* and only if the subject has greater than
|
|
* or equal privileges to the object.
|
|
*/
|
|
nsresult
|
|
CheckXPCPermissions(JSContext* cx,
|
|
nsISupports* aObj, JSObject* aJSObject,
|
|
nsIPrincipal* aSubjectPrincipal,
|
|
const char* aObjectSecurityLevel);
|
|
|
|
nsresult
|
|
Init();
|
|
|
|
nsresult
|
|
InitPrefs();
|
|
|
|
inline void
|
|
ScriptSecurityPrefChanged();
|
|
|
|
nsCOMPtr<nsIPrincipal> mSystemPrincipal;
|
|
bool mPrefInitialized;
|
|
bool mIsJavaScriptEnabled;
|
|
|
|
// This machinery controls new-style domain policies. The old-style
|
|
// policy machinery will be removed soon.
|
|
nsCOMPtr<nsIDomainPolicy> mDomainPolicy;
|
|
|
|
static bool sStrictFileOriginPolicy;
|
|
|
|
static nsIIOService *sIOService;
|
|
static nsIStringBundle *sStrBundle;
|
|
static JSRuntime *sRuntime;
|
|
};
|
|
|
|
#define NS_SECURITYNAMESET_CID \
|
|
{ 0x7c02eadc, 0x76, 0x4d03, \
|
|
{ 0x99, 0x8d, 0x80, 0xd7, 0x79, 0xc4, 0x85, 0x89 } }
|
|
#define NS_SECURITYNAMESET_CONTRACTID "@mozilla.org/security/script/nameset;1"
|
|
|
|
class nsSecurityNameSet : public nsIScriptExternalNameSet
|
|
{
|
|
public:
|
|
nsSecurityNameSet();
|
|
virtual ~nsSecurityNameSet();
|
|
|
|
NS_DECL_ISUPPORTS
|
|
|
|
NS_IMETHOD InitializeNameSet(nsIScriptContext* aScriptContext);
|
|
};
|
|
|
|
namespace mozilla {
|
|
|
|
void
|
|
GetJarPrefix(uint32_t aAppid,
|
|
bool aInMozBrowser,
|
|
nsACString& aJarPrefix);
|
|
|
|
} // namespace mozilla
|
|
|
|
#endif // nsScriptSecurityManager_h__
|