Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-27 20:25:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8615f8ac98
gecko-dev/js/xpconnect/wrappers/AccessCheck.h
Bobby Holley 4a9f9e844b Bug 1034239 - Replace GentlyOpaque with an "Xray-to-nothing" wrapper. r=gabor 
I did this wrong before. Making this a SecurityWrapper means that the caller does
not subsumes the target, and that the target therefore needs to be protected
from the caller. But GentlyOpaque was supposed to be an analog of PermissiveXray
for use when no useful XrayTraits exist, so it should behave similarly.

If we make this a Filtering Security Wrapper, we get a bunch of assertions where we
expect CheckedUnwrap to succeed for a chrome-side wrapper. And we can't making it
a Filtering Non-Security Wrapper, because then the filtering policy isn't even
consulted (an optimization in jsproxy.cpp).

Really, we want all of the Xray machinery (like the ability to waive and to place
expandos), and we just don't want to resolve any properties. This patch does this.
2014-07-10 09:31:37 -07:00

93 lines
3.2 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* vim: set ts=8 sts=4 et sw=4 tw=99: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __AccessCheck_h__
#define __AccessCheck_h__
#include "jswrapper.h"
#include "js/Id.h"
class nsIPrincipal;
namespace xpc {
class AccessCheck {
public:
static bool subsumes(JSCompartment *a, JSCompartment *b);
static bool subsumes(JSObject *a, JSObject *b);
static bool wrapperSubsumes(JSObject *wrapper);
static bool subsumesConsideringDomain(JSCompartment *a, JSCompartment *b);
static bool isChrome(JSCompartment *compartment);
static bool isChrome(JSObject *obj);
static nsIPrincipal *getPrincipal(JSCompartment *compartment);
static bool isCrossOriginAccessPermitted(JSContext *cx, JSObject *obj, jsid id,
js::Wrapper::Action act);
};
struct Policy {
};
// This policy allows no interaction with the underlying callable. Everything throws.
struct Opaque : public Policy {
static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
return false;
}
static bool deny(js::Wrapper::Action act, JS::HandleId id) {
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
};
// Like the above, but allows CALL.
struct OpaqueWithCall : public Policy {
static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
return act == js::Wrapper::CALL;
}
static bool deny(js::Wrapper::Action act, JS::HandleId id) {
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
};
// This policy only permits access to properties that are safe to be used
// across origins.
struct CrossOriginAccessiblePropertiesOnly : public Policy {
static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
}
static bool deny(js::Wrapper::Action act, JS::HandleId id) {
// Silently fail for enumerate-like operations.
if (act == js::Wrapper::ENUMERATE)
return true;
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
};
// This policy only permits access to properties if they appear in the
// objects exposed properties list.
struct ExposedPropertiesOnly : public Policy {
static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);
static bool deny(js::Wrapper::Action act, JS::HandleId id) {
// Fail silently for GETs and ENUMERATEs.
return act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
};
}
#endif /* __AccessCheck_h__ */
Reference in New Issue View Git Blame Copy Permalink