tor-browser

The Tor Browser

AccessCheck.h (4286B)


      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #ifndef __AccessCheck_h__
      8 #define __AccessCheck_h__
      9 
     10 #include "js/Id.h"
     11 #include "js/Wrapper.h"
     12 #include "nsString.h"
     13 
     14 #ifdef XP_MACOSX
     15 // AssertMacros.h defines 'check' which conflicts with the method declarations
     16 // in this file.
     17 #  undef check
     18 #endif
     19 
     20 namespace xpc {
     21 
     // Static security-check helpers for namespace xpc. This header shows only
     // their declarations; the definitions live in another translation unit, so
     // every NOTE(review) below is inferred from a name and must be confirmed
     // against the implementation before it is relied on.
     class AccessCheck {
      public:
       // Subsumption queries: between two objects, for a single wrapper, and
       // between two realms.
       // NOTE(review): presumably "a subsumes b" means a's principal is allowed
       // everything b's principal is allowed - confirm in the definition.
       static bool subsumes(JSObject* a, JSObject* b);
       static bool wrapperSubsumes(JSObject* wrapper);
       static bool subsumesConsideringDomain(JS::Realm* a, JS::Realm* b);
       // NOTE(review): "FPD" presumably abbreviates first-party domain, which
       // would make this the more permissive of the two realm comparisons;
       // confirm before using it for an isolation decision.
       static bool subsumesConsideringDomainIgnoringFPD(JS::Realm* a,
                                                        JS::Realm* b);

       // Privilege test, overloaded for a compartment, a realm and an object.
       // NOTE(review): presumably "chrome" means system-privileged code -
       // confirm in the definition.
       static bool isChrome(JS::Compartment* compartment);
       static bool isChrome(JS::Realm* realm);
       static bool isChrome(JSObject* obj);

       // Check on what is handed to privileged code through |wrapper|. One
       // overload takes a single value, the other a whole set of call arguments;
       // OpaqueWithCall::checkCall in this header forwards to the CallArgs one.
       // What makes a value acceptable is decided in the definition, which is
       // not part of this header.
       static bool checkPassToPrivilegedCode(JSContext* cx,
                                             JS::HandleObject wrapper,
                                             JS::HandleValue value);
       static bool checkPassToPrivilegedCode(JSContext* cx,
                                             JS::HandleObject wrapper,
                                             const JS::CallArgs& args);

       // Reports the appropriate kind of exception when the policy denies an
       // operation and is expected to throw. |accessType| names the operation
       // being denied and should be one of "access", "define" or "delete".
       static void reportCrossOriginDenial(JSContext* cx, JS::HandleId id,
                                           const nsACString& accessType);
     };
     41 
     /**
      * Tells whether |obj| is a WindowProxy or a Location object.
      *
      * Those two kinds of object can be used cross-origin in limited ways and
      * therefore need special wrapping behavior. In practice callers are
      * expected to pass an object already stripped of cross-compartment
      * wrappers, but this function does not assume that they have.
      *
      * @return true for a WindowProxy or Location object.
      */
     bool IsCrossOriginAccessibleObject(JSObject* obj);
     49 
     // Common base of the wrapper policies declared in this header (Opaque,
     // OpaqueWithCall and OpaqueWithSilentFailing all derive from it). Its only
     // member is a checkCall() that is never meant to run.
     struct Policy {
       // Aborts through MOZ_CRASH instead of returning a verdict: a policy that
       // does not supply its own checkCall() treats being called as a
       // programming error rather than as a request to allow or deny.
       static bool checkCall(JSContext* cx,
                             JS::HandleObject wrapper,
                             const JS::CallArgs& args) {
         MOZ_CRASH("As a rule, filtering wrappers are non-callable");
       }
     };
     56 
     // Deny-everything policy: no interaction with the underlying callable is
     // allowed, and every attempt throws. None of the three hooks looks at its
     // arguments, so nothing a caller passes can turn the answer into "allow".
     struct Opaque : public Policy {
       // No id and no action is ever permitted.
       static bool check(JSContext* cx, JSObject* wrapper, jsid id,
                         js::Wrapper::Action act) { return false; }

       // Always false, for every action. NOTE(review): how the result is
       // consumed is up to the wrapper code that calls deny(), which this header
       // does not show; per the policy description the denial ends in a throw.
       static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
                        bool mayThrow) { return false; }

       // Native calls are refused as well, whatever |test| and |impl| are.
       static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
                                   JS::NativeImpl impl) { return false; }
     };
     73 
     // Same deny-by-default shape as Opaque, with one exception: the CALL action
     // passes check(). The call itself is still gated, because checkCall() hands
     // the arguments to AccessCheck::checkPassToPrivilegedCode and returns its
     // verdict.
     struct OpaqueWithCall : public Policy {
       // True for js::Wrapper::CALL only; every other action is refused.
       static bool check(JSContext* cx, JSObject* wrapper, jsid id,
                         js::Wrapper::Action act) {
         const bool isCall = (act == js::Wrapper::CALL);
         return isCall;
       }

       // Always false. NOTE(review): the meaning of the result is defined by the
       // wrapper code that calls deny(), which this header does not show.
       static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
                        bool mayThrow) { return false; }

       // Native calls are refused, whatever |test| and |impl| are.
       static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
                                   JS::NativeImpl impl) { return false; }

       // Replaces the crashing Policy::checkCall: the decision is delegated to
       // the CallArgs overload of AccessCheck::checkPassToPrivilegedCode.
       static bool checkCall(JSContext* cx, JS::HandleObject wrapper,
                             const JS::CallArgs& args) {
         return AccessCheck::checkPassToPrivilegedCode(cx, wrapper, args);
       }
     };
     93 
     // Historically this policy permitted access to properties that appeared in
     // an access list on the object. It now behaves like an Opaque wrapper,
     // except that GET, ENUMERATE and GET_PROPERTY_DESCRIPTOR fail silently,
     // which is kept for backwards compatibility. See bug 1397513.
     //
     // As far as this header shows, the silent failing changes only how a denial
     // is reported, not whether access is granted: check() refuses every action.
     struct OpaqueWithSilentFailing : public Policy {
       // No id and no action is ever permitted. Unlike Opaque::check, this
       // overload takes the wrapper and the id as handles.
       static bool check(JSContext* cx, JS::HandleObject wrapper, JS::HandleId id,
                         js::Wrapper::Action act) { return false; }

       // Declared here only; the definition is in another translation unit.
       // NOTE(review): this is presumably where the silent-failure handling for
       // the three actions named above lives - confirm in the definition.
       static bool deny(JSContext* cx, js::Wrapper::Action act, JS::HandleId id,
                        bool mayThrow);

       // Native calls are refused, whatever |test| and |impl| are.
       static bool allowNativeCall(JSContext* cx, JS::IsAcceptableThis test,
                                   JS::NativeImpl impl) { return false; }
     };
    112 
    113 }  // namespace xpc
    114 
    115 #endif /* __AccessCheck_h__ */