tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

WrapperFactory.h (4554B)

      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #ifndef _xpc_WRAPPERFACTORY_H
      8 #define _xpc_WRAPPERFACTORY_H
      9 
     10 #include "js/Wrapper.h"
     11 
     12 namespace xpc {
     13 
     14 /**
     15 * A wrapper that's only used for cross-origin objects. This should be
     16 * just like a CrossCompartmentWrapper but (as an implementation
     17 * detail) doesn't actually do any compartment-entering and (as an
     18 * implementation detail) delegates all the security decisions and
     19 * compartment-entering to the target object, which is always a
     20 * proxy.
     21 *
     22 * We could also inherit from CrossCompartmentWrapper but then we
     23 * would need to override all the proxy hooks to avoid the
     24 * compartment-entering bits.
     25 */
     26 class CrossOriginObjectWrapper : public js::Wrapper {
     27 public:
     28  // We want to claim to have a security policy, so code doesn't just
     29  // CheckedUnwrap us willy-nilly.  But we're OK with the BaseProxyHandler
     30  // implementation of enter(), which allows entering.  Our target is what
     31  // really does the security checks.
     32  //
     33  // We don't want to inherit from CrossCompartmentWrapper, because we don't
     34  // want the compartment-entering behavior it has.  But we do want to set the
     35  // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for
     36  // is<js::CrossCompartmentWrapperObject> and so forth.
     37  constexpr explicit CrossOriginObjectWrapper()
     38      : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
     39                    /* aHasSecurityPolicy = */ true) {}
     40 
     41  bool dynamicCheckedUnwrapAllowed(JS::Handle<JSObject*> obj,
     42                                   JSContext* cx) const override;
     43 
     44  // Cross origin objects should not participate in private fields.
     45  virtual bool throwOnPrivateField() const override { return true; }
     46 
     47  static const CrossOriginObjectWrapper singleton;
     48 };
     49 
     50 class WrapperFactory {
     51 public:
     52  enum {
     53    WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1,
     54    IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1
     55  };
     56 
     57  // Return true if any of any of the nested wrappers have the flag set.
     58  static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) {
     59    unsigned flags = 0;
     60    js::UncheckedUnwrap(wrapper, true, &flags);
     61    return !!(flags & flag);
     62  }
     63 
     64  static bool IsXrayWrapper(JSObject* wrapper) {
     65    return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG);
     66  }
     67 
     68  static bool IsCrossOriginWrapper(JSObject* obj) {
     69    return (js::IsProxy(obj) &&
     70            js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton);
     71  }
     72 
     73  static bool IsOpaqueWrapper(JSObject* obj);
     74 
     75  static bool HasWaiveXrayFlag(JSObject* wrapper) {
     76    return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG);
     77  }
     78 
     79  static bool IsCOW(JSObject* wrapper);
     80 
     81  static JSObject* GetXrayWaiver(JS::Handle<JSObject*> obj);
     82  // If allowExisting is true, there is an existing waiver for obj in
     83  // its scope, but we want to replace it with the new one.
     84  static JSObject* CreateXrayWaiver(JSContext* cx, JS::Handle<JSObject*> obj,
     85                                    bool allowExisting = false);
     86  static JSObject* WaiveXray(JSContext* cx, JSObject* obj);
     87 
     88  // Computes whether we should allow the creation of an Xray waiver from
     89  // |target| to |origin|.
     90  static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin);
     91 
     92  // Convenience method for the above, operating on a wrapper.
     93  static bool AllowWaiver(JSObject* wrapper);
     94 
     95  // Prepare a given object for wrapping in a new compartment.
     96  static void PrepareForWrapping(JSContext* cx, JS::Handle<JSObject*> scope,
     97                                 JS::Handle<JSObject*> origObj,
     98                                 JS::Handle<JSObject*> obj,
     99                                 JS::Handle<JSObject*> objectPassedToWrap,
    100                                 JS::MutableHandle<JSObject*> retObj);
    101 
    102  // Rewrap an object that is about to cross compartment boundaries.
    103  static JSObject* Rewrap(JSContext* cx, JS::Handle<JSObject*> existing,
    104                          JS::Handle<JSObject*> obj);
    105 
    106  // Wrap wrapped object into a waiver wrapper and then re-wrap it.
    107  static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandle<JS::Value> vp);
    108  static bool WaiveXrayAndWrap(JSContext* cx,
    109                               JS::MutableHandle<JSObject*> object);
    110 };
    111 
    112 }  // namespace xpc
    113 
    114 #endif /* _xpc_WRAPPERFACTORY_H */