The Tor Browser: addon-sdk/source/lib/sdk/content/sandbox.js@129ffea94266 (annotated)

addon-sdk/source/lib/sdk/content/sandbox.js@129ffea94266 (annotated)

addon-sdk/source/lib/sdk/content/sandbox.js

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 'use strict';
 module.metadata = {
   'stability': 'unstable'
 };
 const { Class } = require('../core/heritage');
 const { EventTarget } = require('../event/target');
 const { on, off, emit } = require('../event/core');
 const { requiresAddonGlobal } = require('./utils');
 const { delay: async } = require('../lang/functional');
 const { Ci, Cu, Cc } = require('chrome');
 const timer = require('../timers');
 const { URL } = require('../url');
 const { sandbox, evaluate, load } = require('../loader/sandbox');
 const { merge } = require('../util/object');
 const { getTabForContentWindow } = require('../tabs/utils');
 const { getInnerId } = require('../window/utils');
 const { PlainTextConsole } = require('../console/plain-text');
 // WeakMap of sandboxes so we can access private values
 const sandboxes = new WeakMap();
 /* Trick the linker in order to ensure shipping these files in the XPI.
   require('./content-worker.js');
   Then, retrieve URL of these files in the XPI:
 */
 let prefix = module.uri.split('sandbox.js')[0];
 const CONTENT_WORKER_URL = prefix + 'content-worker.js';
 const metadata = require('@loader/options').metadata;
 // Fetch additional list of domains to authorize access to for each content
 // script. It is stored in manifest `metadata` field which contains
 // package.json data. This list is originaly defined by authors in
 // `permissions` attribute of their package.json addon file.
 const permissions = (metadata && metadata['permissions']) || {};
 const EXPANDED_PRINCIPALS = permissions['cross-domain-content'] || [];
 const waiveSecurityMembrane = !!permissions['unsafe-content-script'];
 const nsIScriptSecurityManager = Ci.nsIScriptSecurityManager;
 const secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].
   getService(Ci.nsIScriptSecurityManager);
 const JS_VERSION = '1.8';
 const WorkerSandbox = Class({
   implements: [ EventTarget ],
   /**
    * Emit a message to the worker content sandbox
    */
   emit: function emit(type, ...args) {
     // JSON.stringify is buggy with cross-sandbox values,
     // it may return "{}" on functions. Use a replacer to match them correctly.
     let replacer = (k, v) =>
       typeof(v) === "function"
         ? (type === "console" ? Function.toString.call(v) : void(0))
         : v;
     // Ensure having an asynchronous behavior
     async(() =>
       emitToContent(this, JSON.stringify([type, ...args], replacer))
     );
   },
   /**
    * Synchronous version of `emit`.
    * /!\ Should only be used when it is strictly mandatory /!\
    *     Doesn't ensure passing only JSON values.
    *     Mainly used by context-menu in order to avoid breaking it.
    */
   emitSync: function emitSync(...args) {
     return emitToContent(this, args);
   },
   /**
    * Tells if content script has at least one listener registered for one event,
    * through `self.on('xxx', ...)`.
    * /!\ Shouldn't be used. Implemented to avoid breaking context-menu API.
    */
   hasListenerFor: function hasListenerFor(name) {
     return modelFor(this).hasListenerFor(name);
   },
   /**
    * Configures sandbox and loads content scripts into it.
    * @param {Worker} worker
    *    content worker
    */
   initialize: function WorkerSandbox(worker, window) {
     let model = {};
     sandboxes.set(this, model);
     model.worker = worker;
     // We receive a wrapped window, that may be an xraywrapper if it's content
     let proto = window;
     // TODO necessary?
     // Ensure that `emit` has always the right `this`
     this.emit = this.emit.bind(this);
     this.emitSync = this.emitSync.bind(this);
     // Use expanded principal for content-script if the content is a
     // regular web content for better isolation.
     // (This behavior can be turned off for now with the unsafe-content-script
     // flag to give addon developers time for making the necessary changes)
     // But prevent it when the Worker isn't used for a content script but for
     // injecting `addon` object into a Panel, Widget, ... scope.
     // That's because:
     // 1/ It is useless to use multiple domains as the worker is only used
     // to communicate with the addon,
     // 2/ By using it it would prevent the document to have access to any JS
     // value of the worker. As JS values coming from multiple domain principals
     // can't be accessed by 'mono-principals' (principal with only one domain).
     // Even if this principal is for a domain that is specified in the multiple
     // domain principal.
     let principals = window;
     let wantGlobalProperties = [];
     let isSystemPrincipal = secMan.isSystemPrincipal(
       window.document.nodePrincipal);
     if (!isSystemPrincipal && !requiresAddonGlobal(worker)) {
       if (EXPANDED_PRINCIPALS.length > 0) {
         // We have to replace XHR constructor of the content document
         // with a custom cross origin one, automagically added by platform code:
         delete proto.XMLHttpRequest;
         wantGlobalProperties.push('XMLHttpRequest');
       }
       if (!waiveSecurityMembrane)
         principals = EXPANDED_PRINCIPALS.concat(window);
     }
     // Instantiate trusted code in another Sandbox in order to prevent content
     // script from messing with standard classes used by proxy and API code.
     let apiSandbox = sandbox(principals, { wantXrays: true, sameZoneAs: window });
     apiSandbox.console = console;
     // Create the sandbox and bind it to window in order for content scripts to
     // have access to all standard globals (window, document, ...)
     let content = sandbox(principals, {
       sandboxPrototype: proto,
       wantXrays: true,
       wantGlobalProperties: wantGlobalProperties,
       wantExportHelpers: true,
       sameZoneAs: window,
       metadata: {
         SDKContentScript: true,
         'inner-window-id': getInnerId(window)
       }
     });
     model.sandbox = content;
     // We have to ensure that window.top and window.parent are the exact same
     // object than window object, i.e. the sandbox global object. But not
     // always, in case of iframes, top and parent are another window object.
     let top = window.top === window ? content : content.top;
     let parent = window.parent === window ? content : content.parent;
     merge(content, {
       // We need 'this === window === top' to be true in toplevel scope:
       get window() content,
       get top() top,
       get parent() parent,
       // Use the Greasemonkey naming convention to provide access to the
       // unwrapped window object so the content script can access document
       // JavaScript values.
       // NOTE: this functionality is experimental and may change or go away
       // at any time!
       get unsafeWindow() window.wrappedJSObject
     });
     // Load trusted code that will inject content script API.
     // We need to expose JS objects defined in same principal in order to
     // avoid having any kind of wrapper.
     load(apiSandbox, CONTENT_WORKER_URL);
     // prepare a clean `self.options`
     let options = 'contentScriptOptions' in worker ?
       JSON.stringify(worker.contentScriptOptions) :
       undefined;
     // Then call `inject` method and communicate with this script
     // by trading two methods that allow to send events to the other side:
     //   - `onEvent` called by content script
     //   - `result.emitToContent` called by addon script
     // Bug 758203: We have to explicitely define `__exposedProps__` in order
     // to allow access to these chrome object attributes from this sandbox with
     // content priviledges
     // https://developer.mozilla.org/en/XPConnect_wrappers#Other_security_wrappers
     let onEvent = onContentEvent.bind(null, this);
     // `ContentWorker` is defined in CONTENT_WORKER_URL file
     let chromeAPI = createChromeAPI();
     let result = apiSandbox.ContentWorker.inject(content, chromeAPI, onEvent, options);
     // Merge `emitToContent` and `hasListenerFor` into our private
     // model of the WorkerSandbox so we can communicate with content
     // script
     merge(model, result);
     let console = new PlainTextConsole(null, getInnerId(window));
     // Handle messages send by this script:
     setListeners(this, console);
     // Inject `addon` global into target document if document is trusted,
     // `addon` in document is equivalent to `self` in content script.
     if (requiresAddonGlobal(worker)) {
       Object.defineProperty(getUnsafeWindow(window), 'addon', {
           value: content.self
         }
       );
     }
     // Inject our `console` into target document if worker doesn't have a tab
     // (e.g Panel, PageWorker, Widget).
     // `worker.tab` can't be used because bug 804935.
     if (!getTabForContentWindow(window)) {
       let win = getUnsafeWindow(window);
       // export our chrome console to content window, as described here:
       // https://developer.mozilla.org/en-US/docs/Components.utils.createObjectIn
       let con = Cu.createObjectIn(win);
       let genPropDesc = function genPropDesc(fun) {
         return { enumerable: true, configurable: true, writable: true,
           value: console[fun] };
       }
       const properties = {
         log: genPropDesc('log'),
         info: genPropDesc('info'),
         warn: genPropDesc('warn'),
         error: genPropDesc('error'),
         debug: genPropDesc('debug'),
         trace: genPropDesc('trace'),
         dir: genPropDesc('dir'),
         group: genPropDesc('group'),
         groupCollapsed: genPropDesc('groupCollapsed'),
         groupEnd: genPropDesc('groupEnd'),
         time: genPropDesc('time'),
         timeEnd: genPropDesc('timeEnd'),
         profile: genPropDesc('profile'),
         profileEnd: genPropDesc('profileEnd'),
        __noSuchMethod__: { enumerable: true, configurable: true, writable: true,
                             value: function() {} }
       };
       Object.defineProperties(con, properties);
       Cu.makeObjectPropsNormal(con);
       win.console = con;
     };
     // The order of `contentScriptFile` and `contentScript` evaluation is
     // intentional, so programs can load libraries like jQuery from script URLs
     // and use them in scripts.
     let contentScriptFile = ('contentScriptFile' in worker) ? worker.contentScriptFile
           : null,
         contentScript = ('contentScript' in worker) ? worker.contentScript : null;
     if (contentScriptFile)
       importScripts.apply(null, [this].concat(contentScriptFile));
     if (contentScript) {
       evaluateIn(
         this,
         Array.isArray(contentScript) ? contentScript.join(';\n') : contentScript
       );
     }
   },
   destroy: function destroy(reason) {
     if (typeof reason != 'string')
       reason = '';
     this.emitSync('event', 'detach', reason);
     let model = modelFor(this);
     model.sandbox = null
     model.worker = null;
   },
 });
 exports.WorkerSandbox = WorkerSandbox;
 /**
  * Imports scripts to the sandbox by reading files under urls and
  * evaluating its source. If exception occurs during evaluation
  * `'error'` event is emitted on the worker.
  * This is actually an analog to the `importScript` method in web
  * workers but in our case it's not exposed even though content
  * scripts may be able to do it synchronously since IO operation
  * takes place in the UI process.
  */
 function importScripts (workerSandbox, ...urls) {
   let { worker, sandbox } = modelFor(workerSandbox);
   for (let i in urls) {
     let contentScriptFile = urls[i];
     try {
       let uri = URL(contentScriptFile);
       if (uri.scheme === 'resource')
         load(sandbox, String(uri));
       else
         throw Error('Unsupported `contentScriptFile` url: ' + String(uri));
     }
     catch(e) {
       emit(worker, 'error', e);
     }
   }
 }
 function setListeners (workerSandbox, console) {
   let { worker } = modelFor(workerSandbox);
   // console.xxx calls
   workerSandbox.on('console', function consoleListener (kind, ...args) {
     console[kind].apply(console, args);
   });
   // self.postMessage calls
   workerSandbox.on('message', function postMessage(data) {
     // destroyed?
     if (worker)
       emit(worker, 'message', data);
   });
   // self.port.emit calls
   workerSandbox.on('event', function portEmit (...eventArgs) {
     // If not destroyed, emit event information to worker
     // `eventArgs` has the event name as first element,
     // and remaining elements are additional arguments to pass
     if (worker)
       emit.apply(null, [worker.port].concat(eventArgs));
   });
   // unwrap, recreate and propagate async Errors thrown from content-script
   workerSandbox.on('error', function onError({instanceOfError, value}) {
     if (worker) {
       let error = value;
       if (instanceOfError) {
         error = new Error(value.message, value.fileName, value.lineNumber);
         error.stack = value.stack;
         error.name = value.name;
       }
       emit(worker, 'error', error);
     }
   });
 }
 /**
  * Evaluates code in the sandbox.
  * @param {String} code
  *    JavaScript source to evaluate.
  * @param {String} [filename='javascript:' + code]
  *    Name of the file
  */
 function evaluateIn (workerSandbox, code, filename) {
   let { worker, sandbox } = modelFor(workerSandbox);
   try {
     evaluate(sandbox, code, filename || 'javascript:' + code);
   }
   catch(e) {
     emit(worker, 'error', e);
   }
 }
 /**
  * Method called by the worker sandbox when it needs to send a message
  */
 function onContentEvent (workerSandbox, args) {
   // As `emit`, we ensure having an asynchronous behavior
   async(function () {
     // We emit event to chrome/addon listeners
     emit.apply(null, [workerSandbox].concat(JSON.parse(args)));
   });
 }
 function modelFor (workerSandbox) {
   return sandboxes.get(workerSandbox);
 }
 function getUnsafeWindow (win) {
   return win.wrappedJSObject || win;
 }
 function emitToContent (workerSandbox, args) {
   return modelFor(workerSandbox).emitToContent(args);
 }
 function createChromeAPI () {
   return {
     timers: {
       setTimeout: timer.setTimeout,
       setInterval: timer.setInterval,
       clearTimeout: timer.clearTimeout,
       clearInterval: timer.clearInterval,
       __exposedProps__: {
         setTimeout: 'r',
         setInterval: 'r',
         clearTimeout: 'r',
         clearInterval: 'r'
       },
     },
     sandbox: {
       evaluate: evaluate,
       __exposedProps__: {
         evaluate: 'r'
       }
     },
     __exposedProps__: {
       timers: 'r',
       sandbox: 'r'
     }
   };
 }