The Tor Browser: dom/xbl/nsXBLProtoImplField.cpp@129ffea94266 (annotated)

dom/xbl/nsXBLProtoImplField.cpp@129ffea94266 (annotated)

dom/xbl/nsXBLProtoImplField.cpp

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nsIAtom.h"
 #include "nsIContent.h"
 #include "nsString.h"
 #include "nsJSUtils.h"
 #include "jsapi.h"
 #include "js/CharacterEncoding.h"
 #include "nsUnicharUtils.h"
 #include "nsReadableUtils.h"
 #include "nsXBLProtoImplField.h"
 #include "nsIScriptContext.h"
 #include "nsIURI.h"
 #include "nsXBLSerialize.h"
 #include "nsXBLPrototypeBinding.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "nsGlobalWindow.h"
 #include "xpcpublic.h"
 #include "WrapperFactory.h"
 using namespace mozilla;
 using namespace mozilla::dom;
 nsXBLProtoImplField::nsXBLProtoImplField(const char16_t* aName, const char16_t* aReadOnly)
   : mNext(nullptr),
     mFieldText(nullptr),
     mFieldTextLength(0),
     mLineNumber(0)
 {
   MOZ_COUNT_CTOR(nsXBLProtoImplField);
   mName = NS_strdup(aName);  // XXXbz make more sense to use a stringbuffer?
   mJSAttributes = JSPROP_ENUMERATE;
   if (aReadOnly) {
     nsAutoString readOnly; readOnly.Assign(aReadOnly);
     if (readOnly.LowerCaseEqualsLiteral("true"))
       mJSAttributes |= JSPROP_READONLY;
   }
 }
 nsXBLProtoImplField::nsXBLProtoImplField(const bool aIsReadOnly)
   : mNext(nullptr),
     mFieldText(nullptr),
     mFieldTextLength(0),
     mLineNumber(0)
 {
   MOZ_COUNT_CTOR(nsXBLProtoImplField);
   mJSAttributes = JSPROP_ENUMERATE;
   if (aIsReadOnly)
     mJSAttributes |= JSPROP_READONLY;
 }
 nsXBLProtoImplField::~nsXBLProtoImplField()
 {
   MOZ_COUNT_DTOR(nsXBLProtoImplField);
   if (mFieldText)
     nsMemory::Free(mFieldText);
   NS_Free(mName);
   NS_CONTENT_DELETE_LIST_MEMBER(nsXBLProtoImplField, this, mNext);
 }
 void
 nsXBLProtoImplField::AppendFieldText(const nsAString& aText)
 {
   if (mFieldText) {
     nsDependentString fieldTextStr(mFieldText, mFieldTextLength);
     nsAutoString newFieldText = fieldTextStr + aText;
     char16_t* temp = mFieldText;
     mFieldText = ToNewUnicode(newFieldText);
     mFieldTextLength = newFieldText.Length();
     nsMemory::Free(temp);
   }
   else {
     mFieldText = ToNewUnicode(aText);
     mFieldTextLength = aText.Length();
   }
 }
 // XBL fields are represented on elements inheriting that field a bit trickily.
 // When setting up the XBL prototype object, we install accessors for the fields
 // on the prototype object. Those accessors, when used, will then (via
 // InstallXBLField below) reify a property for the field onto the actual XBL-backed
 // element.
 //
 // The accessor property is a plain old property backed by a getter function and
 // a setter function.  These properties are backed by the FieldGetter and
 // FieldSetter natives; they're created by InstallAccessors.  The precise field to be
 // reified is identified using two extra slots on the getter/setter functions.
 // XBLPROTO_SLOT stores the XBL prototype object that provides the field.
 // FIELD_SLOT stores the name of the field, i.e. its JavaScript property name.
 //
 // This two-step field installation process -- creating an accessor on the
 // prototype, then have that reify an own property on the actual element -- is
 // admittedly convoluted.  Better would be for XBL-backed elements to be proxies
 // that could resolve fields onto themselves.  But given that XBL bindings are
 // associated with elements mutably -- you can add/remove/change -moz-binding
 // whenever you want, alas -- doing so would require all elements to be proxies,
 // which isn't performant now.  So we do this two-step instead.
 static const uint32_t XBLPROTO_SLOT = 0;
 static const uint32_t FIELD_SLOT = 1;
 bool
 ValueHasISupportsPrivate(JS::Handle<JS::Value> v)
 {
   if (!v.isObject()) {
     return false;
   }
   const DOMClass* domClass = GetDOMClass(&v.toObject());
   if (domClass) {
     return domClass->mDOMObjectIsISupports;
   }
   const JSClass* clasp = ::JS_GetClass(&v.toObject());
   const uint32_t HAS_PRIVATE_NSISUPPORTS =
     JSCLASS_HAS_PRIVATE | JSCLASS_PRIVATE_IS_NSISUPPORTS;
   return (clasp->flags & HAS_PRIVATE_NSISUPPORTS) == HAS_PRIVATE_NSISUPPORTS;
 }
 #ifdef DEBUG
 static bool
 ValueHasISupportsPrivate(JSContext* cx, const JS::Value& aVal)
 {
     JS::Rooted<JS::Value> v(cx, aVal);
     return ValueHasISupportsPrivate(v);
 }
 #endif
 // Define a shadowing property on |this| for the XBL field defined by the
 // contents of the callee's reserved slots.  If the property was defined,
 // *installed will be true, and idp will be set to the property name that was
 // defined.
 static bool
 InstallXBLField(JSContext* cx,
                 JS::Handle<JSObject*> callee, JS::Handle<JSObject*> thisObj,
                 JS::MutableHandle<jsid> idp, bool* installed)
 {
   *installed = false;
   // First ensure |this| is a reasonable XBL bound node.
   //
   // FieldAccessorGuard already determined whether |thisObj| was acceptable as
   // |this| in terms of not throwing a TypeError.  Assert this for good measure.
   MOZ_ASSERT(ValueHasISupportsPrivate(cx, JS::ObjectValue(*thisObj)));
   // But there are some cases where we must accept |thisObj| but not install a
   // property on it, or otherwise touch it.  Hence this split of |this|-vetting
   // duties.
   nsISupports* native =
     nsContentUtils::XPConnect()->GetNativeOfWrapper(cx, thisObj);
   if (!native) {
     // Looks like whatever |thisObj| is it's not our nsIContent.  It might well
     // be the proto our binding installed, however, where the private is the
     // nsXBLDocumentInfo, so just baul out quietly.  Do NOT throw an exception
     // here.
     //
     // We could make this stricter by checking the class maybe, but whatever.
     return true;
   }
   nsCOMPtr<nsIContent> xblNode = do_QueryInterface(native);
   if (!xblNode) {
     xpc::Throw(cx, NS_ERROR_UNEXPECTED);
     return false;
   }
   // Now that |this| is okay, actually install the field.
   // Because of the possibility (due to XBL binding inheritance, because each
   // XBL binding lives in its own global object) that |this| might be in a
   // different compartment from the callee (not to mention that this method can
   // be called with an arbitrary |this| regardless of how insane XBL is), and
   // because in this method we've entered |this|'s compartment (see in
   // Field[GS]etter where we attempt a cross-compartment call), we must enter
   // the callee's compartment to access its reserved slots.
   nsXBLPrototypeBinding* protoBinding;
   nsDependentJSString fieldName;
   {
     JSAutoCompartment ac(cx, callee);
     JS::Rooted<JSObject*> xblProto(cx);
     xblProto = &js::GetFunctionNativeReserved(callee, XBLPROTO_SLOT).toObject();
     JS::Rooted<JS::Value> name(cx, js::GetFunctionNativeReserved(callee, FIELD_SLOT));
     JSFlatString* fieldStr = JS_ASSERT_STRING_IS_FLAT(name.toString());
     fieldName.init(fieldStr);
     MOZ_ALWAYS_TRUE(JS_ValueToId(cx, name, idp));
     // If a separate XBL scope is being used, the callee is not same-compartment
     // with the xbl prototype, and the object is a cross-compartment wrapper.
     xblProto = js::UncheckedUnwrap(xblProto);
     JSAutoCompartment ac2(cx, xblProto);
     JS::Value slotVal = ::JS_GetReservedSlot(xblProto, 0);
     protoBinding = static_cast<nsXBLPrototypeBinding*>(slotVal.toPrivate());
     MOZ_ASSERT(protoBinding);
   }
   nsXBLProtoImplField* field = protoBinding->FindField(fieldName);
   MOZ_ASSERT(field);
   nsresult rv = field->InstallField(thisObj, protoBinding->DocURI(), installed);
   if (NS_SUCCEEDED(rv)) {
     return true;
   }
   if (!::JS_IsExceptionPending(cx)) {
     xpc::Throw(cx, rv);
   }
   return false;
 }
 bool
 FieldGetterImpl(JSContext *cx, JS::CallArgs args)
 {
   JS::Handle<JS::Value> thisv = args.thisv();
   MOZ_ASSERT(ValueHasISupportsPrivate(thisv));
   JS::Rooted<JSObject*> thisObj(cx, &thisv.toObject());
   // We should be in the compartment of |this|. If we got here via nativeCall,
   // |this| is not same-compartment with |callee|, and it's possible via
   // asymmetric security semantics that |args.calleev()| is actually a security
   // wrapper. In this case, we know we want to do an unsafe unwrap, and
   // InstallXBLField knows how to handle cross-compartment pointers.
   bool installed = false;
   JS::Rooted<JSObject*> callee(cx, js::UncheckedUnwrap(&args.calleev().toObject()));
   JS::Rooted<jsid> id(cx);
   if (!InstallXBLField(cx, callee, thisObj, &id, &installed)) {
     return false;
   }
   if (!installed) {
     args.rval().setUndefined();
     return true;
   }
   JS::Rooted<JS::Value> v(cx);
   if (!JS_GetPropertyById(cx, thisObj, id, &v)) {
     return false;
   }
   args.rval().set(v);
   return true;
 }
 static bool
 FieldGetter(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   return JS::CallNonGenericMethod<ValueHasISupportsPrivate, FieldGetterImpl>
                                  (cx, args);
 }
 bool
 FieldSetterImpl(JSContext *cx, JS::CallArgs args)
 {
   JS::Handle<JS::Value> thisv = args.thisv();
   MOZ_ASSERT(ValueHasISupportsPrivate(thisv));
   JS::Rooted<JSObject*> thisObj(cx, &thisv.toObject());
   // We should be in the compartment of |this|. If we got here via nativeCall,
   // |this| is not same-compartment with |callee|, and it's possible via
   // asymmetric security semantics that |args.calleev()| is actually a security
   // wrapper. In this case, we know we want to do an unsafe unwrap, and
   // InstallXBLField knows how to handle cross-compartment pointers.
   bool installed = false;
   JS::Rooted<JSObject*> callee(cx, js::UncheckedUnwrap(&args.calleev().toObject()));
   JS::Rooted<jsid> id(cx);
   if (!InstallXBLField(cx, callee, thisObj, &id, &installed)) {
     return false;
   }
   if (installed) {
     if (!::JS_SetPropertyById(cx, thisObj, id, args.get(0))) {
       return false;
     }
   }
   args.rval().setUndefined();
   return true;
 }
 static bool
 FieldSetter(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   return JS::CallNonGenericMethod<ValueHasISupportsPrivate, FieldSetterImpl>
                                  (cx, args);
 }
 nsresult
 nsXBLProtoImplField::InstallAccessors(JSContext* aCx,
                                       JS::Handle<JSObject*> aTargetClassObject)
 {
   MOZ_ASSERT(js::IsObjectInContextCompartment(aTargetClassObject, aCx));
   JS::Rooted<JSObject*> globalObject(aCx, JS_GetGlobalForObject(aCx, aTargetClassObject));
   JS::Rooted<JSObject*> scopeObject(aCx, xpc::GetXBLScopeOrGlobal(aCx, globalObject));
   NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);
   // Don't install it if the field is empty; see also InstallField which also must
   // implement the not-empty requirement.
   if (IsEmpty()) {
     return NS_OK;
   }
   // Install a getter/setter pair which will resolve the field onto the actual
   // object, when invoked.
   // Get the field name as an id.
   JS::Rooted<jsid> id(aCx);
   JS::TwoByteChars chars(mName, NS_strlen(mName));
   if (!JS_CharsToId(aCx, chars, &id))
     return NS_ERROR_OUT_OF_MEMORY;
   // Properties/Methods have historically taken precendence over fields. We
   // install members first, so just bounce here if the property is already
   // defined.
   bool found = false;
   if (!JS_AlreadyHasOwnPropertyById(aCx, aTargetClassObject, id, &found))
     return NS_ERROR_FAILURE;
   if (found)
     return NS_OK;
   // FieldGetter and FieldSetter need to run in the XBL scope so that they can
   // see through any SOWs on their targets.
   // First, enter the XBL scope, and compile the functions there.
   JSAutoCompartment ac(aCx, scopeObject);
   JS::Rooted<JS::Value> wrappedClassObj(aCx, JS::ObjectValue(*aTargetClassObject));
   if (!JS_WrapValue(aCx, &wrappedClassObj) || !JS_WrapId(aCx, &id))
     return NS_ERROR_OUT_OF_MEMORY;
   JS::Rooted<JSObject*> get(aCx,
     JS_GetFunctionObject(js::NewFunctionByIdWithReserved(aCx, FieldGetter,
 , 0, scopeObject, id)));
   if (!get) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   js::SetFunctionNativeReserved(get, XBLPROTO_SLOT, wrappedClassObj);
   js::SetFunctionNativeReserved(get, FIELD_SLOT,
                                 JS::StringValue(JSID_TO_STRING(id)));
   JS::Rooted<JSObject*> set(aCx,
     JS_GetFunctionObject(js::NewFunctionByIdWithReserved(aCx, FieldSetter,
 , 0, scopeObject, id)));
   if (!set) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   js::SetFunctionNativeReserved(set, XBLPROTO_SLOT, wrappedClassObj);
   js::SetFunctionNativeReserved(set, FIELD_SLOT,
                                 JS::StringValue(JSID_TO_STRING(id)));
   // Now, re-enter the class object's scope, wrap the getters/setters, and define
   // them there.
   JSAutoCompartment ac2(aCx, aTargetClassObject);
   if (!JS_WrapObject(aCx, &get) || !JS_WrapObject(aCx, &set) ||
       !JS_WrapId(aCx, &id))
   {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   if (!::JS_DefinePropertyById(aCx, aTargetClassObject, id, JS::UndefinedValue(),
                                JS_DATA_TO_FUNC_PTR(JSPropertyOp, get.get()),
                                JS_DATA_TO_FUNC_PTR(JSStrictPropertyOp, set.get()),
                                AccessorAttributes())) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   return NS_OK;
 }
 nsresult
 nsXBLProtoImplField::InstallField(JS::Handle<JSObject*> aBoundNode,
                                   nsIURI* aBindingDocURI,
                                   bool* aDidInstall) const
 {
   NS_PRECONDITION(aBoundNode,
                   "uh-oh, bound node should NOT be null or bad things will "
                   "happen");
   *aDidInstall = false;
   // Empty fields are treated as not actually present.
   if (IsEmpty()) {
     return NS_OK;
   }
   nsAutoMicroTask mt;
   // EvaluateString and JS_DefineUCProperty can both trigger GC, so
   // protect |result| here.
   nsresult rv;
   nsAutoCString uriSpec;
   aBindingDocURI->GetSpec(uriSpec);
   nsIGlobalObject* globalObject = xpc::WindowGlobalOrNull(aBoundNode);
   if (!globalObject) {
     return NS_OK;
   }
   // We are going to run script via EvaluateString, so we need a script entry
   // point, but as this is XBL related it does not appear in the HTML spec.
   AutoEntryScript entryScript(globalObject, true);
   JSContext* cx = entryScript.cx();
   NS_ASSERTION(!::JS_IsExceptionPending(cx),
                "Shouldn't get here when an exception is pending!");
   // First, enter the xbl scope, wrap the node, and use that as the scope for
   // the evaluation.
   JS::Rooted<JSObject*> scopeObject(cx, xpc::GetXBLScopeOrGlobal(cx, aBoundNode));
   NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);
   JSAutoCompartment ac(cx, scopeObject);
   JS::Rooted<JSObject*> wrappedNode(cx, aBoundNode);
   if (!JS_WrapObject(cx, &wrappedNode))
       return NS_ERROR_OUT_OF_MEMORY;
   JS::Rooted<JS::Value> result(cx);
   JS::CompileOptions options(cx);
   options.setFileAndLine(uriSpec.get(), mLineNumber)
          .setVersion(JSVERSION_LATEST);
   nsJSUtils::EvaluateOptions evalOptions;
   rv = nsJSUtils::EvaluateString(cx, nsDependentString(mFieldText,
                                                        mFieldTextLength),
                                  wrappedNode, options, evalOptions,
                                  &result);
   if (NS_FAILED(rv)) {
     return rv;
   }
   // Now, enter the node's compartment, wrap the eval result, and define it on
   // the bound node.
   JSAutoCompartment ac2(cx, aBoundNode);
   nsDependentString name(mName);
   if (!JS_WrapValue(cx, &result) ||
       !::JS_DefineUCProperty(cx, aBoundNode,
                              reinterpret_cast<const jschar*>(mName),
                              name.Length(), result, nullptr, nullptr,
                              mJSAttributes)) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   *aDidInstall = true;
   return NS_OK;
 }
 nsresult
 nsXBLProtoImplField::Read(nsIObjectInputStream* aStream)
 {
   nsAutoString name;
   nsresult rv = aStream->ReadString(name);
   NS_ENSURE_SUCCESS(rv, rv);
   mName = ToNewUnicode(name);
   rv = aStream->Read32(&mLineNumber);
   NS_ENSURE_SUCCESS(rv, rv);
   nsAutoString fieldText;
   rv = aStream->ReadString(fieldText);
   NS_ENSURE_SUCCESS(rv, rv);
   mFieldTextLength = fieldText.Length();
   if (mFieldTextLength)
     mFieldText = ToNewUnicode(fieldText);
   return NS_OK;
 }
 nsresult
 nsXBLProtoImplField::Write(nsIObjectOutputStream* aStream)
 {
   XBLBindingSerializeDetails type = XBLBinding_Serialize_Field;
   if (mJSAttributes & JSPROP_READONLY) {
     type |= XBLBinding_Serialize_ReadOnly;
   }
   nsresult rv = aStream->Write8(type);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = aStream->WriteWStringZ(mName);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = aStream->Write32(mLineNumber);
   NS_ENSURE_SUCCESS(rv, rv);
   return aStream->WriteWStringZ(mFieldText ? mFieldText : MOZ_UTF16(""));
 }

The Tor Browser / annotate

dom/xbl/nsXBLProtoImplField.cpp@129ffea94266 (annotated)

dom/xbl/nsXBLProtoImplField.cpp