The Tor Browser / annotate

js/xpconnect/wrappers/AccessCheck.h@129ffea94266 (annotated)

js/xpconnect/wrappers/AccessCheck.h

Sat, 03 Jan 2015 20:18:00 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Sat, 03 Jan 2015 20:18:00 +0100
branch
TOR_BUG_3246
changeset 7
129ffea94266
permissions
-rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

michael@0 1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
michael@0 2 /* vim: set ts=8 sts=4 et sw=4 tw=99: */
michael@0 3 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 6
michael@0 7 #ifndef __AccessCheck_h__
michael@0 8 #define __AccessCheck_h__
michael@0 9
michael@0 10 #include "jswrapper.h"
michael@0 11 #include "js/Id.h"
michael@0 12
michael@0 13 class nsIPrincipal;
michael@0 14
michael@0 15 namespace xpc {
michael@0 16
michael@0 17 class AccessCheck {
michael@0 18 public:
michael@0 19 static bool subsumes(JSCompartment *a, JSCompartment *b);
michael@0 20 static bool subsumes(JSObject *a, JSObject *b);
michael@0 21 static bool wrapperSubsumes(JSObject *wrapper);
michael@0 22 static bool subsumesConsideringDomain(JSCompartment *a, JSCompartment *b);
michael@0 23 static bool isChrome(JSCompartment *compartment);
michael@0 24 static bool isChrome(JSObject *obj);
michael@0 25 static bool callerIsChrome();
michael@0 26 static nsIPrincipal *getPrincipal(JSCompartment *compartment);
michael@0 27 static bool isCrossOriginAccessPermitted(JSContext *cx, JSObject *obj, jsid id,
michael@0 28 js::Wrapper::Action act);
michael@0 29 };
michael@0 30
michael@0 31 struct Policy {
michael@0 32 };
michael@0 33
michael@0 34 // This policy allows no interaction with the underlying callable. Everything throws.
michael@0 35 struct Opaque : public Policy {
michael@0 36 static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
michael@0 37 return false;
michael@0 38 }
michael@0 39 static bool deny(js::Wrapper::Action act, JS::HandleId id) {
michael@0 40 return false;
michael@0 41 }
michael@0 42 static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
michael@0 43 return false;
michael@0 44 }
michael@0 45 };
michael@0 46
michael@0 47 // Like the above, but allows CALL.
michael@0 48 struct OpaqueWithCall : public Policy {
michael@0 49 static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
michael@0 50 return act == js::Wrapper::CALL;
michael@0 51 }
michael@0 52 static bool deny(js::Wrapper::Action act, JS::HandleId id) {
michael@0 53 return false;
michael@0 54 }
michael@0 55 static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
michael@0 56 return false;
michael@0 57 }
michael@0 58 };
michael@0 59
michael@0 60 // This policy is designed to protect privileged callers from untrusted non-
michael@0 61 // Xrayable objects. Nothing is allowed, and nothing throws.
michael@0 62 struct GentlyOpaque : public Policy {
michael@0 63 static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
michael@0 64 return false;
michael@0 65 }
michael@0 66 static bool deny(js::Wrapper::Action act, JS::HandleId id) {
michael@0 67 return true;
michael@0 68 }
michael@0 69 static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
michael@0 70 // We allow nativeCall here because the alternative is throwing (which
michael@0 71 // happens in SecurityWrapper::nativeCall), which we don't want. There's
michael@0 72 // unlikely to be too much harm to letting this through, because this
michael@0 73 // wrapper is only used to wrap less-privileged objects in more-privileged
michael@0 74 // scopes, so unwrapping here only drops privileges.
michael@0 75 return true;
michael@0 76 }
michael@0 77 };
michael@0 78
michael@0 79 // This policy only permits access to properties that are safe to be used
michael@0 80 // across origins.
michael@0 81 struct CrossOriginAccessiblePropertiesOnly : public Policy {
michael@0 82 static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
michael@0 83 return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
michael@0 84 }
michael@0 85 static bool deny(js::Wrapper::Action act, JS::HandleId id) {
michael@0 86 // Silently fail for enumerate-like operations.
michael@0 87 if (act == js::Wrapper::ENUMERATE)
michael@0 88 return true;
michael@0 89 return false;
michael@0 90 }
michael@0 91 static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
michael@0 92 return false;
michael@0 93 }
michael@0 94 };
michael@0 95
michael@0 96 // This policy only permits access to properties if they appear in the
michael@0 97 // objects exposed properties list.
michael@0 98 struct ExposedPropertiesOnly : public Policy {
michael@0 99 static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);
michael@0 100
michael@0 101 static bool deny(js::Wrapper::Action act, JS::HandleId id) {
michael@0 102 // Fail silently for GETs and ENUMERATEs.
michael@0 103 return act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE;
michael@0 104 }
michael@0 105 static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
michael@0 106 };
michael@0 107
michael@0 108 }
michael@0 109
michael@0 110 #endif /* __AccessCheck_h__ */

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial