js/public/Principals.h@97036ab72558 (annotated)
js/public/Principals.h
Tue, 06 Jan 2015 21:39:09 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Tue, 06 Jan 2015 21:39:09 +0100
- branch
- TOR_BUG_9701
- changeset 8
- 97036ab72558
- permissions
- -rw-r--r--
Conditionally force memory storage according to privacy.thirdparty.isolate;
This solves Tor bug #9701, complying with disk avoidance documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- |
| michael@0 | 2 | * vim: set ts=8 sts=4 et sw=4 tw=99: |
| michael@0 | 3 | * This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | /* JSPrincipals and related interfaces. */ |
| michael@0 | 8 | |
| michael@0 | 9 | #ifndef js_Principals_h |
| michael@0 | 10 | #define js_Principals_h |
| michael@0 | 11 | |
| michael@0 | 12 | #include "mozilla/Atomics.h" |
| michael@0 | 13 | |
| michael@0 | 14 | #include <stdint.h> |
| michael@0 | 15 | |
| michael@0 | 16 | #include "jspubtd.h" |
| michael@0 | 17 | |
| michael@0 | 18 | struct JSPrincipals { |
| michael@0 | 19 | /* Don't call "destroy"; use reference counting macros below. */ |
| michael@0 | 20 | #ifdef JS_THREADSAFE |
| michael@0 | 21 | mozilla::Atomic<int32_t> refcount; |
| michael@0 | 22 | #else |
| michael@0 | 23 | int32_t refcount; |
| michael@0 | 24 | #endif |
| michael@0 | 25 | |
| michael@0 | 26 | #ifdef JS_DEBUG |
| michael@0 | 27 | /* A helper to facilitate principals debugging. */ |
| michael@0 | 28 | uint32_t debugToken; |
| michael@0 | 29 | #endif |
| michael@0 | 30 | |
| michael@0 | 31 | void setDebugToken(uint32_t token) { |
| michael@0 | 32 | # ifdef JS_DEBUG |
| michael@0 | 33 | debugToken = token; |
| michael@0 | 34 | # endif |
| michael@0 | 35 | } |
| michael@0 | 36 | |
| michael@0 | 37 | /* |
| michael@0 | 38 | * This is not defined by the JS engine but should be provided by the |
| michael@0 | 39 | * embedding. |
| michael@0 | 40 | */ |
| michael@0 | 41 | JS_PUBLIC_API(void) dump(); |
| michael@0 | 42 | }; |
| michael@0 | 43 | |
| michael@0 | 44 | extern JS_PUBLIC_API(void) |
| michael@0 | 45 | JS_HoldPrincipals(JSPrincipals *principals); |
| michael@0 | 46 | |
| michael@0 | 47 | extern JS_PUBLIC_API(void) |
| michael@0 | 48 | JS_DropPrincipals(JSRuntime *rt, JSPrincipals *principals); |
| michael@0 | 49 | |
| michael@0 | 50 | // Return whether the first principal subsumes the second. The exact meaning of |
| michael@0 | 51 | // 'subsumes' is left up to the browser. Subsumption is checked inside the JS |
| michael@0 | 52 | // engine when determining, e.g., which stack frames to display in a backtrace. |
| michael@0 | 53 | typedef bool |
| michael@0 | 54 | (* JSSubsumesOp)(JSPrincipals *first, JSPrincipals *second); |
| michael@0 | 55 | |
| michael@0 | 56 | /* |
| michael@0 | 57 | * Used to check if a CSP instance wants to disable eval() and friends. |
| michael@0 | 58 | * See js_CheckCSPPermitsJSAction() in jsobj. |
| michael@0 | 59 | */ |
| michael@0 | 60 | typedef bool |
| michael@0 | 61 | (* JSCSPEvalChecker)(JSContext *cx); |
| michael@0 | 62 | |
| michael@0 | 63 | struct JSSecurityCallbacks { |
| michael@0 | 64 | JSCSPEvalChecker contentSecurityPolicyAllows; |
| michael@0 | 65 | JSSubsumesOp subsumes; |
| michael@0 | 66 | }; |
| michael@0 | 67 | |
| michael@0 | 68 | extern JS_PUBLIC_API(void) |
| michael@0 | 69 | JS_SetSecurityCallbacks(JSRuntime *rt, const JSSecurityCallbacks *callbacks); |
| michael@0 | 70 | |
| michael@0 | 71 | extern JS_PUBLIC_API(const JSSecurityCallbacks *) |
| michael@0 | 72 | JS_GetSecurityCallbacks(JSRuntime *rt); |
| michael@0 | 73 | |
| michael@0 | 74 | /* |
| michael@0 | 75 | * Code running with "trusted" principals will be given a deeper stack |
| michael@0 | 76 | * allocation than ordinary scripts. This allows trusted script to run after |
| michael@0 | 77 | * untrusted script has exhausted the stack. This function sets the |
| michael@0 | 78 | * runtime-wide trusted principal. |
| michael@0 | 79 | * |
| michael@0 | 80 | * This principals is not held (via JS_HoldPrincipals/JS_DropPrincipals) since |
| michael@0 | 81 | * there is no available JSContext. Instead, the caller must ensure that the |
| michael@0 | 82 | * given principals stays valid for as long as 'rt' may point to it. If the |
| michael@0 | 83 | * principals would be destroyed before 'rt', JS_SetTrustedPrincipals must be |
| michael@0 | 84 | * called again, passing nullptr for 'prin'. |
| michael@0 | 85 | */ |
| michael@0 | 86 | extern JS_PUBLIC_API(void) |
| michael@0 | 87 | JS_SetTrustedPrincipals(JSRuntime *rt, const JSPrincipals *prin); |
| michael@0 | 88 | |
| michael@0 | 89 | typedef void |
| michael@0 | 90 | (* JSDestroyPrincipalsOp)(JSPrincipals *principals); |
| michael@0 | 91 | |
| michael@0 | 92 | /* |
| michael@0 | 93 | * Initialize the callback that is called to destroy JSPrincipals instance |
| michael@0 | 94 | * when its reference counter drops to zero. The initialization can be done |
| michael@0 | 95 | * only once per JS runtime. |
| michael@0 | 96 | */ |
| michael@0 | 97 | extern JS_PUBLIC_API(void) |
| michael@0 | 98 | JS_InitDestroyPrincipalsCallback(JSRuntime *rt, JSDestroyPrincipalsOp destroyPrincipals); |
| michael@0 | 99 | |
| michael@0 | 100 | #endif /* js_Principals_h */ |
