js/xpconnect/wrappers/AccessCheck.h

changeset 0
6474c204b198
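--- /dev/null
+++ b/js/xpconnect/wrappers/AccessCheck.h
@@ -0,0 +1,110 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/* vim: set ts=8 sts=4 et sw=4 tw=99: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __AccessCheck_h__
+#define __AccessCheck_h__
+
+#include "jswrapper.h"
+#include "js/Id.h"
+
+class nsIPrincipal;
+
+namespace xpc {
+
+class AccessCheck {
+  public:
+    static bool subsumes(JSCompartment *a, JSCompartment *b);
+    static bool subsumes(JSObject *a, JSObject *b);
+    static bool wrapperSubsumes(JSObject *wrapper);
+    static bool subsumesConsideringDomain(JSCompartment *a, JSCompartment *b);
+    static bool isChrome(JSCompartment *compartment);
+    static bool isChrome(JSObject *obj);
+    static bool callerIsChrome();
+    static nsIPrincipal *getPrincipal(JSCompartment *compartment);
+    static bool isCrossOriginAccessPermitted(JSContext *cx, JSObject *obj, jsid id,
+                                             js::Wrapper::Action act);
+};
+
+struct Policy {
+};
+
+// This policy allows no interaction with the underlying callable. Everything throws.
+struct Opaque : public Policy {
+    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
+        return false;
+    }
+    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
+        return false;
+    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
+        return false;
+    }
+};
+
+// Like the above, but allows CALL.
+struct OpaqueWithCall : public Policy {
+    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
+        return act == js::Wrapper::CALL;
+    }
+    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
+        return false;
+    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
+        return false;
+    }
+};
+
+// This policy is designed to protect privileged callers from untrusted non-
+// Xrayable objects. Nothing is allowed, and nothing throws.
+struct GentlyOpaque : public Policy {
+    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
+        return false;
+    }
+    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
+        return true;
+    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
+        // We allow nativeCall here because the alternative is throwing (which
+        // happens in SecurityWrapper::nativeCall), which we don't want. There's
+        // unlikely to be too much harm to letting this through, because this
+        // wrapper is only used to wrap less-privileged objects in more-privileged
+        // scopes, so unwrapping here only drops privileges.
+        return true;
+    }
+};
+
+// This policy only permits access to properties that are safe to be used
+// across origins.
+struct CrossOriginAccessiblePropertiesOnly : public Policy {
+    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
+        return AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
+    }
+    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
+        // Silently fail for enumerate-like operations.
+        if (act == js::Wrapper::ENUMERATE)
+            return true;
+        return false;
+    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
+        return false;
+    }
+};
+
+// This policy only permits access to properties if they appear in the
+// objects exposed properties list.
+struct ExposedPropertiesOnly : public Policy {
+    static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);
+
+    static bool deny(js::Wrapper::Action act, JS::HandleId id) {
+        // Fail silently for GETs and ENUMERATEs.
+        return act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE;
+    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
+};
+
+}
+
+#endif /* __AccessCheck_h__ */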
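Review bot: The empty `struct Policy` near the top of the hunk carries no documentation of the contract that the five policies below it implement, so a reader has to reverse-engineer the meaning of the three static hooks from the per-policy comments (`deny` returning true means "fail silently" per the ENUMERATE/GET comments in CrossOriginAccessiblePropertiesOnly and ExposedPropertiesOnly; `check` returning true means the access is permitted, as the CrossOriginAccessiblePropertiesOnly forwarding to `isCrossOriginAccessPermitted` suggests). Since `Policy` is only a tag type and nothing enforces the interface at compile time, the header comment is the only place a new policy author learns that all three hooks are required and what each return value commits the wrapper to doing, which matters because a wrong default here is a silent security-policy change. I would add above `struct Policy`: `// Tag base for wrapper security policies. Each policy provides static check() (true = access permitted), deny() (true = fail silently, false = throw) and allowNativeCall().` The `deny` semantics for the non-silent case are inferred from the "Everything throws" comment on Opaque rather than stated explicitly in this file, so that part should be confirmed against the wrapper code that calls it.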
