js/xpconnect/wrappers/AccessCheck.h

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

     1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
     2 /* vim: set ts=8 sts=4 et sw=4 tw=99: */
     3 /* This Source Code Form is subject to the terms of the Mozilla Public
     4  * License, v. 2.0. If a copy of the MPL was not distributed with this
     5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     7 #ifndef __AccessCheck_h__
     8 #define __AccessCheck_h__
    10 #include "jswrapper.h"
    11 #include "js/Id.h"
    13 class nsIPrincipal;
    15 namespace xpc {
    // Static entry points that the wrapper policies in this header (and,
    // presumably, other XPConnect code) use to make access decisions. Only
    // declarations are visible here; the definitions live outside this header.
    //
    // NOTE(review): the per-function summaries below are inferred from the
    // names and signatures alone -- confirm against the implementation before
    // relying on them for a security decision.
    class AccessCheck {
      public:
        // Subsumption queries, by compartment and by object. Presumably "a
        // subsumes b" means a's principal may access everything b's may -- confirm.
        static bool subsumes(JSCompartment *a, JSCompartment *b);
        static bool subsumes(JSObject *a, JSObject *b);

        // Single-argument form taking only the wrapper. Which two parties are
        // compared is not visible from this declaration -- confirm.
        static bool wrapperSubsumes(JSObject *wrapper);

        // Variant of the compartment check that, going by its name, also takes
        // document.domain into account -- confirm.
        static bool subsumesConsideringDomain(JSCompartment *a, JSCompartment *b);

        // Privilege queries for a compartment, an object, and the current caller.
        // callerIsChrome() takes no arguments, so it must consult ambient state;
        // which state is not shown here.
        static bool isChrome(JSCompartment *compartment);
        static bool isChrome(JSObject *obj);
        static bool callerIsChrome();

        // Returns a raw nsIPrincipal pointer for the compartment. Ownership and
        // lifetime are not stated in this header -- confirm before storing it.
        static nsIPrincipal *getPrincipal(JSCompartment *compartment);

        // Decides whether action |act| on property |id| of |obj| is allowed across
        // origins. CrossOriginAccessiblePropertiesOnly::check() forwards to this.
        static bool isCrossOriginAccessPermitted(JSContext *cx,
                                                 JSObject *obj,
                                                 jsid id,
                                                 js::Wrapper::Action act);
    };
    // Empty common base for the wrapper access policies declared in this header.
    // It has no members; every policy below derives from it and supplies static
    // check() / deny() / allowNativeCall() functions.
    struct Policy {};
    34 // This policy allows no interaction with the underlying callable. Everything throws.
    struct Opaque : public Policy {
        // Access decision: no property and no action is ever permitted.
        static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
            return false;
        }

        // Failure mode for a refused access. Returning false matches this
        // policy's "everything throws" contract: a denial is never silent.
        static bool deny(js::Wrapper::Action act, JS::HandleId id) {
            return false;
        }

        // Native calls through the wrapper are refused as well.
        static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
            return false;
        }
    };
    47 // Like the above, but allows CALL.
    struct OpaqueWithCall : public Policy {
        // Access decision: CALL is the single permitted action; every other
        // action is refused regardless of |id|.
        static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
            const bool isCall = (act == js::Wrapper::CALL);
            return isCall;
        }

        // Failure mode for a refused access: never silent (same as Opaque).
        static bool deny(js::Wrapper::Action act, JS::HandleId id) {
            return false;
        }

        // Permitting CALL does not extend to native calls; those stay refused.
        static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
            return false;
        }
    };
    60 // This policy is designed to protect privileged callers from untrusted non-
    61 // Xrayable objects. Nothing is allowed, and nothing throws.
    struct GentlyOpaque : public Policy {
        // Access decision: nothing is permitted.
        static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
            return false;
        }

        // Failure mode for a refused access. Returning true for every action is
        // what makes this policy "gentle": refusals are silent, nothing throws.
        static bool deny(js::Wrapper::Action act, JS::HandleId id) {
            return true;
        }

        // nativeCall is let through because refusing it would throw (that
        // happens in SecurityWrapper::nativeCall), which this policy must not do.
        // The stated safety argument: the wrapper is only placed around
        // less-privileged objects held by more-privileged scopes, so unwrapping
        // here can only drop privileges.
        // NOTE(review): that placement is a precondition on the callers that
        // instantiate the wrapper. Nothing in this function checks it -- the
        // result is unconditionally true -- so confirm it at each use site.
        static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
            return true;
        }
    };
    79 // This policy only permits access to properties that are safe to be used
    80 // across origins.
    struct CrossOriginAccessiblePropertiesOnly : public Policy {
        // Access decision: delegated in full to
        // AccessCheck::isCrossOriginAccessPermitted(), so the set of properties
        // reachable across origins is defined there, not in this struct.
        static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
            const bool permitted = AccessCheck::isCrossOriginAccessPermitted(cx, wrapper, id, act);
            return permitted;
        }

        // Failure mode for a refused access: enumerate-like operations fail
        // silently (true); every other refused action is not silent (false).
        static bool deny(js::Wrapper::Action act, JS::HandleId id) {
            return act == js::Wrapper::ENUMERATE;
        }

        // Native calls through the wrapper are refused.
        static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
            return false;
        }
    };
    96 // This policy only permits access to properties if they appear in the
    97 // object's exposed properties list.
    struct ExposedPropertiesOnly : public Policy {
        // Access decision. Declared only; the lookup against the exposed
        // properties list is implemented outside this header.
        static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act);

        // Failure mode for a refused access: GET and ENUMERATE fail silently
        // (true); any other refused action is not silent (false).
        static bool deny(js::Wrapper::Action act, JS::HandleId id) {
            if (act == js::Wrapper::GET)
                return true;
            return act == js::Wrapper::ENUMERATE;
        }

        // Declared only; whether a native call is let through is decided in the
        // out-of-line definition, which is not visible here.
        static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
    };
   108 }
   110 #endif /* __AccessCheck_h__ */
