michael@0: /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
michael@0: /* vim: set ts=2 sw=2 et tw=78: */
michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: #include "WindowNamedPropertiesHandler.h"
michael@0: #include "mozilla/dom/WindowBinding.h"
michael@0: #include "nsDOMClassInfo.h"
michael@0: #include "nsGlobalWindow.h"
michael@0: #include "nsHTMLDocument.h"
michael@0: #include "nsJSUtils.h"
michael@0: #include "xpcprivate.h"
michael@0: 
michael@0: namespace mozilla {
michael@0: namespace dom {
michael@0: 
michael@0: static bool
michael@0: ShouldExposeChildWindow(nsString& aNameBeingResolved, nsIDOMWindow *aChild)
michael@0: {
michael@0:   // If we're same-origin with the child, go ahead and expose it.
michael@0:   nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild);
michael@0:   NS_ENSURE_TRUE(sop, false);
michael@0:   if (nsContentUtils::GetSubjectPrincipal()->Equals(sop->GetPrincipal())) {
michael@0:     return true;
michael@0:   }
michael@0: 
michael@0:   // If we're not same-origin, expose it _only_ if the name of the browsing
michael@0:   // context matches the 'name' attribute of the frame element in the parent.
michael@0:   // The motivations behind this heuristic are worth explaining here.
michael@0:   //
michael@0:   // Historically, all UAs supported global named access to any child browsing
michael@0:   // context (that is to say, window.dolske returns a child frame where either
michael@0:   // the "name" attribute on the frame element was set to "dolske", or where
michael@0:   // the child explicitly set window.name = "dolske").
michael@0:   //
michael@0:   // This is problematic because it allows possibly-malicious and unrelated
michael@0:   // cross-origin subframes to pollute the global namespace of their parent in
michael@0:   // unpredictable ways (see bug 860494). This is also problematic for browser
michael@0:   // engines like Servo that want to run cross-origin script on different
michael@0:   // threads.
michael@0:   //
michael@0:   // The naive solution here would be to filter out any cross-origin subframes
michael@0:   // obtained when doing named lookup in global scope. But that is unlikely to
michael@0:   // be web-compatible, since it will break named access for consumers that do
michael@0:   // <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
michael@0:   // expect to be able to access the cross-origin subframe via named lookup on
michael@0:   // the global.
michael@0:   //
michael@0:   // The optimal behavior would be to do the following:
michael@0:   // (a) Look for any child browsing context with name="dolske".
michael@0:   // (b) If the result is cross-origin, null it out.
michael@0:   // (c) If we have null, look for a frame element whose 'name' attribute is
michael@0:   //     "dolske".
michael@0:   //
michael@0:   // Unfortunately, (c) would require some engineering effort to be performant
michael@0:   // in Gecko, and probably in other UAs as well. So we go with a simpler
michael@0:   // approximation of the above. This approximation will only break sites that
michael@0:   // rely on their cross-origin subframes setting window.name to a known value,
michael@0:   // which is unlikely to be very common. And while it does introduce a
michael@0:   // dependency on cross-origin state when doing global lookups, it doesn't
michael@0:   // allow the child to arbitrarily pollute the parent namespace, and requires
michael@0:   // cross-origin communication only in a limited set of cases that can be
michael@0:   // computed independently by the parent.
michael@0:   nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
michael@0:   NS_ENSURE_TRUE(piWin, false);
michael@0:   Element* e = piWin->GetFrameElementInternal();
michael@0:   return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
michael@0:                              aNameBeingResolved, eCaseMatters);
michael@0: }
michael@0: 
michael@0: static nsGlobalWindow*
michael@0: GetWindowFromGlobal(JSObject* aGlobal)
michael@0: {
michael@0:   nsGlobalWindow* win;
michael@0:   if (NS_SUCCEEDED(UNWRAP_OBJECT(Window, aGlobal, win))) {
michael@0:     return win;
michael@0:   }
michael@0:   XPCWrappedNative* wrapper = XPCWrappedNative::Get(aGlobal);
michael@0:   nsCOMPtr<nsPIDOMWindow> piWin = do_QueryWrappedNative(wrapper);
michael@0:   MOZ_ASSERT(piWin);
michael@0:   return static_cast<nsGlobalWindow*>(piWin.get());
michael@0: }
michael@0: 
michael@0: bool
michael@0: WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx,
michael@0:                                                    JS::Handle<JSObject*> aProxy,
michael@0:                                                    JS::Handle<jsid> aId,
michael@0:                                                    bool /* unused */,
michael@0:                                                    JS::MutableHandle<JSPropertyDescriptor> aDesc)
michael@0: {
michael@0:   if (!JSID_IS_STRING(aId)) {
michael@0:     // Nothing to do if we're resolving a non-string property.
michael@0:     return true;
michael@0:   }
michael@0: 
michael@0:   JS::Rooted<JSObject*> global(aCx, JS_GetGlobalForObject(aCx, aProxy));
michael@0:   if (HasPropertyOnPrototype(aCx, aProxy, aId)) {
michael@0:     return true;
michael@0:   }
michael@0: 
michael@0:   nsDependentJSString str(aId);
michael@0: 
michael@0:   // Grab the DOM window.
michael@0:   nsGlobalWindow* win = GetWindowFromGlobal(global);
michael@0:   if (win->Length() > 0) {
michael@0:     nsCOMPtr<nsIDOMWindow> childWin = win->GetChildWindow(str);
michael@0:     if (childWin && ShouldExposeChildWindow(str, childWin)) {
michael@0:       // We found a subframe of the right name. Shadowing via |var foo| in
michael@0:       // global scope is still allowed, since |var| only looks up |own|
michael@0:       // properties. But unqualified shadowing will fail, per-spec.
michael@0:       JS::Rooted<JS::Value> v(aCx);
michael@0:       if (!WrapObject(aCx, childWin, &v)) {
michael@0:         return false;
michael@0:       }
michael@0:       aDesc.object().set(aProxy);
michael@0:       aDesc.value().set(v);
michael@0:       aDesc.setAttributes(JSPROP_ENUMERATE);
michael@0:       return true;
michael@0:     }
michael@0:   }
michael@0: 
michael@0:   // The rest of this function is for HTML documents only.
michael@0:   nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
michael@0:   if (!htmlDoc) {
michael@0:     return true;
michael@0:   }
michael@0:   nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
michael@0: 
michael@0:   Element* element = document->GetElementById(str);
michael@0:   if (element) {
michael@0:     JS::Rooted<JS::Value> v(aCx);
michael@0:     if (!WrapObject(aCx, element, &v)) {
michael@0:       return false;
michael@0:     }
michael@0:     aDesc.object().set(aProxy);
michael@0:     aDesc.value().set(v);
michael@0:     aDesc.setAttributes(JSPROP_ENUMERATE);
michael@0:     return true;
michael@0:   }
michael@0: 
michael@0:   nsWrapperCache* cache;
michael@0:   nsISupports* result = document->ResolveName(str, &cache);
michael@0:   if (!result) {
michael@0:     return true;
michael@0:   }
michael@0: 
michael@0:   JS::Rooted<JS::Value> v(aCx);
michael@0:   if (!WrapObject(aCx, result, cache, nullptr, &v)) {
michael@0:     return false;
michael@0:   }
michael@0:   aDesc.object().set(aProxy);
michael@0:   aDesc.value().set(v);
michael@0:   aDesc.setAttributes(JSPROP_ENUMERATE);
michael@0:   return true;
michael@0: }
michael@0: 
michael@0: bool
michael@0: WindowNamedPropertiesHandler::defineProperty(JSContext* aCx,
michael@0:                                              JS::Handle<JSObject*> aProxy,
michael@0:                                              JS::Handle<jsid> aId,
michael@0:                                              JS::MutableHandle<JSPropertyDescriptor> aDesc)
michael@0: {
michael@0:   ErrorResult rv;
michael@0:   rv.ThrowTypeError(MSG_DEFINEPROPERTY_ON_GSP);
michael@0:   rv.ReportTypeError(aCx);
michael@0:   return false;
michael@0: }
michael@0: 
michael@0: bool
michael@0: WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx,
michael@0:                                            JS::Handle<JSObject*> aProxy,
michael@0:                                            unsigned flags,
michael@0:                                            JS::AutoIdVector& aProps)
michael@0: {
michael@0:   // Grab the DOM window.
michael@0:   nsGlobalWindow* win = GetWindowFromGlobal(JS_GetGlobalForObject(aCx, aProxy));
michael@0:   nsTArray<nsString> names;
michael@0:   win->GetSupportedNames(names);
michael@0:   // Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
michael@0:   // We iterate backwards so we can remove things from the list easily.
michael@0:   for (size_t i = names.Length(); i > 0; ) {
michael@0:     --i; // Now we're pointing at the next name we want to look at
michael@0:     nsCOMPtr<nsIDOMWindow> childWin = win->GetChildWindow(names[i]);
michael@0:     if (!childWin || !ShouldExposeChildWindow(names[i], childWin)) {
michael@0:       names.RemoveElementAt(i);
michael@0:     }
michael@0:   }
michael@0:   if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
michael@0:     return false;
michael@0:   }
michael@0: 
michael@0:   names.Clear();
michael@0:   nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
michael@0:   if (!htmlDoc) {
michael@0:     return true;
michael@0:   }
michael@0:   nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
michael@0:   document->GetSupportedNames(flags, names);
michael@0: 
michael@0:   JS::AutoIdVector docProps(aCx);
michael@0:   if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) {
michael@0:     return false;
michael@0:   }
michael@0: 
michael@0:   return js::AppendUnique(aCx, aProps, docProps);
michael@0: }
michael@0: 
michael@0: bool
michael@0: WindowNamedPropertiesHandler::delete_(JSContext* aCx,
michael@0:                                       JS::Handle<JSObject*> aProxy,
michael@0:                                       JS::Handle<jsid> aId, bool* aBp)
michael@0: {
michael@0:   *aBp = false;
michael@0:   return true;
michael@0: }
michael@0: 
michael@0: // static
michael@0: void
michael@0: WindowNamedPropertiesHandler::Install(JSContext* aCx,
michael@0:                                       JS::Handle<JSObject*> aProto)
michael@0: {
michael@0:   JS::Rooted<JSObject*> protoProto(aCx);
michael@0:   if (!::JS_GetPrototype(aCx, aProto, &protoProto)) {
michael@0:     return;
michael@0:   }
michael@0: 
michael@0:   // Note: since the scope polluter proxy lives on the window's prototype
michael@0:   // chain, it needs a singleton type to avoid polluting type information
michael@0:   // for properties on the window.
michael@0:   JS::Rooted<JSObject*> gsp(aCx);
michael@0:   js::ProxyOptions options;
michael@0:   options.setSingleton(true);
michael@0:   gsp = js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
michael@0:                            JS::NullHandleValue, protoProto,
michael@0:                            js::GetGlobalForObjectCrossCompartment(aProto),
michael@0:                            options);
michael@0:   if (!gsp) {
michael@0:     return;
michael@0:   }
michael@0: 
michael@0:   // And then set the prototype of the interface prototype object to be the
michael@0:   // global scope polluter.
michael@0:   ::JS_SplicePrototype(aCx, aProto, gsp);
michael@0: }
michael@0: 
michael@0: } // namespace dom
michael@0: } // namespace mozilla