michael@0: /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ michael@0: // vim: ft=cpp tw=78 sw=2 et ts=2 michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* Utilities for managing the script settings object stack defined in webapps */ michael@0: michael@0: #ifndef mozilla_dom_ScriptSettings_h michael@0: #define mozilla_dom_ScriptSettings_h michael@0: michael@0: #include "nsCxPusher.h" michael@0: #include "MainThreadUtils.h" michael@0: #include "nsIGlobalObject.h" michael@0: #include "nsIPrincipal.h" michael@0: michael@0: #include "mozilla/Maybe.h" michael@0: michael@0: class nsIGlobalObject; michael@0: michael@0: namespace mozilla { michael@0: namespace dom { michael@0: michael@0: /* michael@0: * System-wide setup/teardown routines. Init and Destroy should be invoked michael@0: * once each, at startup and shutdown (respectively). michael@0: */ michael@0: void InitScriptSettings(); michael@0: void DestroyScriptSettings(); michael@0: michael@0: // This mostly gets the entry global, but doesn't entirely match the spec in michael@0: // certain edge cases. It's good enough for some purposes, but not others. If michael@0: // you want to call this function, ping bholley and describe your use-case. michael@0: nsIGlobalObject* BrokenGetEntryGlobal(); michael@0: michael@0: // Note: We don't yet expose GetEntryGlobal, because in order for it to be michael@0: // correct, we first need to replace a bunch of explicit cx pushing in the michael@0: // browser with AutoEntryScript. But GetIncumbentGlobal is simpler, because it michael@0: // can mostly be inferred from the JS stack. michael@0: nsIGlobalObject* GetIncumbentGlobal(); michael@0: michael@0: // JS-implemented WebIDL presents an interesting situation with respect to the michael@0: // subject principal. A regular C++-implemented API can simply examine the michael@0: // compartment of the most-recently-executed script, and use that to infer the michael@0: // responsible party. However, JS-implemented APIs are run with system michael@0: // principal, and thus clobber the subject principal of the script that michael@0: // invoked the API. So we have to do some extra work to keep track of this michael@0: // information. michael@0: // michael@0: // We therefore implement the following behavior: michael@0: // * Each Script Settings Object has an optional WebIDL Caller Principal field. michael@0: // This defaults to null. michael@0: // * When we push an Entry Point in preparation to run a JS-implemented WebIDL michael@0: // callback, we grab the subject principal at the time of invocation, and michael@0: // store that as the WebIDL Caller Principal. michael@0: // * When non-null, callers can query this principal from script via an API on michael@0: // Components.utils. michael@0: nsIPrincipal* GetWebIDLCallerPrincipal(); michael@0: michael@0: // This may be used by callers that know that their incumbent global is non- michael@0: // null (i.e. they know there have been no System Caller pushes since the michael@0: // inner-most script execution). michael@0: inline JSObject& IncumbentJSGlobal() michael@0: { michael@0: return *GetIncumbentGlobal()->GetGlobalJSObject(); michael@0: } michael@0: michael@0: class ScriptSettingsStack; michael@0: struct ScriptSettingsStackEntry { michael@0: nsCOMPtr mGlobalObject; michael@0: bool mIsCandidateEntryPoint; michael@0: michael@0: ScriptSettingsStackEntry(nsIGlobalObject *aGlobal, bool aCandidate) michael@0: : mGlobalObject(aGlobal) michael@0: , mIsCandidateEntryPoint(aCandidate) michael@0: { michael@0: MOZ_ASSERT(mGlobalObject); michael@0: MOZ_ASSERT(mGlobalObject->GetGlobalJSObject(), michael@0: "Must have an actual JS global for the duration on the stack"); michael@0: MOZ_ASSERT(JS_IsGlobalObject(mGlobalObject->GetGlobalJSObject()), michael@0: "No outer windows allowed"); michael@0: } michael@0: michael@0: ~ScriptSettingsStackEntry() { michael@0: // We must have an actual JS global for the entire time this is on the stack. michael@0: MOZ_ASSERT_IF(mGlobalObject, mGlobalObject->GetGlobalJSObject()); michael@0: } michael@0: michael@0: bool NoJSAPI() { return this == &NoJSAPISingleton; } michael@0: static ScriptSettingsStackEntry NoJSAPISingleton; michael@0: michael@0: private: michael@0: ScriptSettingsStackEntry() : mGlobalObject(nullptr) michael@0: , mIsCandidateEntryPoint(true) michael@0: {} michael@0: }; michael@0: michael@0: /* michael@0: * For any interaction with JSAPI, an AutoJSAPI (or one of its subclasses) michael@0: * must be on the stack. michael@0: * michael@0: * This base class should be instantiated as-is when the caller wants to use michael@0: * JSAPI but doesn't expect to run script. Its current duties are as-follows: michael@0: * michael@0: * * Grabbing an appropriate JSContext, and, on the main thread, pushing it onto michael@0: * the JSContext stack. michael@0: * * Entering a null compartment, so that the consumer is forced to select a michael@0: * compartment to enter before manipulating objects. michael@0: * michael@0: * Additionally, the following duties are planned, but not yet implemented: michael@0: * michael@0: * * De-poisoning the JSRuntime to allow manipulation of JSAPI. We can't michael@0: * actually implement this poisoning until all the JSContext pushing in the michael@0: * system goes through AutoJSAPI (see bug 951991). For now, this de-poisoning michael@0: * effectively corresponds to having a non-null cx on the stack. michael@0: * * Reporting any exceptions left on the JSRuntime, unless the caller steals michael@0: * or silences them. michael@0: * * Entering a JSAutoRequest. At present, this is handled by the cx pushing michael@0: * on the main thread, and by other code on workers. Depending on the order michael@0: * in which various cleanup lands, this may never be necessary, because michael@0: * JSAutoRequests may go away. michael@0: * michael@0: * In situations where the consumer expects to run script, AutoEntryScript michael@0: * should be used, which does additional manipulation of the script settings michael@0: * stack. In bug 991758, we'll add hard invariants to SpiderMonkey, such that michael@0: * any attempt to run script without an AutoEntryScript on the stack will michael@0: * fail. This prevents system code from accidentally triggering script michael@0: * execution at inopportune moments via surreptitious getters and proxies. michael@0: */ michael@0: class AutoJSAPI { michael@0: public: michael@0: // Public constructor for use when the base class is constructed as-is. It michael@0: // uses the SafeJSContext (or worker equivalent), and enters a null michael@0: // compartment. michael@0: AutoJSAPI(); michael@0: JSContext* cx() const { return mCx; } michael@0: michael@0: bool CxPusherIsStackTop() { return mCxPusher.ref().IsStackTop(); } michael@0: michael@0: protected: michael@0: // Protected constructor, allowing subclasses to specify a particular cx to michael@0: // be used. michael@0: AutoJSAPI(JSContext *aCx, bool aIsMainThread, bool aSkipNullAC = false); michael@0: michael@0: private: michael@0: mozilla::Maybe mCxPusher; michael@0: mozilla::Maybe mNullAc; michael@0: JSContext *mCx; michael@0: }; michael@0: michael@0: // Note - the ideal way to implement this is with an accessor on AutoJSAPI michael@0: // that lets us select the error reporting target. But at present, michael@0: // implementing it that way would require us to destroy and reconstruct michael@0: // mCxPusher, which is pretty wasteful. So we do this for now, since it should michael@0: // be pretty easy to switch things over later. michael@0: // michael@0: // This should only be used on the main thread. michael@0: class AutoJSAPIWithErrorsReportedToWindow : public AutoJSAPI { michael@0: public: michael@0: AutoJSAPIWithErrorsReportedToWindow(nsIScriptContext* aScx); michael@0: // Equivalent to AutoJSAPI if aGlobal is not a Window. michael@0: AutoJSAPIWithErrorsReportedToWindow(nsIGlobalObject* aGlobalObject); michael@0: }; michael@0: michael@0: /* michael@0: * A class that represents a new script entry point. michael@0: */ michael@0: class AutoEntryScript : public AutoJSAPI, michael@0: protected ScriptSettingsStackEntry { michael@0: public: michael@0: AutoEntryScript(nsIGlobalObject* aGlobalObject, michael@0: bool aIsMainThread = NS_IsMainThread(), michael@0: // Note: aCx is mandatory off-main-thread. michael@0: JSContext* aCx = nullptr); michael@0: ~AutoEntryScript(); michael@0: michael@0: void SetWebIDLCallerPrincipal(nsIPrincipal *aPrincipal) { michael@0: mWebIDLCallerPrincipal = aPrincipal; michael@0: } michael@0: michael@0: private: michael@0: JSAutoCompartment mAc; michael@0: dom::ScriptSettingsStack& mStack; michael@0: nsCOMPtr mWebIDLCallerPrincipal; michael@0: friend nsIPrincipal* GetWebIDLCallerPrincipal(); michael@0: }; michael@0: michael@0: /* michael@0: * A class that can be used to force a particular incumbent script on the stack. michael@0: */ michael@0: class AutoIncumbentScript : protected ScriptSettingsStackEntry { michael@0: public: michael@0: AutoIncumbentScript(nsIGlobalObject* aGlobalObject); michael@0: ~AutoIncumbentScript(); michael@0: private: michael@0: dom::ScriptSettingsStack& mStack; michael@0: JS::AutoHideScriptedCaller mCallerOverride; michael@0: }; michael@0: michael@0: /* michael@0: * A class to put the JS engine in an unusable state. The subject principal michael@0: * will become System, the information on the script settings stack is michael@0: * rendered inaccessible, and JSAPI may not be manipulated until the class is michael@0: * either popped or an AutoJSAPI instance is subsequently pushed. michael@0: * michael@0: * This class may not be instantiated if an exception is pending. michael@0: */ michael@0: class AutoNoJSAPI { michael@0: public: michael@0: AutoNoJSAPI(bool aIsMainThread = NS_IsMainThread()); michael@0: ~AutoNoJSAPI(); michael@0: private: michael@0: dom::ScriptSettingsStack& mStack; michael@0: mozilla::Maybe mCxPusher; michael@0: }; michael@0: michael@0: } // namespace dom michael@0: } // namespace mozilla michael@0: michael@0: #endif // mozilla_dom_ScriptSettings_h