1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #ifndef _xpc_WRAPPERFACTORY_H
8 #define _xpc_WRAPPERFACTORY_H
9 
10 #include "js/Wrapper.h"
11 
12 namespace xpc {
13 
14 /**
15  * A wrapper that's only used for cross-origin objects. This should be
16  * just like a CrossCompartmentWrapper but (as an implementation
17  * detail) doesn't actually do any compartment-entering and (as an
18  * implementation detail) delegates all the security decisions and
19  * compartment-entering to the target object, which is always a
20  * proxy.
21  *
22  * We could also inherit from CrossCompartmentWrapper but then we
23  * would need to override all the proxy hooks to avoid the
24  * compartment-entering bits.
25  */
26 class CrossOriginObjectWrapper : public js::Wrapper {
27  public:
28   // We want to claim to have a security policy, so code doesn't just
29   // CheckedUnwrap us willy-nilly.  But we're OK with the BaseProxyHandler
30   // implementation of enter(), which allows entering.  Our target is what
31   // really does the security checks.
32   //
33   // We don't want to inherit from CrossCompartmentWrapper, because we don't
34   // want the compartment-entering behavior it has.  But we do want to set the
35   // CROSS_COMPARTMENT flag on js::Wrapper so that we test true for
36   // is<js::CrossCompartmentWrapperObject> and so forth.
CrossOriginObjectWrapper()37   constexpr explicit CrossOriginObjectWrapper()
38       : js::Wrapper(CROSS_COMPARTMENT, /* aHasPrototype = */ false,
39                     /* aHasSecurityPolicy = */ true) {}
40 
41   bool dynamicCheckedUnwrapAllowed(JS::HandleObject obj,
42                                    JSContext* cx) const override;
43 
44   static const CrossOriginObjectWrapper singleton;
45 };
46 
47 class WrapperFactory {
48  public:
49   enum {
50     WAIVE_XRAY_WRAPPER_FLAG = js::Wrapper::LAST_USED_FLAG << 1,
51     IS_XRAY_WRAPPER_FLAG = WAIVE_XRAY_WRAPPER_FLAG << 1
52   };
53 
54   // Return true if any of any of the nested wrappers have the flag set.
HasWrapperFlag(JSObject * wrapper,unsigned flag)55   static bool HasWrapperFlag(JSObject* wrapper, unsigned flag) {
56     unsigned flags = 0;
57     js::UncheckedUnwrap(wrapper, true, &flags);
58     return !!(flags & flag);
59   }
60 
IsXrayWrapper(JSObject * wrapper)61   static bool IsXrayWrapper(JSObject* wrapper) {
62     return HasWrapperFlag(wrapper, IS_XRAY_WRAPPER_FLAG);
63   }
64 
IsCrossOriginWrapper(JSObject * obj)65   static bool IsCrossOriginWrapper(JSObject* obj) {
66     return (js::IsProxy(obj) &&
67             js::GetProxyHandler(obj) == &CrossOriginObjectWrapper::singleton);
68   }
69 
70   static bool IsOpaqueWrapper(JSObject* obj);
71 
HasWaiveXrayFlag(JSObject * wrapper)72   static bool HasWaiveXrayFlag(JSObject* wrapper) {
73     return HasWrapperFlag(wrapper, WAIVE_XRAY_WRAPPER_FLAG);
74   }
75 
76   static bool IsCOW(JSObject* wrapper);
77 
78   static JSObject* GetXrayWaiver(JS::HandleObject obj);
79   // If allowExisting is true, there is an existing waiver for obj in
80   // its scope, but we want to replace it with the new one.
81   static JSObject* CreateXrayWaiver(JSContext* cx, JS::HandleObject obj,
82                                     bool allowExisting = false);
83   static JSObject* WaiveXray(JSContext* cx, JSObject* obj);
84 
85   // Computes whether we should allow the creation of an Xray waiver from
86   // |target| to |origin|.
87   static bool AllowWaiver(JS::Compartment* target, JS::Compartment* origin);
88 
89   // Convenience method for the above, operating on a wrapper.
90   static bool AllowWaiver(JSObject* wrapper);
91 
92   // Prepare a given object for wrapping in a new compartment.
93   static void PrepareForWrapping(JSContext* cx, JS::HandleObject scope,
94                                  JS::HandleObject origObj, JS::HandleObject obj,
95                                  JS::HandleObject objectPassedToWrap,
96                                  JS::MutableHandleObject retObj);
97 
98   // Rewrap an object that is about to cross compartment boundaries.
99   static JSObject* Rewrap(JSContext* cx, JS::HandleObject existing,
100                           JS::HandleObject obj);
101 
102   // Wrap wrapped object into a waiver wrapper and then re-wrap it.
103   static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandleValue vp);
104   static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandleObject object);
105 };
106 
107 }  // namespace xpc
108 
109 #endif /* _xpc_WRAPPERFACTORY_H */
110