/src/mozilla-central/dom/base/WindowNamedPropertiesHandler.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
2 | | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ |
3 | | /* This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "WindowNamedPropertiesHandler.h" |
8 | | #include "mozilla/dom/EventTargetBinding.h" |
9 | | #include "mozilla/dom/WindowBinding.h" |
10 | | #include "nsContentUtils.h" |
11 | | #include "nsDOMWindowList.h" |
12 | | #include "nsGlobalWindow.h" |
13 | | #include "nsHTMLDocument.h" |
14 | | #include "nsJSUtils.h" |
15 | | #include "xpcprivate.h" |
16 | | |
17 | | namespace mozilla { |
18 | | namespace dom { |
19 | | |
20 | | static bool |
21 | | ShouldExposeChildWindow(nsString& aNameBeingResolved, nsPIDOMWindowOuter* aChild) |
22 | 0 | { |
23 | 0 | Element* e = aChild->GetFrameElementInternal(); |
24 | 0 | if (e && e->IsInShadowTree()) { |
25 | 0 | return false; |
26 | 0 | } |
27 | 0 | |
28 | 0 | // If we're same-origin with the child, go ahead and expose it. |
29 | 0 | nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild); |
30 | 0 | NS_ENSURE_TRUE(sop, false); |
31 | 0 | if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) { |
32 | 0 | return true; |
33 | 0 | } |
34 | 0 | |
35 | 0 | // If we're not same-origin, expose it _only_ if the name of the browsing |
36 | 0 | // context matches the 'name' attribute of the frame element in the parent. |
37 | 0 | // The motivations behind this heuristic are worth explaining here. |
38 | 0 | // |
39 | 0 | // Historically, all UAs supported global named access to any child browsing |
40 | 0 | // context (that is to say, window.dolske returns a child frame where either |
41 | 0 | // the "name" attribute on the frame element was set to "dolske", or where |
42 | 0 | // the child explicitly set window.name = "dolske"). |
43 | 0 | // |
44 | 0 | // This is problematic because it allows possibly-malicious and unrelated |
45 | 0 | // cross-origin subframes to pollute the global namespace of their parent in |
46 | 0 | // unpredictable ways (see bug 860494). This is also problematic for browser |
47 | 0 | // engines like Servo that want to run cross-origin script on different |
48 | 0 | // threads. |
49 | 0 | // |
50 | 0 | // The naive solution here would be to filter out any cross-origin subframes |
51 | 0 | // obtained when doing named lookup in global scope. But that is unlikely to |
52 | 0 | // be web-compatible, since it will break named access for consumers that do |
53 | 0 | // <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and |
54 | 0 | // expect to be able to access the cross-origin subframe via named lookup on |
55 | 0 | // the global. |
56 | 0 | // |
57 | 0 | // The optimal behavior would be to do the following: |
58 | 0 | // (a) Look for any child browsing context with name="dolske". |
59 | 0 | // (b) If the result is cross-origin, null it out. |
60 | 0 | // (c) If we have null, look for a frame element whose 'name' attribute is |
61 | 0 | // "dolske". |
62 | 0 | // |
63 | 0 | // Unfortunately, (c) would require some engineering effort to be performant |
64 | 0 | // in Gecko, and probably in other UAs as well. So we go with a simpler |
65 | 0 | // approximation of the above. This approximation will only break sites that |
66 | 0 | // rely on their cross-origin subframes setting window.name to a known value, |
67 | 0 | // which is unlikely to be very common. And while it does introduce a |
68 | 0 | // dependency on cross-origin state when doing global lookups, it doesn't |
69 | 0 | // allow the child to arbitrarily pollute the parent namespace, and requires |
70 | 0 | // cross-origin communication only in a limited set of cases that can be |
71 | 0 | // computed independently by the parent. |
72 | 0 | return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name, |
73 | 0 | aNameBeingResolved, eCaseMatters); |
74 | 0 | } |
75 | | |
76 | | bool |
77 | | WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx, |
78 | | JS::Handle<JSObject*> aProxy, |
79 | | JS::Handle<jsid> aId, |
80 | | bool /* unused */, |
81 | | JS::MutableHandle<JS::PropertyDescriptor> aDesc) |
82 | | const |
83 | 0 | { |
84 | 0 | if (!JSID_IS_STRING(aId)) { |
85 | 0 | // Nothing to do if we're resolving a non-string property. |
86 | 0 | return true; |
87 | 0 | } |
88 | 0 | |
89 | 0 | bool hasOnPrototype; |
90 | 0 | if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) { |
91 | 0 | return false; |
92 | 0 | } |
93 | 0 | if (hasOnPrototype) { |
94 | 0 | return true; |
95 | 0 | } |
96 | 0 | |
97 | 0 | nsAutoJSString str; |
98 | 0 | if (!str.init(aCx, JSID_TO_STRING(aId))) { |
99 | 0 | return false; |
100 | 0 | } |
101 | 0 | |
102 | 0 | if(str.IsEmpty()) { |
103 | 0 | return true; |
104 | 0 | } |
105 | 0 | |
106 | 0 | // Grab the DOM window. |
107 | 0 | nsGlobalWindowInner* win = xpc::WindowGlobalOrNull(aProxy); |
108 | 0 | if (win->Length() > 0) { |
109 | 0 | nsCOMPtr<nsPIDOMWindowOuter> childWin = win->GetChildWindow(str); |
110 | 0 | if (childWin && ShouldExposeChildWindow(str, childWin)) { |
111 | 0 | // We found a subframe of the right name. Shadowing via |var foo| in |
112 | 0 | // global scope is still allowed, since |var| only looks up |own| |
113 | 0 | // properties. But unqualified shadowing will fail, per-spec. |
114 | 0 | JS::Rooted<JS::Value> v(aCx); |
115 | 0 | if (!ToJSValue(aCx, nsGlobalWindowOuter::Cast(childWin), &v)) { |
116 | 0 | return false; |
117 | 0 | } |
118 | 0 | FillPropertyDescriptor(aDesc, aProxy, 0, v); |
119 | 0 | return true; |
120 | 0 | } |
121 | 0 | } |
122 | 0 |
|
123 | 0 | // The rest of this function is for HTML documents only. |
124 | 0 | nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc()); |
125 | 0 | if (!htmlDoc) { |
126 | 0 | return true; |
127 | 0 | } |
128 | 0 | nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get()); |
129 | 0 |
|
130 | 0 | JS::Rooted<JS::Value> v(aCx); |
131 | 0 | Element* element = document->GetElementById(str); |
132 | 0 | if (element) { |
133 | 0 | if (!ToJSValue(aCx, element, &v)) { |
134 | 0 | return false; |
135 | 0 | } |
136 | 0 | FillPropertyDescriptor(aDesc, aProxy, 0, v); |
137 | 0 | return true; |
138 | 0 | } |
139 | 0 | |
140 | 0 | ErrorResult rv; |
141 | 0 | bool found = document->ResolveName(aCx, str, &v, rv); |
142 | 0 | if (rv.MaybeSetPendingException(aCx)) { |
143 | 0 | return false; |
144 | 0 | } |
145 | 0 | |
146 | 0 | if (found) { |
147 | 0 | FillPropertyDescriptor(aDesc, aProxy, 0, v); |
148 | 0 | } |
149 | 0 | return true; |
150 | 0 | } |
151 | | |
152 | | bool |
153 | | WindowNamedPropertiesHandler::defineProperty(JSContext* aCx, |
154 | | JS::Handle<JSObject*> aProxy, |
155 | | JS::Handle<jsid> aId, |
156 | | JS::Handle<JS::PropertyDescriptor> aDesc, |
157 | | JS::ObjectOpResult &result) const |
158 | 0 | { |
159 | 0 | ErrorResult rv; |
160 | 0 | rv.ThrowTypeError<MSG_DEFINEPROPERTY_ON_GSP>(); |
161 | 0 | MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(aCx)); |
162 | 0 | return false; |
163 | 0 | } |
164 | | |
165 | | bool |
166 | | WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx, |
167 | | JS::Handle<JSObject*> aProxy, |
168 | | unsigned flags, |
169 | | JS::AutoIdVector& aProps) const |
170 | 0 | { |
171 | 0 | if (!(flags & JSITER_HIDDEN)) { |
172 | 0 | // None of our named properties are enumerable. |
173 | 0 | return true; |
174 | 0 | } |
175 | 0 | |
176 | 0 | // Grab the DOM window. |
177 | 0 | nsGlobalWindowInner* win = xpc::WindowGlobalOrNull(aProxy); |
178 | 0 | nsTArray<nsString> names; |
179 | 0 | // The names live on the outer window, which might be null |
180 | 0 | nsGlobalWindowOuter* outer = win->GetOuterWindowInternal(); |
181 | 0 | if (outer) { |
182 | 0 | nsDOMWindowList* childWindows = outer->GetFrames(); |
183 | 0 | if (childWindows) { |
184 | 0 | uint32_t length = childWindows->GetLength(); |
185 | 0 | for (uint32_t i = 0; i < length; ++i) { |
186 | 0 | nsCOMPtr<nsIDocShellTreeItem> item = |
187 | 0 | childWindows->GetDocShellTreeItemAt(i); |
188 | 0 | // This is a bit silly, since we could presumably just do |
189 | 0 | // item->GetWindow(). But it's not obvious whether this does the same |
190 | 0 | // thing as GetChildWindow() with the item's name (due to the complexity |
191 | 0 | // of FindChildWithName). Since GetChildWindow is what we use in |
192 | 0 | // getOwnPropDescriptor, let's try to be consistent. |
193 | 0 | nsString name; |
194 | 0 | item->GetName(name); |
195 | 0 | if (!names.Contains(name)) { |
196 | 0 | // Make sure we really would expose it from getOwnPropDescriptor. |
197 | 0 | nsCOMPtr<nsPIDOMWindowOuter> childWin = win->GetChildWindow(name); |
198 | 0 | if (childWin && ShouldExposeChildWindow(name, childWin)) { |
199 | 0 | names.AppendElement(name); |
200 | 0 | } |
201 | 0 | } |
202 | 0 | } |
203 | 0 | } |
204 | 0 | } |
205 | 0 | if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) { |
206 | 0 | return false; |
207 | 0 | } |
208 | 0 | |
209 | 0 | names.Clear(); |
210 | 0 | nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc()); |
211 | 0 | if (!htmlDoc) { |
212 | 0 | return true; |
213 | 0 | } |
214 | 0 | nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get()); |
215 | 0 | // Document names are enumerable, so we want to get them no matter what flags |
216 | 0 | // is. |
217 | 0 | document->GetSupportedNames(names); |
218 | 0 |
|
219 | 0 | JS::AutoIdVector docProps(aCx); |
220 | 0 | if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) { |
221 | 0 | return false; |
222 | 0 | } |
223 | 0 | |
224 | 0 | return js::AppendUnique(aCx, aProps, docProps); |
225 | 0 | } |
226 | | |
227 | | bool |
228 | | WindowNamedPropertiesHandler::delete_(JSContext* aCx, |
229 | | JS::Handle<JSObject*> aProxy, |
230 | | JS::Handle<jsid> aId, |
231 | | JS::ObjectOpResult &aResult) const |
232 | 0 | { |
233 | 0 | return aResult.failCantDeleteWindowNamedProperty(); |
234 | 0 | } |
235 | | |
236 | | // Note that this class doesn't need any reserved slots, but SpiderMonkey |
237 | | // asserts all proxy classes have at least one reserved slot. |
238 | | static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = { |
239 | | PROXY_CLASS_DEF("WindowProperties", |
240 | | JSCLASS_IS_DOMIFACEANDPROTOJSCLASS | |
241 | | JSCLASS_HAS_RESERVED_SLOTS(1)), |
242 | | eNamedPropertiesObject, |
243 | | false, |
244 | | prototypes::id::_ID_Count, |
245 | | 0, |
246 | | &sEmptyNativePropertyHooks, |
247 | | "[object WindowProperties]", |
248 | | EventTarget_Binding::GetProtoObject |
249 | | }; |
250 | | |
251 | | // static |
252 | | JSObject* |
253 | | WindowNamedPropertiesHandler::Create(JSContext* aCx, |
254 | | JS::Handle<JSObject*> aProto) |
255 | 0 | { |
256 | 0 | // Note: since the scope polluter proxy lives on the window's prototype |
257 | 0 | // chain, it needs a singleton type to avoid polluting type information |
258 | 0 | // for properties on the window. |
259 | 0 | js::ProxyOptions options; |
260 | 0 | options.setSingleton(true); |
261 | 0 | options.setClass(&WindowNamedPropertiesClass.mBase); |
262 | 0 |
|
263 | 0 | JS::Rooted<JSObject*> gsp(aCx); |
264 | 0 | gsp = js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(), |
265 | 0 | JS::NullHandleValue, aProto, |
266 | 0 | options); |
267 | 0 | if (!gsp) { |
268 | 0 | return nullptr; |
269 | 0 | } |
270 | 0 | |
271 | 0 | bool succeeded; |
272 | 0 | if (!JS_SetImmutablePrototype(aCx, gsp, &succeeded)) { |
273 | 0 | return nullptr; |
274 | 0 | } |
275 | 0 | MOZ_ASSERT(succeeded, |
276 | 0 | "errors making the [[Prototype]] of the named properties object " |
277 | 0 | "immutable should have been JSAPI failures, not !succeeded"); |
278 | 0 |
|
279 | 0 | return gsp; |
280 | 0 | } |
281 | | |
282 | | } // namespace dom |
283 | | } // namespace mozilla |