mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 14:18:48 +00:00
roytam1
68ea640f88
- Bug 1246575 - Inline RegExp.prototype.{global,ignoreCase,multiline,sticky,unicode} getters. r=h4writer (4c1dd91f65)
- Bug 1240796 - Inline SIMD operations that return scalars. r=bbouvier (e9a4985d96)
- Bug 1241872: Fix inlining of SIMD extractLanes in self-hosting; r=jolesen (337ab5c171)
- Bug 1240796 - Detemplatize getOrCreateSimdTypeDescr(). r=bbouvier (d1721d193d)
- Bug 1240796 - Extract baseline code to GetTemplateObjectForSimd(). r=bbouvier (302921629a)
- Bug 1240796 - Connect SIMD.Uint32x4 operations to the Ion inliner. r=bbouvier (24a2e4801b)
- Bug 1243810: Remove storage class of SimdOperation; r=jolesen (b5f74d5d74)
- Bug 1224374 - Profiler labels for the 25 top chrome hangs;r=BenWa,MarcoZ (b0ee441936)
- Bug 1211401 - Use global message manager as parent of <iframe mozbrowser> MM (r=smaug,ahal) (496e94f133)
- When mix-blending, only copy intersecting backdrop pixels. (bug 1235995 part 2, r=mattwoodrow) (f3a2211866)
- Fix the backdrop copy rect in nested mix-blend containers. (bug 1241273, r=mstange) (00ae1f2375)
- Bug 1246403: Implement call_import when caller returns float32; r=luke (f59d6303a6)
- Bug 1239506 - Make console formatter return NaN instead of nan with %f;r=baku (44aa78fba7)
- Bug 1202735 - Add nsIObserver to avoid warning. r=eeejay (93bf7d87e7)
- Bug 1228134 - Should check media.webspeech.synth.enabled on Windows SAPI backend. r=eeejay (4e04c701cb)
- Bug 1003464 - Support Web Speech API synthesis via speech-dispatcher. r=kdavis (bc6c839f1d)
- Bug 1003452 - Implement OSX backend for WebSpeech Synthesis. r=eeejay (85c3b95baa)
- Bug 1223153 - Create new thread to enumerate voice items. r=eeejay (6246ad40a0)
- fix refptr (075d2a7614)
- Bug 1211974 - Implement nsIObserver in SpeechDispatcherService. r=smaug (1fe398291f)
- Bug 1227848 - Separate construction from off-main-thread setup in SpeechDispatcherService. r=smaug (df4e431ad0)
- Bug 1191667 - Part 1. Add onVolumeChanged method to nsISpeechTaskCallback. r=eitan (119271d432)
- Bug 1191667 - Part 2. Call onVolumeChanged when changing volume. r=eitan (9aeb12f90f)
- Bug 1191667 - Part 3. Call NotifyStartedPlaying to show audio indicator. r=eitan (7c0a62f004)
- Bug 1187151 (part 13) - Replace nsBaseHashtable::Enumerate() calls in dom/ with iterators. r=baku. (aac6428d17)
- Bug 1225928 - Fix hang on linux when sending an empty string to speech synth. r=smaug (f21d1d9c2e)
- Bug 1221520 - nullcheck for mSpeechdClient. r=eeejay (3b38bd7fda)
- Bug 1230428 - Part 1. Check mTask since end event is posted asynchronized. r=eeejay (5b5ecaddd8)
- Bug 1239494 - Followup to fix a spurious hazard analysis failure; r=meow (7c6eac2f31)
- Bug 1224374 - Profiler labels for the top 26-100 chrome hangs;r=BenWa (f3edb68e7e)
- Bug 1242214 - Rename JSPropertyDescriptor JS::PropertyDescriptor in js. r=sstangl (b5fa6fc75c)
- Bug 1242072 - Continue using getPropertyDescriptor for get in Sandbox. r=bholley (3315e39b91)
- Bug 1242072 - Continue using getPropertyDescriptor for get in XrayWrapper. r=bholley (d9506cbe6a)
- Bug 1242214 - Rename JSPropertyDescriptor JS::PropertyDescriptor everywhere else. r=smaug (f5bf388f8b)
- Bug 1239822: Part 1 - Add a close method to windowless browsers, and only destroy when safe. r=bz (28cd84032e)
- apply (and revert little bit of PM) Bug 1218364 - windowless browser windows should not crash on Troubleshoot. (2ef4a8e4f7)
- Bug 1224105 - [webext] Use <browser> element for background page (r=kmag) (34b4e7a807)
- Bug 1239822: Part 2a - [webext] Explicitly destroy windowless browsers on unload. r=billm (737d05f57c)
- Bug 1239822: Part 2b - Destroy windowless browsers created for add-on SDK page workers. (de9bcd0438)
- Bug 1239822: Part 2c - Destroy windowless browsers created by browser parsable CSS tests. r=gijs (6e04b09bc6)
- Bug 1217307 - Remove some unnecessary null checks in dom/xslt/. r=njn (4208056baf)
- Bug 1222624: Make XSLT stylesheet parsing use nsIPrincipals and nsIURIs rather than strings. r=peterv (34984e2115)
- Bug 1222475 - use UniquePtr<T[]> instead of nsAutoArrayPtr<T> in dom/; r=baku,bz,terrence (2d33fa1b22)
- Bug 1237445 - Use GCHashSet for BaseShapeSet and InitialShapeSet, r=terrence (a4c8056f3a)
- Bug 1244365 - Remove Traceable; r=sfink (5a7d3ed42e)
- Bug 1236473 - Do not merge scripts that didn't successfully compile. (r=jandem) (8f03cbd52c)
- Bug 1240416 Disallow setting GC mark stack size to zero, and assert on attempt to realloc() zero bytes r=terrence (f28ea7d8f3)
- Bug 1232113 - "Make the format specifiers in JS_snprintf() invocations more portable". r=sphink (deb4e3bd14)
- Bug 1232672 - Use MOZ_WARN_UNUSED_RESULT to make ordered hash table clients check for failure r=sfink (541737edf1)
- Bug 1220703 - Remove AutoDisableStoreBuffer; r=jonco (e1b44b7696)
- Bug 1236523 part 1 - Remove Shape NON_NATIVE flag. r=bhackett (64dfe2f282)
- Bug 1236523 part 2 - Cache isBigEnoughForAShapeTable on the Shape. r=bhackett (86b6c65dc6)
- Bug 1236523 part 3 - Templatize Shape::search and ShapeTable::search. r=bhackett (9ca2f75776)
293 lines
10 KiB
C++
293 lines
10 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "WindowNamedPropertiesHandler.h"
|
|
#include "mozilla/dom/EventTargetBinding.h"
|
|
#include "mozilla/dom/WindowBinding.h"
|
|
#include "nsContentUtils.h"
|
|
#include "nsDOMClassInfo.h"
|
|
#include "nsGlobalWindow.h"
|
|
#include "nsHTMLDocument.h"
|
|
#include "nsJSUtils.h"
|
|
#include "xpcprivate.h"
|
|
|
|
namespace mozilla {
|
|
namespace dom {
|
|
|
|
static bool
|
|
ShouldExposeChildWindow(nsString& aNameBeingResolved, nsIDOMWindow *aChild)
|
|
{
|
|
nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
|
|
NS_ENSURE_TRUE(piWin, false);
|
|
Element* e = piWin->GetFrameElementInternal();
|
|
if (e && e->IsInShadowTree()) {
|
|
return false;
|
|
}
|
|
|
|
// If we're same-origin with the child, go ahead and expose it.
|
|
nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild);
|
|
NS_ENSURE_TRUE(sop, false);
|
|
if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) {
|
|
return true;
|
|
}
|
|
|
|
// If we're not same-origin, expose it _only_ if the name of the browsing
|
|
// context matches the 'name' attribute of the frame element in the parent.
|
|
// The motivations behind this heuristic are worth explaining here.
|
|
//
|
|
// Historically, all UAs supported global named access to any child browsing
|
|
// context (that is to say, window.dolske returns a child frame where either
|
|
// the "name" attribute on the frame element was set to "dolske", or where
|
|
// the child explicitly set window.name = "dolske").
|
|
//
|
|
// This is problematic because it allows possibly-malicious and unrelated
|
|
// cross-origin subframes to pollute the global namespace of their parent in
|
|
// unpredictable ways (see bug 860494). This is also problematic for browser
|
|
// engines like Servo that want to run cross-origin script on different
|
|
// threads.
|
|
//
|
|
// The naive solution here would be to filter out any cross-origin subframes
|
|
// obtained when doing named lookup in global scope. But that is unlikely to
|
|
// be web-compatible, since it will break named access for consumers that do
|
|
// <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
|
|
// expect to be able to access the cross-origin subframe via named lookup on
|
|
// the global.
|
|
//
|
|
// The optimal behavior would be to do the following:
|
|
// (a) Look for any child browsing context with name="dolske".
|
|
// (b) If the result is cross-origin, null it out.
|
|
// (c) If we have null, look for a frame element whose 'name' attribute is
|
|
// "dolske".
|
|
//
|
|
// Unfortunately, (c) would require some engineering effort to be performant
|
|
// in Gecko, and probably in other UAs as well. So we go with a simpler
|
|
// approximation of the above. This approximation will only break sites that
|
|
// rely on their cross-origin subframes setting window.name to a known value,
|
|
// which is unlikely to be very common. And while it does introduce a
|
|
// dependency on cross-origin state when doing global lookups, it doesn't
|
|
// allow the child to arbitrarily pollute the parent namespace, and requires
|
|
// cross-origin communication only in a limited set of cases that can be
|
|
// computed independently by the parent.
|
|
return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
|
|
aNameBeingResolved, eCaseMatters);
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
bool /* unused */,
|
|
JS::MutableHandle<JS::PropertyDescriptor> aDesc)
|
|
const
|
|
{
|
|
if (!JSID_IS_STRING(aId)) {
|
|
// Nothing to do if we're resolving a non-string property.
|
|
return true;
|
|
}
|
|
|
|
bool hasOnPrototype;
|
|
if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) {
|
|
return false;
|
|
}
|
|
if (hasOnPrototype) {
|
|
return true;
|
|
}
|
|
|
|
nsAutoJSString str;
|
|
if (!str.init(aCx, JSID_TO_STRING(aId))) {
|
|
return false;
|
|
}
|
|
|
|
if (str.IsEmpty()) {
|
|
return true;
|
|
}
|
|
|
|
// Grab the DOM window.
|
|
JS::Rooted<JSObject*> global(aCx, JS_GetGlobalForObject(aCx, aProxy));
|
|
nsGlobalWindow* win = xpc::WindowOrNull(global);
|
|
if (win->Length() > 0) {
|
|
nsCOMPtr<nsIDOMWindow> childWin = win->GetChildWindow(str);
|
|
if (childWin && ShouldExposeChildWindow(str, childWin)) {
|
|
// We found a subframe of the right name. Shadowing via |var foo| in
|
|
// global scope is still allowed, since |var| only looks up |own|
|
|
// properties. But unqualified shadowing will fail, per-spec.
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, childWin, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
}
|
|
|
|
// The rest of this function is for HTML documents only.
|
|
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
|
|
if (!htmlDoc) {
|
|
return true;
|
|
}
|
|
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
|
|
|
|
Element* element = document->GetElementById(str);
|
|
if (element) {
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, element, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
|
|
nsWrapperCache* cache;
|
|
nsISupports* result = document->ResolveName(str, &cache);
|
|
if (!result) {
|
|
return true;
|
|
}
|
|
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, result, cache, nullptr, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::defineProperty(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
JS::Handle<JS::PropertyDescriptor> aDesc,
|
|
JS::ObjectOpResult &result) const
|
|
{
|
|
ErrorResult rv;
|
|
rv.ThrowTypeError<MSG_DEFINEPROPERTY_ON_GSP>();
|
|
rv.MaybeSetPendingException(aCx);
|
|
return false;
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
unsigned flags,
|
|
JS::AutoIdVector& aProps) const
|
|
{
|
|
if (!(flags & JSITER_HIDDEN)) {
|
|
// None of our named properties are enumerable.
|
|
return true;
|
|
}
|
|
|
|
// Grab the DOM window.
|
|
nsGlobalWindow* win = xpc::WindowOrNull(JS_GetGlobalForObject(aCx, aProxy));
|
|
nsTArray<nsString> names;
|
|
win->GetSupportedNames(names);
|
|
// Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
|
|
// We iterate backwards so we can remove things from the list easily.
|
|
for (size_t i = names.Length(); i > 0; ) {
|
|
--i; // Now we're pointing at the next name we want to look at
|
|
nsIDOMWindow* childWin = win->GetChildWindow(names[i]);
|
|
if (!childWin || !ShouldExposeChildWindow(names[i], childWin)) {
|
|
names.RemoveElementAt(i);
|
|
}
|
|
}
|
|
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
|
|
return false;
|
|
}
|
|
|
|
names.Clear();
|
|
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
|
|
if (!htmlDoc) {
|
|
return true;
|
|
}
|
|
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
|
|
document->GetSupportedNames(flags, names);
|
|
|
|
JS::AutoIdVector docProps(aCx);
|
|
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) {
|
|
return false;
|
|
}
|
|
|
|
return js::AppendUnique(aCx, aProps, docProps);
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::delete_(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
JS::ObjectOpResult &aResult) const
|
|
{
|
|
return aResult.failCantDeleteWindowNamedProperty();
|
|
}
|
|
|
|
static bool
|
|
ResolveWindowNamedProperty(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
|
|
JS::Handle<JSObject*> aObj, JS::Handle<jsid> aId,
|
|
JS::MutableHandle<JS::PropertyDescriptor> aDesc)
|
|
{
|
|
{
|
|
JSAutoCompartment ac(aCx, aObj);
|
|
if (!js::GetProxyHandler(aObj)->getOwnPropertyDescriptor(aCx, aObj, aId,
|
|
aDesc)) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (aDesc.object()) {
|
|
aDesc.object().set(aWrapper);
|
|
|
|
return JS_WrapPropertyDescriptor(aCx, aDesc);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool
|
|
EnumerateWindowNamedProperties(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
|
|
JS::Handle<JSObject*> aObj,
|
|
JS::AutoIdVector& aProps)
|
|
{
|
|
JSAutoCompartment ac(aCx, aObj);
|
|
return js::GetProxyHandler(aObj)->ownPropertyKeys(aCx, aObj, aProps);
|
|
}
|
|
|
|
const NativePropertyHooks sWindowNamedPropertiesNativePropertyHooks[] = { {
|
|
ResolveWindowNamedProperty,
|
|
EnumerateWindowNamedProperties,
|
|
{ nullptr, nullptr },
|
|
prototypes::id::_ID_Count,
|
|
constructors::id::_ID_Count,
|
|
nullptr
|
|
} };
|
|
|
|
static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = {
|
|
PROXY_CLASS_DEF("WindowProperties",
|
|
JSCLASS_IS_DOMIFACEANDPROTOJSCLASS),
|
|
eNamedPropertiesObject,
|
|
sWindowNamedPropertiesNativePropertyHooks,
|
|
"[object WindowProperties]",
|
|
prototypes::id::_ID_Count,
|
|
0,
|
|
EventTargetBinding::GetProtoObject
|
|
};
|
|
|
|
// static
|
|
JSObject*
|
|
WindowNamedPropertiesHandler::Create(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProto)
|
|
{
|
|
// Note: since the scope polluter proxy lives on the window's prototype
|
|
// chain, it needs a singleton type to avoid polluting type information
|
|
// for properties on the window.
|
|
JS::Rooted<JSObject*> gsp(aCx);
|
|
js::ProxyOptions options;
|
|
options.setSingleton(true);
|
|
options.setClass(&WindowNamedPropertiesClass.mBase);
|
|
return js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
|
|
JS::NullHandleValue, aProto,
|
|
options);
|
|
}
|
|
|
|
} // namespace dom
|
|
} // namespace mozilla
|