mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 13:23:07 +00:00
roytam1
520d6b7062
- Don't upgrade gfx features after device resets. (bug 1183910 part 5, r=mattwoodrow) (e53d0f91f) - Use the same graphics device parameters across processes. (bug 1183910 part 7, r=mattwoodrow) (083ae4f15) - Rename DriverInitCrashDetection to DriverCrashGuard. (bug 1190281 part 2, r=mattwoodrow) (9bd189d09) - Make DriverCrashGuard initialization lazy. (bug 1190281 part 3, r=mattwoodrow) (6821dc386) - Pull D3D11 logic out of DriverCrashGuard. (bug 1190281 part 4, r=mattwoodrow) (e499a0079) - Move telemetry recording into D3D11LayersCrashGuard. (bug 1190281 part 5, r=mattwoodrow) (b50a4c2b4) - Factor prefs out of DriverCrashGuard. (bug 1190281 part 6, r=mattwoodrow) (a3a1166ab) - Bug 1170939 - Close PBontentBridge when receving shut dwon message, r=khuey (5473d07f0) - Allow DriverCrashGuard to be used in content processes. (bug 1190281 part 7, r=mattwoodrow) (c9eaf8315) - Add a crash guard for DXVA2D3D9. (bug 1190281 part 8, r=mattwoodrow) (eceff5212) - Add driver crash guards to WebGL (bug 1190281 part 9, r=jgilbert,mattwoodrow) (c362b60c6) - Fix bogus assert in DriverCrashGuard. (bug 1190281 followup, r=mattwoodrow) (d4a7145bd) - Bug 968923 - part 5b - add nsIDOMWindowUtils::forceUseCounterFlush; r=bz (138d30251) - Bug 968923 - part 5c - add tests for use counters; r=bz (0c4b745e0) - Bug 554186 - Part 1: Unimplement NPN_Status API. r=josh (8759dad40) - Bug 554186 - Part 2: Remove unused nsPluginInstanceOwner::ShowNativeContextMenu(). r=josh (ad2ac0c4d) - Bug 1174913 - anchor and area mochitests. r=bz (ab2c58a34) - Bug 959992. Go back to not treating properties that the named properties object exposes as enumerable. r=peterv (0adeeb910) - Bug 1154974 (Part 1) - Give blobs serial numbers. r=bent (4602ca2cd) - Bug 1154974 (Part 2) - Merge image cache entries for blobs URIs with the same underlying blob. r=baku (3b64b409e) - Bug 1173314 - Make GetMozFullPath and GetMozFullPathInternal const. r=sicking (f8eaabb1e) - Bug 1167389 - Make FileList::mParent a smart pointer, and declare it to the cycle collector. r=ehsan (d1217e547) - Bug 1173390 - Remove the majority of the old directory picker implementation to prepare for the new implementation under bug 1164310. r=baku (750049972) - Bug 1164310, part 1 - Make the code for bypassing mobile security checks more general so that it can be used on non-mobile. r=baku (0486fb5ff) - Bug 1164310, part 2 - Implement an abstraction for a rooted filesystem for non-mobile devices. r=baku (f1d906bd6) - Bug 1164310, part 3 - Allow the DirState of blobs to be set explicitly. r=baku (13d832700) - Bug 1164310, part 4 - Implement the new HTMLInputElement API including the new Promise returning GetFilesAndDirectories. r=baku (d0f93ec19) - Bug 1164310, part 5 - Implement new anonymous content and layout pieces for directory picking via input elements. r=tnikkel (ac5a00781) - Bug 1164310, part 6 - Implement the new Promise returning DataTransfer.getFilesAndDirectories() API. r=baku (375fba953) - Bug 1164310 - Follow-up: Fix build bustage with --disable-accessibility. r=me (da0e6745b) - Bug 1164310, part 7 - Touch CLOBBER since bug 1177844 isn't fixed yet. r=me (5fa829742) - Bug 1185381 - Make FileList clonable - patch 1 - move code into FileList.h/.cpp, r=smaug (b85483178) - Bug 1185381 - Make FileList clonable - patch 2 - rename FILEIMPL_IID to BLOBIMPL_IID, r=smaug (0f920cd05) - Bug 1185360 - PostMessageEvent should not have a different behavior if the main principal subsumes the destination one., r=smaug (070ab034b) - Bug 1185381 - Make FileList clonable - patch 3 - FileListClonedData implementation, r=smaug (f4f082d18) - Bug 1185381 - Make FileList clonable - patch 4 - tests, r=smaug (fb3637313)
292 lines
10 KiB
C++
292 lines
10 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "WindowNamedPropertiesHandler.h"
|
|
#include "mozilla/dom/EventTargetBinding.h"
|
|
#include "mozilla/dom/WindowBinding.h"
|
|
#include "nsDOMClassInfo.h"
|
|
#include "nsGlobalWindow.h"
|
|
#include "nsHTMLDocument.h"
|
|
#include "nsJSUtils.h"
|
|
#include "xpcprivate.h"
|
|
|
|
namespace mozilla {
|
|
namespace dom {
|
|
|
|
static bool
|
|
ShouldExposeChildWindow(nsString& aNameBeingResolved, nsIDOMWindow *aChild)
|
|
{
|
|
nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
|
|
NS_ENSURE_TRUE(piWin, false);
|
|
Element* e = piWin->GetFrameElementInternal();
|
|
if (e && e->IsInShadowTree()) {
|
|
return false;
|
|
}
|
|
|
|
// If we're same-origin with the child, go ahead and expose it.
|
|
nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(aChild);
|
|
NS_ENSURE_TRUE(sop, false);
|
|
if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) {
|
|
return true;
|
|
}
|
|
|
|
// If we're not same-origin, expose it _only_ if the name of the browsing
|
|
// context matches the 'name' attribute of the frame element in the parent.
|
|
// The motivations behind this heuristic are worth explaining here.
|
|
//
|
|
// Historically, all UAs supported global named access to any child browsing
|
|
// context (that is to say, window.dolske returns a child frame where either
|
|
// the "name" attribute on the frame element was set to "dolske", or where
|
|
// the child explicitly set window.name = "dolske").
|
|
//
|
|
// This is problematic because it allows possibly-malicious and unrelated
|
|
// cross-origin subframes to pollute the global namespace of their parent in
|
|
// unpredictable ways (see bug 860494). This is also problematic for browser
|
|
// engines like Servo that want to run cross-origin script on different
|
|
// threads.
|
|
//
|
|
// The naive solution here would be to filter out any cross-origin subframes
|
|
// obtained when doing named lookup in global scope. But that is unlikely to
|
|
// be web-compatible, since it will break named access for consumers that do
|
|
// <iframe name="dolske" src="http://cross-origin.com/sadtrombone.html"> and
|
|
// expect to be able to access the cross-origin subframe via named lookup on
|
|
// the global.
|
|
//
|
|
// The optimal behavior would be to do the following:
|
|
// (a) Look for any child browsing context with name="dolske".
|
|
// (b) If the result is cross-origin, null it out.
|
|
// (c) If we have null, look for a frame element whose 'name' attribute is
|
|
// "dolske".
|
|
//
|
|
// Unfortunately, (c) would require some engineering effort to be performant
|
|
// in Gecko, and probably in other UAs as well. So we go with a simpler
|
|
// approximation of the above. This approximation will only break sites that
|
|
// rely on their cross-origin subframes setting window.name to a known value,
|
|
// which is unlikely to be very common. And while it does introduce a
|
|
// dependency on cross-origin state when doing global lookups, it doesn't
|
|
// allow the child to arbitrarily pollute the parent namespace, and requires
|
|
// cross-origin communication only in a limited set of cases that can be
|
|
// computed independently by the parent.
|
|
return e && e->AttrValueIs(kNameSpaceID_None, nsGkAtoms::name,
|
|
aNameBeingResolved, eCaseMatters);
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::getOwnPropDescriptor(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
bool /* unused */,
|
|
JS::MutableHandle<JSPropertyDescriptor> aDesc)
|
|
const
|
|
{
|
|
if (!JSID_IS_STRING(aId)) {
|
|
// Nothing to do if we're resolving a non-string property.
|
|
return true;
|
|
}
|
|
|
|
bool hasOnPrototype;
|
|
if (!HasPropertyOnPrototype(aCx, aProxy, aId, &hasOnPrototype)) {
|
|
return false;
|
|
}
|
|
if (hasOnPrototype) {
|
|
return true;
|
|
}
|
|
|
|
nsAutoJSString str;
|
|
if (!str.init(aCx, JSID_TO_STRING(aId))) {
|
|
return false;
|
|
}
|
|
|
|
if (str.IsEmpty()) {
|
|
return true;
|
|
}
|
|
|
|
// Grab the DOM window.
|
|
JS::Rooted<JSObject*> global(aCx, JS_GetGlobalForObject(aCx, aProxy));
|
|
nsGlobalWindow* win = xpc::WindowOrNull(global);
|
|
if (win->Length() > 0) {
|
|
nsCOMPtr<nsIDOMWindow> childWin = win->GetChildWindow(str);
|
|
if (childWin && ShouldExposeChildWindow(str, childWin)) {
|
|
// We found a subframe of the right name. Shadowing via |var foo| in
|
|
// global scope is still allowed, since |var| only looks up |own|
|
|
// properties. But unqualified shadowing will fail, per-spec.
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, childWin, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
}
|
|
|
|
// The rest of this function is for HTML documents only.
|
|
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
|
|
if (!htmlDoc) {
|
|
return true;
|
|
}
|
|
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
|
|
|
|
Element* element = document->GetElementById(str);
|
|
if (element) {
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, element, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
|
|
nsWrapperCache* cache;
|
|
nsISupports* result = document->ResolveName(str, &cache);
|
|
if (!result) {
|
|
return true;
|
|
}
|
|
|
|
JS::Rooted<JS::Value> v(aCx);
|
|
if (!WrapObject(aCx, result, cache, nullptr, &v)) {
|
|
return false;
|
|
}
|
|
FillPropertyDescriptor(aDesc, aProxy, 0, v);
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::defineProperty(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
JS::Handle<JSPropertyDescriptor> aDesc,
|
|
JS::ObjectOpResult &result) const
|
|
{
|
|
ErrorResult rv;
|
|
rv.ThrowTypeError(MSG_DEFINEPROPERTY_ON_GSP);
|
|
rv.ReportErrorWithMessage(aCx);
|
|
return false;
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::ownPropNames(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
unsigned flags,
|
|
JS::AutoIdVector& aProps) const
|
|
{
|
|
if (!(flags & JSITER_HIDDEN)) {
|
|
// None of our named properties are enumerable.
|
|
return true;
|
|
}
|
|
|
|
// Grab the DOM window.
|
|
nsGlobalWindow* win = xpc::WindowOrNull(JS_GetGlobalForObject(aCx, aProxy));
|
|
nsTArray<nsString> names;
|
|
win->GetSupportedNames(names);
|
|
// Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
|
|
// We iterate backwards so we can remove things from the list easily.
|
|
for (size_t i = names.Length(); i > 0; ) {
|
|
--i; // Now we're pointing at the next name we want to look at
|
|
nsIDOMWindow* childWin = win->GetChildWindow(names[i]);
|
|
if (!childWin || !ShouldExposeChildWindow(names[i], childWin)) {
|
|
names.RemoveElementAt(i);
|
|
}
|
|
}
|
|
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
|
|
return false;
|
|
}
|
|
|
|
names.Clear();
|
|
nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
|
|
if (!htmlDoc) {
|
|
return true;
|
|
}
|
|
nsHTMLDocument* document = static_cast<nsHTMLDocument*>(htmlDoc.get());
|
|
document->GetSupportedNames(flags, names);
|
|
|
|
JS::AutoIdVector docProps(aCx);
|
|
if (!AppendNamedPropertyIds(aCx, aProxy, names, false, docProps)) {
|
|
return false;
|
|
}
|
|
|
|
return js::AppendUnique(aCx, aProps, docProps);
|
|
}
|
|
|
|
bool
|
|
WindowNamedPropertiesHandler::delete_(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProxy,
|
|
JS::Handle<jsid> aId,
|
|
JS::ObjectOpResult &aResult) const
|
|
{
|
|
return aResult.failCantDeleteWindowNamedProperty();
|
|
}
|
|
|
|
static bool
|
|
ResolveWindowNamedProperty(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
|
|
JS::Handle<JSObject*> aObj, JS::Handle<jsid> aId,
|
|
JS::MutableHandle<JSPropertyDescriptor> aDesc)
|
|
{
|
|
{
|
|
JSAutoCompartment ac(aCx, aObj);
|
|
if (!js::GetProxyHandler(aObj)->getOwnPropertyDescriptor(aCx, aObj, aId,
|
|
aDesc)) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (aDesc.object()) {
|
|
aDesc.object().set(aWrapper);
|
|
|
|
return JS_WrapPropertyDescriptor(aCx, aDesc);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static bool
|
|
EnumerateWindowNamedProperties(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
|
|
JS::Handle<JSObject*> aObj,
|
|
JS::AutoIdVector& aProps)
|
|
{
|
|
JSAutoCompartment ac(aCx, aObj);
|
|
return js::GetProxyHandler(aObj)->ownPropertyKeys(aCx, aObj, aProps);
|
|
}
|
|
|
|
const NativePropertyHooks sWindowNamedPropertiesNativePropertyHooks[] = { {
|
|
ResolveWindowNamedProperty,
|
|
EnumerateWindowNamedProperties,
|
|
{ nullptr, nullptr },
|
|
prototypes::id::_ID_Count,
|
|
constructors::id::_ID_Count,
|
|
nullptr
|
|
} };
|
|
|
|
static const DOMIfaceAndProtoJSClass WindowNamedPropertiesClass = {
|
|
PROXY_CLASS_DEF("WindowProperties",
|
|
JSCLASS_IS_DOMIFACEANDPROTOJSCLASS),
|
|
eNamedPropertiesObject,
|
|
sWindowNamedPropertiesNativePropertyHooks,
|
|
"[object WindowProperties]",
|
|
prototypes::id::_ID_Count,
|
|
0,
|
|
EventTargetBinding::GetProtoObject
|
|
};
|
|
|
|
// static
|
|
JSObject*
|
|
WindowNamedPropertiesHandler::Create(JSContext* aCx,
|
|
JS::Handle<JSObject*> aProto)
|
|
{
|
|
// Note: since the scope polluter proxy lives on the window's prototype
|
|
// chain, it needs a singleton type to avoid polluting type information
|
|
// for properties on the window.
|
|
JS::Rooted<JSObject*> gsp(aCx);
|
|
js::ProxyOptions options;
|
|
options.setSingleton(true);
|
|
options.setClass(&WindowNamedPropertiesClass.mBase);
|
|
return js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
|
|
JS::NullHandleValue, aProto,
|
|
options);
|
|
}
|
|
|
|
} // namespace dom
|
|
} // namespace mozilla
|