Re-checking-in my fix for 47905, which was backed out last night because of a bug in some other code that was checked in along with it. This checkin was not causing the crasher and is unchanged. See earlier checkin comment - in short, this adds same-origin to XMLHttpRequest and cleans up some function calls in caps, removes some unnecessary parameters. r=vidur, sr=jst.

2001-05-19 00:33:51 +00:00 · 2001-05-19 00:33:51 +00:00 · 8c0cd58b30
--- a/caps/idl/nsIScriptSecurityManager.idl
+++ b/caps/idl/nsIScriptSecurityManager.idl
@ -34,13 +34,19 @@ interface nsIScriptSecurityManager : nsIXPCSecurityManager
    /**
     * Checks whether the running script is allowed to access aProperty.
     */
-    [noscript] void checkPropertyAccess(in PRUint32 aAction,
-                                        in JSContextPtr aJSContext,
+    [noscript] void checkPropertyAccess(in JSContextPtr aJSContext,
                                        in JSObjectPtr aJSObject,
-                                        in nsISupports aObj,
-                                        in nsIClassInfo aClassInfo,
                                        in string aClassName,
-                                        in string aProperty);
+                                        in string aProperty,
+                                        in PRUint32 aAction);
+
+    /**
+     * Checks whether the running script is allowed to connect to aTargetURI
+     */
+    [noscript] void checkConnect(in JSContextPtr aJSContext,
+                                 in nsIURI aTargetURI,
+                                 in string aClassName,
+                                 in string aPropertyName);

    /**
     * Check that the script currently running in context "cx" can load "uri".
--- a/caps/include/nsScriptSecurityManager.h
+++ b/caps/include/nsScriptSecurityManager.h
@ -112,7 +112,8 @@ private:
    nsresult
    CheckPropertyAccessImpl(PRUint32 aAction, nsIXPCNativeCallContext* aCallContext,
                            JSContext* aJSContext, JSObject* aJSObject,
-                            nsISupports* aObj, nsIClassInfo* aClassInfo,
+                            nsISupports* aObj, nsIURI* aTargetURI,
+                            nsIClassInfo* aClassInfo,
                            jsval aName, const char* aClassName, 
                            const char* aProperty, void** aPolicy);

@ -122,7 +123,7 @@ private:
    
    PRInt32 
    GetSecurityLevel(JSContext* aCx, nsIPrincipal *principal,
-                     nsIClassInfo* aClassInfo,
+                     PRBool aIsDOM,
                     const char* aClassName, const char* aProperty,
                     PRUint32 aAction, nsCString &capability, void** aPolicy);

--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@ -137,23 +137,34 @@ NS_IMPL_THREADSAFE_ISUPPORTS3(nsScriptSecurityManager,

 ///////////////// Security Checks /////////////////
 NS_IMETHODIMP
-nsScriptSecurityManager::CheckPropertyAccess(PRUint32 aAction,
-                                             JSContext* aJSContext,
+nsScriptSecurityManager::CheckPropertyAccess(JSContext* aJSContext,
                                             JSObject* aJSObject,
-                                             nsISupports* aObj,
-                                             nsIClassInfo* aClassInfo,
                                             const char* aClassName,
-                                             const char* aProperty)
+                                             const char* aPropertyName,
+                                             PRUint32 aAction)
 {
-    return CheckPropertyAccessImpl(aAction, nsnull, aJSContext, aJSObject, aObj,
-                                   aClassInfo, nsnull, aClassName, aProperty, nsnull);
+    return CheckPropertyAccessImpl(aAction, nsnull, aJSContext, aJSObject,
+                                   nsnull, nsnull, nsnull, nsnull,
+                                   aClassName, aPropertyName, nsnull);
+}
+
+NS_IMETHODIMP
+nsScriptSecurityManager::CheckConnect(JSContext* aJSContext,
+                                      nsIURI* aTargetURI,
+                                      const char* aClassName,
+                                      const char* aPropertyName)
+{
+    return CheckPropertyAccessImpl(nsIXPCSecurityManager::ACCESS_GET_PROPERTY, nsnull,
+                                   aJSContext, nsnull, nsnull, aTargetURI,
+                                   nsnull, nsnull, aClassName, aPropertyName, nsnull);
 }

 nsresult
 nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
                                                 nsIXPCNativeCallContext* aCallContext,
                                                 JSContext* aJSContext, JSObject* aJSObject,
-                                                 nsISupports* aObj, nsIClassInfo* aClassInfo,
+                                                 nsISupports* aObj, nsIURI* aTargetURI,
+                                                 nsIClassInfo* aClassInfo,
                                                 jsval aName, const char* aClassName, 
                                                 const char* aProperty, void** aPolicy)
 {
@ -214,8 +225,11 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
            propertyName.AssignWithConversion((PRUnichar*)JSValIDToString(aJSContext, aName));
        }

-        secLevel = GetSecurityLevel(aJSContext, subjectPrincipal, aClassInfo, className,
-                                    propertyName, aAction, capability, aPolicy);
+        // if (aPropertyStr), we were called from CheckPropertyAccess or checkConnect,
+        // so we can assume this is a DOM class. Otherwise, we ask the ClassInfo.
+        secLevel = GetSecurityLevel(aJSContext, subjectPrincipal,
+                                    (aProperty || IsDOMClass(aClassInfo)),
+                                    className, propertyName, aAction, capability, aPolicy);
    }

    nsresult rv;
@ -232,18 +246,27 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
 #ifdef DEBUG_mstoltz
 		    printf("Level: SameOrigin ");
 #endif
+            nsCOMPtr<nsIPrincipal> objectPrincipal;
            if(aJSObject)
            {
-                nsCOMPtr<nsIPrincipal> objectPrincipal;
                if (NS_FAILED(GetObjectPrincipal(aJSContext, 
                                                 NS_REINTERPRET_CAST(JSObject*, aJSObject),
                                                 getter_AddRefs(objectPrincipal))))
                    return NS_ERROR_FAILURE;
-                rv = CheckSameOrigin(aJSContext, subjectPrincipal, objectPrincipal,
-                                     aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY);
+            }
+            else if(aTargetURI)
+            {
+                if (NS_FAILED(GetCodebasePrincipal(aTargetURI, getter_AddRefs(objectPrincipal))))
+                    return NS_ERROR_FAILURE;
            }
            else
+            {
                rv = NS_ERROR_DOM_SECURITY_ERR;
+                break;
+            }
+            rv = CheckSameOrigin(aJSContext, subjectPrincipal, objectPrincipal,
+                                 aAction == nsIXPCSecurityManager::ACCESS_SET_PROPERTY);
+
            break;
        }
    case SCRIPT_SECURITY_CAPABILITY_ONLY:
@ -383,7 +406,7 @@ nsScriptSecurityManager::IsDOMClass(nsIClassInfo* aClassInfo)
 PRInt32 
 nsScriptSecurityManager::GetSecurityLevel(JSContext* aJSContext,
                                          nsIPrincipal *principal,
-                                          nsIClassInfo* aClassInfo,
+                                          PRBool aIsDOM,
                                          const char* aClassName,
                                          const char* aPropertyName,
                                          PRUint32 aAction,
@ -447,7 +470,7 @@ nsScriptSecurityManager::GetSecurityLevel(JSContext* aJSContext,
    }
    //-- No policy for this property.
    //   Use the default policy: sameOrigin for DOM, noAccess for everything else
-    if(IsDOMClass(aClassInfo))
+    if(aIsDOM)
        secLevel = SCRIPT_SECURITY_SAME_ORIGIN_ACCESS;
    if (!classPolicy && aPolicy)
        //-- If there's no stored policy for this property, 
@ -1688,8 +1711,9 @@ nsScriptSecurityManager::CanAccess(PRUint32 aAction,
                                   jsval aName,
                                   void** aPolicy)
 {
-    return CheckPropertyAccessImpl(aAction, aCallContext, aJSContext, aJSObject,
-                                   aObj, aClassInfo, aName, nsnull, nsnull, aPolicy);
+    return CheckPropertyAccessImpl(aAction, aCallContext, aJSContext,
+                                   aJSObject, aObj, nsnull, aClassInfo,
+                                   aName, nsnull, nsnull, aPolicy);
 }

 nsresult
@ -1951,12 +1975,10 @@ nsScriptSecurityManager::InitPolicies(PRUint32 aPrefCount, const char** aPrefNam
        else if (count > 3)
        { // capability.policy.<policyname>.<class>.<property>[.(get|set)]
          // Store the class name so we know this class has a policy set on it
-            const char* className = dots[2] + 1;
-            PRInt32 classNameLen = dots[3] - className;
-            char* classNameNullTerm = PL_strndup(className, classNameLen);
-            if (!classNameNullTerm)
-                return NS_ERROR_OUT_OF_MEMORY;
-            nsCStringKey classNameKey(classNameNullTerm);
+          // Shoving a null into the pref anme string is unorthodox
+          // but it saves a malloc & copy - hash keys require null-terminated strings
+            *(char*)dots[3] = '\0';
+            nsCStringKey classNameKey(dots[2] + 1);
            if (!(mClassPolicies))
                mClassPolicies = new nsHashtable(31);
            // We don't actually have to store the class name as data in the hashtable, 
@ -1966,7 +1988,6 @@ nsScriptSecurityManager::InitPolicies(PRUint32 aPrefCount, const char** aPrefNam
                mClassPolicies->Put(&classNameKey, (void*)CLASS_POLICY_DEFAULT);
            else if (!isDefault && classPolicy != (void*)CLASS_POLICY_SITE)
                mClassPolicies->Put(&classNameKey, (void*)CLASS_POLICY_SITE);
-            PR_Free(classNameNullTerm);
        }
    }
    return NS_OK;
--- a/content/events/src/nsEventListenerManager.cpp
+++ b/content/events/src/nsEventListenerManager.cpp
@ -981,11 +981,9 @@ nsEventListenerManager::RegisterScriptEventListener(nsIScriptContext *aContext,
  if (NS_FAILED(rv))
      return rv;

-  nsCOMPtr<nsIClassInfo> classInfo = do_QueryInterface(aObject);
-
-  if (NS_FAILED(rv = securityManager->CheckPropertyAccess(
-      nsIXPCSecurityManager::ACCESS_SET_PROPERTY, cx, jsobj, aObject, classInfo,
-                  "EventTarget","addEventListener"))) {
+  if (NS_FAILED(rv = securityManager->CheckPropertyAccess(cx, jsobj,
+                "EventTarget","addEventListener",
+                nsIXPCSecurityManager::ACCESS_SET_PROPERTY))) {
      // XXX set pending exception on the native call context?
    return rv;
  }
--- a/dom/src/base/nsDOMClassInfo.cpp
+++ b/dom/src/base/nsDOMClassInfo.cpp
@ -1108,9 +1108,9 @@ nsWindowSH::doCheckWriteAccess(JSContext *cx, JSObject *obj, jsval id,
  PRBool isLocation = JSVAL_IS_STRING(id) &&
    JSVAL_TO_STRING(id) == sLocation_id;

-  rv = sSecMan->CheckPropertyAccess(nsIXPCSecurityManager::ACCESS_SET_PROPERTY,
-                                    cx, obj, native, this, "Window",
-                                    isLocation ? "location" : "scriptglobals");
+  rv = sSecMan->CheckPropertyAccess(cx, obj, "Window",
+                                    isLocation ? "location" : "scriptglobals",
+                                    nsIXPCSecurityManager::ACCESS_SET_PROPERTY);

  if (NS_SUCCEEDED(rv)) {
    return rv;
@ -1146,9 +1146,9 @@ nsWindowSH::doCheckReadAccess(JSContext *cx, JSObject *obj, jsval id,
  PRBool isLocation = JSVAL_IS_STRING(id) &&
    JSVAL_TO_STRING(id) == sLocation_id;

-  rv = sSecMan->CheckPropertyAccess(nsIXPCSecurityManager::ACCESS_GET_PROPERTY,
-                                    cx, obj, native, this, "Window",
-                                    isLocation ? "location" : "scriptglobals");
+  rv = sSecMan->CheckPropertyAccess(cx, obj, "Window",
+                                    isLocation ? "location" : "scriptglobals",
+                                    nsIXPCSecurityManager::ACCESS_GET_PROPERTY);

  if (NS_SUCCEEDED(rv)) {
    return rv;
--- a/dom/src/base/nsGlobalWindow.cpp
+++ b/dom/src/base/nsGlobalWindow.cpp
@ -4123,8 +4123,8 @@ NavigatorImpl::Preference()
      action = nsIXPCSecurityManager::ACCESS_GET_PROPERTY;
  else
      action = nsIXPCSecurityManager::ACCESS_SET_PROPERTY;
-  rv = secMan->CheckPropertyAccess(action, cx, nsnull, nsnull, nsnull,
-                                   "Navigator", "preferenceinternal");
+  rv = secMan->CheckPropertyAccess(cx, nsnull,
+                                   "Navigator", "preferenceinternal", action);
  if (NS_FAILED(rv))
  {
      //-- XXX doing the right thing here? Does the exception propagate?
--- a/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp
+++ b/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp
@ -922,10 +922,26 @@ nsXMLHttpRequest::Open(const char *method, const char *url)
    NS_WITH_SERVICE(nsIScriptSecurityManager, secMan,
                    NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
    if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
- /*
-     rv = secMan->CheckScriptAccessToURL(cx, url, NS_DOM_PROP_XMLHTTPREQUEST_OPEN, PR_FALSE);
-     if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
- */
+
+    nsCOMPtr<nsIURI> targetURI;
+    rv = NS_NewURI(getter_AddRefs(targetURI), url, nsnull);
+    if (NS_FAILED(rv)) return NS_ERROR_FAILURE;
+
+    rv = secMan->CheckConnect(cx, targetURI, "XMLHttpRequest","open");
+    if (NS_FAILED(rv))
+    {
+      // Security check failed. The above call set a JS exception. The
+      // following lines ensure that the exception is propagated.
+
+      NS_WITH_SERVICE(nsIXPConnect, xpc, nsIXPConnect::GetCID(), &rv);
+      nsCOMPtr<nsIXPCNativeCallContext> cc;
+      if(NS_SUCCEEDED(rv))
+        xpc->GetCurrentNativeCallContext(getter_AddRefs(cc));
+      if (cc)
+        cc->SetExceptionWasThrown(PR_TRUE);
+      return NS_OK;
+    }
+
    nsCOMPtr<nsIPrincipal> principal;
    rv = secMan->GetSubjectPrincipal(getter_AddRefs(principal));
    if (NS_SUCCEEDED(rv)) {
--- a/layout/generic/nsImageFrame.cpp
+++ b/layout/generic/nsImageFrame.cpp
@ -1461,8 +1461,10 @@ nsImageFrame::GetLoadGroup(nsIPresContext *aPresContext, nsILoadGroup **aLoadGro
 PRBool
 nsImageFrame::CanLoadImage(nsIURI *aURI)
 {
+
  PRBool shouldLoad = PR_TRUE; // default permit

+#if 0
  nsCOMPtr<nsIScriptSecurityManager> securityManager(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));

  if (securityManager) {
@ -1473,7 +1475,7 @@ nsImageFrame::CanLoadImage(nsIURI *aURI)
    if (NS_FAILED(proceed))
      return PR_FALSE;
  }
-
+#endif
  // XXX leave this if 0'd until there is a good way to test it.
 #if 0

--- a/layout/html/base/src/nsImageFrame.cpp
+++ b/layout/html/base/src/nsImageFrame.cpp
@ -1461,8 +1461,10 @@ nsImageFrame::GetLoadGroup(nsIPresContext *aPresContext, nsILoadGroup **aLoadGro
 PRBool
 nsImageFrame::CanLoadImage(nsIURI *aURI)
 {
+
  PRBool shouldLoad = PR_TRUE; // default permit

+#if 0
  nsCOMPtr<nsIScriptSecurityManager> securityManager(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));

  if (securityManager) {
@ -1473,7 +1475,7 @@ nsImageFrame::CanLoadImage(nsIURI *aURI)
    if (NS_FAILED(proceed))
      return PR_FALSE;
  }
-
+#endif
  // XXX leave this if 0'd until there is a good way to test it.
 #if 0