Closed Bug 1335654 Opened 7 years ago Closed 7 years ago

Fix the exceptions we throw for our cross-origin objects to actually mostly follow the spec

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox54 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Attachments

(4 files, 2 obsolete files)

part 1. Propagate AutoEnterPolicy's mayThrow argument to the enter() methods of proxy handlers, so they know whether it's OK to throw some sort of custom exception or whether they should just silently deny
7.74 KB, patch
jandem
: review+
bholley
: review+
Details | Diff | Splinter Review
part 2. Change the deny() methods of our wrapper security policies to take a JSContext and a mayThrow boolean
5.17 KB, patch
bholley
: review+
Details | Diff | Splinter Review
part 3. Implement actually throwing a SecurityError when cross-origin property accesses are denied
23.57 KB, patch
bholley
: review+
Details | Diff | Splinter Review
part 4. Fix some CrossOriginXrayWrapper error reporting bits to follow the HTML spec for cross-origin objects
4.04 KB, patch
bholley
: review+
Details | Diff | Splinter Review 
Got tired of this.  The current exceptions are thrown in general JS Wrapper code, so can't be the DOMExceptions we want.  We just need to throw on the XPConnect side instead.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
More parts (that actually change behavior) coming once I finish the try run.

I do have one unfixed bit left: the exception thrown by [[SetPrototype]].  In our code, we land in XrayWrapper<Base, Traits>::setPrototype, Base::hasSecurityPolicy() is true, so we call SecurityWrapper<Base>::setPrototype which happily throws a non-TypeError for us.  Now I could change that to throw a TypeError.  Or I could try to take over the throwing myself based on the traits or something.  But I don't understand this setPrototype setup well enough to decide which is better....
Flags: needinfo?(bobbyholley)
Comment on attachment 8832357 [details] [diff] [review]
part 3.  Implement actually throwing a SecurityError when cross-origin property accesses are denied

Review of attachment 8832357 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/wrappers/AccessCheck.cpp
@@ +295,5 @@
> +        // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
> +        // does.
> +        JS::RootedValue idVal(cx, js::IdToValue(id));
> +        nsAutoJSString propName;
> +        if (!propName.init(cx, JS_ValueToSource(cx, idVal))) {

It doesn't seem entirely obvious to be that JS_ValueToSource can't return null
You are absolutely right; it can OOM.  I meantto have null-checks there, then forgot to...
Attachment #8832357 - Attachment is obsolete: true
Attachment #8832357 - Flags: review?(bobbyholley)
Attachment #8832358 - Attachment is obsolete: true
Attachment #8832358 - Flags: review?(bobbyholley)
Attachment #8832343 - Flags: review?(bobbyholley) → review+
Comment on attachment 8832344 [details] [diff] [review]
part 2.  Change the deny() methods of our wrapper security policies to take a JSContext and a mayThrow boolean

Review of attachment 8832344 [details] [diff] [review]:
-----------------------------------------------------------------

It's a little weird to maintain the non-JSAPI calling convention here while taking a cx. But I guess it's ok...

::: js/xpconnect/wrappers/AccessCheck.cpp
@@ +447,5 @@
>      // Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
>      if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
>          act == js::Wrapper::GET_PROPERTY_DESCRIPTOR)
>      {
> +        // XXXbz Do we really want to do that if mayThrow is false?

Yes. ReportWrapperDenial is about logging and stuff, which we want to do even if we don't interrupt script over the violation. Please remove this comment.
Attachment #8832344 - Flags: review?(bobbyholley) → review+
Comment on attachment 8832365 [details] [diff] [review]
part 3.  Implement actually throwing a SecurityError when cross-origin property accesses are denied

Review of attachment 8832365 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/wrappers/AccessCheck.cpp
@@ +295,5 @@
> +        // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending
> +        // does.
> +        JS::RootedValue idVal(cx, js::IdToValue(id));
> +        nsAutoJSString propName;
> +        JSString* idStr = JS_ValueToSource(cx, idVal);

Does this need to be rooted?
Attachment #8832365 - Flags: review?(bobbyholley) → review+
Comment on attachment 8832366 [details] [diff] [review]
part 4.  Fix some CrossOriginXrayWrapper error reporting bits to follow the HTML spec for cross-origin objects

Review of attachment 8832366 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/wrappers/FilteringWrapper.cpp
@@ +296,5 @@
> +        return false;
> +    }
> +    if (!propName.init(cx, idStr)) {
> +        return false;
> +    }

This junk is in 3 places now. Can you move it to a helper?
Attachment #8832366 - Flags: review?(bobbyholley) → review+
> Does this need to be rooted?

I don't think so, but I guess there's no real harm in rooting it.  Will do that.

> This junk is in 3 places now. Can you move it to a helper?

Good point.  Will add an AccessCheck method for this.
Comment on attachment 8832343 [details] [diff] [review]
part 1.  Propagate AutoEnterPolicy's mayThrow argument to the enter() methods of proxy handlers, so they know whether it's OK to throw some sort of custom exception or whether they should just silently deny

Review of attachment 8832343 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing as discussed on IRC.
Attachment #8832343 - Flags: review?(jwalden+bmo) → review+
> Please remove this comment.

Replaced it with:

        // Note that ReportWrapperDenial doesn't do any _exception_ reporting,
        // so we want to do this regardless of the value of mayThrow.
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/47f366b5d467
part 1.  Propagate AutoEnterPolicy's mayThrow argument to the enter() methods of proxy handlers, so they know whether it's OK to throw some sort of custom exception or whether they should just silently deny.  r=bholley,jandem
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b8049495d3d
part 2.  Change the deny() methods of our wrapper security policies to take a JSContext and a mayThrow boolean. r=bholley
https://hg.mozilla.org/integration/mozilla-inbound/rev/89525b069d92
part 3.  Implement actually throwing a SecurityError when cross-origin property accesses are denied.  r=bholley
https://hg.mozilla.org/integration/mozilla-inbound/rev/d33dc84d6386
part 4.  Fix some CrossOriginXrayWrapper error reporting bits to follow the HTML spec for cross-origin objects.  r=bholley
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #3)
> More parts (that actually change behavior) coming once I finish the try run.
> 
> I do have one unfixed bit left: the exception thrown by [[SetPrototype]]. 
> In our code, we land in XrayWrapper<Base, Traits>::setPrototype,
> Base::hasSecurityPolicy() is true, so we call
> SecurityWrapper<Base>::setPrototype which happily throws a non-TypeError for
> us.  Now I could change that to throw a TypeError.  Or I could try to take
> over the throwing myself based on the traits or something.  But I don't
> understand this setPrototype setup well enough to decide which is better....

Per IRC discussion, we should override setPrototype in CrossOriginXrayWrapper.
Flags: needinfo?(bobbyholley)
Blocks: 1344443
> Per IRC discussion, we should override setPrototype in CrossOriginXrayWrapper.

Filed bug 1344443 on this.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: