1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-24 00:02:08 +00:00
Commit graph

26 commits

Author SHA1 Message Date
Matthew Olsson
7c0c1c8f49 LibJS+LibWeb: Wrap raw JS::Cell*/& fields in GCPtr/NonnullGCPtr 2023-03-15 08:48:49 +01:00
Luke Wilde
7e701f6256 LibWeb: Keep unhandledrejection event promises alive when task is queued
This is fixed by making the "about to be notified rejected promises
list" use JS::Handle instead of JS::NonnullGCPtr. This UAF happens
because notify_about_rejected_promises makes a local copy of this list,
empties the member variable list and then moves the local copy into a
JS::SafeFunction lambda. JS::SafeFunction can only see GC pointers that
are in its storage, not external storage.

Example exploit (requires fixed microtask timing by removing the dummy
execution context):
```html
<script>
Promise.reject(new Error);

// Exit the script block, causing a microtask checkpoint and thus
// queuing of a task to fire the unhandled rejection event for the
// above promise.
// During the time after being queued but before being ran, these
// promises are not kept alive. This is because JS::SafeFunction cannot
// see into a Vector, meaning it can't visit the stored NonnullGCPtrs.
</script>

<script defer>
// Cause a garbage collection, destroying the above promise.
const b = [];
for (var i = 0; i < 200000; i++)
    b.push({});

// Some time after this script block, the queued unhandled rejection
// event task will fire, with the event object containing the dead
// promise.
window.onunhandledrejection = (event) => {
    let value = event.promise;
    console.log(value);
}
</script>
```
2022-12-25 15:32:51 +01:00
Linus Groh
6e19ab2bbc AK+Everywhere: Rename String to DeprecatedString
We have a new, improved string type coming up in AK (OOM aware, no null
state), and while it's going to use UTF-8, the name UTF8String is a
mouthful - so let's free up the String name by renaming the existing
class.
Making the old one have an annoying name will hopefully also help with
quick adoption :^)
2022-12-06 08:54:33 +01:00
Idan Horowitz
efe94d9040 LibWeb: Support parsing a URL relative to environment settings object 2022-11-15 21:48:19 +00:00
Idan Horowitz
f69c135796 LibWeb: Implement the 'Entry Realm/{settings,global} object' concepts 2022-11-15 21:48:19 +00:00
Linus Groh
8db64a8704 LibWeb: Implement 'Is non-secure context' AO 2022-10-30 20:10:29 +00:00
Linus Groh
4baf0a4486 LibWeb: Implement 'Is secure context' AO 2022-10-30 20:10:29 +00:00
networkException
9afea1248f LibWeb: Add disallow further import maps steps to ESO 2022-10-24 23:06:56 +01:00
Linus Groh
93405b4aff LibWeb: Add virtual destructor to Environment
This makes it polymorphic and allows checking the subclass of an
Environment with is<T>().

We also need to change the inheritance order so JS::Cell comes first for
this to work. Unfortunately, I have no idea why that is.

Co-Authored-By: Andreas Kling <kling@serenityos.org>
2022-10-24 22:58:37 +01:00
Linus Groh
4817b7c623 LibWeb: Add policy container to {Window,Worker}EnvironmentSettingsObject 2022-10-24 22:58:37 +01:00
Andreas Kling
83c5ff57d8 LibWeb: Make BrowsingContext GC-allocated
(And BrowsingContextGroup had to come along for the ride as well.)
This solves a number of nasty reference cycles between browsing
contexts, history items, and their documents.
2022-10-20 15:16:23 +02:00
Andreas Kling
18a5c56f14 LibWeb: Don't store JS::Handle<JS::Promise> in EnvironmentSettingsObject
Now that the ESO is a JS::Cell, we can just store them as NonnullGCPtr
and mark them in visit_edges().
2022-10-20 15:16:23 +02:00
networkException
992311c0ee LibWeb: Implement ModuleMap and expose it on EnvironmentSettingsObject
This patch adds the ModuleMap class used to keep track of the type and
url of a module as well as the fetching state associated. Each
environment settings object now also has a module map.
2022-10-06 16:41:36 +02:00
networkException
cfa0c9bf9f LibWeb: Implement module type allowed
This patch adds the module type allowed steps given a module type string
and an environment settings object.
2022-10-06 16:41:36 +02:00
Andrew Kaster
8de7e49a56 LibWeb: Remove unecessary dependence on Window from DOM and WebIDL
These classes only needed Window to get at its realm. Pass a realm
directly to construct DOM and WebIDL classes.

This change importantly removes the guarantee that a Document will
always have a non-null Window object. Only Documents created by a
BrowsingContext will have a non-null Window object. Documents created by
for example, DocumentFragment, will not have a Window (soon).

This incremental commit leaves some workarounds in place to keep other
parts of the code building.
2022-10-01 21:05:32 +01:00
Andrew Kaster
c61a4f35dc LibWeb: Move Web prototypes and constructors to new Intrinsics object
This Intrinsics object hangs off of a new HostDefined struct that takes
the place of EnvironmentSettingsObject as the true [[HostDefined]] slot
on JS::Realm objects created by LibWeb.

This gets the intrinsics off of the GlobalObject, Window, similar to the
previous refactor of LibJS to move the intrinsics into the Realm's
[[Intrinics]] internal slot.

A side effect of this change is that we cannot fully initialize a Window
object until the [[HostDefined]] slot has been installed into the realm,
which happens with the creation of the WindowEnvironmentSettingsObject.

As such, any Window usage that has not been funned through a WindowESO
will not have any cached Web prototyped or constructors, and will not
have Window APIs available to javascript code. Currently this seems
limited to usage of Window in the CSS parser, but a subsequent commit
will clean those up to take Realm as well. However, this commit compiles
so let's cut it off here :^).
2022-10-01 21:05:32 +01:00
Andreas Kling
62fed2a31d LibWeb: Add id field to Environment
This is a unique string that identifies the environment. We just use a
simple incrementing number for now.
2022-09-21 11:51:18 +02:00
Andreas Kling
6f433c8656 LibWeb+LibJS: Make the EventTarget hierarchy (incl. DOM) GC-allocated
This is a monster patch that turns all EventTargets into GC-allocated
PlatformObjects. Their C++ wrapper classes are removed, and the LibJS
garbage collector is now responsible for their lifetimes.

There's a fair amount of hacks and band-aids in this patch, and we'll
have a lot of cleanup to do after this.
2022-09-06 00:27:09 +02:00
Linus Groh
52543fc771 LibJS+LibWeb: Let Realm store a plain Object for [[GlobalObject]]
This removes the requirement of having a global object that actually
inherits from JS::GlobalObject, which is now a perfectly valid scenario.

With the upcoming removal of wrapper objects in LibWeb, the HTML::Window
object will inherit from DOM::EventTarget, which means it cannot also
inherit from JS::GlobalObject.
2022-08-28 16:36:56 +01:00
Andreas Kling
2a7924f96c LibWeb: Bring browsing context creation closer to spec
This patch implements the "create a new browsing context" function from
the HTML spec and replaces our existing logic with it.

The big difference is that browsing contexts now initially navigate to
"about:blank" instead of starting out in a strange "empty" state.
This makes it possible for websites to create a new iframe and start
scripting inside it right away, without having to load an URL into it.
2022-08-05 12:46:42 +02:00
Andreas Kling
602f927982 LibWeb: Start implementing "create and initialize a Document" from HTML
The way we've been creating DOM::Document has been pretty far from what
the spec tells us to do, and this is a first big step towards getting us
closer to spec.

The new Document::create_and_initialize() is called by FrameLoader after
loading a "text/html" resource.

We create the JS Realm and the Window object when creating the Document
(previously, we'd do it on first access to Document::interpreter().)

The realm execution context is owned by the Environment Settings Object.
2022-08-05 12:46:40 +02:00
Linus Groh
22a627fc1a LibWeb: Move Origin into the HTML namespace
Origin is defined in the HTML Standard, and therefore belongs into the
HTML directory and namespace in LibWeb.
https://html.spec.whatwg.org/multipage/origin.html#origin
2022-07-14 00:42:26 +01:00
Linus Groh
7bdbac7fd9 LibWeb: Add 'is scripting enabled' concept to EnvironmentSettingsObject
This is now the source of truth for 'user enabled/disabled scripting',
but it has to ask the window's page, which actually stores the setting.

Also use this new functionality in two places where it was previously
marked as a FIXME.
2022-03-31 17:08:38 +02:00
Linus Groh
11d0e37d8e LibWeb: Implement the 'Relevant realm/{settings,global} object' concepts 2022-03-06 23:27:39 +01:00
Linus Groh
db983b469d LibWeb: Implement the 'Current {settings,global} object' concepts 2022-03-06 23:27:39 +01:00
Luke Wilde
f71f404e0c LibWeb: Introduce the Environment Settings Object
The environment settings object is effectively the context a piece of
script is running under, for example, it contains the origin,
responsible document, realm, global object and event loop for the
current context. This effectively replaces ScriptExecutionContext, but
it cannot be removed in this commit as EventTarget still depends on it.

https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object
2022-02-08 17:47:44 +00:00