corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
071931b71650fedd376afb51c7e5df80d741dff6
tubestation/dom/clients/manager/ClientSourceParent.cpp
Andrew Sutherland 7c0675aae0 Bug 1544232 - Limit lifetime extension of SWs by SWs to the sender's lifetime. r=edenchuang 
This patch introduces an explicit concept of lifetimes with mechanisms
in place so that actions taken by Clients (windows or non-ServiceWorker
orkers) will extend the lifetime of a ServiceWorker, but a ServiceWorker
cannot extend the life of another ServiceWorker.

The areas of concern are:
- ServiceWorker.postMessage: With ServiceWorkers exposed on workers and
  the ability to access other registrations via ServiceWorkerContainer
  being exposed, ServiceWorkers can message other ServiceWorkers.  It's
  essential that they never be allowed to give a ServiceWorker a
  lifetime longer than their own.
- ServiceWorkerRegistration.update(): Requesting an update of a
  registration should not allow any installed/updated ServiceWorker to
  have a lifetime longer than the ServiceWorker creating the request.
- ServiceWorkerContainer.register(): Requesting the installation of a
  new ServiceWorker should likewise constrain the lifetime of the newly
  installed ServiceWorker.

Note that in cases where we would potentially spawn a ServiceWorker,
whether it be in response to postMessage or as part of an install or
update, a key criteria is whether the lifetime extends far enough into
the future for us to believe the ServiceWorker can accomplish anything.
Currently we have a constant of 5 seconds against a normal full
lifetime of 30 seconds (before 30 second grace period).  So once a SW
has < 5 seconds of lifetime left, it won't be able to spawn a SW.  Note
that in the case of install/update, we do not prevent the creation of
the job at this time, instead the job will fail during the check script
evaluation step as failure to spawn the ServiceWorker is equivalent to
a script load failure.

A somewhat ugly part of this implementation is that because Bug 1853706
is not yet implemented, our actors that are fundamentally associated
with a global don't have an inherent understanding of their relationship
to that global.  So we approximate that by:
- For postMessage, we always have a ServiceWorkerDescriptor if we are
  being messaged by a ServiceWorker, allowing us direct lookup.
- ServiceWorkerRegistration.update(): In a previous patch in the stack
  we had ServiceWorkerRegistrationProxy latch the ClientInfo of its
  owning global when it was created.  Note that in the case of a
  ServiceWorker's own registration, this will be created at startup
  before the worker hits the execution ready state.
  - Note that because we have at most one live
    ServiceWorkerRegistration per global at a time, and the
    registration is fundamentally associated with the
    ServiceWorkerGlobalScope, that registration and its proxy will
    remain alive for the duration of the global.
- ServiceWorkerContainer.register(): We already were sending the client
  info along with the register call (as well as all other calls on the
  container).

Looking up the ServiceWorker from its client is not something that was
really intended.  This is further complicated by ServiceWorkerManager
being authoritative for ServiceWorkers on the parent process main thread
whereas the ClientManagerService is authoritative on PBackground and
actor-centric, making sketchy multi-threaded maps not really an option.

Looking up the ServiceWorker from a ServiceWorkerDescriptor is intended,
but the primary intent in those cases is so that the recipient of such a
descriptor can easily create a ServiceWorker instance that is
live-updating (by way of its owning ServiceWorkerRegistration; we don't
have IPC actors directly for ServiceWorkers, just the registration).
Adding the descriptor to clients until Bug 1853706 is implemented would
be an exceedingly ugly workaround because it would greatly complicate
the existing plumbing code, and a lot of the code is confusing enough
as-is.

This patch initially adopted an approach of encoding the scope of a
ServiceWorker as its client URL, but it turns out web extension
ServiceWorker support (reasonably) assumed the URL would be the script
URL so the original behavior was restored and when performing our
lookup we just check all registrations associated with the given
origin.  This is okay because register and update calls are inherently
expensive, rare operations and the overhead of the additional checks is
marginal.  Additionally, we can remove this logic once Bug 1853706 is
implemented.

As part of that initial scope tunneling was that, as noted above, we
do sample the ClientInfo for a ServiceWorker's own registration before
the worker is execution-ready.  And prior to this patch, we only would
populate the URL during execution-ready because for most globals, we
can't possibly know the URL when the ClientSource is created.  However,
for ServiceWorkers we can.  Because we also want to know what the id of
the ServiceWorker client would be, we also change the creation of the
ServiceWorker ClientSource so that it uses a ClientInfo created by the
authoritative ServiceWorkerPrivate in its Initialize method.

A minor retained hack is that because the worker scriptloader propagates
its CSP structure onto its ClientInfo (but not its ClientSource, which
feels weird, but makes sense) and that does get sent via register(), we
do also need to normalize the ClientInfo in the parent when we do
equality checking to have it ignore the CSP.

Differential Revision: https://phabricator.services.mozilla.com/D180915
2024-10-24 03:02:42 +00:00

241 lines
8.0 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ClientSourceParent.h"
#include "ClientHandleParent.h"
#include "ClientManagerService.h"
#include "ClientSourceOpParent.h"
#include "ClientValidation.h"
#include "mozilla/dom/ClientIPCTypes.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/PClientManagerParent.h"
#include "mozilla/dom/ServiceWorkerManager.h"
#include "mozilla/dom/ServiceWorkerUtils.h"
#include "mozilla/ipc/BackgroundParent.h"
#include "mozilla/SchedulerGroup.h"
#include "mozilla/Unused.h"
namespace mozilla::dom {
using mozilla::ipc::AssertIsOnBackgroundThread;
using mozilla::ipc::BackgroundParent;
using mozilla::ipc::IPCResult;
using mozilla::ipc::PrincipalInfo;
mozilla::ipc::IPCResult ClientSourceParent::RecvWorkerSyncPing() {
AssertIsOnBackgroundThread();
// Do nothing here. This is purely a sync message allowing the child to
// confirm that the actor has been created on the parent process.
return IPC_OK();
}
IPCResult ClientSourceParent::RecvTeardown() {
Unused << Send__delete__(this);
return IPC_OK();
}
IPCResult ClientSourceParent::RecvExecutionReady(
const ClientSourceExecutionReadyArgs& aArgs) {
// Now that we have the creation URL for the Client we can do some validation
// to make sure the child actor is not giving us garbage. Since we validate
// on the child side as well we treat a failure here as fatal.
if (!ClientIsValidCreationURL(mClientInfo.PrincipalInfo(), aArgs.url())) {
return IPC_FAIL(this, "Invalid creation URL!");
}
mClientInfo.SetURL(aArgs.url());
mClientInfo.SetFrameType(aArgs.frameType());
mExecutionReady = true;
for (ClientHandleParent* handle : mHandleList) {
Unused << handle->SendExecutionReady(mClientInfo.ToIPC());
}
mExecutionReadyPromise.ResolveIfExists(true, __func__);
return IPC_OK();
};
IPCResult ClientSourceParent::RecvFreeze() {
#ifdef FUZZING_SNAPSHOT
if (mFrozen) {
return IPC_FAIL(this, "Freezing when already frozen");
}
#endif
MOZ_DIAGNOSTIC_ASSERT(!mFrozen);
mFrozen = true;
return IPC_OK();
}
IPCResult ClientSourceParent::RecvThaw() {
#ifdef FUZZING_SNAPSHOT
if (!mFrozen) {
return IPC_FAIL(this, "Thawing when not already frozen");
}
#endif
MOZ_DIAGNOSTIC_ASSERT(mFrozen);
mFrozen = false;
return IPC_OK();
}
IPCResult ClientSourceParent::RecvInheritController(
const ClientControlledArgs& aArgs) {
mController.reset();
mController.emplace(aArgs.serviceWorker());
// We must tell the parent-side SWM about this controller inheritance.
nsCOMPtr<nsIRunnable> r = NS_NewRunnableFunction(
"ClientSourceParent::RecvInheritController",
[clientInfo = mClientInfo, controller = mController.ref()]() {
RefPtr<ServiceWorkerManager> swm = ServiceWorkerManager::GetInstance();
NS_ENSURE_TRUE_VOID(swm);
swm->NoteInheritedController(clientInfo, controller);
});
MOZ_ALWAYS_SUCCEEDS(SchedulerGroup::Dispatch(r.forget()));
return IPC_OK();
}
IPCResult ClientSourceParent::RecvNoteDOMContentLoaded() {
if (mController.isSome()) {
nsCOMPtr<nsIRunnable> r =
NS_NewRunnableFunction("ClientSourceParent::RecvNoteDOMContentLoaded",
[clientInfo = mClientInfo]() {
RefPtr<ServiceWorkerManager> swm =
ServiceWorkerManager::GetInstance();
NS_ENSURE_TRUE_VOID(swm);
swm->MaybeCheckNavigationUpdate(clientInfo);
});
MOZ_ALWAYS_SUCCEEDS(SchedulerGroup::Dispatch(r.forget()));
}
return IPC_OK();
}
void ClientSourceParent::ActorDestroy(ActorDestroyReason aReason) {
DebugOnly<bool> removed = mService->RemoveSource(this);
MOZ_ASSERT(removed);
for (ClientHandleParent* handle : mHandleList.Clone()) {
// This should trigger DetachHandle() to be called removing
// the entry from the mHandleList.
Unused << ClientHandleParent::Send__delete__(handle);
}
MOZ_DIAGNOSTIC_ASSERT(mHandleList.IsEmpty());
}
PClientSourceOpParent* ClientSourceParent::AllocPClientSourceOpParent(
const ClientOpConstructorArgs& aArgs) {
MOZ_ASSERT_UNREACHABLE(
"ClientSourceOpParent should be explicitly constructed.");
return nullptr;
}
bool ClientSourceParent::DeallocPClientSourceOpParent(
PClientSourceOpParent* aActor) {
delete aActor;
return true;
}
ClientSourceParent::ClientSourceParent(
const ClientSourceConstructorArgs& aArgs,
const Maybe<ContentParentId>& aContentParentId)
: mClientInfo(aArgs.id(), aArgs.agentClusterId(), aArgs.type(),
aArgs.principalInfo(), aArgs.creationTime(), aArgs.url(),
aArgs.frameType()),
mContentParentId(aContentParentId),
mService(ClientManagerService::GetOrCreateInstance()),
mExecutionReady(false),
mFrozen(false) {}
ClientSourceParent::~ClientSourceParent() {
MOZ_DIAGNOSTIC_ASSERT(mHandleList.IsEmpty());
mExecutionReadyPromise.RejectIfExists(NS_ERROR_FAILURE, __func__);
}
IPCResult ClientSourceParent::Init() {
// Ensure the principal is reasonable before adding ourself to the service.
// Since we validate the principal on the child side as well, any failure
// here is treated as fatal.
if (NS_WARN_IF(!ClientIsValidPrincipalInfo(mClientInfo.PrincipalInfo()))) {
mService->ForgetFutureSource(mClientInfo.ToIPC());
return IPC_FAIL(Manager(), "Invalid PrincipalInfo!");
}
// Its possible for AddSource() to fail if there is already an entry for
// our UUID. This should not normally happen, but could if someone is
// spoofing IPC messages.
if (NS_WARN_IF(!mService->AddSource(this))) {
return IPC_FAIL(Manager(), "Already registered!");
}
return IPC_OK();
}
const ClientInfo& ClientSourceParent::Info() const { return mClientInfo; }
bool ClientSourceParent::IsFrozen() const { return mFrozen; }
bool ClientSourceParent::ExecutionReady() const { return mExecutionReady; }
RefPtr<GenericNonExclusivePromise> ClientSourceParent::ExecutionReadyPromise() {
// Only call if ClientSourceParent::ExecutionReady() is false; otherwise,
// the promise will never resolve
MOZ_ASSERT(!mExecutionReady);
return mExecutionReadyPromise.Ensure(__func__);
}
const Maybe<ServiceWorkerDescriptor>& ClientSourceParent::GetController()
const {
return mController;
}
void ClientSourceParent::ClearController() { mController.reset(); }
void ClientSourceParent::AttachHandle(ClientHandleParent* aClientHandle) {
MOZ_DIAGNOSTIC_ASSERT(aClientHandle);
MOZ_ASSERT(!mHandleList.Contains(aClientHandle));
mHandleList.AppendElement(aClientHandle);
}
void ClientSourceParent::DetachHandle(ClientHandleParent* aClientHandle) {
MOZ_DIAGNOSTIC_ASSERT(aClientHandle);
MOZ_ASSERT(mHandleList.Contains(aClientHandle));
mHandleList.RemoveElement(aClientHandle);
}
RefPtr<ClientOpPromise> ClientSourceParent::StartOp(
ClientOpConstructorArgs&& aArgs) {
RefPtr<ClientOpPromise::Private> promise =
new ClientOpPromise::Private(__func__);
// If we are being controlled, remember that data before propagating
// on to the ClientSource. This must be set prior to triggering
// the controllerchange event from the ClientSource since some tests
// expect matchAll() to find the controlled client immediately after.
// If the control operation fails, then we reset the controller value
// to reflect the final state.
if (aArgs.type() == ClientOpConstructorArgs::TClientControlledArgs) {
mController.reset();
mController.emplace(aArgs.get_ClientControlledArgs().serviceWorker());
}
// Constructor failure will reject the promise via ActorDestroy().
ClientSourceOpParent* actor =
new ClientSourceOpParent(std::move(aArgs), promise);
Unused << SendPClientSourceOpConstructor(actor, actor->Args());
return promise;
}
} // namespace mozilla::dom
Reference in New Issue View Git Blame Copy Permalink