Module layout_2013::wrapper
A safe wrapper for DOM nodes that prevents layout from mutating the DOM, from letting DOM nodes escape, and from generally doing anything that it isn’t supposed to. This is accomplished via a simple whitelist of allowed operations, along with some lifetime magic to prevent nodes from escaping.
As a security wrapper is only as good as its whitelist, be careful when adding operations to this list. The cardinal rules are:
- Layout is not allowed to mutate the DOM.
- Layout is not allowed to see anything with LayoutDom in the name, because it could hang onto these objects and cause use-after-free.
When implementing wrapper functions, be careful that you do not touch the borrow flags, or you will race and cause spurious thread failure. (Note that I do not believe these races are exploitable, but they’ll result in brokenness nonetheless.)
Rules of the road for this file:
- Do not call any methods on DOM nodes without checking to see whether they use borrow flags.
  o Instead of get_attr(), use .get_attr_val_for_layout().
  o Instead of html_element_in_html_document(), use html_element_in_html_document_for_layout().
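The wrapper pattern described above, as an added Rust sketch that is not this crate's own code: a handle with a private field, a small set of read-only operations, a read path that never writes the borrow flag, and a higher-ranked closure bound that stops the handle from escaping. All type and function names are hypothetical, and the sketch assumes script is paused while the layout view exists.

```rust
// Added sketch; every name below is hypothetical and not part of this crate's API.
pub mod wrapper {
    use std::cell::RefCell;
    /// Script-side node; script mutates `attrs` through the RefCell borrow flag.
    pub struct DomNode {
        pub attrs: RefCell<Vec<(String, String)>>,
        pub children: Vec<DomNode>,
    }
    /// Constructed sample-data helper: a node carrying only a `class` attribute.
    pub fn node(class: &str, children: Vec<DomNode>) -> DomNode {
        let attrs = RefCell::new(vec![("class".to_owned(), class.to_owned())]);
        DomNode { attrs, children }
    }
    /// Layout's only handle: private field, read-only methods, bound to 'dom.
    #[derive(Clone, Copy)]
    pub struct LayoutNode<'dom>(&'dom DomNode);
    impl<'dom> LayoutNode<'dom> {
        /// Allowed: read an attribute without writing to the borrow flag.
        pub fn attr_val_for_layout(self, name: &str) -> Option<&'dom str> {
            // SAFETY (assumption of this sketch): script is paused while the
            // layout view exists, so no mutable borrow overlaps this read.
            let attrs = unsafe { self.0.attrs.try_borrow_unguarded() }.ok()?;
            attrs.iter().find(|(k, _)| k.as_str() == name).map(|(_, v)| v.as_str())
        }
        /// Allowed: walk children, handing out wrappers and never `&DomNode`.
        pub fn children(self) -> impl Iterator<Item = LayoutNode<'dom>> {
            self.0.children.iter().map(LayoutNode)
        }
    }
    /// `f` must accept every 'd, so R cannot name it: `|n| n` is rejected at
    /// compile time and no wrapper outlives this call.
    pub fn with_layout_view<R>(root: &DomNode, f: impl for<'d> FnOnce(LayoutNode<'d>) -> R) -> R {
        f(LayoutNode(root))
    }
}

/// Layout-side pass over the tree; only owned data leaves the view.
pub fn collect_classes(root: &wrapper::DomNode) -> Vec<String> {
    fn walk<'dom>(n: wrapper::LayoutNode<'dom>, out: &mut Vec<String>) {
        out.extend(n.attr_val_for_layout("class").map(str::to_owned));
        for child in n.children() { walk(child, out); }
    }
    wrapper::with_layout_view(root, |n| { let mut out = Vec::new(); walk(n, &mut out); out })
}

fn main() {
    let root = wrapper::node("page", vec![wrapper::node("nav", vec![]), wrapper::node("body", vec![])]);
    println!("{:?}", collect_classes(&root));
}
```

Adding a method that returns `&DomNode` or any `&mut` from `LayoutNode` would break both cardinal rules at once, which is why each new operation on such a wrapper deserves review.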