Open the browser console and enter this code:
var proxy = new Proxy({}, new Proxy({}, {get: (_, trap) => (_, ...args) => {
throw new Error(`proxy trap ${JSON.stringify(trap)} was called with arguments ${args.map(JSON.stringify).join(", ")}.`);
}}));
var sandbox = Cu.Sandbox(null);
sandbox.inheritsProxy = Object.create(proxy);
sandbox.eval(`Reflect.apply(inheritsProxy, null, [])`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.defineProperty(inheritsProxy, "a", {})`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.deleteProperty(inheritsProxy, "a", {})`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.get(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.getOwnPropertyDescriptor(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.has(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.ownKeys(inheritsProxy)`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.set(inheritsProxy, "a", 1)`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
This should not happen. It does not happen if I use one of these:
sandbox.inheritsProxy = Object.setPrototypeOf(function(){}, proxy);
sandbox.inheritsProxy = Object.setPrototypeOf([], proxy);
sandbox.inheritsProxy = proxy;
Then I only get "Permission denied" errors. So how come the proxy trap runs with Object.create(proxy) ?
The security wrapper is calling traps instead of protecting the proxy!!
This seems like a flag of the security wrapper, so I'm marking this as security sensitive.
Bug 1392026 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Open the browser console and enter this code:
var proxy = new Proxy({}, new Proxy({}, {get: (_, trap) => (_, ...args) => {
throw new Error(`proxy trap ${JSON.stringify(trap)} was called with arguments ${args.map(JSON.stringify).join(", ")}.`);
}}));
var sandbox = Cu.Sandbox(null);
sandbox.inheritsProxy = Object.create(proxy);
sandbox.eval(`Reflect.apply(inheritsProxy, null, [])`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.defineProperty(inheritsProxy, "a", {})`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.deleteProperty(inheritsProxy, "a", {})`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.get(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.getOwnPropertyDescriptor(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.has(inheritsProxy, "a")`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.ownKeys(inheritsProxy)`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
sandbox.eval(`Reflect.set(inheritsProxy, "a", 1)`);
// Error: proxy trap "has" was called with arguments "__exposedProps__".
This should not happen. It does not happen if I use one of these:
sandbox.inheritsProxy = Object.setPrototypeOf(function(){}, proxy);
sandbox.inheritsProxy = Object.setPrototypeOf([], proxy);
sandbox.inheritsProxy = proxy;
Then I only get "Permission denied" errors. So how come the proxy trap runs with Object.create(proxy) ?
The security wrapper is calling traps instead of protecting the proxy!!
This seems like a flaw of the security wrapper, so I'm marking this as security sensitive.