(In reply to Nicolas Chevobbe [:nchevobbe] from comment #12) > yes, we have access to it there (e.g. https://searchfox.org/mozilla-central/rev/abf6758ed833c203f84703aa2e3e3d317571b1e9/devtools/server/actors/webconsole/eval-with-debugger.js#529-536) Thanks. so far, I can get the `window` reference, but it's the debuggee's window, and at the point of creating the debugger, the window's properties can already be modified. (`document` property is not configurable, but for example `performance` property is configurable) So, we cannot add the those getters to allowlist. I'll see if I can get unmodified getter values via Xray or something from the `window`. if that doesn't work, the other options I can think of are: * use some other window, such as browser window itself * question: is there any case that devtools debugger gets initialized without any browser window? * add special function to return `window`'s all getters * add special function that checks if given function is window getters * or maybe just check is given function is safe?
Bug 1806598 Comment 13 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Nicolas Chevobbe [:nchevobbe] from comment #12) > yes, we have access to it there (e.g. https://searchfox.org/mozilla-central/rev/abf6758ed833c203f84703aa2e3e3d317571b1e9/devtools/server/actors/webconsole/eval-with-debugger.js#529-536) Thanks. so far, I can get the `window` reference, but it's the debuggee's window, and at the point of creating the debugger, the window's properties can already be modified. (`document` property is not configurable, but for example `performance` property is configurable) So, we cannot add the those getters to allowlist. I'll see if I can get unmodified getter values via Xray or something from the `window`. if that doesn't work, the other options I can think of are: * use some other window, such as browser window itself * question: is there any case that devtools debugger gets initialized without any browser window? * add special function to return `window`'s all getters * add special function that checks if given function is window getters * or maybe just check if given function is safe?