Closed
Bug 1015396
Opened 11 years ago
Closed 11 years ago
Prepare Addon-SDK for Object Xrays
Categories
(Add-on SDK Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla32
People
(Reporter: bholley, Assigned: bholley)
References
Details
Attachments
(1 file, 1 obsolete file)
|
9.40 KB,
patch
|
irakli
:
review+
|
Details | Diff | Splinter Review |
XrayToJS is now green aside from Jetpack tests:
https://tbpl.mozilla.org/?tree=Try&rev=75c2360851e4
I did some initial work to fix some failures I encountered earlier, but I don't really understand enough about the architecture to do this properly. I'm hoping that gabor can figure out what the right thing to do here is.
|
Assignee | |
Updated•11 years ago
|
Summary: Prepare Addon-SDK for XrayToJS → Prepare Addon-SDK for XrayToJSObject
|
|
Assignee | |
Comment 1•11 years ago
|
||
I did some initial work here, but I'm not sure if this is the right approach
to solve the issues in comment 0. Gabor, what do you think?
|
|
Assignee | |
Updated•11 years ago
|
Flags: needinfo?(gkrizsanits)
|
|
Assignee | |
Updated•11 years ago
|
Summary: Prepare Addon-SDK for XrayToJSObject → Prepare Addon-SDK for Object Xrays
|
||
Comment 2•11 years ago
|
||
I honestly have no idea... Did you locate what fails exactly in that injection magic? That part of the SDK is unreadable for my eyes. I will try to get back here once I have a good grasp of the object xray patches. Maybe you should consult with Irakli about this, he should have a better understanding what is exactly going on there. But I guess first we have to figure out what fails exactly, why modelFor(...).emitToContent is not a function.
Flags: needinfo?(gkrizsanits)
|
||
Comment 3•11 years ago
|
||
is there some more formal description/documentation of changes introduced by these xray changes? something that could be easier to follow than bugzilla comments and diff patches?
|
|
Assignee | |
Comment 4•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #2)
> But I guess first we have to
> figure out what fails exactly, why modelFor(...).emitToContent is not a
> function.
Presumably because modelFor(...) returns an untrusted (and therefore Xrayed) object, and we disallow resolving callable properties on such objects. I could fix this by just sprinkling a bunch of Cu.waiveXray calls everywhere, but I don't understand this setup enough to know whether that would be safe.
(In reply to Tomislav Jovanovic [:zombie] from comment #3)
> is there some more formal description/documentation of changes introduced by
> these xray changes? something that could be easier to follow than bugzilla
> comments and diff patches?
In general I followed the model in bug 987111 comment 0, with a couple of adjustments. To see the precise implementation, see parts 8, 9, and 10. To see what this looks like from the JS side, see the tests.
If anyone wants to write documentation about this, I'm happy to go through the changes in gory detail.
|
|
||
Comment 5•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #4)
> Presumably because modelFor(...) returns an untrusted (and therefore Xrayed)
> object, and we disallow resolving callable properties on such objects. I
This will break add-ons, so we need some strategy for landing this. Currently Cu
is not available for content-script / GM sandboxes. Is there a wrappedJSObject
property on these xrays or should we expose un/waiveXray methods for these sandboxes?
> could fix this by just sprinkling a bunch of Cu.waiveXray calls everywhere,
> but I don't understand this setup enough to know whether that would be safe.
So this code is about creating sandboxes for content-script from addon scope, and
injecting a few helpers into them (pipes). These sandboxes are not just trusted code,
but at this point in time no code has run in them, so it's absolutely safe I'd say.
Just add waiveXray calls until it's working and make sure you add some short explanation.
> If anyone wants to write documentation about this, I'm happy to go through
> the changes in gory detail.
Since this is (likely) going to break some addons, and they will have to use a new API
(waiveXray) we need a short blog about it as well.
|
|
||
Comment 6•11 years ago
|
||
> Since this is (likely) going to break some addons, and they will have to use
> a new API
> (waiveXray) we need a short blog about it as well.
Ok, so wrappedJSObject is available so no new API is needed, we just have to give some heads-up about this change before breaking add-ons.
|
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #6)
> Ok, so wrappedJSObject is available so no new API is needed, we just have to
> give some heads-up about this change before breaking add-ons.
Yeah. XPCNativeWrapper.unwrap works as well. I just try to use the Cu API wherever possible because it's clearer.
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #5)
> So this code is about creating sandboxes for content-script from addon
> scope, and
> injecting a few helpers into them (pipes). These sandboxes are not just
> trusted code,
> but at this point in time no code has run in them, so it's absolutely safe
> I'd say.
> Just add waiveXray calls until it's working and make sure you add some short
> explanation.
Ok, I'll give that a try.
|
|
||
Comment 8•11 years ago
|
||
Hey Jeff, I just wanted to get this bug under your radar. Bobby is about to land a special xray for vanilla JSObjects. It will break addons, so we will have to work out a landing strategy.
example that will break:
unsafeWindow.contentDefinedFunction(); <-- will throw a contentDefinedFunction is not defined
workaround:
unsafeWindow.wrappedJSObject.contentDefinedFunction() <-- will waive xray and work as before
there are some other cases too which will fail, like setting/getting some properties on an object from the page script, the workaround will be the same in each scenario. I think if we write a short blog about the different cases, with the workaround and post it before sending the patches to mc then it should be fine...
Flags: needinfo?(jgriffin)
|
|
||
Comment 9•11 years ago
|
||
I'm even considering opting out object xrays for add-ons. I can see how this is incredibly helpful for webidl and in general in the chrome vs content scenario. But frankly, for add-on content-script or grase monkey equivalent it seems to be just another source of frustration. From an add-on developers perspective this is just yet another magic layer that does tricky stuff and have to be waive... I don't really see a scenario where this gives an extra security for add-ons. Bobby, what do you think about opting this out for add-on sandboxes? Haven't thought about the possible consequences, just a wild idea, but I think we should consider it.
|
|
Assignee | |
Comment 10•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #8)
> example that will break:
> unsafeWindow.contentDefinedFunction(); <-- will throw a
> contentDefinedFunction is not defined
>
> workaround:
> unsafeWindow.wrappedJSObject.contentDefinedFunction() <-- will waive xray
> and work as before
Wait, what? Doesn't unsafeWindow _already_ waive Xrays? That's the only reason you could ever see content-defined expandos.
> there are some other cases too which will fail, like setting/getting some
> properties on an object from the page script
But how will the content script even get a reference to the object in the first place? It seems like that would only happen in cases where Xrays have already been waived.
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #9)
> I'm even considering opting out object xrays for add-ons.
I am open to this if object Xrays really would introduce a lot of pain. But so far I'm not convinced. Can you convince me?
|
|
||
Comment 11•11 years ago
|
||
> Hey Jeff, I just wanted to get this bug under your radar. Bobby is about to land a special xray for
> vanilla JSObjects.
I'm Jonathan, did you mean someone else instead?
|
|
||
Comment 12•11 years ago
|
||
I'm sorry, I accidentally miss-clicked on the wrong name from the list it seems... I meant Jeff Griffith
Flags: needinfo?(jgriffiths)
|
|
||
Comment 13•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #10)
> Wait, what? Doesn't unsafeWindow _already_ waive Xrays? That's the only
> reason you could ever see content-defined expandos.
>
OK, I have not tested it and I might be completely wrong here, wrappedJSObject used to be a shallow waiver but that might be completely gone by now. So if you're saying that unsafeWindow does deep waiving, then probably this is just a false alarm, and add-ons should not experience much from this change.
|
|
Assignee | |
Comment 14•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #13)
> OK, I have not tested it and I might be completely wrong here,
> wrappedJSObject used to be a shallow waiver but that might be completely
> gone by now. So if you're saying that unsafeWindow does deep waiving, then
> probably this is just a false alarm, and add-ons should not experience much
> from this change.
I think we fixed the shallow/deep waiver thing. It used to be an odd effect that came from mixing access to Xrayable and non-Xrayable objects. We only did waivers to Xrayable objects. So if you did someXrayableObject.wrappedJSObject.someXrayableObject, you'd get a waiver. But if you did someXrayableObject.wrappedJSObject.someNonXrayableObject.someXrayableObject, you wouldn't get a waiver.
But now we maintain waivers even over non-Xrayable objects, so this should be a non-issue.
Flags: needinfo?(jgriffin)
|
|
||
Comment 15•11 years ago
|
||
Uh, so how exactly will it work?
I'm OoO this week but finally have access to the AMO database again and can look to see what the usage of these patterns are ( I think they're fairly low )
Flags: needinfo?(jgriffiths)
|
|
Assignee | |
Comment 16•11 years ago
|
||
Irakli says we can just git rid of the double sandboxes in the Addon SDK, which seems to fix most of the problems I'd run into. Pushing to try to see if there are any others:
https://tbpl.mozilla.org/?tree=Try&rev=37cd32a438d9
|
|
Assignee | |
Comment 17•11 years ago
|
||
Currently, Jetpack uses two sandboxes for each content script - one for the
content script itself, and another for SDK machinery. And we end up getting Xrays
between the sandboxes, even though they're same-origin (generally with an nsEP)
because Jetpack sandboxes use |wantXrays: true| to get same-origin Xrays.
Object Xrays cause all sorts of communication problems between the sandboxes.
Irakli says we don't actually need the separate sandbox anymore since we've
removed the proxy layer, so let's just get rid of it.
Attachment #8431016 -
Flags: review?(rFobic)
|
|
Assignee | |
Comment 18•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #16)
> https://tbpl.mozilla.org/?tree=Try&rev=37cd32a438d9
(This was green modulo the fact that I needed to duplicate the changes in sandbox.js to deprecated/traits-worker.js)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8427946 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 19•11 years ago
|
||
Green try push: https://tbpl.mozilla.org/?tree=Try&rev=bbd8afc93c21
|
|
||
Comment 20•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #17)
> Created attachment 8431016 [details] [diff] [review]
> Get rid of apiSandbox. v1
>
> Currently, Jetpack uses two sandboxes for each content script
> Irakli says we don't actually need the separate sandbox anymore since we've
> removed the proxy layer, so let's just get rid of it.
Actually the proxy layer was not the reason for the two sandboxes. The reasoning behind it was (if I'm not mistaken) that when a content-script modifies its base prototype like Object/Function.prototype etc., that might alter or break the behavior of these basic jetpack API (accidentally). So it's mostly for guarding add-on developers against shooting them-self in the foot. I don't feel very strongly about keeping them, just wanted to make it clear before we ditch it.
|
|
||
Comment 21•11 years ago
|
||
(In reply to Jeff Griffiths (:canuckistani) from comment #15)
> Uh, so how exactly will it work?
I think we don't have to worry about this. It's extremely hard from add-on code to get a reference to an xrayed JSObject. Because we have to waive xrays (like unsafeWindow does) to get a reference to a JSObject from the page scope, and then one would have to explicitly unwaive the xray on that object to get the altered behavior. I don't think any add-on developer ever did something like that, or even aware of the fact that such thing is possible for that matter. TL;DR: it was a false alarm :)
|
||
Updated•11 years ago
|
Attachment #8431016 -
Flags: review?(rFobic) → review+
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → bobbyholley
|
|
Assignee | |
Comment 22•11 years ago
|
||
|
||
Comment 23•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
|
||
Comment 24•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/addon-sdk
https://github.com/mozilla/addon-sdk/commit/c6e0346eb3da51a78f2c7ed1135792f80b6f0283
Bug 1015396 - Get rid of apiSandbox. r=irakli
Currently, Jetpack uses two sandboxes for each content script - one for the
content script itself, and another for SDK machinery. And we end up getting Xrays
between the sandboxes, even though they're same-origin (generally with an nsEP)
because Jetpack sandboxes use |wantXrays: true| to get same-origin Xrays.
Object Xrays cause all sorts of communication problems between the sandboxes.
Irakli says we don't actually need the separate sandbox anymore since we've
removed the proxy layer, so let's just get rid of it.
You need to log in
before you can comment on or make changes to this bug.
Description
•