Closed Bug 1087924 Opened 11 years ago Closed 11 years ago

Sandboxed subscript cannot access arrays in imported functions

Categories

(Core :: XPConnect, defect)

35 Branch
x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: mxn, Unassigned)

Details

Attachments

(2 files)

Attached file browser-scratchpad.js
Steps to reproduce:

1. Use mozIJSSubScriptLoader to load a subscript with a Sandbox as its target.
2. Import into the Sandbox a function that returns a plain-vanilla array.
3. In the subscript, call valueOf() on the return value of that imported function.

(Run the attached browser-scratchpad.js in Scratchpad using the browser environment. Be sure to set |subscriptUri| to the path to foo.js.)

Actual results:

Security wrapper denied access to property valueOf on privileged Javascript object. Support for exposing privileged objects to untrusted content via __exposedProps__ is being gradually removed - use WebIDL bindings or Components.utils.cloneInto instead. Note that only the first denied property access from a given global object will be reported.

Expected results:

The array should have been treated as an array with the built-in, unmodified Array.prototype as its prototype, as described at <https://developer.mozilla.org/en-US/docs/Xray_vision#Xray_semantics_for_Object_and_Array>. If you evaluate the same JavaScript code in the same sandbox using Components.utils.evalInSandbox(), the sandboxed code can access the array's valueOf().

This error started appearing in Firefox 35.0a1 build 2014-10-04.
This code exposes a chrome array to non-chrome code, which we explicitly turned off in bug 1065186. If you want the code to work, you should have the chrome function create a bona fide content array (var x = new sandbox.Array()), and then pass that back to the sandbox.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
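
The fix suggested in the reply, next to the pattern from the report, as an added example that is not taken from the bug's attachments or from Mozilla's code. It assumes a chrome-privileged scope where `Cu` is `Components.utils`, and that the function is imported by assigning it onto the sandbox (the attachment is not shown on this page); the function names, the `getList` property, the origin and the sample items are hypothetical.

```javascript
// Added example. Call from privileged code as, for instance,
//   callValueOf(Components.utils, importContentArray)

// Pattern from the report: the array is created in the chrome compartment.
// A subscript loaded into the sandbox that calls getList().valueOf() gets
// "Security wrapper denied access to property valueOf".
function importChromeArray(Cu, sandbox, items) {
  sandbox.getList = function () {
    return items.slice();
  };
}

// Fix from the reply: create the array with the sandbox's own Array
// constructor, so the returned object belongs to the sandbox's compartment.
function importContentArray(Cu, sandbox, items) {
  sandbox.getList = function () {
    let arr = new sandbox.Array();
    for (let item of items) {
      // Assumption: items are primitives. A chrome object stored here would
      // be a privileged object exposed to the sandbox all over again.
      arr.push(item);
    }
    return arr;
  };
}

// Alternative named in the error message: structured-clone the data into
// the sandbox's scope with Components.utils.cloneInto.
function importClonedArray(Cu, sandbox, items) {
  sandbox.getList = function () {
    return Cu.cloneInto(items, sandbox);
  };
}

// Create a sandbox for a constructed content origin, import getList with
// the chosen importer, and evaluate the expression from the report in it.
function callValueOf(Cu, importer) {
  let sandbox = new Cu.Sandbox("https://example.com/");
  importer(Cu, sandbox, ["a", "b"]);
  return Cu.evalInSandbox("getList().valueOf().join(',')", sandbox);
}
```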