Open
Bug 1207321
Opened 9 years ago
Updated 8 months ago
Stop exposing XPCWrappedNative (XPCWN) to the web
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
NEW
Tracking | Status | |
---|---|---|
firefox44 | --- | affected |
People
(Reporter: bzbarsky, Assigned: mccr8)
References
(Blocks 2 open bugs)
Details
Obviously this depends on the various bugs that track things we still expose via XPCWN. Added some of those, but some stuff listed in https://etherpad.mozilla.org/classinfo doesn't seem to have associated bugs yet.
Reporter | ||
Comment 2•7 years ago
|
||
It depends on your definitions of "web", "expose", and "is". ;)
The current state of things is that nsScriptSecurityManager::CanCreateWrapper allows creation in the following three cases:
1) This is a remote-XUL domain. Hence my thread about removing remote XUL on .platform.
2) This is a global that did enablePrivilege.
3) This is a global that has the system principal.
What that means in terms of resolving this bug, I'm not sure. I'm not even sure what it means in terms of resolving the bugs it blocks (e.g. can we get rid of XPCWN xrays given the above? Replace them with opaque wrappers, presumably?).
Flags: needinfo?(bzbarsky)
Comment 3•7 years ago
|
||
Per vidyo discussion, I think we should:
* Remove the permission stuff around remote XUL, replace it with: IsFileURIWithPrefSet || IsInAutomation
* Move all web-related stuff to a separate object, only instantiate XPCWNScope for the cases where it's allowed, and kill the CanCreateWrapper stuff.
* Try to get somebody to do the work to remove enablePrivilege (see bug 1435113)
Reporter | ||
Comment 4•5 years ago
|
||
OK, enablePrivilege is gone now. So the only weird case left here is the "remote XUL" bit.
Comment 5•5 years ago
|
||
Andrew, do you have the cycles to take this over? Seems like we can just drop the remaining remote XUL stuff and then make the data structures simpler and safer.
Flags: needinfo?(continuation)
Assignee | ||
Updated•5 years ago
|
Assignee: nobody → continuation
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•