Closed
Bug 1320181
Opened 8 years ago
Closed 8 years ago
Storage sanitizer should return an empty object belonging to the correct scope.
Categories
(WebExtensions :: General, defect, P3)
WebExtensions
General
Tracking
(firefox53 fixed)
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox53 | --- | fixed |
People
(Reporter: 21Naown, Assigned: rpl)
Details
(Whiteboard: triaged)
Attachments
(1 file)
chrome.storage.local.set({mapObject: mapObjectOther}); ... show this message in console: Security wrapper denied access to property (void 0) on privileged Javascript object. Support for exposing privileged objects to untrusted content via __exposedProps__ is being gradually removed - use WebIDL bindings or Components.utils.cloneInto instead. Note that only the first denied property access from a given global object will be reported. (source inconnue)
Comment 1•8 years ago
|
||
The message is only a warning. storage.local only supports storing JSON-compatible objects, which means that maps ignored, and when used as the root object of a storage value, replaced with an empty object.
Status: UNCONFIRMED → NEW
Component: WebExtensions: Untriaged → WebExtensions: General
Ever confirmed: true
Summary: "chrome.storage.local.set()" fails with "security wrapper" alert with Map object → Storage sanitizer should return an empty object belonging to the correct scope.
Hum, my bad for JSON-compatible objects, I did not check if maps were compatible. I assume you are focusing on the "unknown source" now, that is why you let this ticket opened?
Comment 3•8 years ago
|
||
The security wrapper warning still needs to be fixed, yes. It's harmless, but it's also confusing.
Updated•8 years ago
|
Assignee: nobody → lgreco
Priority: -- → P3
Whiteboard: triaged
Comment hidden (mozreview-request) |
Comment 5•8 years ago
|
||
mozreview-review |
Comment on attachment 8815009 [details] Bug 1320181 - Storage sanitizer should return an empty object belonging to the correct scope. https://reviewboard.mozilla.org/r/96026/#review96140 ::: toolkit/components/extensions/ExtensionStorage.jsm:66 (Diff revision 1) > + default: > + Cu.reportError(`${context.contentWindow.location.href} is trying to serialize a ${className} instance into a WebExtensions storage`); I don't think this is necessary. ::: toolkit/components/extensions/ExtensionStorage.jsm:75 (Diff revision 1) > - return {}; > + // NOTE: using cloneInto here to prevent security wrappers errors to be logged. > + return Cu.cloneInto({}, context.contentWindow); `return new context.cloneScope.Object()`
Assignee | ||
Comment 6•8 years ago
|
||
Comment on attachment 8815009 [details] Bug 1320181 - Storage sanitizer should return an empty object belonging to the correct scope. Hi Kris, I've just attached a small patch that change the sanitizer helper to: - return an empty object which belongs to the correct scope. - log a detailed warning message when the saved value of an unsupported type (e.g. if it's a function or an instance of a non-supported constructor like a Map or a Set etc), but without preventing the other properties to be saved correctly. Let me know if the change it is in the right direction or if you had other ideas of how to handle this scenarios.
Attachment #8815009 -
Flags: feedback?(kmaglione+bmo)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 8•8 years ago
|
||
Pushed to try: - https://treeherder.mozilla.org/#/jobs?repo=try&revision=6954aa4fda1573cdfe01781ecbd6110d86cc888c&selectedJob=31972625
Status: NEW → ASSIGNED
Comment 9•8 years ago
|
||
mozreview-review |
Comment on attachment 8815009 [details] Bug 1320181 - Storage sanitizer should return an empty object belonging to the correct scope. https://reviewboard.mozilla.org/r/96026/#review96500 ::: toolkit/components/extensions/ExtensionStorage.jsm:24 (Diff revision 2) > "resource://gre/modules/AsyncShutdown.jsm"); > > -function jsonReplacer(key, value) { > +/** > + * Helper function used to sanitize the objects that have to be saved in the ExtensionStorage. > + * > + * @param {ExtensionBaseContextChild | ContentScriptContextChild} context `@param {BaseContext}` ::: toolkit/components/extensions/ExtensionStorage.jsm:25 (Diff revision 2) > + * the current extension context. > + * @param {string} key > + * the key of the current JSON property. > + * @param {any} value > + * the value of the current JSON property. Please capitalize descriptions. ::: toolkit/components/extensions/ExtensionStorage.jsm:88 (Diff revision 2) > * The extension context in which to sanitize the value > * @returns {value} > * The sanitized value. > */ > sanitize(value, context) { > - let json = context.jsonStringify(value, jsonReplacer); > + let json = context.jsonStringify(value, (...args) => jsonReplacer(context, ...args)); `jsonReplacer.bind(context)`
Attachment #8815009 -
Flags: review+
Comment hidden (mozreview-request) |
Assignee | ||
Updated•8 years ago
|
Keywords: checkin-needed
Comment 11•8 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f46301403352 Storage sanitizer should return an empty object belonging to the correct scope. r=kmag
Keywords: checkin-needed
Comment 12•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/f46301403352
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•