Closed
Bug 1335654
Opened 7 years ago
Closed 7 years ago
Fix the exceptions we throw for our cross-origin objects to actually mostly follow the spec
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla54
Tracking | Status | |
---|---|---|
firefox54 | --- | fixed |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
Attachments
(4 files, 2 obsolete files)
7.74 KB,
patch
|
jandem
:
review+
bholley
:
review+
|
Details | Diff | Splinter Review |
5.17 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
23.57 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
4.04 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
Got tired of this. The current exceptions are thrown in general JS Wrapper code, so can't be the DOMExceptions we want. We just need to throw on the XPConnect side instead.
Assignee | ||
Comment 1•7 years ago
|
||
Attachment #8832343 -
Flags: review?(jwalden+bmo)
Attachment #8832343 -
Flags: review?(bobbyholley)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•7 years ago
|
||
Attachment #8832344 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 3•7 years ago
|
||
More parts (that actually change behavior) coming once I finish the try run. I do have one unfixed bit left: the exception thrown by [[SetPrototype]]. In our code, we land in XrayWrapper<Base, Traits>::setPrototype, Base::hasSecurityPolicy() is true, so we call SecurityWrapper<Base>::setPrototype which happily throws a non-TypeError for us. Now I could change that to throw a TypeError. Or I could try to take over the throwing myself based on the traits or something. But I don't understand this setPrototype setup well enough to decide which is better....
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 4•7 years ago
|
||
Attachment #8832357 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 5•7 years ago
|
||
Attachment #8832358 -
Flags: review?(bobbyholley)
Comment 6•7 years ago
|
||
Comment on attachment 8832357 [details] [diff] [review] part 3. Implement actually throwing a SecurityError when cross-origin property accesses are denied Review of attachment 8832357 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/xpconnect/wrappers/AccessCheck.cpp @@ +295,5 @@ > + // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending > + // does. > + JS::RootedValue idVal(cx, js::IdToValue(id)); > + nsAutoJSString propName; > + if (!propName.init(cx, JS_ValueToSource(cx, idVal))) { It doesn't seem entirely obvious to be that JS_ValueToSource can't return null
Assignee | ||
Comment 7•7 years ago
|
||
You are absolutely right; it can OOM. I meantto have null-checks there, then forgot to...
Assignee | ||
Comment 8•7 years ago
|
||
Attachment #8832365 -
Flags: review?(bobbyholley)
Assignee | ||
Updated•7 years ago
|
Attachment #8832357 -
Attachment is obsolete: true
Attachment #8832357 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 9•7 years ago
|
||
Attachment #8832366 -
Flags: review?(bobbyholley)
Assignee | ||
Updated•7 years ago
|
Attachment #8832358 -
Attachment is obsolete: true
Attachment #8832358 -
Flags: review?(bobbyholley)
Updated•7 years ago
|
Attachment #8832343 -
Flags: review?(bobbyholley) → review+
Comment 10•7 years ago
|
||
Comment on attachment 8832344 [details] [diff] [review] part 2. Change the deny() methods of our wrapper security policies to take a JSContext and a mayThrow boolean Review of attachment 8832344 [details] [diff] [review]: ----------------------------------------------------------------- It's a little weird to maintain the non-JSAPI calling convention here while taking a cx. But I guess it's ok... ::: js/xpconnect/wrappers/AccessCheck.cpp @@ +447,5 @@ > // Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR. > if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE || > act == js::Wrapper::GET_PROPERTY_DESCRIPTOR) > { > + // XXXbz Do we really want to do that if mayThrow is false? Yes. ReportWrapperDenial is about logging and stuff, which we want to do even if we don't interrupt script over the violation. Please remove this comment.
Attachment #8832344 -
Flags: review?(bobbyholley) → review+
Comment 11•7 years ago
|
||
Comment on attachment 8832365 [details] [diff] [review] part 3. Implement actually throwing a SecurityError when cross-origin property accesses are denied Review of attachment 8832365 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/xpconnect/wrappers/AccessCheck.cpp @@ +295,5 @@ > + // matches what AutoEnterPolicy::reportErrorIfExceptionIsNotPending > + // does. > + JS::RootedValue idVal(cx, js::IdToValue(id)); > + nsAutoJSString propName; > + JSString* idStr = JS_ValueToSource(cx, idVal); Does this need to be rooted?
Attachment #8832365 -
Flags: review?(bobbyholley) → review+
Comment 12•7 years ago
|
||
Comment on attachment 8832366 [details] [diff] [review] part 4. Fix some CrossOriginXrayWrapper error reporting bits to follow the HTML spec for cross-origin objects Review of attachment 8832366 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/xpconnect/wrappers/FilteringWrapper.cpp @@ +296,5 @@ > + return false; > + } > + if (!propName.init(cx, idStr)) { > + return false; > + } This junk is in 3 places now. Can you move it to a helper?
Attachment #8832366 -
Flags: review?(bobbyholley) → review+
Assignee | ||
Comment 13•7 years ago
|
||
> Does this need to be rooted? I don't think so, but I guess there's no real harm in rooting it. Will do that. > This junk is in 3 places now. Can you move it to a helper? Good point. Will add an AccessCheck method for this.
Comment 14•7 years ago
|
||
Comment on attachment 8832343 [details] [diff] [review] part 1. Propagate AutoEnterPolicy's mayThrow argument to the enter() methods of proxy handlers, so they know whether it's OK to throw some sort of custom exception or whether they should just silently deny Review of attachment 8832343 [details] [diff] [review]: ----------------------------------------------------------------- Stealing as discussed on IRC.
Attachment #8832343 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Comment 15•7 years ago
|
||
> Please remove this comment.
Replaced it with:
// Note that ReportWrapperDenial doesn't do any _exception_ reporting,
// so we want to do this regardless of the value of mayThrow.
Comment 16•7 years ago
|
||
Pushed by bzbarsky@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/47f366b5d467 part 1. Propagate AutoEnterPolicy's mayThrow argument to the enter() methods of proxy handlers, so they know whether it's OK to throw some sort of custom exception or whether they should just silently deny. r=bholley,jandem https://hg.mozilla.org/integration/mozilla-inbound/rev/4b8049495d3d part 2. Change the deny() methods of our wrapper security policies to take a JSContext and a mayThrow boolean. r=bholley https://hg.mozilla.org/integration/mozilla-inbound/rev/89525b069d92 part 3. Implement actually throwing a SecurityError when cross-origin property accesses are denied. r=bholley https://hg.mozilla.org/integration/mozilla-inbound/rev/d33dc84d6386 part 4. Fix some CrossOriginXrayWrapper error reporting bits to follow the HTML spec for cross-origin objects. r=bholley
Comment 17•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/47f366b5d467 https://hg.mozilla.org/mozilla-central/rev/4b8049495d3d https://hg.mozilla.org/mozilla-central/rev/89525b069d92 https://hg.mozilla.org/mozilla-central/rev/d33dc84d6386
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment 18•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #3) > More parts (that actually change behavior) coming once I finish the try run. > > I do have one unfixed bit left: the exception thrown by [[SetPrototype]]. > In our code, we land in XrayWrapper<Base, Traits>::setPrototype, > Base::hasSecurityPolicy() is true, so we call > SecurityWrapper<Base>::setPrototype which happily throws a non-TypeError for > us. Now I could change that to throw a TypeError. Or I could try to take > over the throwing myself based on the traits or something. But I don't > understand this setPrototype setup well enough to decide which is better.... Per IRC discussion, we should override setPrototype in CrossOriginXrayWrapper.
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 19•7 years ago
|
||
> Per IRC discussion, we should override setPrototype in CrossOriginXrayWrapper. Filed bug 1344443 on this.
You need to log in
before you can comment on or make changes to this bug.
Description
•