Open Bug 1396145 Opened 3 years ago Updated 1 year ago

Consider disabling eval/Function in BackstagePass scopes

Categories: Core :: XPConnect, enhancement, P2
People: Reporter: kmag, Unassigned
References: Depends on 1 open bug
Details: Keywords: sec-want

One of the last sticking points for enabling shared globals for JSMs is that things like (0, eval)("this") and Function("return this") may behave inconsistently.

Ideally, we really shouldn't be using eval in chrome code at all, and there seems to be a pretty strong consensus that disabling it is the way to go.

Unfortunately, we also seem to have a surprising amount of existing code relying on it:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ebf240a59b63d4589aac4208e68fd621583ef2b&selectedJob=127871107

These are actually instances of the pattern we're trying to avoid, and can be fixed by adding some variables to the header of the script:

http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#689
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#921
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#1248

This one is probably safe, but also entirely unnecessary since it's just eval()ing static JSON-compatible data strings from an adjacent script:

http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/formautofill/phonenumberutils/PhoneNumber.jsm#75


Most of the remaining calls are in test files that we can either fix, or add exceptions for when running in automation.
See Also: → 1396050
Priority: -- → P2
No longer blocks: 1186409
Depends on: 1399997
No longer blocks: 1381961
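The eval-dependent patterns named in the report, next to replacements that never compile a string, as an added example that is not code from the bug or from mozilla-central. The sample data, the function names, the reading of "variables in the header" and the stub-based simulation of a scope with eval/Function disabled are all assumptions made for illustration.

```javascript
// Constructed stand-in for static, JSON-compatible data kept as a string in an adjacent script.
const REGION_DATA = '{"US": ["1", "011"], "DE": ["49", "00"]}';

// Patterns from the bug: each compiles a string as code in the global scope.
const globalViaEval = () => (0, eval)("this");
const globalViaFunction = () => Function("return this")();
const parseViaEval = (text) => (0, eval)("(" + text + ")");

// Replacements that never compile a string.
// Assumed reading of "variables in the header": the loader hands the scope in
// and the names the code needs are bound once, up front.
function bindHeaderVariables(scope) {
  const { setTimeout, clearTimeout } = scope;
  return { setTimeout, clearTimeout };
}
const parseViaJson = (text) => JSON.parse(text);

// Hypothetical simulation of a scope with eval/Function disabled: swap in
// throwing stubs, run fn, always restore. Real enforcement is the engine's job.
function runWithEvalDisabled(fn) {
  const saved = { eval: globalThis.eval, Function: globalThis.Function };
  const blocked = () => { throw new EvalError("eval/Function disabled"); };
  globalThis.eval = blocked;
  globalThis.Function = blocked;
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.name };
  } finally {
    globalThis.eval = saved.eval;
    globalThis.Function = saved.Function;
  }
}

// Report which code paths would break once eval/Function are turned off.
function audit() {
  const paths = {
    globalViaEval, globalViaFunction,
    parseViaEval: () => parseViaEval(REGION_DATA),
    headerVariables: () => bindHeaderVariables(globalThis),
    parseViaJson: () => parseViaJson(REGION_DATA),
  };
  const report = {};
  for (const [name, fn] of Object.entries(paths)) {
    report[name] = runWithEvalDisabled(fn).ok ? "ok" : "breaks";
  }
  return report;
}
console.log(audit());
```

JSON.parse also rejects any input that is not pure data, so the replacement removes the code-execution path rather than only working around the disabled eval.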