Open
Bug 1396145
Opened 7 years ago
Updated 2 years ago
Consider disabling eval/Function in BackstagePass scopes
Categories: Core :: XPConnect, enhancement, P2
Status: NEW
People: Reporter: kmag, Unassigned
References: Depends on 1 open bug
Keywords: sec-want
One of the last sticking points for enabling shared globals for JSMs is that things like (0, eval)("this") and Function("return this") may behave inconsistently.
Ideally, we really shouldn't be using eval in chrome code at all, and there seems to be a pretty strong consensus that disabling it is the way to go.
Unfortunately, we also seem to have a surprising amount of existing code relying on it:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ebf240a59b63d4589aac4208e68fd621583ef2b&selectedJob=127871107
These are actually instances of the pattern we're trying to avoid, and can be fixed by adding some variables to the header of the script:
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#689
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#921
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#1248
This one is probably safe, but also entirely unnecessary since it's just eval()ing static JSON-compatible data strings from an adjacent script:
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/formautofill/phonenumberutils/PhoneNumber.jsm#75
Most of the remaining calls are in test files that we can either fix, or add exceptions for when running in automation.
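The two patterns in the description above, as an added JavaScript example (not code from the bug or from mozilla-central): a global-object lookup that reaches its dynamic-evaluation fallback only when no header variable is defined, and static data loaded with JSON.parse instead of eval. It assumes the linked instances are global-lookup fallbacks of the kind vendored libraries commonly carry; the function names, the `evalDisabled` stand-in and the sample strings are constructed for illustration.

```javascript
'use strict';
// Added example: every name here is hypothetical and the sample strings are constructed.

// Pattern 1: a library looks up its global object and falls back to dynamic code
// evaluation only when no usable `global`/`self` variable is in scope.
// `header` stands in for variables declared at the top of the script.
function resolveRoot(header, dynamicFallback) {
  const usable = (v) => typeof v === 'object' && v !== null && v.Object === Object && v;
  return usable(header.global) || usable(header.self) || dynamicFallback();
}

// The two eval-based routes to the global object named in the description.
const viaIndirectEval = () => (0, eval)('this');
const viaFunction = () => Function('return this')();

// Stand-in for a scope in which eval/Function have been disabled.
const evalDisabled = () => { throw new EvalError('string evaluation disabled'); };

// Pattern 2: static, JSON-compatible data loaded with eval versus JSON.parse.
const loadWithEval = (text) => (0, eval)('(' + text + ')'); // runs whatever the string holds
const loadWithJsonParse = (text) => JSON.parse(text);       // data only, else SyntaxError

// Constructed sample inputs.
const staticData = '{"US": ["1", "011"], "DE": ["49", "00"]}';
const notJustData = '(globalThis.sideEffect = "ran", {"US": ["1"]})';

function demo() {
  const out = {};
  out.sameGlobal = viaIndirectEval() === globalThis && viaFunction() === globalThis;
  // With a header variable defined, the dynamic fallback is never reached.
  out.headerAvoidsFallback = resolveRoot({ global: globalThis }, evalDisabled) === globalThis;
  try { resolveRoot({}, evalDisabled); out.noHeader = 'ok'; }
  catch (e) { out.noHeader = e.name; }
  out.sameData = JSON.stringify(loadWithEval(staticData)) === JSON.stringify(loadWithJsonParse(staticData));
  loadWithEval(notJustData);
  out.evalRanCode = globalThis.sideEffect === 'ran';
  try { loadWithJsonParse(notJustData); out.jsonRejects = false; }
  catch (e) { out.jsonRejects = e instanceof SyntaxError; }
  return out;
}

console.log(demo());
```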
Updated 7 years ago: Priority: -- → P2
Updated 2 years ago: Severity: normal → S3