Closed Bug 1520823 Opened 1 year ago Closed 1 year ago

Silently denied access to listener.listenerObject.handleEvent


(DevTools :: Console, defect, P2)



(Not tracked)



(Reporter: miker, Assigned: miker)




(3 files)

Attached file test.html


  1. Apply the attached patch.
  2. Build Firefox (debug build).
  3. Open the attached file test.html.
  4. Open the Browser Content Toolbox and select the debugger tab.
  5. Right-click the div and choose "Inspect Element."
  6. Switch the Browser Content Toolbox to the content tab.


See screenshot.

listener.listenerObject is logged and contains a handleEvent property but when listener.listenerObject.handleEvent is logged it is undefined.

In the browser toolbox you can see the following warning:

WARNING: Silently denied access to property "handleEvent": value is callable
(@resource://devtools/server/actors/inspector/event-parsers.js:188:10): file
line 223

The inability to check for handleEvent breaks the few lines at the end of the patch.


listener.listenerObject.handleEvent should be accessible.

Attached patch patch.diffSplinter Review
Assignee: nobody → mratcliffe

@Rob bholley said you are likely to know what is going on here.

Flags: needinfo?(rob)

The listener.listenerObject object from your patch originates from the (untrusted) compartment of test.html, while the devtools script is running with the (trusted) system principal. Because of this, listenerObject is not the object that you're expecting, but an XrayWrapper over it.
To see the original value, use listener.listenerObject.wrappedJSObject.handleEvent.
Be careful though: When Xrays are waived (through .wrappedJSObject), the untrusted page will be able to intercept access to the property (and lie about the actual value, throw errors, etc.).

For more info, see and

There seems to be existing devtools code that has already solved the problem of accessing "handleEvent" from untrusted content; you might be interested in reading

Flags: needinfo?(rob)

Holy cow, it is just wrapped... I totally overthought it.

/me mumbles thanks and scurries away faster than the eye can see.

Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.