Closed Bug 1520823 Opened 1 year ago Closed 1 year ago

Silently denied access to listener.listenerObject.handleEvent

Categories

(DevTools :: Console, defect, P2)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: miker, Assigned: miker)

Attachments

(3 files)

Attached file test.html

STR:

  1. Apply the attached patch.
  2. Build Firefox (debug build).
  3. Open the attached file test.html.
  4. Open the Browser Content Toolbox and select the debugger tab.
  5. Right-click the div and choose "Inspect Element."
  6. Switch the Browser Content Toolbox to the content tab.

Actual:

See screenshot.

listener.listenerObject is logged and contains a handleEvent property but when listener.listenerObject.handleEvent is logged it is undefined.

In the browser toolbox you can see the following warning:

WARNING: Silently denied access to property "handleEvent": value is callable
(@resource://devtools/server/actors/inspector/event-parsers.js:188:10): file
/builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.cpp,
line 223

The inability to check for handleEvent breaks the few lines at the end of the patch.

Expected:

listener.listenerObject.handleEvent should be accessible.

Attached patch patch.diff
Assignee: nobody → mratcliffe

@Rob bholley said you are likely to know what is going on here.

Flags: needinfo?(rob)

The listener.listenerObject object from your patch originates from the (untrusted) compartment of test.html, while the devtools script is running with the (trusted) system principal. Because of this, listenerObject is not the object that you're expecting, but an XrayWrapper over it.
To see the original value, use listener.listenerObject.wrappedJSObject.handleEvent.
Be careful though: When Xrays are waived (through .wrappedJSObject), the untrusted page will be able to intercept access to the property (and lie about the actual value, throw errors, etc.).

For more info, see https://developer.mozilla.org/docs/Mozilla/Gecko/Script_security#Privileged_to_unprivileged_code and https://developer.mozilla.org/docs/Mozilla/Tech/Xray_vision

There seems to be existing devtools code that has already solved the problem of accessing "handleEvent" from untrusted content; you might be interested in reading https://searchfox.org/mozilla-central/rev/dac799c9f4e9f5f05c1071cba94f2522aa31f7eb/devtools/server/actors/thread.js#1060-1076

Flags: needinfo?(rob)
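
Added example (not from the bug, the attached patch, or the DevTools code base): a plain-JavaScript sketch of the caveat above, that a value reached after waiving Xrays is page-controlled, together with one defensive way to read `handleEvent` from it. It runs outside Firefox, so ordinary objects with getters and a `Proxy` stand in for page objects; `readUntrustedCallable` and the sample objects are hypothetical names constructed for illustration.

```javascript
// Hypothetical helper: read a property of a page-controlled object exactly
// once, survive a throwing getter, and hand back only the value observed.
function readUntrustedCallable(obj, name) {
  let value;
  try {
    value = obj[name]; // single read; a getter or proxy may answer differently next time
  } catch (e) {
    return { ok: false, reason: "getter threw" };
  }
  if (typeof value !== "function") {
    return { ok: false, reason: "not callable" };
  }
  return { ok: true, value }; // caller keeps this reference and never re-reads obj[name]
}

// Anti-pattern for comparison: check, then read again.
function naiveCheckThenUse(obj) {
  if (typeof obj.handleEvent === "function") {
    return typeof obj.handleEvent; // second read can disagree with the first
  }
  return "absent";
}

// Constructed stand-ins for listener objects owned by an untrusted page.
const honest = { handleEvent() {} };
const throwing = { get handleEvent() { throw new Error("page-controlled"); } };
const proxied = new Proxy({}, { get: () => 42 }); // lies about every property
function makeFlipping() {
  let reads = 0; // callable on the first read only
  return { get handleEvent() { return reads++ === 0 ? function () {} : undefined; } };
}

function demo() {
  return {
    honest: readUntrustedCallable(honest, "handleEvent").ok,
    throwing: readUntrustedCallable(throwing, "handleEvent").reason,
    proxied: readUntrustedCallable(proxied, "handleEvent").reason,
    flippingSafe: readUntrustedCallable(makeFlipping(), "handleEvent").ok,
    flippingNaive: naiveCheckThenUse(makeFlipping()),
  };
}

console.log(demo());
```

The helper only protects the read: calling the returned function still runs page code.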

Holy cow, it is just wrapped... I totally overthought it.

/me mumbles thanks and scurries away faster than the eye can see.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME