Remove `new Function` from preferencesBindings.js
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: jallmann, Assigned: jallmann)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
Three uses of new Function[1][2][3] for custom event handling in preferencesBindings.js need to be removed as part of Bug 1473549.
[1] https://searchfox.org/mozilla-central/source/toolkit/content/preferencesBindings.js#238
[2] https://searchfox.org/mozilla-central/source/toolkit/content/preferencesBindings.js#350
[3] https://searchfox.org/mozilla-central/source/toolkit/content/preferencesBindings.js#408
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
I would like to eliminate these three new Functions, which are used to evaluate event handling code from XUL-attributes, namely:
onbeforeaccept
onsyncfrompreference
onsynctopreference
The first is easily removed and replaced by JS-eventListeners, but the other two look more complicated.
In both cases, the code invoked upon the respective events returns values other than true/false that are processed further. I don't see an immediate way to replicate this behaviour with eventListeners.
What could be a reasonable approach here?
https://searchfox.org/mozilla-central/source/toolkit/content/preferencesBindings.js#345
https://searchfox.org/mozilla-central/source/toolkit/content/preferencesBindings.js#403
|
||
Comment 2•6 years ago
|
||
Defining a "manual" JS callback/observer infrastructure in preferencesBinding.js that JS on the page can add callbacks/observers to that behave how we want (ie we use returned values if not undefined, or something) seems like the most straightforward way. There's no real need to actually use custom events.
|
|
Assignee | |
Comment 3•5 years ago
|
||
Work in progress.
Add callback infrastructure to preferenceBindings to replace XUL-attributes.
|
|
||
Comment 4•5 years ago
|
||
Jorg, heads-up that we're killing onsync{to,from}preference here. I expect thunderbird might care... I also don't think this will land in soft freeze, so probably early (ish?) in the 70 cycle.
|
||
Comment 5•5 years ago
|
||
Thanks for the heads-up, forwarding ...
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Comment 7•5 years ago
|
||
Umm, what about comment #4. Not landing during soft freeze, which is now. I'll remove the checkin-needed again, no offence intended.
|
|
Assignee | |
Comment 8•5 years ago
|
||
Right, sorry. I missed that, no offence taken.
|
|
||
Comment 9•5 years ago
|
||
Jonas, this needs a rebase now (probably due to the prettier changes). Can you rebase and upload the updated version? Sorry for the churn...
|
|
Assignee | |
Comment 10•5 years ago
|
||
I rebased the patch. Should I flag checkin-needed now?
|
|
||
Updated•5 years ago
|
|
||
Comment 12•5 years ago
|
||
Pushed by opoprus@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d426669c4cba
Remove preferenceBindings.js from eval()-whitelist, r=Gijs
|
||
Comment 13•5 years ago
|
||
| bugherder | ||
Description
•