Closed Bug 1582520 Opened 2 months ago Closed 2 months ago

Fix inconsistencies between remote object proxies and ordinary cross-origin wrappers

Categories

(Core :: DOM: Bindings (WebIDL), defect, P1)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: kmag, Assigned: kmag)

References

(Blocks 1 open bug)

Attachments

(5 files)

We support calling WebIDL prototype methods on cross-compartment objects as long as they're same-type and same-origin. Any attempt to call them on cross-origin wrappers with security policies leads to a security error.

Remote object proxies look and behave like cross-origin objects, but are not technically wrappers. This means that for non-cross-origin-accessible method/getter calls, we just treat them as same-origin objects which do not implement the correct interface. Aside from being confusing, this makes it easy for web content to distinguish between remote and in-process objects with the same interface, which they generally should not be able to do.

Treating remote object proxies as if they were opaque wrappers solves these problems.

Priority: -- → P1

Slightly morphing this bug to also deal with other inconsistencies I found when I ran the web platform test in Fission mode.

Summary: UnwrapObjectInternal should treat remote object proxies as opaque wrappers → Fix inconsistencies between remote object proxies and ordinary cross-origin wrappers

Object.hasOwnProperty called on a cross-origin object needs to return true for
any property returned by its property enumerator or get hook, and throw a
security error for anything else. Ordinary cross-origin objects currently
behave correctly, but RemoteObjectProxy objects return false for indexed
frame getters, and never throw security exceptions for inaccessible
properties.

This patch fixes both of those issues.

Cross-origin objects are supposed to have null prototypes, and throw when
attempting to set the prototype to any value other than null. Ordinary
cross-origin objects handle this correctly. RemoteObjectProxy has hooks which
are meant to give them the same behavior, but which are never actually
triggered, because the proxy objects are missing the required lazy prototype
flags.

Same-origin native functions called with a compatible cross-origin this
object are meant to apply the same security checks as if a property getter for
the method had been called on the this object directly. Firefox has some
tests for this behavior, but the web platform test suite does not.

This patch adds comprehensive tests for all getters/setters/methods on Window
and Location objects for both the allowed and forbidden cases.
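
The hasOwnProperty and prototype behavior that the commit messages above expect from cross-origin objects, as an added example that is not part of the bug or the Firefox patches. It is a simplified model built on a plain ES Proxy: `ALLOWED` (a constructed subset of the accessible names), `makeCrossOriginWindow`, `frameCount`, `probe` and `trySetPrototype` are hypothetical, and the special handling of symbol-keyed properties is left out.

```javascript
// Added example: simplified model of a cross-origin Window, not Firefox code.
// ALLOWED is a constructed subset of the cross-origin-accessible property names.
const ALLOWED = ['close', 'closed', 'focus', 'frames', 'length', 'location', 'postMessage'];

class SecurityError extends Error {
  constructor(prop) {
    super(`access to "${String(prop)}" denied on cross-origin object`);
    this.name = 'SecurityError';
  }
}

// frameCount stands in for the number of child frames (hypothetical parameter).
function makeCrossOriginWindow(frameCount) {
  const isFrameIndex = (p) =>
    typeof p === 'string' && /^(0|[1-9]\d*)$/.test(p) && Number(p) < frameCount;
  const indices = () => Array.from({ length: frameCount }, (_, i) => String(i));
  return new Proxy(Object.create(null), {
    // Everything enumerable or gettable is an own property; the rest throws.
    getOwnPropertyDescriptor(_target, prop) {
      if (isFrameIndex(prop) || ALLOWED.includes(prop)) {
        return { value: undefined, writable: false, enumerable: false, configurable: true };
      }
      throw new SecurityError(prop);
    },
    ownKeys: () => [...indices(), ...ALLOWED],
    // Immutable null prototype: only "setting" it to null again succeeds.
    getPrototypeOf: () => null,
    setPrototypeOf: (_target, proto) => proto === null,
  });
}

// Returns true/false from hasOwnProperty, or the name of the exception thrown.
function probe(win, prop) {
  try { return Object.prototype.hasOwnProperty.call(win, prop); }
  catch (e) { return e.name; }
}

// Returns 'ok' if the prototype change was accepted, else the exception name.
function trySetPrototype(win, proto) {
  try { Object.setPrototypeOf(win, proto); return 'ok'; }
  catch (e) { return e.name; }
}

const win = makeCrossOriginWindow(2);
console.log(probe(win, 'postMessage'), probe(win, '1'));
console.log(probe(win, '2'), probe(win, 'document'));
console.log(Object.getPrototypeOf(win), trySetPrototype(win, null), trySetPrototype(win, {}));
```

A remote proxy and an in-process cross-origin wrapper that both match this model give identical answers to every probe, which is the indistinguishability the bug is after.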

Attachment #9094467 - Attachment description: Bug 1582520: Part 3 - Fix RemoteObjectProxy prototype hooks. r=bzbarsky → Bug 1582520: Part 3 - Fix RemoteObjectProxy immutable prototype implementation. r=bzbarsky
Attachment #9093967 - Attachment description: Bug 1582520: Treat remote object proxies as opaque wrappers when unwrapping. r=peterv → Bug 1582520: Part 1 - Treat remote object proxies as opaque wrappers when unwrapping. r=peterv
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/05dd1a3de4cc
Part 1 - Treat remote object proxies as opaque wrappers when unwrapping. r=peterv
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/56d226cfe63c
Part 2 - Fix RemoteObjectProxy hasOwnProperty hook behavior. r=bzbarsky
https://hg.mozilla.org/integration/autoland/rev/aa9059b3f9b0
Part 3 - Fix RemoteObjectProxy immutable prototype implementation. r=bzbarsky
https://hg.mozilla.org/integration/autoland/rev/2c2c0d216a2f
Part 4 - Update cross-origin-objects web platform tests for cross-origin this objects. r=bzbarsky
https://hg.mozilla.org/integration/autoland/rev/1dd5a2e26f9d
Part 5 - Test that named subframe properties are accessible in cross-origin-objects.html. r=bzbarsky
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/19305 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Upstream PR merged by moz-wptsync-bot