Closed Bug 1582520 Opened 5 years ago Closed 5 years ago

Fix inconsistencies between remote object proxies and ordinary cross-origin wrappers

Categories

(Core :: DOM: Bindings (WebIDL), defect, P1)

Product:
Core
Component:
DOM: Bindings (WebIDL)
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: kmag, Assigned: kmag)

References

(Blocks 1 open bug)

Details

Attachments

(5 files)

Bug 1582520: Part 1 - Treat remote object proxies as opaque wrappers when unwrapping. r=peterv
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582520: Part 2 - Fix RemoteObjectProxy hasOwnProperty hook behavior. r=bzbarsky
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582520: Part 3 - Fix RemoteObjectProxy immutable prototype implementation. r=bzbarsky
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582520: Part 4 - Update cross-origin-objects web platform tests for cross-origin this objects. r=bzbarsky
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582520: Part 5 - Test that named subframe properties are accessible in cross-origin-objects.html. r=bzbarsky
47 bytes, text/x-phabricator-request
Details | Review

We support calling WebIDL prototype methods on cross-compartment objects as long as they're same-type and same-origin. Any attempt to call them on cross-origin wrappers with security policies leads to a security error.

Remote object proxies look and behave like cross-origin objects, but are not technically wrappers. This means that for non-cross-origin-accessible method/getter calls, we just treat them as same-origin objects which do not implement the correct interface. Aside from being confusing, this makes it easy for web content to distinguish between remote and in-process objects with the same interface, which they generally should not be able to do.

Treating remote object proxies as if they were opaque wrappers solves these problems.

We support calling WebIDL prototype methods on cross-compartment objects as
long as they're same-type and same-origin. Any attempt to call them on
cross-origin wrappers with security policies leads to a security error.

Remote object proxies look and behave like cross-origin objects, but are not
technically wrappers. This means that for non-cross-origin-accessible
method/getter calls, we just treat them as same-origin objects which do not
implement the correct interface. Aside from being confusing, this makes it
easy for web content to distinguish between remote and in-process objects with
the same interface, which they generally should not be able to do.

Treating remote object proxies as if they were opaque wrappers solves these
problems.

_

Priority: -- → P1

Slightly morphing this bug to also deal with other inconsistencies I found when I ran the web platform test in Fission mode.

Summary: UnwrapObjectInternal should treat remote object proxies as opaque wrappers → Fix inconsistencies between remote object proxies and ordinary cross-origin wrappers

Object.hasOwnProperty called on a cross-origin object needs to return true for
any property returned by its property enumerator or get hook, and throw a
security error for anything else. Ordinary cross-origin objects currently
behave correctly, but RemoteObjectProxy objects return false for indexed
frame getters, and never throw security exceptions for inaccessible
properties.

This patch fixes both of those issues.

Cross-origin objects are supposed to have null prototypes, and throw when
attempting to set the prototype to any value other than null. Ordinary
cross-origin objects handle this correctly. RemoteObjectProxy has hooks which
are meant to give them the same behavior, but which are never actually
triggered, because the proxy objects are missing the required lazy prototype
flags.

Same origin native functions called with a compatible cross-origin this
object are meant to apply the same security checks as if a property getter for
the method had been called on the this object directly. Firefox has some
tests for this behavior, but the web platform test suite does not.

This patch adds comprehensive tests for all getters/setters/methods on Window
and Location objects for both the allowed and forbidden cases.

Attachment #9094467 - Attachment description: Bug 1582520: Part 3 - Fix RemoteObjectProxy prototype hooks. r=bzbarsky → Bug 1582520: Part 3 - Fix RemoteObjectProxy immutable prototype implementation. r=bzbarsky
Attachment #9093967 - Attachment description: Bug 1582520: Treat remote object proxies as opaque wrappers when unwrapping. r=peterv → Bug 1582520: Part 1 - Treat remote object proxies as opaque wrappers when unwrapping. r=peterv
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/05dd1a3de4cc Part 1 - Treat remote object proxies as opaque wrappers when unwrapping. r=peterv
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/56d226cfe63c Part 2 - Fix RemoteObjectProxy hasOwnProperty hook behavior. r=bzbarsky https://hg.mozilla.org/integration/autoland/rev/aa9059b3f9b0 Part 3 - Fix RemoteObjectProxy immutable prototype implementation. r=bzbarsky https://hg.mozilla.org/integration/autoland/rev/2c2c0d216a2f Part 4 - Update cross-origin-objects web platform tests for cross-origin this objects. r=bzbarsky https://hg.mozilla.org/integration/autoland/rev/1dd5a2e26f9d Part 5 - Test that named subframe properties are accessible in cross-origin-objects.html. r=bzbarsky
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/19305 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: