Fix inconsistencies between remote object proxies and ordinary cross-origin wrappers
Categories
(Core :: DOM: Bindings (WebIDL), defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox71 | --- | fixed |
People
(Reporter: kmag, Assigned: kmag)
References
(Blocks 1 open bug)
Details
Attachments
(5 files)
We support calling WebIDL prototype methods on cross-compartment objects as long as they're same-type and same-origin. Any attempt to call them on cross-origin wrappers with security policies leads to a security error.
Remote object proxies look and behave like cross-origin objects, but are not technically wrappers. This means that for non-cross-origin-accessible method/getter calls, we just treat them as same-origin objects which do not implement the correct interface. Aside from being confusing, this makes it easy for web content to distinguish between remote and in-process objects with the same interface, which they generally should not be able to do.
Treating remote object proxies as if they were opaque wrappers solves these problems.
Assignee | ||
Comment 1•5 years ago
|
||
We support calling WebIDL prototype methods on cross-compartment objects as
long as they're same-type and same-origin. Any attempt to call them on
cross-origin wrappers with security policies leads to a security error.
Remote object proxies look and behave like cross-origin objects, but are not
technically wrappers. This means that for non-cross-origin-accessible
method/getter calls, we just treat them as same-origin objects which do not
implement the correct interface. Aside from being confusing, this makes it
easy for web content to distinguish between remote and in-process objects with
the same interface, which they generally should not be able to do.
Treating remote object proxies as if they were opaque wrappers solves these
problems.
Assignee | ||
Comment 3•5 years ago
|
||
Slightly morphing this bug to also deal with other inconsistencies I found when I ran the web platform test in Fission mode.
Assignee | ||
Comment 4•5 years ago
|
||
Object.hasOwnProperty called on a cross-origin object needs to return true for
any property returned by its property enumerator or get hook, and throw a
security error for anything else. Ordinary cross-origin objects currently
behave correctly, but RemoteObjectProxy objects return false for indexed
frame getters, and never throw security exceptions for inaccessible
properties.
This patch fixes both of those issues.
Assignee | ||
Comment 5•5 years ago
|
||
Cross-origin objects are supposed to have null prototypes, and throw when
attempting to set the prototype to any value other than null. Ordinary
cross-origin objects handle this correctly. RemoteObjectProxy has hooks which
are meant to give them the same behavior, but which are never actually
triggered, because the proxy objects are missing the required lazy prototype
flags.
Assignee | ||
Comment 6•5 years ago
|
||
Same origin native functions called with a compatible cross-origin this
object are meant to apply the same security checks as if a property getter for
the method had been called on the this
object directly. Firefox has some
tests for this behavior, but the web platform test suite does not.
This patch adds comprehensive tests for all getters/setters/methods on Window
and Location objects for both the allowed and forbidden cases.
Updated•5 years ago
|
Assignee | ||
Comment 7•5 years ago
|
||
Updated•5 years ago
|
Comment 12•5 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/05dd1a3de4cc
https://hg.mozilla.org/mozilla-central/rev/56d226cfe63c
https://hg.mozilla.org/mozilla-central/rev/aa9059b3f9b0
https://hg.mozilla.org/mozilla-central/rev/2c2c0d216a2f
https://hg.mozilla.org/mozilla-central/rev/1dd5a2e26f9d
Description
•