Closed Bug 1717710 Opened 3 years ago Closed 2 years ago

Private Fields inadvertently tunnel through to the Window object, rather than being stored on WindowProxy as expected

Categories

(Core :: JavaScript Engine, task, P1)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1726039

People

(Reporter: mgaudet, Assigned: mgaudet)

References

Details

Attachments

(4 obsolete files)

While investigating Bug 1652868 I discovered that our implementation of Private Fields were stamping fields onto the target object, as WindowProxy is a transparent proxy type, rather than storing the fields on the proxy as one would expect from the weak map.

Note: While having this patch is strictly better than not having this patch,
it's still not 100% compliant with the standard. I would be interested in if
it was possible to draw the distinction between the Window and the WindowProxy
in ways that don't trigger some of the other problems with WindowProxy and
private fields...

Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Severity: -- → N/A
Priority: -- → P1
Attachment #9228450 - Attachment is obsolete: true
Blocks: 1652868
No longer depends on: 1652868

To recap briefly for those who weren't involved: Private Fields are actually
modelled as hidden properties on objects; this works out fairly well right up
until one encounters proxies. At that point, one is forced to acknowledge that
the specification of Private Fields is thought in terms of a 'hidden WeakMap',
associated with a class, where the key is the object that 'has' a given private
field.

This means that if you stamp a private field on a Proxy, it does -not- tunnel
through to the target object. The problem is, Firefox is riddled with transparent
proxies, for example CCWs, where you want the private field to land on the target,
not the proxy.

To handle this, the Proxy implementation was made configurable. Classes which need
transparent behaviour return false from useProxyExpandoObjectForPrivateFields, and
classes which desire private fields to end up on the proxy itself, return true.

WindowProxies are special however. These objects are transplanted during
navigation, and so as a result we need to ensure that JS_TransplantObject does
the right thing for transplanting a proxy with an expando.

A status update here: D118414 has a semi-functional version of this working, however, it turns out to be incorrect -- it ends up not handling the peculiar compartment oddities around transplanted window proxies.

D141519 may be better. It takes a totally different approach of teaching nsOuterWindowProxy about the private field expando. Unfortunately, it's likely insufficient in the face of RemoteOuterWindowProxies (i've yet to write the test case, but I would likely have to write something similar to dom/tests/browser/browser_windowProxy_transplant.js)

At this point, I'm annoyed. I actually think we should do Bug 1726039, which would make cross origin objects ineligible for private fields, and sidestep this whole problem; I would follow that up with work to specify this.

Will be fixed via Bug 1726039

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Attachment #9265548 - Attachment is obsolete: true
Attachment #9265549 - Attachment is obsolete: true
Attachment #9268507 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: