Open Bug 1743788 Opened 3 years ago Updated 2 years ago

Stop unconditionally using waiveXrays for "in content" script sandboxes

Categories

(Remote Protocol :: Marionette, defect, P3)

Default
defect

Tracking

(Not tracked)

People

(Reporter: jgraham, Unassigned)

References

(Blocks 1 open bug)

Details

Currently marionette is simulating executing a script directly in content by creating a sandbox with wantXrays: false and using waiveXRays on the sandbox. that has a couple of problems:

  • We want to remove wantXrays: False.
  • When using objects returned from scripts, we actually do want X-rays for DOM objects to allow us to safely access the underlying object properties.

(There is also a third problem: the semantics of running in a sandbox are different to that of running in content in a way that's observable and causes compliance issues. But that should be considered a seperate issue).

I think we should create all sandboxes with Xrays enabled by default, and only waive Xrays as required (i.e. when actually executing the user-supplied script, or when serializing a non-DOM object).

The usage James is referring to can be found at:
https://searchfox.org/mozilla-central/rev/e9cd2997be1071b9bb76fc14df0f01a2bd721c30/remote/marionette/evaluate.js#546

Note that such a mutable sandbox is only created when a sandbox name has been specified. The parameter for the WebDriver:ExecuteScript and WebDriver:ExecuteAsyncScript is called sandbox. And that argument is not supported by the WebDriver spec and as such not accepted and forwarded to Marionette by geckodriver.

So this only applies to the Marionette client and other not official WebDriver clients that might make use of it.

Whiteboard: [webdriver:triage]

Hm, but with bug 1491490 we want to have a similar behavior as with wantXRays set to false. So it means setting that value should be ok, but we should make use of expanded principals (see bug 1491490 comment 6)?

Flags: needinfo?(james)

It's the opposite way around, we create a mutable sandbox when we don't have a sandbox name, which is the case for WebDriver execute[Async]Script commands.

I'm not sure if we need expanded principals here. We aren't giving the scripts any capabilities the content wouldn't have, apart from resolving the promise to indicate that script execution is complete.

Having said that, from a brief experiment I didn't get this working; I unset wantsXrays when creating the sandbox and tried to call waiveXrays when evaluating the script, but tests involving returning expando properties on DOM objects still failed, so clearly we're not getting the non-Xray view at the appropriate point.

Flags: needinfo?(james)
See Also: → 1743790

We will most likely get the correct evaluation in content implemented in WebDriver BiDi first, and then update Marionette accordingly.

Whiteboard: [webdriver:triage]

The severity field is not set for this bug.
:whimboo, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(hskupin)
Severity: -- → S3
Flags: needinfo?(hskupin)
Priority: -- → P3
Product: Testing → Remote Protocol
You need to log in before you can comment on or make changes to this bug.