Open Bug 1808709 Opened 1 year ago Updated 1 year ago

Cloning to JSON fails for objects defined in context of the page and implementing `toJSON()`

Categories

(Remote Protocol :: Marionette, defect, P3)

Product:
Remote Protocol
Component:
Marionette
Version:
Default
Type:
defect

Tracking

(Not tracked)

People

(Reporter: whimboo, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [webdriver:backlog])

The following test fails in Marionette if not executed in the system sandbox. The reason is that the value within the internal JSON clone algorithm would need waived XRays:

    def test_shadow_dom(self):
        result = self.marionette.execute_script("""
            return {
                toJSON() {
                    return ["foo", "bar"];
                }
            };""")
        self.assertEqual(result, ["foo", "bar"])

Given that this is untrusted code the question is which measures we should apply to safely serialize such an object without allowing an attack vector.

The underlying problem here should definitely be something around waiving XRays because the object that we are evaluating is living in a different sandbox. Other browsers pass the tests for Execute Async Script and Execute Script.

It's still interesting why async script execution is only affected.

Whenever we have to use waiving XRays we should make sure that we do not expose any security issue. A web site could have a custom defined toJSON() method on an object and that should not allow to escape and even reach chrome scope.

I'll have to do a bit more investigation but so far it's not blocking.

Blocks: webdriver, 1743116
Severity: -- → S3
Flags: needinfo?(hskupin)
Priority: -- → P3
Whiteboard: [webdriver:backlog]
Product: Testing → Remote Protocol
You need to log in before you can comment on or make changes to this bug.