Closed Bug 244843 Opened 21 years ago Closed 3 years ago

Security exceptions should create an nsScriptError and pass line info

Categories: Core :: Security: CAPS, enhancement
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
People: Reporter: timeless, Assigned: dveditz

    NS_IMETHODIMP
    nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
                                               const nsCID &aCID)
    {
        ...
        //-- Access denied, report an error
        nsCAutoString errorMsg("Permission denied to create instance of class. CID=");
        ...
        JS_SetPendingException(cx,
            STRING_TO_JSVAL(JS_NewStringCopyZ(cx, errorMsg.get())));

And similar code for other functions.

problem #0: this code is very very very very tied to spidermonkey. It shouldn't be. Either caps should live in js/src/xpconnect/caps or this code should be rewritten to use some api which hides spidermonkey from caps. That hiding would enable caps to actually do something useful when a python script wants to get something it shouldn't.

--

problem #1: The code just throws a message. XPConnect otoh which has this nice private thing nsScriptError actually fills in details (line numbers) which enable people to figure out what's going on.

possible resolutions for problem #1:
A. xpconnect exposes an xpcom object which is nsScriptError (the interface for such a thing can live in xpcom) and caps uses it.
B. caps reinvents nsScriptError.
Oops, it's not private... I just couldn't find the right comment

    NS_SCRIPTERROR_CONTRACTID "@mozilla.org/scripterror;1"

see http://lxr.mozilla.org/seamonkey/source/content/html/style/src/nsCSSLoader.cpp#683
How would you throw the nsScriptError, then? It's important (very, IMO) that CAPS generate an exception here, which is only reported to the console if it's not caught by the calling code.
Probably coerce XPCConvert::ConstructException into special-casing nsIScriptError, then use XPCThrower::ThrowExceptionObject.
Confirming. Timeless, problem #0 is for another bug, and for later. Caps already knows all about jsdbgapi.h. C'mon, prioritize, focus! ;-) How about a patch for the idea in comment #3? /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Tying to XPConnect is tying to JS, really, but let's not quibble.
Assignee: security-bugs → dveditz
QA Contact: caps
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
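
The two behaviours discussed in this bug, modelled in plain JavaScript as an added example (not Mozilla code and not part of the bug thread): a denial thrown as a bare string versus an error object that carries the denied caller's line, with a host that reports an exception to a console log only when the script did not catch it. `callerLocation`, `denyWithString`, `denyWithError`, `runScript`, the sample scripts and the CID value are hypothetical names constructed for the illustration.

```javascript
// Constructed model of the thread's point; none of this is Mozilla code.
const DENIED = "Permission denied to create instance of class. CID=";
const CID = "{00000000-0000-0000-0000-000000000000}"; // constructed placeholder

// Line/column of the frame `skip` levels above callerLocation (hypothetical helper).
function callerLocation(skip) {
  const frames = new Error().stack.split("\n")
    .filter((l) => /:\d+:\d+\)?\s*$/.test(l)); // keep frame lines, drop the header
  const m = /:(\d+):(\d+)\)?\s*$/.exec(frames[skip] || "");
  return m ? { lineNumber: Number(m[1]), columnNumber: Number(m[2]) } : null;
}

// Style 1: a bare string, as in the quoted code. Nothing records the call site.
function denyWithString(cid) {
  throw DENIED + cid;
}

// Style 2: an error object that records the line of the script that was denied.
function denyWithError(cid) {
  const err = new Error(DENIED + cid);
  const loc = callerLocation(2); // 0 = callerLocation, 1 = this check, 2 = script
  err.lineNumber = loc ? loc.lineNumber : null; // ad hoc property in this model
  throw err;
}

// Host side: only exceptions the script did not catch reach the console log.
function runScript(script, consoleLog) {
  try {
    return script();
  } catch (e) {
    const structured = e instanceof Error;
    consoleLog.push({
      message: structured ? e.message : String(e),
      lineNumber: structured ? e.lineNumber : null,
    });
    return undefined;
  }
}

function uncaughtString() { denyWithString(CID); }
function uncaughtError() { denyWithError(CID); }
function caughtError() { try { denyWithError(CID); } catch (e) { return "handled"; } }

function demo() {
  const consoleLog = [];
  runScript(uncaughtString, consoleLog);
  runScript(uncaughtError, consoleLog);
  const result = runScript(caughtError, consoleLog);
  return { consoleLog, result };
}
```

`demo()` returns two console entries: the string denial with no line number, and the structured denial with the line of `uncaughtError`. The denial that `caughtError` handles itself produces no entry.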