As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 464527 - Need wrapper for callbacks
: Need wrapper for callbacks
Product: Core
Classification: Components
Component: XPConnect (show other bugs)
: Trunk
: All All
: -- normal (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
: Andrew Overholt [:overholt]
Depends on:
  Show dependency treegraph
Reported: 2008-11-12 12:23 PST by Jonas Sicking (:sicking) No longer reading bugmail consistently
Modified: 2012-03-16 09:33 PDT (History)
14 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-11-12 12:23:17 PST
We need to make it safe for chrome code to pass in callback functions to content code. This will probably be done through wrapper magic which will prevent content from getting a reference to the actual chrome function, as well as wrap as appropriate any arguments to the callback function.
Comment 1 User image Brendan Eich [:brendan] 2008-11-12 12:35:12 PST
This could get costly without more JS engine work. Let's discuss.

How often and with what kinds of args (deep object graphs?) are such callbacks actually invoked?

Comment 2 User image Blake Kaplan (:mrbkap) 2008-11-13 17:05:20 PST
This wrapper would be more general. It's a hole in our system right now that it isn't easy to expose chrome objects (such as GreaseMonkey's console or the geolocation object) to content. These wrappers could automatically be created by XPCNativeWrapper/XPCSafeJSObjectWrapper.

I'm not sure why this particular case could get any more costly than our existing wrappers.
Comment 3 User image Blake Kaplan (:mrbkap) 2009-07-28 16:01:38 PDT
Was this not fixed by bug 480205?
Comment 4 User image Nickolay_Ponomarev 2009-09-19 00:25:27 PDT
This bug is referenced from , please update accordingly when resolving. (That page is not very clear right now and references to private bugs do not help to understand...)
Comment 5 User image Frederik Braun 2011-04-17 05:31:08 PDT
Sorry for digging up old bug reports, but I was wondering whether the warnings are still valid.
I am currently working on an extension that aims to rewrite and replace attributes of window from within chrome, using an observer on the "content-document-global-created" topic. I am getting a wrapped window object and the security warnings at the aforementioned URL made me hesitate :)
Comment 6 User image Boris Zbarsky [:bz] (still a bit busy) 2011-04-20 21:29:34 PDT
I believe that what you want to do is now safe (as of Gecko 2.0).
Comment 7 User image Blake Kaplan (:mrbkap) 2012-03-16 09:33:16 PDT
Yeah, this was fixed (more or less) by COWs.

Note You need to log in before you can comment on or make changes to this bug.