Need wrapper for callbacks




9 years ago
6 years ago


(Reporter: sicking, Assigned: mrbkap)




We need to make it safe for chrome code to pass in callback functions to content code. This will probably be done through wrapper magic which will prevent content from getting a reference to the actual chrome function, as well as wrap as appropriate any arguments to the callback function.
This could get costly without more JS engine work. Let's discuss.

How often and with what kinds of args (deep object graphs?) are such callbacks actually invoked?


Comment 2

9 years ago
This wrapper would be more general. It's a hole in our system right now that it isn't easy to expose chrome objects (such as GreaseMonkey's console or the geolocation object) to content. These wrappers could automatically be created by XPCNativeWrapper/XPCSafeJSObjectWrapper.

I'm not sure why this particular case could get any more costly than our existing wrappers.

Comment 3

8 years ago
Was this not fixed by bug 480205?

Comment 4

8 years ago
This bug is referenced from , please update accordingly when resolving. (That page is not very clear right now and references to private bugs do not help to understand...)

Comment 5

6 years ago
Sorry for digging up old bug reports, but I was wondering whether the warnings are still valid.
I am currently working on an extension that aims to rewrite and replace attributes of window from within chrome, using an observer on the "content-document-global-created" topic. I am getting a wrapped window object and the security warnings at the aforementioned URL made me hesitate :)

Comment 6

6 years ago
I believe that what you want to do is now safe (as of Gecko 2.0).

Comment 7

6 years ago
Yeah, this was fixed (more or less) by COWs.
Last Resolved: 6 years ago
Resolution: --- → FIXED
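
The wrapper behaviour asked for in the bug description, sketched as an added example in plain JavaScript. It is not Gecko's XPConnect wrapper or COW code and not from any commenter; `wrapCallback` and `copyData` are hypothetical names, and the sketch assumes only plain data (no functions, accessors or class instances) needs to cross in either direction.

```javascript
'use strict';
// Illustration only: plain JavaScript, single realm. Not Gecko's wrapper code.

// Deep-copy plain data. Anything that can carry behaviour or a live reference
// across the boundary (functions, accessors, class instances) is refused.
function copyData(value, seen = new Map()) {
  if (typeof value === 'function') throw new TypeError('functions may not cross');
  if (value === null || typeof value !== 'object') return value; // primitive
  if (seen.has(value)) return seen.get(value); // preserve cycles and sharing
  const proto = Object.getPrototypeOf(value);
  const isArray = Array.isArray(value);
  if (!isArray && proto !== Object.prototype && proto !== null) {
    throw new TypeError('only plain objects and arrays may cross');
  }
  const out = isArray ? [] : Object.create(null);
  seen.set(value, out);
  for (const key of Object.keys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    // A getter would run the other side's code whenever the callee reads it.
    if (!('value' in desc)) throw new TypeError('accessor properties may not cross');
    out[key] = copyData(desc.value, seen);
  }
  return out;
}

// Build the function that is handed to the less privileged caller.
// privilegedFn is reachable only through this closure.
function wrapCallback(privilegedFn) {
  const wrapper = (...args) => {
    const safeArgs = args.map((arg) => copyData(arg));
    let result;
    try {
      result = Reflect.apply(privilegedFn, undefined, safeArgs);
    } catch (_err) {
      // Do not hand the privileged side's exception object to the caller.
      throw new Error('callback failed');
    }
    return copyData(result);
  };
  // No prototype chain: wrapper.constructor, .call, .bind are all undefined.
  Object.setPrototypeOf(wrapper, null);
  return Object.freeze(wrapper);
}
```

Copying is the simplest policy to reason about; a membrane that wraps objects lazily instead of copying them is what the cost question in the thread is about.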