551355 - Review the securable-module module, jetpack-core/lib/securable-module.js

Status: RESOLVED WONTFIX

(Add-on SDK Graveyard :: General, defect)

Description

[Drew Willcoxon :adw]

http://hg.mozilla.org/labs/jetpack-sdk/file/tip/packages/jetpack-core/lib/securable-module.js

Module description from the docs:

The securable-module module allows for the recursive loading and sandboxing of CommonJS Modules (formerly called SecurableModules). This allows, for instance, the creation of "mini platforms" that manage the sandboxed evaluation of code.

Comment 1

[Nickolay_Ponomarev]

> // Unless specified otherwise, use a principal with 
> // 
> this._defaultPrincipal = resolvePrincipal(defaultPrincipal,
>                                           "http://www.mozilla.org");
Perhaps use the null principal instead? http://mxr.mozilla.org/mozilla-central/search?string=@mozilla.org/nullprincipal;1 ?

Comment 2

[Dietrich Ayala (:dietrich)]

Rob, who would be a good reviewer to make sure Jetpack addon code is properly sandboxed?

Comment 3

[Robert Sayre]

mrbkap

Comment 4

[Dietrich Ayala (:dietrich)]

Blake, can you give the Jetpack module in comment #0 the once-over to make sure it's sandboxing JS code from addons properly?

Comment 5

[Myk Melez [:myk] [@mykmelez]]

The Add-on SDK is no longer a Mozilla Labs experiment and has become a big enough project to warrant its own Bugzilla product, so the "Add-on SDK" product has been created for it, and I am moving its bugs to that product.

To filter bugmail related to this change, filter on the word "looptid".

Comment 6

[Myk Melez [:myk] [@mykmelez]]

Given the length of time this code has been in the tree, and the exposure it has received, it doesn't seem like additional review at this point is worth the cost, with the exception of the cuddlefish module, about which concerns have been raised, so closing these bugs WONTFIX, except for that one.