Flip __exposedProps__ default for non-WN objects to default-safe

RESOLVED FIXED in mozilla17

Status

Core
XPConnect
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: mrbkap, Assigned: bholley)

Tracking

(Depends on: 1 bug, 4 keywords)

Trunk
mozilla17
addon-compat, dev-doc-needed, relnote, sec-want

Firefox Tracking Flags

(blocking2.0 .x+)

Attachments

(8 attachments, 5 obsolete attachments)

1.12 KB, patch, mrbkap: review+
1.85 KB, patch, ted: review+
2.86 KB, patch, mrbkap: review+
1.02 KB, patch, ted: review+
2.64 KB, patch, ted: review+
1.28 KB, patch, mrbkap: review+
1.18 KB, patch, ted: review+
6.64 KB, patch, fabrice: review+
(Reporter)

Description

7 years ago
Right now, things are default-unsafe. We should make an object that has no __exposedProps__ not expose anything by default.

Comment 1

7 years ago
This would be really great for Jetpack's security model, as we really don't want to accidentally leak chrome-privileged objects into less-privileged code. :)

Updated

7 years ago
Blocks: 543856
(Reporter)

Comment 2

7 years ago
One open question: what do we do for returned arrays? Do they need __exposedProps__ too?
Can they default to allowing all numbered names and .length to be exposed?
No longer blocks: 543856
This is a relatively big API change, so we have to do it sooner rather than later if we ever want to do it.
blocking2.0: --- → beta6+
Assignee: nobody → mrbkap
Can we make it so that any object that returns true for "isArray" defaults to exposing .length and all numeric property names?
This is not important for feature freeze.
blocking2.0: beta7+ → betaN+
OS: Linux → All
Hardware: x86 → All
No? This is a significant change in the behavior of __exposedProps__ and will impact extension developers significantly.
Over to Andreas who will start looking into this.
Assignee: mrbkap → gal
blocking2.0: betaN+ → beta9+

Comment 9

7 years ago
As per today's meeting, beta 9 will be a time-based release. Marking these all betaN+. Please move it back to beta9+ if you believe it MUST be in the next beta (i.e. trunk is in an unshippable state without this).
blocking2.0: beta9+ → betaN+

Comment 10

7 years ago
Fixing fields my automated script accidentally blanked. Apologies for the bugspam

Updated

7 years ago
Whiteboard: [hardblocker]
Arg! Are we shipping another beta with this unfixed :(

We really need to make this a beta10 hardblocker. It should have been a beta9 hardblocker IMHO, but I guess it's too late for that?
Actually, moving this one back to be beta9 so we don't lose track of it.
blocking2.0: betaN+ → beta9+

Comment 13

7 years ago
It's easy to fix but we fail a bunch of tests. I could use help with fixing the tests.
How many? Can we disable the tests for now to get this into beta9? (Have been out sick mostly this week, so not sure if beta9 is a goner)

Comment 15

7 years ago
Created attachment 502168 [details] [diff] [review]
patch

Comment 16

7 years ago
Jonas, want to help with fixing up the mochitests for this? I am really busy with the compartments landing.
Heading out for tonight, but I'll look tomorrow.
I thought we needed some extra magic for arrays though?

Comment 19

7 years ago
Created attachment 502179 [details] [diff] [review]
patch
Attachment #502168 - Attachment is obsolete: true

Comment 20

7 years ago
Always allow access to "length" and 0..MAXINT of arrays. Needs testing/try and adjusting mochitests.

Updated

7 years ago
Attachment #502179 - Flags: review?(jst)
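
The default flip requested in the description and the array carve-out from comment 20, modelled as an added example; it is not code from this bug's patches or from XPConnect. `canAccess`, `wrapForContent`, `probe` and the `sample` object are assumptions made for illustration (the sample is constructed, shaped after a reftest sandbox), and the array exception is modelled as read-only, which the thread does not specify.

```javascript
// Model of the __exposedProps__ policy discussed in this bug (not Gecko code).
// All function names and the sample data below are hypothetical.

// True for canonical array index strings: "0", "1", ... (rejects "01", "-1", "1.5").
function isArrayIndex(prop) {
  if (typeof prop !== "string") return false;
  const n = Number(prop);
  return Number.isInteger(n) && n >= 0 && n < 2 ** 32 - 1 && String(n) === prop;
}

// Decide whether less-privileged code may read ("r") or write ("w") target[prop].
// defaultSafe=false models the old behaviour, defaultSafe=true the requested one.
function canAccess(target, prop, mode, defaultSafe) {
  // Comment 20: arrays always expose "length" and numeric indices
  // (assumption in this model: for reading only).
  if (Array.isArray(target) && mode === "r" &&
      (prop === "length" || isArrayIndex(prop))) {
    return true;
  }
  const hasList = Object.prototype.hasOwnProperty.call(target, "__exposedProps__");
  const exposed = hasList ? target.__exposedProps__ : null;
  if (exposed !== null && typeof exposed === "object") {
    // An explicit list is authoritative: only own entries count, so a name
    // such as "toString" inherited by the list itself grants nothing.
    const listed = Object.prototype.hasOwnProperty.call(exposed, prop);
    const perms = listed ? exposed[prop] : "";
    return typeof perms === "string" && perms.includes(mode);
  }
  // No __exposedProps__ at all: this is the default the bug flips.
  return !defaultSafe;
}

// Wrap a privileged object so every property access goes through canAccess.
function wrapForContent(target, defaultSafe) {
  return new Proxy(target, {
    get(t, prop) {
      if (!canAccess(t, prop, "r", defaultSafe)) {
        throw new Error(`Permission denied to access property ${String(prop)}`);
      }
      const value = t[prop];
      // Re-wrap nested objects so the check also applies one level down.
      return value !== null && typeof value === "object"
        ? wrapForContent(value, defaultSafe)
        : value;
    },
    set(t, prop, value) {
      if (!canAccess(t, prop, "w", defaultSafe)) {
        throw new Error(`Permission denied to set property ${String(prop)}`);
      }
      t[prop] = value;
      return true;
    },
  });
}

// Follow a property path through a wrapper; report "DENIED" instead of throwing.
function probe(wrapped, path) {
  try {
    return path.reduce((obj, key) => obj[key], wrapped);
  } catch (e) {
    return "DENIED";
  }
}

// Constructed sample data: one object with an explicit list, one without,
// and one array.
const sample = {
  http: { platform: "X11", oscpu: "Linux i686" },
  prefs: {
    __exposedProps__: { getBoolPref: "r", getIntPref: "r" },
    _prefs: { root: "" },
    getBoolPref(name) { return name === "constructed.flag"; },
  },
  list: ["a", "b"],
};

for (const defaultSafe of [false, true]) {
  const label = defaultSafe ? "default-safe  " : "default-unsafe";
  console.log(label, "http.platform ->",
    probe(wrapForContent(sample.http, defaultSafe), ["platform"]));
  console.log(label, "prefs._prefs  ->",
    probe(wrapForContent(sample.prefs, defaultSafe), ["_prefs"]));
  console.log(label, "list.length   ->",
    probe(wrapForContent(sample.list, defaultSafe), ["length"]));
  console.log(label, "list.push     ->",
    typeof probe(wrapForContent(sample.list, defaultSafe), ["push"]));
}
```
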

Comment 21

7 years ago
'platform' can't be accessed here: (crashtest)

args: ['/home/cltbld/talos-slave/test/build/firefox/firefox-bin', '-no-remote', '-profile', '/tmp/tmpnjeqV8/', '-reftest', '/home/cltbld/talos-slave/test/build/reftest/tests/testing/crashtest/crashtests.list']
INFO | automation.py | Application pid: 1974
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST TEST-UNEXPECTED-FAIL | | EXCEPTION: Error: Permission denied to access property 'platform'
REFTEST FINISHED: Slowest test took 0ms (undefined)
REFTEST INFO | Result summary:
REFTEST INFO | Successful: 0 (0 pass, 0 load only)
REFTEST INFO | Unexpected: 1 (0 unexpected fail, 0 unexpected pass, 0 unexpected asserts, 0 unexpected fixed asserts, 0 failed load, 1 exception)
REFTEST INFO | Known problems: 0 (0 known fail, 0 known asserts, 0 random, 0 skipped, 0 slow)
REFTEST INFO | Total canvas count = 0

Comment 22

7 years ago
15810 ERROR TEST-UNEXPECTED-FAIL | /tests/layout/style/test/test_property_syntax_errors.html | [SimpleTest/SimpleTest.js, window.onerror] An error occurred - Permission denied to access property 'handleEvent' at :0

Here are the full logs:

http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/agal@mozilla.com-9d96b5468ea0

Jonas, looks like not a lot of stuff is failing. If you can fix the underlying issue for these (looks like exposedProps has to be added to a component or two), we can fix this for beta9. I have to get back to the compartment GC stuff but I am around if you need help.
Uh, so, we lost track of this and it's not in beta9 - is that a problem?

Comment 24

7 years ago
Ok, here is the story:

This is an incompatible change to an API. We should have done this much earlier, but we forgot. Jonas thinks this is very important, so we should do this as soon as possible, if we do it for 4.

The patch in the bug is easy, but it reveals a bunch of places where the current code doesn't set __exposedProps__. I posted a couple of the failures. So the patch isn't the problem, it's getting all our code to behave properly if we change the behavior of __exposedProps__. This is annoying and a bit time consuming (try server, find missing __exposedProps__, try server again ...). If we parallelize (mrbkap, jonas, me), we can probably fix this in 24-48 hours, if all of us do nothing but this.

Comment 25

7 years ago
To be clear, this patch might break extensions. Probably only very few (those exposing additional APIs), but it's a clear risk.
Why if we've lived with default-unsafe for so long must we change this now? Why not take our time and do it for Firefox 5?

/be

Updated

7 years ago
blocking2.0: beta9+ → betaN+

Comment 27

7 years ago
This is a new feature for FF4, so Jonas and Blake both felt that we should fix it before we introduce it wrong. I am not advocating to take this patch. I am just trying to make a fair case until Jonas and Blake show up to argue for themselves :)
This is a new feature but it hasn't worked as designed (more nearly backwards)? Why isn't it too late to add to 4?

If it's necessary for safety, ok.

If the unsafe default masks the need for this feature (properly implemented) then we have an unknown but potentially big risk, which requires some unknown but also bigger than we'd like beta cycle time to assess: flipping to safe-by-default and then evangelizing those who skated on the thin ice we created.

This ignores follow-on fixes.

Why is this important to do now?

/be
"evangelize" sounds nicer than it often is: we're talking about breaking add-ons and then finding out the hard way, from user complaints in various forums.

/be
Assignee: gal → jonas

Comment 30

7 years ago
Created attachment 503630 [details] [diff] [review]
patch

allow access if __exposedProps__ is not set as long as UniversalXPConnect is enabled
Attachment #502179 - Attachment is obsolete: true
Attachment #502179 - Flags: review?(jst)
Created attachment 504058 [details] [diff] [review]
Latest version

Just pushed this to tryserver. This should work, modulo that it needs a patch from Blake to make x-ray wrappers not wrap callbacks in COWs. I've probably missed a few tests as well.

But it's close!
Attachment #503630 - Attachment is obsolete: true
fwiw, I agree with Brendan in comment #26. This feels like it would be better addressed in Fx 5 when we have the opportunity to warn people about it and for add-on developers to be able to have more than a late-breaking beta to test their code in.

It's a little late in Fx4 to take an object behavior changing platform fix.

Comment 33

7 years ago
(In reply to comment #32)
> fwiw, I agree with Brendan in comment #26. This feels like it would be better
> addressed in Fx 5 when we have the opportunity to warn people about it and for
> add-on developers to be able to have more than a late-breaking beta to test
> their code in.
> 
> It's a little late in Fx4 to take an object behavior changing platform fix.

With this patch applied all of our devtools console tests pass. There is no problem.
Depends on: 611485
I'm a bit concerned about removing the __noSuchMethod__ fallback. Can we use this instead for the changes in ConsoleAPI.js?

>    // Lock down the functions so that content can't access evil properties.
>    for (let name in api) {
>      if (typeof(api[name]) == "function") {
>        api[name].__exposedProps__ = {};
>      }
>    }

If that doesn't work, then could we expose a proxy object to content instead?

I can update this patch if you'd like.
To clarify: Changing the "console" object is an easy way to break the web. We are already breaking some sites in 3.6 because the developers only test with Firebug, or test only in Chrome, both of which expose full-featured console objects. The __noSuchMethod__ fallback in the console object is designed to mitigate this.

Comment 36

7 years ago
Use proxies. That's the standard way of doing this, and you don't have to rely on a deprecated feature we are longing to remove anyway.
There is another patch in the works which might make it unnecessary to remove the __noSuchMethod__ fallback. I'll double-check if that patch is for sure going in.

Proxies is certainly the best way to accomplish this, but I'm not sure how proxies and __exposedProps__ will interact. But it's probably nice if we don't have to rewrite to use proxies given where we are in the release cycle.

Comment 38

7 years ago
I just wanted to point out that in general people shouldn't rely on __noSuchMethod__. We are hell bent on removing it. Building new code with it is a really bad idea. There is a much more powerful alternative available for content and chrome.
Comment 36 exaggerates with "longing to remove". Proxies haven't even shipped yet and __noSuchMethod__ has been out there (with some "potentially regressive but no one complained" restrictions over time) for a long while.

/be
Comment 38 touts proxies and I like proxies too. But my point in the last comment is that we deprecate in release N and remove only in N+M (M=1 if we can). This is not release N+1. It may not be release N yet.

/be

Comment 41

7 years ago
My point is new chrome code should not rely on __noSuchMethod__ if more powerful standard language features are available. Patrick hacked up a version of the console object that uses a proxy and it works great.
(In reply to comment #41)
> My point is new chrome code should not rely on __noSuchMethod__ if more
> powerful standard language features are available. Patrick hacked up a version
> of the console object that uses a proxy and it works great.

That was not your point to which I was responding :-/. ("... longing to remove.")

/be

Comment 43

7 years ago
I agree with every word in comment 39 and comment 40 and I didn't mean to indicate anything to the contrary (nor did I, I think). I am aware that we can't yank out __noSuchMethod__ tomorrow. But we are looking to yank it out as soon as possible. Which is probably N releases out. So maybe end of the year? Or end of next year? Whatever makes sense.
Back to this bug: is it gonna make b10? It better!

/be
The work here is done. Just blocked by bug 611485.
(Reporter)

Updated

7 years ago
Blocks: 628410
(Reporter)

Updated

7 years ago
Attachment #504058 - Flags: review+
We've decided to punt this one to next release and just do bug 628410 instead.
blocking2.0: betaN+ → .x
Whiteboard: [hardblocker]
No longer blocks: 628410

Comment 47

7 years ago
Jonas, I could make a patch that warns in the console every time we grant access based on the default-unsafe easy out path. That way extension authors might get a warning that we will switch the default soon (FF5?).
That's a great idea! But let's do that once the patch in bug 628410 is in since that's still a work in progress (latest tryserver runs together with bug 611485 is still orange).
Blocks: 628903
Just noticed this bug during a sweep.

Since Comment 48, the mentioned bugs have landed, should we try this again?
Yes, but I'm very swamped right now. Any chance someone else could take it?
Blocks: 748618
We really dropped the ball here. :-(

Picking this one up.
Assignee: jonas → bobbyholley+bmo
Comment on attachment 504058 [details] [diff] [review]
Latest version

You can follow along with my work here: https://github.com/bholley/mozilla-central/commits/exposedprops

I've done some fixing of the failures I could find locally. Pushing to try now to see what else crops up. Could be a little, could be a lot. Only one way to tell: https://tbpl.mozilla.org/?tree=Try&rev=e66c71141090
Attachment #504058 - Attachment is obsolete: true
Made some fixes, and pushed again: https://tbpl.mozilla.org/?tree=Try&rev=ecc821b3d5b9
And s'more:

https://tbpl.mozilla.org/?tree=Try&rev=9dd69672bb2b
This is definitely going to need dev-doc when it lands. Marking it as such so that we don't forget.
Keywords: dev-doc-needed
Looks green! Uploading patches and flagging for review as appropriate.

I'm quite happy that this turned out to not require too many changes in tests and frontend code. CCing some jetpack, thunderbird, and lightning folks just to make sure they know it's coming. The nutshell of this change is that __exposedProps__ is now required for chrome JS objects exposed to content.

See https://developer.mozilla.org/en/XPConnect_wrappers for more information.
Created attachment 624883 [details] [diff] [review]
Part 1 - Fix test_cows.xul. v1
Attachment #624883 - Flags: review?(mrbkap)
Created attachment 624884 [details] [diff] [review]
Part 2 - Fix SpecialPowers DOMWindowUtils. v1
Attachment #624884 - Flags: review?(ted.mielczarek)
Created attachment 624885 [details] [diff] [review]
Part 3 - Waive COW checks on SpecialPowers wrapper objects. v1
Attachment #624885 - Flags: review?(mrbkap)
Created attachment 624886 [details] [diff] [review]
Part 4 - Add __exposedProps__ for MockFilePicker. v1

Ted, if there's a better reviewer for the things I've flagged you for here, feel free to reassign as appropriate.
Attachment #624886 - Flags: review?(ted.mielczarek)
Created attachment 624888 [details] [diff] [review]
Part 5 - Fix mock prompt service. v1
Attachment #624888 - Flags: review?(ted.mielczarek)
Created attachment 624890 [details] [diff] [review]
Part 6 - Fix open web apps. v1

I'm not totally sure that this is correct and/or complete. This was just the minimum to get the tests to pass. Please advise, Fabrice.
Attachment #624890 - Flags: review?(fabrice)
Created attachment 624891 [details] [diff] [review]
Part 7 - Make content-> access default to deny if __exposedProps__ is not defined. v1

And now, the moment you've all been waiting for. :-)
Attachment #624891 - Flags: review?(mrbkap)
Embedders: note that part 7 is the only substantive change to the platform, and the only thing you need to test with. The rest just keep the tree green.
Comment on attachment 624890 [details] [diff] [review]
Part 6 - Fix open web apps. v1

Review of attachment 624890 [details] [diff] [review]:
-----------------------------------------------------------------

I'd like to know more about what this __exposedProps__ magic is. Apart from the issue with this patch, we may need to add it in more places.

::: dom/base/Webapps.js
@@ +50,5 @@
> +    for (var key in aManifest) {
> +      props[key] = 'r';
> +    }
> +    aManifest.__exposedProps__ = props;
> +
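
Review bot: The `for (var key in aManifest)` loop builds the ACL from whatever enumerable keys the manifest carries at this point, inherited ones included, so the set of names content can read is decided by the data rather than by a fixed list. It also covers only the top level (nested objects in the manifest get no `__exposedProps__` of their own) and attaches `__exposedProps__` to the caller's object. Suggest an explicit list of the fields content should read, or a copy made for exposure with a `hasOwnProperty` filter, plus a comment saying which consumer needs it.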

I don't understand why you need that here, since aManifest will not be exposed to content: it is sent to the DOMApplicationRegistry that stores it.

@@ +209,5 @@
>    _receipts: [],
>    _installOrigin: null,
>    _installTime: 0,
> +  __exposedProps__: {
> +                      status: 'rw',
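
Review bot: `status: 'rw'` in the new `__exposedProps__` literal gives content write access as well as read; unless content is meant to assign `status`, `'r'` is the narrower grant. A one-line comment above the literal stating which members are intentionally exposed to content, and why, would help the next reader.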

there is no status property
Attachment #624890 - Flags: review?(fabrice) → review-
Blocks: 756341
(In reply to Fabrice Desré [:fabrice] from comment #65)
> I'd like to know more about what this __exposedProps__ magic is.

__exposedProps__ is an access control list for chrome JS objects exposed to content (native-backed objects still get Xrays). It used to be opt-in, now it's mandatory (that is to say, the object is opaque without __exposedProps__). Exceptions to the opaqueness are functions (they may be called), and arrays (.length and numerically-indexed properties are accessible).


> Apart from
> the issue with this patch, we may need to add it in more places.

Quite likely. Luckily, the worst that will happen with this patch is that stuff breaks (ie, this patch just makes things more restrictive, so it's unlikely to create hidden security vulnerabilities). Unfortunately, I don't know this code at all. I'd feel much more comfortable if someone who knows what they're doing could take the patch. I'm not sure if that's you, Fabrice, or someone else.

> 
> ::: dom/base/Webapps.js
> @@ +50,5 @@
> > +    for (var key in aManifest) {
> > +      props[key] = 'r';
> > +    }
> > +    aManifest.__exposedProps__ = props;
> > +
> 
> I don't understand why you need that here, since aManifest will not be
> exposed to content: it is sent to the DOMApplicationRegistry that stores it.

We check for those properties here. If this is supposed to be a test-only thing, then js_traverse probably needs to use SpecialPowers.wrap(object).

> there is no status property

http://mxr.mozilla.org/mozilla-central/source/dom/tests/mochitest/webapps/jshelper.js#193

If this is supposed to be a test-only property, the test code needs to either use SpecialPowers.wrap to place the property, or it needs to store that information in a separate object.
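
The rule stated in comment 66, together with the warn-first transition proposed in comment 47, modelled as an added example (not code from this bug's patches or from XPConnect). A standard `Proxy` stands in for the chrome-object wrapper; `exposeToContent`, `PermissionDenied`, the `strict` option and the sample object are hypothetical, and treating array indices and `.length` as read-only is an assumption of the model.

```javascript
// Model of the access rule described in this thread, built on a standard Proxy.
// Not XPConnect code: every name below is hypothetical.
class PermissionDenied extends Error {}

const targets = new WeakMap(); // proxy -> underlying chrome-side object
const isIndex = (name) => typeof name === "string" && /^(0|[1-9]\d*)$/.test(name);

// Returns the grant ("r", "w", "rw" or "") for one property of a chrome-side object.
function grantFor(target, name, strict, warnings) {
  const acl = target.__exposedProps__; // may be inherited from a prototype
  if (acl !== null && typeof acl === "object") {
    // Only own, enumerable entries of the ACL count.
    const d = Object.getOwnPropertyDescriptor(acl, name);
    return d && d.enumerable && typeof d.value === "string" ? d.value : "";
  }
  // No ACL: arrays still expose .length and numeric indices (read-only is an assumption).
  if (Array.isArray(target) && (name === "length" || isIndex(name))) return "r";
  if (strict) return ""; // default-safe: the object is opaque
  warnings.push(`no __exposedProps__: '${String(name)}' exposed by legacy default`);
  return "rw"; // default-unsafe, recorded as a deprecation warning
}

// Wraps a chrome-side object for content. Only get, set and call are modelled.
function exposeToContent(target, { strict = true, warnings = [] } = {}) {
  const wrap = (v) =>
    v !== null && (typeof v === "object" || typeof v === "function")
      ? exposeToContent(v, { strict, warnings })
      : v;
  const proxy = new Proxy(target, {
    get(t, name) {
      if (!grantFor(t, name, strict, warnings).includes("r"))
        throw new PermissionDenied(`Permission denied to access property '${String(name)}'`);
      return wrap(Reflect.get(t, name)); // every nested level is checked again
    },
    set(t, name, value) {
      if (!grantFor(t, name, strict, warnings).includes("w"))
        throw new PermissionDenied(`Permission denied to set property '${String(name)}'`);
      return Reflect.set(t, name, value);
    },
    // Functions may be called without an ACL; they run against the unwrapped object.
    apply(t, thisArg, args) {
      return wrap(Reflect.apply(t, targets.get(thisArg) || thisArg, args));
    },
  });
  targets.set(proxy, target);
  return proxy;
}

// Constructed sample, shaped like the objects discussed in the thread.
function sampleApp() {
  return {
    __exposedProps__: { manifest: "r", receipts: "r", launch: "r", note: "rw" },
    manifest: { name: "Example App" }, // nested object without its own ACL
    receipts: ["r1", "r2"],
    note: "",
    _installOrigin: "chrome-only",
    launch() { return this._installOrigin.length; },
  };
}

// Runs fn and reports "denied" instead of throwing when the wrapper refuses.
function probe(fn) {
  try {
    return fn();
  } catch (e) {
    if (e instanceof PermissionDenied) return "denied";
    throw e;
  }
}
```
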
CCing various other embedders and extension authors as a heads-up: see comments 56 and comments 64.
Try builds are available here: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bobbyholley@gmail.com-9dd69672bb2b/
Comment on attachment 624884 [details] [diff] [review]
Part 2 - Fix SpecialPowers DOMWindowUtils. v1

Review of attachment 624884 [details] [diff] [review]:
-----------------------------------------------------------------

These are a pain. We could probably just replace this with your .wrap stuff, couldn't we?
Attachment #624884 - Flags: review?(ted.mielczarek) → review+
(In reply to Ted Mielczarek [:ted] from comment #69)

> These are a pain. We could probably just replace this with your .wrap stuff,
> couldn't we?

I tried that, but there was at least one test that got confused that properties it pulled off the MockFilePicker were wrappers (this can happen if you pass them as an argument to a non-wrapped function, because there's no way for the object to know that it should be unwrapped).
More specifically I meant the DOMWindowUtils one, since we're basically implementing a poor-man's wrapper there anyway.
Comment on attachment 624886 [details] [diff] [review]
Part 4 - Add __exposedProps__ for MockFilePicker. v1

Review of attachment 624886 [details] [diff] [review]:
-----------------------------------------------------------------

::: testing/mochitest/MockFilePicker.jsm
@@ +168,5 @@
>    }
>  };
> +
> +// Expose everything to content. We call reset() here so that all of the relevant
> +// lazy expandos get added.

Thanks for the comment! It's nice to have an explanation instead of having it be voodoo. :)

@@ +170,5 @@
> +
> +// Expose everything to content. We call reset() here so that all of the relevant
> +// lazy expandos get added.
> +MockFilePicker.reset();
> +props = {};

var props or let props, presumably?

@@ +178,5 @@
> +
> +props = {};
> +for (var prop in MockFilePickerInstance.prototype)
> +  props[prop] = 'rw';
> +MockFilePickerInstance.prototype.__exposedProps__ = props;

Almost feels like this should be a method, but you're only doing it twice. :-/
Attachment #624886 - Flags: review?(ted.mielczarek) → review+
Attachment #624888 - Flags: review?(ted.mielczarek) → review+
Created attachment 626070 [details] [diff] [review]
Part 0 - Make the SpecialPowers wrapping API a bit nicer. v1

A quick beautification of the wrapping API that I'm using in the updated WebApps patch. Flagging ted for review.
Attachment #626070 - Flags: review?(ted.mielczarek)
Created attachment 626072 [details] [diff] [review]
Part 6 - Fix open web apps. v2

Updated the open webapps patch. Flagging fabrice for review. I think I've spent enough time messing around with this stuff, so if it's not satisfactory we should talk about getting someone from the OWA team to make any further changes.

NB: the "array" case goes away because it's dead per spec: typeof [] === "object".
Attachment #624890 - Attachment is obsolete: true
Attachment #626072 - Flags: review?(fabrice)
(Reporter)

Comment 75

5 years ago
Comment on attachment 624885 [details] [diff] [review]
Part 3 - Waive COW checks on SpecialPowers wrapper objects. v1

Review of attachment 624885 [details] [diff] [review]:
-----------------------------------------------------------------

::: testing/mochitest/tests/SimpleTest/specialpowersAPI.js
@@ +202,5 @@
> +  // NB: XPConnect denies access if the relevant member of __exposedProps__ is not
> +  // enumerable.
> +  var _permit = { value: 'rw', writable: false, configurable: false, enumerable: true };
> +  return {
> +  getOwnPropertyDescriptor: function(name) { return _permit; },
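
Review bot: `getOwnPropertyDescriptor` returns the same `_permit` object for every name, so any caller that mutates the returned descriptor changes the answer for all later lookups; `writable: false` describes the `'rw'` value, it does not protect `_permit` itself. Suggest `Object.freeze(_permit)` or returning a fresh object per call. Since this handler grants `'rw'` on every property name, the comment should also say that it is meant for the test harness only.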

Nit: Please indent the body of the object.
Attachment #624885 - Flags: review?(mrbkap) → review+
(Reporter)

Updated

5 years ago
Attachment #624883 - Flags: review?(mrbkap) → review+
(Reporter)

Updated

5 years ago
Attachment #624891 - Flags: review?(mrbkap) → review+
(In reply to Bobby Holley (:bholley) from comment #67)
> CCing various other embedders and extension authors as a heads-up: see
> comments 56 and comments 64.

Tossing in some suite people, who might be interested in knowing about things here (I doubt I have time to tackle these issues myself)
The only thing in suite code that comes close to poking a chrome JavaScript object into content is a JavaScript global property object, but that only exposes functions so I can't see how that could be affected.
(In reply to neil@parkwaycc.co.uk from comment #77)
> The only thing in suite code that comes close to poking a chrome JavaScript
> object into content is a JavaScript global property object, but that only
> exposes functions so I can't see how that could be affected.

If the functions are accessed as properties on a JS object, they need to be added to the __exposedProps__ of that object, I'd think.
Attachment #626072 - Flags: review?(fabrice) → review+
Attachment #626070 - Flags: review?(ted.mielczarek) → review+
Thanks for the fast reviews everyone! Pushed to try one last time:

https://tbpl.mozilla.org/?tree=Try&rev=fb2257a60f1f
At gabor's request, doing a try push for jetpack tests:
https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402
(In reply to Bobby Holley (:bholley) from comment #80)
> At gabor's request, doing a try push for jetpack tests:
> https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402

buildbot.slave.commands.TimeoutError: command timed out: 1200 seconds without output, attempting to kill
https://tbpl.mozilla.org/php/getParsedLog.php?id=11998681&tree=Try&full=1
:(
(In reply to Wes Kocher (:KWierso) from comment #81)
> (In reply to Bobby Holley (:bholley) from comment #80)
> > At gabor's request, doing a try push for jetpack tests:
> > https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402
> 
> buildbot.slave.commands.TimeoutError: command timed out: 1200 seconds
> without output, attempting to kill
> https://tbpl.mozilla.org/php/getParsedLog.php?id=11998681&tree=Try&full=1
> :(

Infra related, lots of sad-panda issues today. Easiest is to repush the whole try job
Another jetpack push per Callek's suggestion:

https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74
(In reply to Bobby Holley (:bholley) from comment #83)
> Another jetpack push per Callek's suggestion:
> 
> https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74

Just updating the link to unhide jetpack results: 
https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74&noignore=1

ochameau: can you ping me about this when you are online?
So this patch breaks even our test runner, and a bunch of other stuff. Now the more problematic part is that even if we fix it at addon sdk level, releasing this patch will likely break existing (not necessarily jetpack based) addons. Any XUL addon doing some content-chrome interaction will likely break. I was just wondering if we have any release strategy for this change?
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #85)
> So this patch breaks even our test runner, and a bunch of other stuff. Now the
> more problematic part is that even if we fix it at addon sdk level,
> releasing this patch will likely break existing (not necessarily jetpack
> based) addons. Any XUL addon doing some content-chrome interaction will
> likely break. I was just wondering if we have any release strategy for this
> change?

I don't think we can do too much more than "communicate as loudly as possible" and "hope for the best". Fundamentally, the problem is that any code this bites is a security risk, and needs to be fixed. There's not really any way around that. :-(

I'm not a release driver or anything here - I'm doing this because it's something we decided to ship in FF5 and never did, and because jst said that I should. But it might be good to get the opinion of a few other folks.

bz, jorge - any thoughts?
I totally agree that we have to end up using this new default behavior.
It is quite trivial to fix SDK codebase (https://github.com/mozilla/addon-sdk/pull/451)

*But* if we land this as-is, all jetpack addons using a SDK version older than 1.8  will be broken! (1.8 is the next upcoming version, to be released 06/26)
We currently know that most jetpack addons are very rarely repacked to new SDK versions:
https://wiki.mozilla.org/Jetpack/Weekly_Meeting/2012-5-22#AMO_addons_statistics
So landing this would mean breaking all existing SDK addons.
We are currently trying to address this repacking issue but we are still not here.
(automatic repacking and landing SDK module in Firefox are the two main tools)

Other than that, I'm pretty sure we are going to break traditional XUL addons too. But I can't say how many addons would be concerned.

Comment 47 from Andreas sounds like a better first thing to land. I'd easily agree that we should do more ASAP. What do you think about making it optional, like when xraywrappers were introduced?
  https://developer.mozilla.org/en/Chrome_Registration#xpcnativewrappers
To me, it sounds like a perfect plan.
Make it optional to build safer addons. Evangelize, ask AMO reviewer to request this flag to be set, then make it mandatory during review and finally make it default like xpcnativewrappers flag.
Speaking about jetpack it would allow to use this new flag in 1.8 release and be safer without breaking all existing jetpack addons!
(In reply to Alexandre Poirot (:ochameau) from comment #87)

> Comment 47 from Andreas sounds like a better first thing to land. I'd easily
> agree that we should do more ASAP. What do you think about making it
> optional, like when xraywrappers were introduced?
>   https://developer.mozilla.org/en/Chrome_Registration#xpcnativewrappers
> To me, it sounds like a perfect plan.
> Make it optional to build safer addons. Evangelize, ask AMO reviewer to
> request this flag to be set, then make it mandatory during review and
> finally make it default like xpcnativewrappers flag.

That seems reasonable on the condition that we really do get traction from the AMO side. I also don't have much experience with the logistics of how this ought to be done these days. There are a lot of manifests in Firefox these days, and it would be a shame to pollute each one with "strictexposedprops = yes". Is there any way we can detect that code comes from an addon, and make it only optional there?
(In reply to Bobby Holley (:bholley) from comment #88)
> There are a lot of manifests in Firefox
> these days, and it would be a shame to pollute each one with
> "strictexposedprops = yes". Is there any way we can detect that code comes
> from an addon, and make it only optional there?

I'm not an expert of chrome.manifest parsing, but Mossop may know that or the right person to ping!
Actually I took chrome.manifest/xpcnativewrappers flag as example, but I'm not sure that the exact same pattern would apply here. Especially now that we have bootstrapped addons. Jetpack addons are bootstrapped addons without any chrome.manifest file ...
Then we can put such flag in install.rdf, but I don't see how you would make the link between ExposedPropertiesOnly::check() method and such flag in addon's install.rdf ...

So I'm suggesting the idea of making this new behavior optional per addon,
but I'm not sure it is doable. Or at least I don't know how we could do that.
In the meantime, I decided to push all of the fixup patches (but not the final switch) to avoid bitrot:

Pushed parts 0-6 to m-i:
http://hg.mozilla.org/integration/mozilla-inbound/rev/bb8a34106b05
http://hg.mozilla.org/integration/mozilla-inbound/rev/1d82125ed0d2
http://hg.mozilla.org/integration/mozilla-inbound/rev/1f939e1737b4
http://hg.mozilla.org/integration/mozilla-inbound/rev/44ff865ed3fa
http://hg.mozilla.org/integration/mozilla-inbound/rev/a28a05787564
http://hg.mozilla.org/integration/mozilla-inbound/rev/905f0f9b54d0
http://hg.mozilla.org/integration/mozilla-inbound/rev/535f5204a65f

Comment 92

5 years ago
Please put "leave open" in the whiteboard.
(In reply to Paul Wright from comment #92)
> Please put "leave open" in the whiteboard.

Meant to. Sorry.
Whiteboard: [Leave open after merge]
Depends on: 758203
I agree with Alexandre that we need a transition period (at least one cycle, but I would recommend 2 or 3), and that the suggestion on comment #47 is what sounds most reasonable. If we log an error in the console when chrome objects are accessed unsafely, AMO reviewers can easily deny approval for submissions that do this. And we will also start talking about this publicly as soon as we have a plan for it.
I'll just add a "me too" for comment 94.
Ok, I'm working up a patch to do the warning. Jorge, can you (or somebody) put together a definitive MDN page or something that I can link to from the warning message? The current documentation kind of sucks, and I can't find anything good to link to...
I think https://developer.mozilla.org/en/XPConnect_wrappers is the right place to point to. I'll work on clearing it up and adding some examples.
Depends on: 758563
https://hg.mozilla.org/mozilla-central/rev/535f5204a65f
https://hg.mozilla.org/mozilla-central/rev/905f0f9b54d0
https://hg.mozilla.org/mozilla-central/rev/a28a05787564
https://hg.mozilla.org/mozilla-central/rev/44ff865ed3fa
https://hg.mozilla.org/mozilla-central/rev/1f939e1737b4
https://hg.mozilla.org/mozilla-central/rev/1d82125ed0d2
https://hg.mozilla.org/mozilla-central/rev/bb8a34106b05
I just landed the deprecation warning: bug 758563.

We really don't want to drop the ball on this one and let it languish for a year like we did last time. Jorge, can you drive the AMO / devrel side of this pretty hard? I'll make a note to myself to come back and land this on July 20th (2 releases from now), if there are no objections.

Updated

5 years ago
Keywords: sec-want

Updated

5 years ago
Depends on: 762250

Comment 100

5 years ago
(In reply to Bobby Holley (:bholley) from comment #99)
> I just landed the deprecation warning: bug 758563.
Is this expected behavior? The following triggers the warning when running it in the Web Console on any page:

navigator.mozApps.getInstalled().onsuccess = function() this.result.forEach

Note, this.result will be an empty array, but it seems like because __exposedProps__ does not explicitly include forEach, the warning is triggered. And with the flip to default-safe, this would mean .forEach would not exist?

Fabrice, it also seems like each object level needs to have __exposedProps__ because accessing this.result.manifest.name from getSelf() triggers the warning. (Test by running the following on an origin with an app installed.)

navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name
(In reply to Edward Lee :Mardak from comment #100)

> Fabrice, it also seems like each object level needs to have __exposedProps__
> because accessing this.result.manifest.name from getSelf() triggers the
> warning. (Test by running the following on an origin with an app installed.)
> 
> navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name

Oh, I thought we didn't need that for plain jsvals... Can you file a bug on this?

Updated

5 years ago
Depends on: 764091
(In reply to Edward Lee :Mardak from comment #100)
> (In reply to Bobby Holley (:bholley) from comment #99)
> > I just landed the deprecation warning: bug 758563.
> Is this expected behavior? The following triggers the warning when running
> it in the Web Console on any page:
> 
> navigator.mozApps.getInstalled().onsuccess = function() this.result.forEach
> 
> Note, this.result will be an empty array, but it seems like because
> __exposedProps__ does not explicitly include forEach, the warning is
> triggered. And with the flip to default-safe, this would mean .forEach would
> not exist?
> 
> Fabrice, it also seems like each object level needs to have __exposedProps__
> because accessing this.result.manifest.name from getSelf() triggers the
> warning. (Test by running the following on an origin with an app installed.)
> 
> navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name

This is bug 760109, I think.

Updated

5 years ago
Keywords: addon-compat
(In reply to Bobby Holley (:bholley) from comment #99)
> We really don't want to drop the ball on this one and let it languish for a
> year like we did last time. Jorge, can you drive the AMO / devrel side of this
> pretty hard? I'll make a note to myself to come back and land this on July
> 20th (2 releases from now), if there are no objections.

The time has come.

https://tbpl.mozilla.org/?tree=Try&rev=10111dff840e
Depends on: 781521
Fixed new culprits, and pushed again to try:

https://tbpl.mozilla.org/?tree=Try&rev=86f172e9ac5e
Depends on: 783057
Depends on: 783173
https://tbpl.mozilla.org/?tree=Try&rev=c544d157f366
And boom goes the dynamite:

https://hg.mozilla.org/integration/mozilla-inbound/rev/2f210fb9f63c
https://hg.mozilla.org/integration/mozilla-inbound/rev/0f090cc7e9fa
Whiteboard: [Leave open after merge]
https://hg.mozilla.org/mozilla-central/rev/2f210fb9f63c
https://hg.mozilla.org/mozilla-central/rev/0f090cc7e9fa
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Since this commit hit gecko in b2g, homescreen does not show anymore.
(In reply to Alexandre LISSY from comment #108)
> Since this commit hit gecko in b2g, homescreen does not show anymore.

The precise commit is:
727d3361eafae05eb1de4fbfc8a063666a854910 is the first bad commit
commit 727d3361eafae05eb1de4fbfc8a063666a854910
Author: Bobby Holley <bobbyholley@gmail.com>
Date:   Fri Aug 17 23:14:55 2012 -0700

    Bug 553102 - Make content-> access default to deny if __exposedProps__ is not defined. r=mrbkap

:040000 040000 ffb373457aa8c841ed2692f9bb2b7d0f62b6a3fe 66c9e43f357edb79ca3f03a40d764199d812a403 M	content
:040000 040000 8137a2782c07ab4d1dc7f5cfaccb751a1e4affb8 ea39c4da277d98a27d005f40bd3807f203227dde M	dom
:040000 040000 a62ad5cd9f310ad09ac7fdb51743398e1ff01b01 42512d4d4df59a1ecd7e82fe75a90895b25b209d M	js
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
This bug is fixed.  File bugs on B2G for whatever is broken.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Hm, reading the patch and previous logcat, I suspect it's a fix that breaks buggy homescreen.js:
 115 E/GeckoConsole(   78): [JavaScript Error: "Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. See https://developer.mozilla.org/en/XPConnect_wrappers for more information." {file: "app://homescreen.gaiamobile.org/js/homescreen.js" line: 113}]

Updated

5 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 112

5 years ago
Kyle, this patch broke the web apps API it seems. This is going to also severely disrupt the marketplace team. Can we back this out until we have a fix and then we re-land? This isn't about who is right or wrong or has enough tests. This is about dozens of people being unable to do their job until we have a fix if we don't do something pragmatic here. What do you think?
Depends on: 783825
We have been warning that this would happen since late May. If the B2G team refuses to heed these warnings, I'm not sure why this breakage would be to blame on anyone but them. I suggest you fix your bugs instead of wasting time arguing about backouts.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
We have a fix. No need to fight there, this is becoming childish.

Updated

5 years ago
Depends on: 783925

Updated

5 years ago
Depends on: 783931
Jorge, did the documentation in comment 97 ever happen?

Updated

5 years ago
Depends on: 783485
Blocks: 784045
Moving the discussion from bug 783925 to this bug.

(In reply to Andreas Gal :gal from bug 783925 comment #7)
> bholley, I feel your pain, but you have caused massive extension breakage
> with this patch. Burying your head in the sand won't help here.

I don't think that accurately describes the strategy here.

We need extensions to make actual changes to their code (jetpack extensions most likely just need to be repacked). We're pushing out a warning, and then throwing the switch two releases later. Extension authors who are responsive to warnings will have ample time to fix their addons before the next phase hits. Those who aren't need some extra prodding. I think the fact that this warning was firing so much in B2G code (which adheres to our presumably higher development standards) means that gentle warnings won't take us very far.

So if we want this change, at some point we need to suck it up and break some addons on Nightly to make them notice. Now, it's entirely possible that the situation won't look good enough by the time FF17 is ready to roll out the door. In that case, we can easily back this change out on beta for a release or two until we're confident enough to ship. But I don't think we're going to get any traction with the bulk of insecure addons until we start breaking them on Nightly.

> Can we distinguish between wrappers being created from within our jar and
> extension code until we had time to move extensions over?

I'd think so, by examining the chrome:// URI of the object being wrapped.

Comment 117

5 years ago
The problem with your argument is that you aren't punishing extension authors here. You are punishing users who can't use their extensions, and will end up blaming the browser. I have no issue with leaving this enabled on Nightly to get some traction, but this can't go into Beta or product until we have the bulk of extensions moved over.
(In reply to Andreas Gal :gal from comment #117)
> The problem with your argument is that you aren't punishing extension
> authors here. You are punishing users who can't use their extensions, and
> will end up blaming the browser.

Breaking extensions is the only way that bugs will get filed.

> I have no issue with leaving this enabled
> on Nightly to get some traction, but this can't go into Beta or product
> until we have the bulk of extensions moved over.

Then there's no disagreement here.
Depends on: 784071
Bobby just landed bug 784071 to make it re-enable-able without causing l10n headaches.
(In reply to Andreas Gal :gal from comment #117)
> The problem with your argument is that you aren't punishing extension
> authors here. You are punishing users who can't use their extensions, and
> will end up blaming the browser. 

I agree with this. The other side of the problem is that if the addons are insecure
the browser will be blamed again for that too. And I don't see any way currently to land a patch like this nicely, and this scenario can happen again any time in the future. So I think we should find a general solution. 

Just brainstorming here... We could make a security change like this optional for a while. If an addon is not updated after a security fix like this, it will be flagged as potentially unsafe. So if a user is using one or more addons like that, he will be prompted to choose between his favorite addon(s) and safety... (this fix in this case) If all the addons he uses are updated, he will just get the security fix by default (until he tries to install a not updated addon). This way the addon developers will be interested in getting away from that annoying security warning pop-up and will more likely update their addons.

So I'm not saying we should wait for a solution like that with this patch, just a bit concerned that we don't have a way to enforce a security change that requires some action from the addon developers in a simple and sane way.

Comment 121

5 years ago
FWIW, the add-ons I've seen break are dietrich's wallflower, bugzillajs, and bugzilla tweaks. All of them seem to break within the bundled SDK code, or at least in part break there.

Can we repack SDK-based add-ons to be bundled against sane versions of the SDK before breaking them? It really feels counter-productive to have add-ons fail on our code.
(In reply to Bobby Holley (:bholley) from comment #115)
> Jorge, did the documentation in comment 97 ever happen?

It didn't, but I'm on it now. FWIW, most add-on developers won't notice this until it hits beta or even release. The deprecation warnings are the first step towards getting add-on code updated, and those aren't even on release yet.
(In reply to Axel Hecht from comment #121)
> Can we repack SDK-based add-ons to be bundled against sane versions of the
> SDK before breaking them? It really feels counter-productive to have add-ons
> fail on our code.

Jorge, do we have the ability to automatically repack AMO addons?
(In reply to Bobby Holley (:bholley) from comment #123)
> Jorge, do we have the ability to automatically repack AMO addons?

It is a matter of days now before we can send repacked xpi to addon authors.
That's a first step to see how it goes before automatic updates.
We are having various requests about this: bug 751466, bug 783046.
(In reply to Alexandre Poirot (:ochameau) from comment #124)
> (In reply to Bobby Holley (:bholley) from comment #123)
> > Jorge, do we have the ability to automatically repack AMO addons?
> 
> It is a matter of days now before we can send repacked xpi to addon authors.

Ok, then it sounds like we should turn this off for jetpack until we can automatically repack (since the addon authors themselves probably have nothing to fix). Gabor, what do you think is the best way to detect that?
It's up on the blog now: https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-safely/. I'll move it to MDN tomorrow. Let me know if there's anything missing or incorrect.
(In reply to Jorge Villalobos [:jorgev] from comment #126)
> It's up on the blog now:
> https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-
> safely/. I'll move it to MDN tomorrow. Let me know if there's anything
> missing or incorrect.

Looks great Jorge! Thanks for writing that. :-)

I think there's very little point to causing pain for jetpack addons, since we have an automatic solution in the works. So I filed bug 784233 to make an exception there.

Updated

5 years ago
Depends on: 784770
(In reply to Jorge Villalobos [:jorgev] from comment #126)
> It's up on the blog now:
> https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-
> safely/. I'll move it to MDN tomorrow. Let me know if there's anything
> missing or incorrect.

I've now updated https://developer.mozilla.org/en-US/docs/XPConnect_wrappers.
Blocks: 786639
Can we throw when people try to inject objects without __exposedProps__ into content rather than just making them silently innocuous? Even with the two releases of warnings, I think this is going to make issues a lot harder to track down in older codebases.
(In reply to Kris Maglione [:kmag] from comment #129)
> Can we throw when people try to inject objects without __exposedProps__ into
> content rather than just making them silently innocuous? Even with the two
> releases of warnings, I think this is going to make issues a lot harder to
> track down in older codebases.

The only way to do this would be to make JS_WrapValue fail for non-exceptional conditions, which I'd rather not do (we did it for e4x objects, and it was a major pain).

We could certainly warn, though. Probably the best thing to do would be to WarnOnceAbout when we compute a ChromeObjectWrapper in WrapperFactory::Rewrap on an object without __exposedProps__. This would add the slight overhead of looking up the __exposedProps__ property at wrap time, but that's probably not such a big deal.

I'm pretty backlogged coming back from vacation, so I'm unlikely to get to it soon. But I think it should be simple for a non-xpcninja to do, and am happy to provide support. Bug 758563 is a good starting point for boilerplate code and tests.

Updated

5 years ago
Blocks: 789298
Filed bug 789298 about comment 130.
Depends on: 789278
Keywords: relnote

Comment 132

4 years ago
Is there any way to permit code using evalInSandbox() to create new properties with arbitrary names? It’s easy enough to explicitly expose existing properties I want to share, but rather inefficient to add to __exposedProps__ every combination of characters that constitute a valid property name.

My particular case is a facility to mutate nested key/value data from a user script while maintaining deep references. The best workaround I can see at this point is passing it in and out of the sandbox via JSON strings and doing some recursive copying from scalar-to-scalar to get things out of the deserialised object.

However, it doesn’t seem like properties created within a sandbox run the risk of "unintentionally exposing privileged objects" (provided the xray wrapper is working to prevent a sneaky .toString from being triggered by a stray == or other such chicanery).

Also, while I can see the need for extreme caution with assumed-malicious web content, sandbox objects can have a variety of applications. It would be nice to be able to create a sandbox without this requirement (pre ff16 style), at the moment it’s all-or-nothing and prevents some opportunistic application of sandboxing to reduce attack surface.
You could have __exposedProps__ return a proxy which returns whatever you want for whatever set of property names you want, right?
(In reply to skomorokh from comment #132)
> Also, while I can see the need for extreme caution with assumed-malicious
> web content, sandbox objects can have a variety of applications. It would be
> nice to be able to create a sandbox without this requirement (pre ff16
> style), at the moment it’s all-or-nothing and prevents some opportunistic
> application of sandboxing to reduce attack surface.

This is only an issue if you set the principal of your sandbox to that of web content. If you trust the code running in your sandbox, you could presumably run with system principal. If you don't, then the security measures here are your friend. :-)

Also, bz's comment about a proxy-implemented __exposedProps__ for more complicated use cases is spot-on.
It would probably be easier to just create the object in the compartment that needs to work with it. The __exposedProps__ is meant for cases where functionality or data needs to be exposed to an untrusted scope, not when the data is flowing the other way.

Comment 136

4 years ago
Thanks, much appreciated.  

Yeah, it's likely in most such situations the sandbox can be created along with the object before it gathers the references. For everything else there's Proxy. 

Forgot about proxy objects, pretty convenient way to bypass it and a good reminder of a neat toy.

> If you trust the code running in your sandbox, you could presumably run with system principal. If you don't, then the security measures here are your friend. :-)

That's the all-or-nothing I was referring to :)
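
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from the bug's patches or from XPConnect: it shows the warning phase versus the default-safe flip, the need for `__exposedProps__` at every object level (comment 100), and the Proxy-backed `__exposedProps__` suggested in reply to comment 132. The names `permits`, `wrapForContent`, `exposedPropsMatching` and the `"warn"`/`"deny"` policies are hypothetical.

```javascript
"use strict";
// Simplified model of a content-facing wrapper around a chrome object.
// Assumption for illustration only; this is not XPConnect's implementation.
const WARNING = "Exposing chrome JS objects to content without " +
  "__exposedProps__ is insecure and deprecated.";

// policy "warn": deprecation phase, access still works but is logged.
// policy "deny": default-safe, no __exposedProps__ means nothing is exposed.
function permits(obj, prop, action, policy, log) {
  const exposed = obj.__exposedProps__;
  if (exposed === undefined || exposed === null) {
    if (policy === "deny") return false;
    log.push(WARNING);
    return true;
  }
  const access = exposed[prop]; // "r", "w", "rw" or "wr"
  return typeof access === "string" && access.includes(action);
}

function wrapForContent(target, policy, log) {
  return new Proxy(target, {
    get(obj, prop) {
      if (typeof prop !== "string" || prop === "__exposedProps__") return undefined;
      if (!permits(obj, prop, "r", policy, log)) return undefined;
      const value = obj[prop];
      // Nested objects are wrapped again, so every level needs its own list.
      return value !== null && typeof value === "object"
        ? wrapForContent(value, policy, log) : value;
    },
    set(obj, prop, value) {
      if (typeof prop !== "string" || !permits(obj, prop, "w", policy, log)) return false;
      obj[prop] = value;
      return true;
    },
  });
}

// Proxy-backed __exposedProps__: grants `access` to every name matching `pattern`.
function exposedPropsMatching(pattern, access) {
  return new Proxy({}, {
    get: (_, name) =>
      typeof name === "string" && pattern.test(name) ? access : undefined,
  });
}

// Constructed sample objects.
const log = [];
const bare = { manifest: { name: "Demo" } };
const store = { __exposedProps__: exposedPropsMatching(/^user_[a-z0-9]+$/, "rw") };
console.log(wrapForContent(bare, "warn", log).manifest.name, log.length); // warn phase
console.log(wrapForContent(bare, "deny", log).manifest);                  // default-safe
const view = wrapForContent(store, "deny", log);
view.user_theme = "dark";
console.log(view.user_theme, view.toString);
```

Because the pattern is anchored and the lookup result must be a string, inherited names such as `toString` stay hidden even though the allow-list is open-ended.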