Bug 553102 - Flip __exposedProps__ default for non-WN objects to default-safe
Status: RESOLVED FIXED
Keywords: addon-compat, dev-doc-needed, relnote, sec-want
Product: Core
Classification: Components
Component: XPConnect
Version: Trunk
Platform: All All
Importance: -- normal with 2 votes
Target Milestone: mozilla17
Assigned To: Bobby Holley (busy)
Depends on: 783485 611485 758203 758563 762250 764091 781521 783057 783173 783825 783925 783931 784071 784770 789278
Blocks: 628903 748618 756341 784045 786639 789298
Reported: 2010-03-17 16:35 PDT by Blake Kaplan (:mrbkap) (please use needinfo!)
Modified: 2013-08-27 19:46 PDT


Attachments
patch (828 bytes, patch)
2011-01-07 18:26 PST, Andreas Gal :gal
no flags
patch (1.59 KB, patch)
2011-01-07 18:51 PST, Andreas Gal :gal
no flags
patch (8.03 KB, patch)
2011-01-13 14:51 PST, Andreas Gal :gal
no flags
Latest version (24.26 KB, patch)
2011-01-14 19:10 PST, Jonas Sicking (:sicking) PTO Until July 5th
mrbkap: review+
Part 1 - Fix test_cows.xul. v1 (1.12 KB, patch)
2012-05-17 14:01 PDT, Bobby Holley (busy)
mrbkap: review+
Part 2 - Fix SpecialPowers DOMWindowUtils. v1 (1.85 KB, patch)
2012-05-17 14:02 PDT, Bobby Holley (busy)
ted: review+
Part 3 - Waive COW checks on SpecialPowers wrapper objects. v1 (2.86 KB, patch)
2012-05-17 14:02 PDT, Bobby Holley (busy)
mrbkap: review+
Part 4 - Add __exposedProps__ for MockFilePicker. v1 (1.02 KB, patch)
2012-05-17 14:03 PDT, Bobby Holley (busy)
ted: review+
Part 5 - Fix mock prompt service. v1 (2.64 KB, patch)
2012-05-17 14:04 PDT, Bobby Holley (busy)
ted: review+
Part 6 - Fix open web apps. v1 (2.71 KB, patch)
2012-05-17 14:07 PDT, Bobby Holley (busy)
fabrice: review-
Part 7 - Make content-> access default to deny if __exposedProps__ is not defined. v1 (1.28 KB, patch)
2012-05-17 14:08 PDT, Bobby Holley (busy)
mrbkap: review+
Part 0 - Make the SpecialPowers wrapping API a bit nicer. v1 (1.18 KB, patch)
2012-05-22 10:14 PDT, Bobby Holley (busy)
ted: review+
Part 6 - Fix open web apps. v2 (6.64 KB, patch)
2012-05-22 10:18 PDT, Bobby Holley (busy)
fabrice: review+

Description Blake Kaplan (:mrbkap) (please use needinfo!) 2010-03-17 16:35:41 PDT
Right now, things are default-unsafe. We should make an object that has no __exposedProps__ not expose anything by default.
Comment 1 Atul Varma [:atul] 2010-03-17 16:40:09 PDT
This would be really great for Jetpack's security model, as we really don't want to accidentally leak chrome-privileged objects into less-privileged code. :)
Comment 2 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-03-19 17:32:19 PDT
One open question: what do we do for returned arrays? Do they need __exposedProps__ too?
Comment 3 Jonas Sicking (:sicking) PTO Until July 5th 2010-03-30 00:30:03 PDT
Can they default to allowing all numbered names and .length to be exposed?
Comment 4 Jonas Sicking (:sicking) PTO Until July 5th 2010-08-30 14:08:11 PDT
This is a relatively big API change, so we have to do it sooner rather than later if we ever want to do it.
Comment 5 Jonas Sicking (:sicking) PTO Until July 5th 2010-08-30 14:10:18 PDT
Can we make it so that any object that returns true for "isArray" defaults to exposing .length and all numeric property names?
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2010-09-14 14:11:09 PDT
This is not important for feature freeze.
Comment 7 Benjamin Smedberg [:bsmedberg] 2010-09-14 14:13:02 PDT
No? This is a significant change in the behavior of __exposedProps__ and will impact extension developers significantly.
Comment 8 Johnny Stenback (:jst, jst@mozilla.com) 2010-12-08 19:15:09 PST
Over to Andreas who will start looking into this.
Comment 9 christian 2011-01-04 15:42:25 PST
As per today's meeting, beta 9 will be a time-based release. Marking these all betaN+. Please move it back to beta9+ if you believe it MUST be in the next beta (i.e. trunk is in an unshippable state without this).
Comment 10 christian 2011-01-04 18:13:34 PST
Fixing fields my automated script accidentally blanked. Apologies for the bugspam
Comment 11 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-07 18:21:57 PST
Arg! Are we shipping another beta with this unfixed :(

We really need to make this a beta10 hardblocker. It should have been a beta9 hardblocker IMHO, but I guess it's too late for that?
Comment 12 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-07 18:22:47 PST
Actually, moving this one back to be beta9 so we don't lose track of it.
Comment 13 Andreas Gal :gal 2011-01-07 18:23:32 PST
It's easy to fix but we fail a bunch of tests. I could use help with fixing the tests.
Comment 14 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-07 18:25:54 PST
How many? Can we disable the tests for now to get this into beta9? (Have been out sick mostly this week, so not sure if beta9 is a goner)
Comment 15 Andreas Gal :gal 2011-01-07 18:26:48 PST
Created attachment 502168
patch
Comment 16 Andreas Gal :gal 2011-01-07 18:27:17 PST
Jonas, want to help with fixing up the mochitests for this? I am really busy with the compartments landing.
Comment 17 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-07 18:28:38 PST
Heading out for tonight, but I'll look tomorrow.
Comment 18 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-07 18:29:23 PST
I thought we needed some extra magic for arrays though?
Comment 19 Andreas Gal :gal 2011-01-07 18:51:37 PST
Created attachment 502179
patch
Comment 20 Andreas Gal :gal 2011-01-07 18:52:33 PST
Always allow access to "length" and 0..MAXINT of arrays. Needs testing/try and adjusting mochitests.
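
The policy discussed in this thread (deny by default when an object has no __exposedProps__, with a carve-out for array "length" and numeric indices), as an added example that is not part of the bug thread and is not XPConnect code. It is a JavaScript Proxy model: wrapForContent, isAllowed, tryRead, tryWrite and the sample objects are hypothetical, and limiting the array carve-out to reads is an assumption of the model.

```javascript
// Model of a content-facing wrapper around a chrome JS object (not Gecko code).
// All function names and sample objects here are hypothetical.

const ARRAY_INDEX = /^(0|[1-9]\d*)$/; // the model ignores the MAXINT upper bound

// mode is 'r' (read) or 'w' (write); defaultAllow selects the old behaviour.
function isAllowed(target, prop, mode, defaultAllow) {
  if (typeof prop !== 'string' || prop === '__exposedProps__') return false;
  // Array carve-out from the thread: "length" and numeric indices.
  // Assumption of this model: the carve-out covers reads only.
  if (mode === 'r' && Array.isArray(target) &&
      (prop === 'length' || ARRAY_INDEX.test(prop))) {
    return true;
  }
  const exposed = target.__exposedProps__;
  if (exposed === null || typeof exposed !== 'object') {
    // No usable __exposedProps__: this is the default the bug flips.
    return defaultAllow;
  }
  // Annotated object: only listed names, only in the listed modes.
  const perms = Object.prototype.hasOwnProperty.call(exposed, prop)
    ? exposed[prop] : '';
  return typeof perms === 'string' && perms.includes(mode);
}

const deny = () => { throw new Error('Permission denied'); };

function wrapForContent(value, opts = {}) {
  const defaultAllow = opts.defaultAllow === true;
  if (value === null ||
      (typeof value !== 'object' && typeof value !== 'function')) {
    return value; // primitives cross the boundary unchanged
  }
  return new Proxy(value, {
    get(target, prop) {
      if (!isAllowed(target, prop, 'r', defaultAllow)) deny();
      const result = Reflect.get(target, prop);
      // Methods keep the chrome object as `this`; results are wrapped again.
      return wrapForContent(
        typeof result === 'function' ? result.bind(target) : result, opts);
    },
    set(target, prop, newValue) {
      if (!isAllowed(target, prop, 'w', defaultAllow)) deny();
      return Reflect.set(target, prop, newValue);
    },
    apply(target, thisArg, args) {
      return wrapForContent(Reflect.apply(target, undefined, args), opts);
    },
    // Everything else is refused so reflection cannot bypass the policy.
    has: deny, ownKeys: deny, getOwnPropertyDescriptor: deny,
    defineProperty: deny, deleteProperty: deny,
    getPrototypeOf: deny, setPrototypeOf: deny, construct: deny,
  });
}

function tryRead(obj, prop) {
  try { return obj[prop]; } catch (e) { return 'DENIED'; }
}

function tryWrite(obj, prop, value) {
  try { obj[prop] = value; return 'OK'; } catch (e) { return 'DENIED'; }
}

function demo() {
  // Constructed chrome-side objects.
  const annotated = {
    __exposedProps__: { getBoolPref: 'r', counter: 'rw' },
    getBoolPref(name) { return name === 'constructed.pref'; },
    counter: 0,
    secret: 'chrome-only',
  };
  const unannotated = { platform: 'X11' };

  const legacy = wrapForContent(unannotated, { defaultAllow: true });
  const safe = wrapForContent(unannotated);
  const api = wrapForContent(annotated);
  const arr = wrapForContent(['a', 'b']);
  return {
    legacyPlatform: tryRead(legacy, 'platform'), // old default exposes it
    safePlatform: tryRead(safe, 'platform'),     // flipped default denies it
    apiCall: api.getBoolPref('constructed.pref'),
    apiSecret: tryRead(api, 'secret'),
    apiCounterWrite: tryWrite(api, 'counter', 5),
    apiCounterAfter: tryRead(api, 'counter'),
    apiMethodWrite: tryWrite(api, 'getBoolPref', null),
    arrLength: tryRead(arr, 'length'),
    arrFirst: tryRead(arr, '0'),
    arrPush: tryRead(arr, 'push'),
    arrWrite: tryWrite(arr, '0', 'x'),
  };
}

console.log(demo());
```
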
Comment 21 Andreas Gal :gal 2011-01-07 21:53:34 PST
'platform' can't be accessed here: (crashtest)

args: ['/home/cltbld/talos-slave/test/build/firefox/firefox-bin', '-no-remote', '-profile', '/tmp/tmpnjeqV8/', '-reftest', '/home/cltbld/talos-slave/test/build/reftest/tests/testing/crashtest/crashtests.list']
INFO | automation.py | Application pid: 1974
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST INFO | Dumping JSON representation of sandbox
REFTEST INFO | {"isDebugBuild":false,"xulRuntime":{"widgetToolkit":"gtk2","OS":"Linux","XPCOMABI":"x86-gcc3"},"d2d":false,"layersGPUAccelerated":false,"cocoaWidget":false,"gtk2Widget":true,"qtWidget":false,"winWidget":false,"http":{"userAgent":"Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110107 Firefox/4.0b9pre","appName":"Mozilla","appVersion":"5.0","product":"Gecko","productSub":"20110107","platform":"X11","oscpu":"Linux i686","language":"en-US","misc":"rv:2.0b9pre"},"haveTestPlugin":true,"windowsDefaultTheme":false,"nativeThemePref":true,"prefs":{"__exposedProps__":{"getBoolPref":"r","getIntPref":"r"},"_prefs":{"root":"","PREF_INVALID":0,"PREF_STRING":32,"PREF_INT":64,"PREF_BOOL":128}}}
REFTEST TEST-UNEXPECTED-FAIL | | EXCEPTION: Error: Permission denied to access property 'platform'
REFTEST FINISHED: Slowest test took 0ms (undefined)
REFTEST INFO | Result summary:
REFTEST INFO | Successful: 0 (0 pass, 0 load only)
REFTEST INFO | Unexpected: 1 (0 unexpected fail, 0 unexpected pass, 0 unexpected asserts, 0 unexpected fixed asserts, 0 failed load, 1 exception)
REFTEST INFO | Known problems: 0 (0 known fail, 0 known asserts, 0 random, 0 skipped, 0 slow)
REFTEST INFO | Total canvas count = 0
Comment 22 Andreas Gal :gal 2011-01-07 21:56:39 PST
15810 ERROR TEST-UNEXPECTED-FAIL | /tests/layout/style/test/test_property_syntax_errors.html | [SimpleTest/SimpleTest.js, window.onerror] An error occurred - Permission denied to access property 'handleEvent' at :0

Here are the full logs:

http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/agal@mozilla.com-9d96b5468ea0

Jonas, looks like not a lot of stuff is failing. If you can fix the underlying issue for these (looks like exposedProps has to be added to a component or two), we can fix this for beta9. I have to get back to the compartment GC stuff but I am around if you need help.
Comment 23 Mike Beltzner [:beltzner, not reading bugmail] 2011-01-11 09:35:13 PST
Uh, so, we lost track of this and it's not in beta9 - is that a problem?
Comment 24 Andreas Gal :gal 2011-01-11 09:46:49 PST
Ok, here is the story:

This is an incompatible change to an API. We should have done this much earlier, but we forgot. Jonas thinks this is very important, so we should do this as soon as possible, if we do it for 4.

The patch in the bug is easy, but it reveals a bunch of places where the current code doesn't set __exposedProps__. I posted a couple of the failures. So the patch isn't the problem, it's getting all our code to behave properly if we change the behavior of __exposedProps__. This is annoying and a bit time consuming (try server, find missing __exposedProps__, try server again ...). If we parallelize (mrbkap, jonas, me), we can probably fix this in 24-48 hours, if all of us do nothing but this.
Comment 25 Andreas Gal :gal 2011-01-11 09:48:14 PST
To be clear, this patch might break extensions. Probably only very few (those exposing additional APIs), but it's a clear risk.
Comment 26 Brendan Eich [:brendan] 2011-01-11 10:15:18 PST
Why if we've lived with default-unsafe for so long must we change this now? Why not take our time and do it for Firefox 5?

/be
Comment 27 Andreas Gal :gal 2011-01-11 10:20:37 PST
This is a new feature for FF4, so Jonas and Blake both felt that we should fix it before we introduce it wrong. I am not advocating to take this patch. I am just trying to make a fair case until Jonas and Blake show up to argue for themselves :)
Comment 28 Brendan Eich [:brendan] 2011-01-11 10:45:52 PST
This is a new feature but it hasn't worked as designed (more nearly backwards)? Why isn't it too late to add to 4?

If it's necessary for safety, ok.

If the unsafe default masks the need for this feature (properly implemented) then we have an unknown but potentially big risk, which requires some unknown but also bigger than we'd like beta cycle time to assess: flipping to safe-by-default and then evangelizing those who skated on the thin ice we created.

This ignores follow-on fixes.

Why is this important to do now?

/be
Comment 29 Brendan Eich [:brendan] 2011-01-11 10:48:04 PST
"evangelize" sounds nicer than it often is: we're talking about breaking add-ons and then finding out the hard way, from user complaints in various forums.

/be
Comment 30 Andreas Gal :gal 2011-01-13 14:51:34 PST
Created attachment 503630 [details] [diff] [review]
patch

allow access if __exposedProps__ is not set as long as UniversalXPConnect is enabled
Comment 31 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-14 19:10:21 PST
Created attachment 504058 [details] [diff] [review]
Latest version

Just pushed this to tryserver. This should work, modulo that it needs a patch from Blake to make x-ray wrappers not wrap callbacks in COWs. I've probably missed a few tests as well.

But it's close!
Comment 32 Rob Campbell [:rc] (:robcee) 2011-01-17 06:42:05 PST
fwiw, I agree with Brendan in comment #26. This feels like it would be better addressed in Fx 5 when we have the opportunity to warn people about it and for add-on developers to be able to have more than a late-breaking beta to test their code in.

It's a little late in Fx4 to take an object behavior changing platform fix.
Comment 33 David Dahl :ddahl 2011-01-20 07:59:28 PST
(In reply to comment #32)
> fwiw, I agree with Brendan in comment #26. This feels like it would be better
> addressed in Fx 5 when we have the opportunity to warn people about it and for
> add-on developers to be able to have more than a late-breaking beta to test
> their code in.
> 
> It's a little late in Fx4 to take an object behavior changing platform fix.

With this patch applied all of our devtools console tests pass. There is no problem.
Comment 34 Patrick Walton (:pcwalton) 2011-01-20 15:04:20 PST
I'm a bit concerned about removing the __noSuchMethod__ fallback. Can we use this instead for the changes in ConsoleAPI.js?

>    // Lock down the functions so that content can't access evil properties.
>    for (let name in api) {
>      if (typeof(api[name]) == "function") {
>        api[name].__exposedProps__ = {};
>      }
>    }

If that doesn't work, then could we expose a proxy object to content instead?

I can update this patch if you'd like.
Comment 35 Patrick Walton (:pcwalton) 2011-01-20 15:05:57 PST
To clarify: Changing the "console" object is an easy way to break the web. We are already breaking some sites in 3.6 because the developers only test with Firebug, or test only in Chrome, both of which expose full-featured console objects. The __noSuchMethod__ fallback in the console object is designed to mitigate this.
Comment 36 Andreas Gal :gal 2011-01-20 15:09:04 PST
Use proxies. That's the standard way of doing this, and you don't have to rely on a deprecated feature we are longing to remove anyway.
Comment 37 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-20 15:20:13 PST
There is another patch in the works which might make it unnecessary to remove the __noSuchMethod__ fallback. I'll double-check if that patch is for sure going in.

Proxies is certainly the best way to accomplish this, but I'm not sure how proxies and __exposedProps__ will interact. But it's probably nice if we don't have to rewrite to use proxies given where we are in the release cycle.
Comment 38 Andreas Gal :gal 2011-01-20 15:23:57 PST
I just wanted to point out that in general people shouldn't rely on __noSuchMethod__. We are hell bent on removing it. Building new code with it is a really bad idea. There is a much more powerful alternative available for content and chrome.
Comment 39 Brendan Eich [:brendan] 2011-01-22 00:52:31 PST
Comment 36 exaggerates with "longing to remove". Proxies haven't even shipped yet and __noSuchMethod__ has been out there (with some "potentially regressive but no one complained" restrictions over time) for a long while.

/be
Comment 40 Brendan Eich [:brendan] 2011-01-22 00:53:44 PST
Comment 38 touts proxies and I like proxies too. But my point in the last comment is that we deprecate in release N and remove only in N+M (M=1 if we can). This is not release N+1. It may not be release N yet.

/be
Comment 41 Andreas Gal :gal 2011-01-22 00:57:07 PST
My point is new chrome code should not rely on __noSuchMethod__ if more powerful standard language features are available. Patrick hacked up a version of the console object that uses a proxy and it works great.
Comment 42 Brendan Eich [:brendan] 2011-01-22 01:00:33 PST
(In reply to comment #41)
> My point is new chrome code should not rely on __noSuchMethod__ if more
> powerful standard language features are available. Patrick hacked up a version
> of the console object that uses a proxy and it works great.

That was not your point to which I was responding :-/. ("... longing to remove.")

/be
Comment 43 Andreas Gal :gal 2011-01-22 01:10:28 PST
I agree with every word in comment 39 and comment 40 and I didn't mean to indicate anything to the contrary (nor did I, I think). I am aware that we can't yank out __noSuchMethod__ tomorrow. But we are looking to yank it out as soon as possible. Which is probably N releases out. So maybe end of the year? Or end of next year? Whatever makes sense.
Comment 44 Brendan Eich [:brendan] 2011-01-22 22:14:24 PST
Back to this bug: is it gonna make b10? It better!

/be
Comment 45 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-22 22:55:51 PST
The work here is done. Just blocked by bug 611485.
Comment 46 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-25 13:41:13 PST
We've decided to punt this one to next release and just do bug 628410 instead.
Comment 47 Andreas Gal :gal 2011-01-25 13:49:48 PST
Jonas, I could make a patch that warns in the console every time we grant access based on the default-unsafe easy out path. That way extension authors might get a warning that we will switch the default soon (FF5?).
Comment 48 Jonas Sicking (:sicking) PTO Until July 5th 2011-01-25 14:14:21 PST
That's a great idea! But let's do that once the patch in bug 628410 is in since that's still a work in progress (latest tryserver runs together with bug 611485 is still orange).
Comment 49 Rob Campbell [:rc] (:robcee) 2011-07-22 12:09:40 PDT
Just noticed this bug during a sweep.

Since Comment 48, the mentioned bugs have landed, should we try this again?
Comment 50 Jonas Sicking (:sicking) PTO Until July 5th 2011-07-22 13:23:23 PDT
Yes, but I'm very swamped right now. Any chance someone else could take it?
Comment 51 Bobby Holley (busy) 2012-04-30 03:46:25 PDT
We really dropped the ball here. :-(

Picking this one up.
Comment 52 Bobby Holley (busy) 2012-04-30 08:35:30 PDT
Comment on attachment 504058 [details] [diff] [review]
Latest version

You can follow along with my work here: https://github.com/bholley/mozilla-central/commits/exposedprops

I've done some fixing of the failures I could find locally. Pushing to try now to see what else crops up. Could be a little, could be a lot. Only one way to tell: https://tbpl.mozilla.org/?tree=Try&rev=e66c71141090
Comment 53 Bobby Holley (busy) 2012-05-15 04:53:04 PDT
Made some fixes, and pushed again: https://tbpl.mozilla.org/?tree=Try&rev=ecc821b3d5b9
Comment 54 Bobby Holley (busy) 2012-05-17 10:23:20 PDT
And s'more:

https://tbpl.mozilla.org/?tree=Try&rev=9dd69672bb2b
Comment 55 Bobby Holley (busy) 2012-05-17 10:32:39 PDT
This is definitely going to need dev-doc when it lands. Marking it as such so that we don't forget.
Comment 56 Bobby Holley (busy) 2012-05-17 13:58:42 PDT
Looks green! Uploading patches and flagging for review as appropriate.

I'm quite happy that this turned out to not require too many changes in tests and frontend code. CCing some jetpack, thunderbird, and lightning folks just to make sure they know it's coming. The nutshell of this change is that __exposedProps__ is now required for chrome JS objects exposed to content.

See https://developer.mozilla.org/en/XPConnect_wrappers for more information.
Comment 57 Bobby Holley (busy) 2012-05-17 14:01:52 PDT
Created attachment 624883 [details] [diff] [review]
Part 1 - Fix test_cows.xul. v1
Comment 58 Bobby Holley (busy) 2012-05-17 14:02:09 PDT
Created attachment 624884 [details] [diff] [review]
Part 2 - Fix SpecialPowers DOMWindowUtils. v1
Comment 59 Bobby Holley (busy) 2012-05-17 14:02:25 PDT
Created attachment 624885 [details] [diff] [review]
Part 3 - Waive COW checks on SpecialPowers wrapper objects. v1
Comment 60 Bobby Holley (busy) 2012-05-17 14:03:41 PDT
Created attachment 624886 [details] [diff] [review]
Part 4 - Add __exposedProps__ for MockFilePicker. v1

Ted, if there's a better reviewer for the things I've flagged you for here, feel free to reassign as appropriate.
Comment 61 Bobby Holley (busy) 2012-05-17 14:04:38 PDT
Created attachment 624888 [details] [diff] [review]
Part 5 - Fix mock prompt service. v1
Comment 62 Bobby Holley (busy) 2012-05-17 14:07:11 PDT
Created attachment 624890 [details] [diff] [review]
Part 6 - Fix open web apps. v1

I'm not totally sure that this is correct and/or complete. This was just the minimum to get the tests to pass. Please advise, Fabrice.
Comment 63 Bobby Holley (busy) 2012-05-17 14:08:01 PDT
Created attachment 624891 [details] [diff] [review]
Part 7 - Make content-> access default to deny if __exposedProps__ is not defined. v1

And now, the moment you've all been waiting for. :-)
Comment 64 Bobby Holley (busy) 2012-05-17 14:08:59 PDT
Embedders: note that part 7 is the only substantive change to the platform, and the only thing you need to test with. The rest just keep the tree green.
Comment 65 [:fabrice] Fabrice Desré 2012-05-17 14:39:51 PDT
Comment on attachment 624890 [details] [diff] [review]
Part 6 - Fix open web apps. v1

Review of attachment 624890 [details] [diff] [review]:
-----------------------------------------------------------------

I'd like to know more about what this __exposedProps__ magic is. Apart from the issue with this patch, we may need to add it in more places.

::: dom/base/Webapps.js
@@ +50,5 @@
> +    for (var key in aManifest) {
> +      props[key] = 'r';
> +    }
> +    aManifest.__exposedProps__ = props;
> +
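
Review bot: the `for (var key in aManifest)` loop builds the ACL from whatever keys the manifest object happens to carry, inherited enumerable ones included, so the set of readable properties is decided by the data rather than by the code. If content has to read this object at all, name the expected fields in a fixed `__exposedProps__` map, or at least filter the loop with `hasOwnProperty`; objects nested under those keys would still need their own `__exposedProps__`.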

I don't understand why you need that here, since aManifest will not be exposed to content: it is sent to the DOMApplicationRegistry that stores it.

@@ +209,5 @@
>    _receipts: [],
>    _installOrigin: null,
>    _installTime: 0,
> +  __exposedProps__: {
> +                      status: 'rw',

there is no status property
Comment 66 Bobby Holley (busy) 2012-05-18 01:14:50 PDT
(In reply to Fabrice Desré [:fabrice] from comment #65)
> I'd like to know more about what this __exposedProps__ magic is.

__exposedProps__ is an access control list for chrome JS objects exposed to content (native-backed objects still get Xrays). It used to be opt-in, now it's mandatory (that is to say, the object is opaque without __exposedProps__). Exceptions to the opaqueness are functions (they may be called), and arrays (.length and numerically-indexed properties are accessible).


> Apart from
> the issue with this patch, we may need to add it in more places.

Quite likely. Luckily, the worst that will happen with this patch is that stuff breaks (i.e., this patch just makes things more restrictive, so it's unlikely to create hidden security vulnerabilities). Unfortunately, I don't know this code at all. I'd feel much more comfortable if someone who knows what they're doing could take the patch. I'm not sure if that's you, Fabrice, or someone else.

> 
> ::: dom/base/Webapps.js
> @@ +50,5 @@
> > +    for (var key in aManifest) {
> > +      props[key] = 'r';
> > +    }
> > +    aManifest.__exposedProps__ = props;
> > +
> 
> I don't understand why you need that here, since aManifest will not be
> exposed to content: it is sent to the DOMApplicationRegistry that stores it.

We check for those properties here. If this is supposed to be a test-only thing, then js_traverse probably needs to use SpecialPowers.wrap(object).

> there is no status property

http://mxr.mozilla.org/mozilla-central/source/dom/tests/mochitest/webapps/jshelper.js#193

If this is supposed to be a test-only property, the test code needs to either use SpecialPowers.wrap to place the property, or it needs to store that information in a separate object.
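
A small model of the policy described in comment 66, added here as an illustration: it is plain JavaScript built on `Proxy`, not XPConnect's implementation. `exposeToContent`, its `defaultSafe` and `warn` options and the sample objects are hypothetical; the array exception is modelled as read-only, which is an assumption, and the warning path follows the idea in comment 47.

```javascript
// Added model of the __exposedProps__ policy; not Gecko/XPConnect code.
// exposeToContent, defaultSafe and warn are hypothetical names.
const rawOf = new WeakMap(); // wrapper -> underlying chrome-side object

function exposeToContent(target, opts = {}) {
  const { defaultSafe = true, warn = () => {} } = opts;

  // Decide whether `mode` ('r' or 'w') access to property `name` is allowed.
  function permitted(name, mode) {
    if (typeof name !== 'string') return false; // symbols are never exposed here
    const acl = target.__exposedProps__;
    if (acl === undefined || acl === null) {
      // Arrays stay readable through .length and numeric indices (comment 66).
      // Treating that exception as read-only is an assumption of this model.
      if (Array.isArray(target) && mode === 'r' &&
          (name === 'length' || /^(0|[1-9]\d*)$/.test(name))) return true;
      if (defaultSafe) return false;            // new default: object is opaque
      warn(`default-unsafe ${mode} access to '${name}'`); // comment 47's warning
      return true;                              // old default: everything visible
    }
    // A non-enumerable ACL entry counts as absent (NB in the Part 3 hunk).
    if (!Object.prototype.propertyIsEnumerable.call(acl, name)) return false;
    return String(acl[name]).includes(mode);    // 'r', 'w' or 'rw'
  }

  const deny = (name) => {
    throw new Error(`Permission denied to access property '${String(name)}'`);
  };

  // Only property get/set and calls are modelled; enumeration is not.
  const wrapper = new Proxy(target, {
    get(t, name) {
      if (!permitted(name, 'r')) deny(name);
      const value = t[name];
      const wrap = value !== null &&
        (typeof value === 'object' || typeof value === 'function');
      // Objects and functions handed to content are wrapped in turn.
      return wrap ? exposeToContent(value, opts) : value;
    },
    set(t, name, value) {
      if (!permitted(name, 'w')) deny(name);
      t[name] = value;
      return true;
    },
    apply(fn, thisArg, args) {
      // Functions may be called; the call runs against the unwrapped object.
      return Reflect.apply(fn, rawOf.get(thisArg) || thisArg, args);
    },
  });
  rawOf.set(wrapper, target);
  return wrapper;
}

function demo() {
  // Constructed sample, shaped like the reftest sandbox dump earlier in this bug.
  const http = { platform: 'X11', oscpu: 'Linux i686' }; // no __exposedProps__
  const prefs = {
    __exposedProps__: { getBoolPref: 'r', getIntPref: 'r' },
    _values: { 'layout.debug': true },
    getBoolPref(name) { return this._values[name] === true; },
  };
  const warnings = [];
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };

  const legacyHttp = exposeToContent(http, {
    defaultSafe: false,
    warn: (msg) => warnings.push(msg),
  });
  const safeHttp = exposeToContent(http);
  const safePrefs = exposeToContent(prefs);

  return {
    legacy: attempt(() => legacyHttp.platform),           // old default
    safe: attempt(() => safeHttp.platform),               // new default
    method: attempt(() => safePrefs.getBoolPref('layout.debug')),
    hidden: attempt(() => safePrefs._values),             // not in the ACL
    write: attempt(() => { safePrefs.getBoolPref = null; }), // 'r' only
    array: attempt(() => exposeToContent(['a', 'b']).length),
    warnings,
  };
}
```

Running `demo()` with `defaultSafe: false` on an add-on's exposed objects gives the list of properties that would need an `__exposedProps__` entry before the flip.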
Comment 67 Bobby Holley (busy) 2012-05-18 01:22:14 PDT
CCing various other embedders and extension authors as a heads-up: see comments 56 and comments 64.
Comment 68 Bobby Holley (busy) 2012-05-18 01:57:36 PDT
Try builds are available here: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bobbyholley@gmail.com-9dd69672bb2b/
Comment 69 Ted Mielczarek [:ted.mielczarek] 2012-05-18 09:22:42 PDT
Comment on attachment 624884 [details] [diff] [review]
Part 2 - Fix SpecialPowers DOMWindowUtils. v1

Review of attachment 624884 [details] [diff] [review]:
-----------------------------------------------------------------

These are a pain. We could probably just replace this with your .wrap stuff, couldn't we?
Comment 70 Bobby Holley (busy) 2012-05-18 09:49:54 PDT
(In reply to Ted Mielczarek [:ted] from comment #69)

> These are a pain. We could probably just replace this with your .wrap stuff,
> couldn't we?

I tried that, but there was at least one test that got confused that properties it pulled off the MockFilePicker were wrappers (this can happen if you pass them as an argument to a non-wrapped function, because there's no way for the object to know that it should be unwrapped).
Comment 71 Ted Mielczarek [:ted.mielczarek] 2012-05-18 09:58:06 PDT
More specifically I meant the DOMWindowUtils one, since we're basically implementing a poor-man's wrapper there anyway.
Comment 72 Ted Mielczarek [:ted.mielczarek] 2012-05-18 10:00:00 PDT
Comment on attachment 624886 [details] [diff] [review]
Part 4 - Add __exposedProps__ for MockFilePicker. v1

Review of attachment 624886 [details] [diff] [review]:
-----------------------------------------------------------------

::: testing/mochitest/MockFilePicker.jsm
@@ +168,5 @@
>    }
>  };
> +
> +// Expose everything to content. We call reset() here so that all of the relevant
> +// lazy expandos get added.

Thanks for the comment! It's nice to have an explanation instead of having it be voodoo. :)

@@ +170,5 @@
> +
> +// Expose everything to content. We call reset() here so that all of the relevant
> +// lazy expandos get added.
> +MockFilePicker.reset();
> +props = {};

var props or let props, presumably?

@@ +178,5 @@
> +
> +props = {};
> +for (var prop in MockFilePickerInstance.prototype)
> +  props[prop] = 'rw';
> +MockFilePickerInstance.prototype.__exposedProps__ = props;
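
Review bot: `for (var prop in MockFilePickerInstance.prototype)` marks every enumerable property, inherited ones included, as 'rw', so content can overwrite the mock's members as well as read them, and anything added to the prototype after this loop runs stays hidden. That is workable for a test-only mock, but 'r' is enough for members content only reads or calls, and a comment saying the snapshot is taken at load time would help the next reader.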

Almost feels like this should be a method, but you're only doing it twice. :-/
Comment 73 Bobby Holley (busy) 2012-05-22 10:14:49 PDT
Created attachment 626070 [details] [diff] [review]
Part 0 - Make the SpecialPowers wrapping API a bit nicer. v1

A quick beautification of the wrapping API that I'm using in the updated WebApps patch. Flagging ted for review.
Comment 74 Bobby Holley (busy) 2012-05-22 10:18:43 PDT
Created attachment 626072 [details] [diff] [review]
Part 6 - Fix open web apps. v2

Updated the open webapps patch. Flagging fabrice for review. I think I've spent enough time messing around with this stuff, so if it's not satisfactory we should talk about getting someone from the OWA team to make any further changes.

NB: the "array" case goes away because it's dead per spec: typeof [] === "object".
Comment 75 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-05-22 16:25:55 PDT
Comment on attachment 624885 [details] [diff] [review]
Part 3 - Waive COW checks on SpecialPowers wrapper objects. v1

Review of attachment 624885 [details] [diff] [review]:
-----------------------------------------------------------------

::: testing/mochitest/tests/SimpleTest/specialpowersAPI.js
@@ +202,5 @@
> +  // NB: XPConnect denies access if the relevant member of __exposedProps__ is not
> +  // enumerable.
> +  var _permit = { value: 'rw', writable: false, configurable: false, enumerable: true };
> +  return {
> +  getOwnPropertyDescriptor: function(name) { return _permit; },
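
Review bot: `getOwnPropertyDescriptor` hands back the one shared `_permit` object for every name, so a caller that mutates the returned descriptor changes the answer for all later lookups. Freeze `_permit` or return a fresh descriptor per call, and keep the NB about enumerability next to whichever form is used.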

Nit: Please indent the body of the object.
Comment 76 Justin Wood (:Callek) 2012-05-22 19:58:37 PDT
(In reply to Bobby Holley (:bholley) from comment #67)
> CCing various other embedders and extension authors as a heads-up: see
> comments 56 and comments 64.

Tossing in some suite people, who might be interested in knowing about things here (I doubt I have time to tackle these issues myself)
Comment 77 neil@parkwaycc.co.uk 2012-05-23 01:29:15 PDT
The only thing in suite code that comes close to poking a chrome JavaScript object into content is a JavaScript global property object, but that only exposes functions so I can't see how that could be affected.
Comment 78 Bobby Holley (busy) 2012-05-23 06:52:56 PDT
(In reply to neil@parkwaycc.co.uk from comment #77)
> The only thing in suite code that comes close to poking a chrome JavaScript
> object into content is a JavaScript global property object, but that only
> exposes functions so I can't see how that could be affected.

If the functions are accessed as properties on a JS object, they need to be added to the __exposedProps__ of that object, I'd think.
Comment 79 Bobby Holley (busy) 2012-05-23 10:54:32 PDT
Thanks for the fast reviews everyone! Pushed to try one last time:

https://tbpl.mozilla.org/?tree=Try&rev=fb2257a60f1f
Comment 80 Bobby Holley (busy) 2012-05-23 11:00:35 PDT
At gabor's request, doing a try push for jetpack tests:
https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402
Comment 81 Wes Kocher (:KWierso) 2012-05-23 14:41:22 PDT
(In reply to Bobby Holley (:bholley) from comment #80)
> At gabor's request, doing a try push for jetpack tests:
> https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402

buildbot.slave.commands.TimeoutError: command timed out: 1200 seconds without output, attempting to kill
https://tbpl.mozilla.org/php/getParsedLog.php?id=11998681&tree=Try&full=1
:(
Comment 82 Justin Wood (:Callek) 2012-05-23 14:45:39 PDT
(In reply to Wes Kocher (:KWierso) from comment #81)
> (In reply to Bobby Holley (:bholley) from comment #80)
> > At gabor's request, doing a try push for jetpack tests:
> > https://tbpl.mozilla.org/?tree=Try&rev=6ab9dafb4402
> 
> buildbot.slave.commands.TimeoutError: command timed out: 1200 seconds
> without output, attempting to kill
> https://tbpl.mozilla.org/php/getParsedLog.php?id=11998681&tree=Try&full=1
> :(

Infra related, lots of sad-panda issues today. Easiest is to repush the whole try job
Comment 83 Bobby Holley (busy) 2012-05-23 15:37:12 PDT
Another jetpack push per Callek's suggestion:

https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74
Comment 84 Gabor Krizsanits [:krizsa :gabor] (PTO until july 3) 2012-05-24 00:41:30 PDT
(In reply to Bobby Holley (:bholley) from comment #83)
> Another jetpack push per Callek's suggestion:
> 
> https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74

Just updating the link to unhide jetpack results: 
https://tbpl.mozilla.org/?tree=Try&rev=a7c99639ff74&noignore=1

ochameau: can you ping me about this when you are online?
Comment 85 Gabor Krizsanits [:krizsa :gabor] (PTO until july 3) 2012-05-24 01:57:31 PDT
So this patch breaks even our test runner, and a bunch of other stuff. Now the more problematic part is that even if we fix it at addon sdk level, releasing this patch will likely break existing (not necessarily jetpack based) addons. Any XUL addon doing some content-chrome interaction will likely break. I was just wondering if we have any release strategy for this change?
Comment 86 Bobby Holley (busy) 2012-05-24 02:23:55 PDT
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #85)
> So this patch breaks even our test runner, and a bunch of other stuff. Now the
> more problematic part is that even if we fix it at addon sdk level,
> releasing this patch will likely break existing (not necessarily jetpack
> based) addons. Any XUL addon doing some content-chrome interaction will
> likely break. I was just wondering if we have any release strategy for this
> change?

I don't think we can do too much more than "communicate as loudly as possible" and "hope for the best". Fundamentally, the problem is that any code this bites is a security risk, and needs to be fixed. There's not really any way around that. :-(

I'm not a release driver or anything here - I'm doing this because it's something we decided to ship in FF5 and never did, and because jst said that I should. But it might be good to get the opinion of a few other folks.

bz, jorge - any thoughts?
Comment 87 Alexandre Poirot [:ochameau] 2012-05-24 03:06:37 PDT
I totally agree that we have to end up using this new default behavior.
It is quite trivial to fix SDK codebase (https://github.com/mozilla/addon-sdk/pull/451)

*But* if we land this as-is, all jetpack addons using a SDK version older than 1.8  will be broken! (1.8 is the next upcoming version, to be released 06/26)
We currently know that most jetpack addons are very rarely repacked to new SDK versions:
https://wiki.mozilla.org/Jetpack/Weekly_Meeting/2012-5-22#AMO_addons_statistics
So landing this would mean breaking all existing SDK addons.
We are currently trying to address this repacking issue but we are still not here.
(automatic repacking and landing SDK module in Firefox are the two main tools)

Other than that, I'm pretty sure we are going to break traditional XUL addons too. But I can't say how many addons would be concerned.

Comment 47 from Andreas sounds like a better first thing to land. I'd easily agree that we should do more ASAP. What do you think about making it optional, like when xraywrappers were introduced?
  https://developer.mozilla.org/en/Chrome_Registration#xpcnativewrappers
To me, it sounds like a perfect plan.
Make it optional to build safer addons. Evangelize, ask AMO reviewer to request this flag to be set, then make it mandatory during review and finally make it default like xpcnativewrappers flag.
Speaking about jetpack it would allow to use this new flag in 1.8 release and be safer without breaking all existing jetpack addons!
Comment 88 Bobby Holley (busy) 2012-05-24 03:23:46 PDT
(In reply to Alexandre Poirot (:ochameau) from comment #87)

> Comment 47 from Andreas sounds like a better first thing to land. I'd easily
> agree that we should do more ASAP. What do you think about making it
> optional, like when xraywrappers were introduced?
>   https://developer.mozilla.org/en/Chrome_Registration#xpcnativewrappers
> To me, it sounds like a perfect plan.
> Make it optional to build safer addons. Evangelize, ask AMO reviewer to
> request this flag to be set, then make it mandatory during review and
> finally make it default like xpcnativewrappers flag.

That seems reasonable on the condition that we really do get traction from the AMO side. I also don't have much experience with the logistics of how this ought to be done these days. There are a lot of manifests in Firefox these days, and it would be a shame to pollute each one with "strictexposedprops = yes". Is there any way we can detect that code comes from an addon, and make it only optional there?
Comment 89 Alexandre Poirot [:ochameau] 2012-05-24 03:31:50 PDT
(In reply to Bobby Holley (:bholley) from comment #88)
> There are a lot of manifests in Firefox
> these days, and it would be a shame to pollute each one with
> "strictexposedprops = yes". Is there any way we can detect that code comes
> from an addon, and make it only optional there?

I'm not an expert of chrome.manifest parsing, but Mossop may know that or the right person to ping!
Comment 90 Alexandre Poirot [:ochameau] 2012-05-24 03:50:06 PDT
Actually I took chrome.manifest/xpcnativewrappers flag as example, but I'm not sure that the exact same pattern would apply here. Especially now that we have bootstrapped addons. Jetpack addons are bootstrapped addons without any chrome.manifest file ...
Then we can put such flag in install.rdf, but I don't see how you would make the link between ExposedPropertiesOnly::check() method and such flag in addon's install.rdf ...

So I'm suggesting the idea of making this new behavior optional per addon,
but I'm not sure it is doable. Or at least I don't know how we could do that.
Comment 92 Paul Wright 2012-05-24 04:59:42 PDT
Please put "leave open" in the whiteboard.
Comment 93 Bobby Holley (busy) 2012-05-24 05:50:45 PDT
(In reply to Paul Wright from comment #92)
> Please put "leave open" in the whiteboard.

Meant to. Sorry.
Comment 94 Jorge Villalobos [:jorgev] 2012-05-24 07:57:36 PDT
I agree with Alexandre that we need a transition period (at least one cycle, but I would recommend 2 or 3), and that the suggestion on comment #47 is what sounds most reasonable. If we log an error in the console when chrome objects are accessed unsafely, AMO reviewers can easily deny approval for submissions that do this. And we will also start talking about this publicly as soon as we have a plan for it.
Comment 95 Boris Zbarsky [:bz] (Out June 25-July 6) 2012-05-24 08:20:17 PDT
I'll just add a "me too" for comment 94.
Comment 96 Bobby Holley (busy) 2012-05-24 13:51:27 PDT
Ok, I'm working up a patch to do the warning. Jorge, can you (or somebody) put together a definitive MDN page or something that I can link to from the warning message? The current documentation kind of sucks, and I can't find anything good to link to...
Comment 97 Jorge Villalobos [:jorgev] 2012-05-24 16:03:35 PDT
I think https://developer.mozilla.org/en/XPConnect_wrappers is the right place to point to. I'll work on clearing it up and adding some examples.
Comment 99 Bobby Holley (busy) 2012-05-25 09:48:16 PDT
I just landed the deprecation warning: bug 758563.

We really don't want to drop the ball on this one and let it languish for a year like we did last time. Jorge, can you drive the AMO / devrel side of this pretty hard? I'll make a note to myself to come back and land this on July 20th (2 releases from now), if there are no objections.
Comment 100 Ed Lee :Mardak 2012-06-12 11:57:24 PDT
(In reply to Bobby Holley (:bholley) from comment #99)
> I just landed the deprecation warning: bug 758563.
Is this expected behavior? The following triggers the warning when running it in the Web Console on any page:

navigator.mozApps.getInstalled().onsuccess = function() this.result.forEach

Note, this.result will be an empty array, but it seems like because __exposedProps__ does not explicitly include forEach, the warning is triggered. And with the flip to default-safe, this would mean .forEach would not exist?

Fabrice, it also seems like each object level needs to have __exposedProps__ because accessing this.result.manifest.name from getSelf() triggers the warning. (Test by running the following on an origin with an app installed.)

navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name
Comment 101 [:fabrice] Fabrice Desré 2012-06-12 12:01:40 PDT
(In reply to Edward Lee :Mardak from comment #100)

> Fabrice, it also seems like each object level needs to have __exposedProps__
> because accessing this.result.manifest.name from getSelf() triggers the
> warning. (Test by running the following on an origin with an app installed.)
> 
> navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name

Oh, I thought we didn't need that for plain jsvals... Can you file a bug on this?
Comment 102 Bobby Holley (busy) 2012-06-13 02:15:50 PDT
(In reply to Edward Lee :Mardak from comment #100)
> (In reply to Bobby Holley (:bholley) from comment #99)
> > I just landed the deprecation warning: bug 758563.
> Is this expected behavior? The following triggers the warning when running
> it in the Web Console on any page:
> 
> navigator.mozApps.getInstalled().onsuccess = function() this.result.forEach
> 
> Note, this.result will be an empty array, but it seems like because
> __exposedProps__ does not explicitly include forEach, the warning is
> triggered. And with the flip to default-safe, this would mean .forEach would
> not exist?
> 
> Fabrice, it also seems like each object level needs to have __exposedProps__
> because accessing this.result.manifest.name from getSelf() triggers the
> warning. (Test by running the following on an origin with an app installed.)
> 
> navigator.mozApps.getSelf().onsuccess = function() this.result.manifest.name

This is bug 760109, I think.
Comment 103 Bobby Holley (busy) 2012-08-03 06:55:16 PDT
(In reply to Bobby Holley (:bholley) from comment #99)
> We really don't want to drop the ball on this one and let it languish for a
> year like we did last time. Jorge, can you drive the AMO / devrel side of this
> pretty hard? I'll make a note to myself to come back and land this on July
> 20th (2 releases from now), if there are no objections.

The time has come.

https://tbpl.mozilla.org/?tree=Try&rev=10111dff840e
Comment 104 Bobby Holley (busy) 2012-08-14 20:57:49 PDT
Fixed new culprits, and pushed again to try:

https://tbpl.mozilla.org/?tree=Try&rev=86f172e9ac5e
Comment 105 Bobby Holley (busy) 2012-08-17 15:11:20 PDT
https://tbpl.mozilla.org/?tree=Try&rev=c544d157f366
Comment 108 Alexandre LISSY :gerard-majax 2012-08-18 13:39:29 PDT
Since this commit hit gecko in b2g, homescreen does not show anymore.
Comment 109 Alexandre LISSY :gerard-majax 2012-08-18 13:41:41 PDT
(In reply to Alexandre LISSY from comment #108)
> Since this commit hit gecko in b2g, homescreen does not show anymore.

The precise commit is:
727d3361eafae05eb1de4fbfc8a063666a854910 is the first bad commit
commit 727d3361eafae05eb1de4fbfc8a063666a854910
Author: Bobby Holley <bobbyholley@gmail.com>
Date:   Fri Aug 17 23:14:55 2012 -0700

    Bug 553102 - Make content-> access default to deny if __exposedProps__ is not defined. r=mrbkap

:040000 040000 ffb373457aa8c841ed2692f9bb2b7d0f62b6a3fe 66c9e43f357edb79ca3f03a40d764199d812a403 M	content
:040000 040000 8137a2782c07ab4d1dc7f5cfaccb751a1e4affb8 ea39c4da277d98a27d005f40bd3807f203227dde M	dom
:040000 040000 a62ad5cd9f310ad09ac7fdb51743398e1ff01b01 42512d4d4df59a1ecd7e82fe75a90895b25b209d M	js
Comment 110 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-08-18 13:42:40 PDT
This bug is fixed.  File bugs on B2G for whatever is broken.
Comment 111 Alexandre LISSY :gerard-majax 2012-08-18 13:55:14 PDT
Hm, reading the patch and previous logcat, I suspect it's a fix that breaks buggy homescreen.js:
 115 E/GeckoConsole(   78): [JavaScript Error: "Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. See https://developer.mozilla.org/en/XPConnect_wrappers for more information." {file: "app://homescreen.gaiamobile.org/js/homescreen.js" line: 113}]
Comment 112 Andreas Gal :gal 2012-08-18 14:27:23 PDT
Kyle, this patch broke the web apps API it seems. This is going to also severely disrupt the marketplace team. Can we back this out until we have a fix and then we re-land? This isn't about who is right or wrong or has enough tests. This is about dozens of people being unable to do their job until we have a fix if we don't do something pragmatic here. What do you think?
Comment 113 :Ms2ger 2012-08-19 00:09:26 PDT
We have been warning that this would happen since late May. If the B2G team refuses to heed these warnings, I'm not sure why this breakage would be to blame on anyone but them. I suggest you fix your bugs instead of wasting time arguing about backouts.
Comment 114 [:fabrice] Fabrice Desré 2012-08-19 00:18:04 PDT
We have a fix. No need to fight there, this is becoming childish.
Comment 115 Bobby Holley (busy) 2012-08-19 20:11:54 PDT
Jorge, did the documentation in comment 97 ever happen?
Comment 116 Bobby Holley (busy) 2012-08-20 09:52:02 PDT
Moving the discussion from bug 783925 to this bug.

(In reply to Andreas Gal :gal from bug 783925 comment #7)
> bholley, I feel your pain, but you have caused massive extension breakage
> with this patch. Burying your head in the sand won't help here.

I don't think that accurately describes the strategy here.

We need extensions to make actual changes to their code (jetpack extensions most likely just need to be repacked). We're pushing out a warning, and then throwing the switch two releases later. Extension authors who are responsive to warnings will have ample time to fix their addons before the next phase hits. Those who aren't need some extra prodding. I think the fact that this warning was firing so much in B2G code (which adheres to our presumably higher development standards) means that gentle warnings won't take us very far.

So if we want this change, at some point we need to suck it up and break some addons on Nightly to make them notice. Now, it's entirely possible that the situation won't look good enough by the time FF17 is ready to roll out the door. In that case, we can easily back this change out on beta for a release or two until we're confident enough to ship. But I don't think we're going to get any traction with the bulk of insecure addons until we start breaking them on Nightly.

> Can we distinguish between wrappers being created from within our jar and
> extension code until we had time to move extensions over?

I'd think so, by examining the chrome:// URI of the object being wrapped.
Comment 117 Andreas Gal :gal 2012-08-20 09:55:27 PDT
The problem with your argument is that you aren't punishing extension authors here. You are punishing users who can't use their extensions, and will end up blaming the browser. I have no issue with leaving this enabled on Nightly to get some traction, but this can't go into Beta or product until we have the bulk of extensions moved over.
Comment 118 Bobby Holley (busy) 2012-08-20 10:33:23 PDT
(In reply to Andreas Gal :gal from comment #117)
> The problem with your argument is that you aren't punishing extension
> authors here. You are punishing users who can't use their extensions, and
> will end up blaming the browser.

Breaking extensions is the only way that bugs will get filed.

> I have no issue with leaving this enabled
> on Nightly to get some traction, but this can't go into Beta or product
> until we have the bulk of extensions moved over.

Then there's no disagreement here.
Comment 119 Andrew McCreight [:mccr8] 2012-08-20 10:37:42 PDT
Bobby just landed bug 784071 to make it re-enable-able without causing l10n headaches.
Comment 120 Gabor Krizsanits [:krizsa :gabor] (PTO until july 3) 2012-08-20 10:41:25 PDT
(In reply to Andreas Gal :gal from comment #117)
> The problem with your argument is that you aren't punishing extension
> authors here. You are punishing users who can't use their extensions, and
> will end up blaming the browser. 

I agree with this. The other side of the problem is that if the addons are insecure
the browser will be blamed again for that too. And I don't see any way currently to land a patch like this nicely, and this scenario can happen again any time in the future. So I think we should find a general solution. 

Just brainstorming here... We could make a security change like this optional for a while. If an addon that is not updated after a security fix like this it will be flagged as potentially unsafe. So if a user is using one or more addons like that he will be prompted to choose between his favorite addon(s) and safety... (this fix in this case) If all the addons he uses are updated, he will just get the security fix by default (until he tries to install a not updated addon). This way the addon developers will be interested in getting away from that annoying security warning pop-up and will more likely update their addons.

So I'm not saying we should wait for a solution like that with this patch, just a bit concerned that we don't have a way to enforce a security change that requires some action from the addon developers in a simple and sane way.
Comment 121 Axel Hecht 2012-08-20 11:32:38 PDT
FWIW, the add-ons I've seen break are dietrich's wallflower, bugzillajs, and bugzilla tweaks. All of them seem to break within the bundled SDK code, or at least in part break there.

Can we repack SDK-based add-ons to be bundled against sane versions of the SDK before breaking them? It really feels counter-productive to have add-ons fail on our code.
Comment 122 Jorge Villalobos [:jorgev] 2012-08-20 13:43:46 PDT
(In reply to Bobby Holley (:bholley) from comment #115)
> Jorge, did the documentation in comment 97 ever happen?

It didn't, but I'm on it now. FWIW, most add-on developers won't notice this until it hits beta or even release. The deprecation warnings are the first step towards getting add-on code updated, and those aren't even on release yet.
Comment 123 Bobby Holley (busy) 2012-08-20 14:12:03 PDT
(In reply to Axel Hecht from comment #121)
> Can we repack SDK-based add-ons to be bundled against sane versions of the
> SDK before breaking them? It really feels counter-productive to have add-ons
> fail on our code.

Jorge, do we have the ability to automatically repack AMO addons?
Comment 124 Alexandre Poirot [:ochameau] 2012-08-20 14:19:00 PDT
(In reply to Bobby Holley (:bholley) from comment #123)
> Jorge, do we have the ability to automatically repack AMO addons?

It is a matter of days now before we can send repacked xpi to addon authors.
That's a first step to see how it goes before automatic updates.
We are having various requests about this: bug 751466, bug 783046.
Comment 125 Bobby Holley (busy) 2012-08-20 14:47:41 PDT
(In reply to Alexandre Poirot (:ochameau) from comment #124)
> (In reply to Bobby Holley (:bholley) from comment #123)
> > Jorge, do we have the ability to automatically repack AMO addons?
> 
> It is a matter of days now before we can send repacked xpi to addon authors.

Ok, then it sounds like we should turn this off for jetpack until we can automatically repack (since the addon authors themselves probably have nothing to fix). Gabor, what do you think is the best way to detect that?
Comment 126 Jorge Villalobos [:jorgev] 2012-08-20 17:02:29 PDT
It's up on the blog now: https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-safely/. I'll move it to MDN tomorrow. Let me know if there's anything missing or incorrect.
Comment 127 Bobby Holley (busy) 2012-08-20 18:53:55 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #126)
> It's up on the blog now:
> https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-
> safely/. I'll move it to MDN tomorrow. Let me know if there's anything
> missing or incorrect.

Looks great Jorge! Thanks for writing that. :-)

I think there's very little point to causing pain for jetpack addons, since we have an automatic solution in the works. So I filed bug 784233 to make an exception there.
Comment 128 Jorge Villalobos [:jorgev] 2012-08-22 13:36:25 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #126)
> It's up on the blog now:
> https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-
> safely/. I'll move it to MDN tomorrow. Let me know if there's anything
> missing or incorrect.

I've now updated https://developer.mozilla.org/en-US/docs/XPConnect_wrappers.
Comment 129 Kris Maglione [:kmag] 2012-08-30 17:19:32 PDT
Can we throw when people try to inject objects without __exposedProps__ into content rather than just making them silently innocuous? Even with the two releases of warnings, I think this is going to make issues a lot harder to track down in older codebases.
Comment 130 Bobby Holley (busy) 2012-09-03 16:03:37 PDT
(In reply to Kris Maglione [:kmag] from comment #129)
> Can we throw when people try to inject objects without __exposedProps__ into
> content rather than just making them silently innocuous? Even with the two
> releases of warnings, I think this is going to make issues a lot harder to
> track down in older codebases.

The only way to do this would be to make JS_WrapValue fail for non-exceptional conditions, which I'd rather not do (we did it for e4x objects, and it was a major pain).

We could certainly warn, though. Probably the best thing to do would be to WarnOnceAbout when we compute a ChromeObjectWrapper in WrapperFactory::Rewrap on an object without __exposedProps__. This would add the slight overhead of looking up the __exposedProps__ property at wrap time, but that's probably not such a big deal.

I'm pretty backlogged coming back from vacation, so I'm unlikely to get to it soon. But I think it should be simple for a non-xpcninja to do, and am happy to provide support. Bug 758563 is a good starting point for boilerplate code and tests.
Comment 131 Josh Matthews [:jdm] 2012-09-06 14:57:45 PDT
Filed bug 789298 about comment 130.
Comment 132 skomorokh 2013-08-27 12:10:16 PDT
Is there any way to permit code using evalInSandbox() to create new properties with arbitrary names? It’s easy enough to explicitly expose existing properties I want to share, but rather inefficient to add to __exposedProps__ every combination of characters that constitute a valid property name.

My particular case is a facility to mutate nested key/value data from a user script while maintaining deep references. The best workaround I can see at this point is passing it in and out of the sandbox via JSON strings and doing some recursive copying from scalar-to-scalar to get things out of the deserialised object.

However, it doesn’t seem like properties created within a sandbox run the risk of "unintentionally exposing privileged objects" (provided the xray wrapper is working to prevent a sneaky .toString from being triggered by a stray == or other such chicanery).

Also, while I can see the need for extreme caution with assumed-malicious web content, sandbox objects can have a variety of applications. It would be nice to be able to create a sandbox without this requirement (pre ff16 style), at the moment it’s all-or-nothing and prevents some opportunistic application of sandboxing to reduce attack surface.
Comment 133 Boris Zbarsky [:bz] (Out June 25-July 6) 2013-08-27 12:11:59 PDT
You could have __exposedProps__ return a proxy which returns whatever you want for whatever set of property names you want, right?
Comment 134 Bobby Holley (busy) 2013-08-27 12:15:23 PDT
(In reply to skomorokh from comment #132)
> Also, while I can see the need for extreme caution with assumed-malicious
> web content, sandbox objects can have a variety of applications. It would be
> nice to be able to create a sandbox without this requirement (pre ff16
> style), at the moment it’s all-or-nothing and prevents some opportunistic
> application of sandboxing to reduce attack surface.

This is only an issue if you set the principal of your sandbox to that of web content. If you trust the code running in your sandbox, you could presumably run with system principal. If you don't, then the security measures here are your friend. :-)

Also, bz's comment about a proxy-implemented __exposedProps__ for more complicated use cases is spot-on.
Comment 135 Kris Maglione [:kmag] 2013-08-27 12:19:02 PDT
It would probably be easier to just create the object in the compartment that needs to work with it. The __exposedProps__ is meant for cases where functionality or data needs to be exposed to an untrusted scope, not when the data is flowing the other way.
Comment 136 skomorokh 2013-08-27 19:46:30 PDT
Thanks, much appreciated.  

Yeah, it's likely in most such situations the sandbox can be created along with the object before it gathers the references. For everything else there's Proxy. 

Forgot about proxy objects, pretty convenient way to bypass it and a good reminder of a neat toy.

> If you trust the code running in your sandbox, you could presumably run with system principal. If you don't, then the security measures here are your friend. :-)

That's the all-or-nothing I was referring to :)
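
The following is an added illustration, not Gecko code and not code from any commenter: a simplified JavaScript model of the content-to-chrome property check, showing the warn-then-deny flip, the per-level requirement from comment 100, and the Proxy-backed `__exposedProps__` from comment 133. `wrapForContent`, `MODE`, `permissionFor` and the sample objects are hypothetical names and constructed data; the `"r"`/`"w"`/`"rw"` permission strings follow the documented `__exposedProps__` format, and only property get and set are modeled.

```javascript
// Simplified model of the content -> chrome property check discussed in this bug.
// Not Gecko code: wrapForContent, MODE and permissionFor are hypothetical names.
const MODE = { LEGACY_WARN: "legacy-warn", DEFAULT_DENY: "default-deny" };
const WARNING = "Exposing chrome JS objects to content without " +
  "__exposedProps__ is insecure and deprecated.";

// Returns the permission string ("r", "w" or "rw") for prop, or null to deny.
function permissionFor(target, prop, mode, warnings) {
  if (typeof prop !== "string" || prop === "__exposedProps__") return null;
  const hasList = Object.prototype.hasOwnProperty.call(target, "__exposedProps__");
  if (!hasList) {
    if (mode === MODE.DEFAULT_DENY) return null; // behavior after the flip
    warnings.push(WARNING);                      // behavior before the flip
    return "rw";
  }
  // The list may be a plain object or a Proxy. Inherited non-string values
  // such as Object.prototype.toString do not count as permissions.
  const perm = target.__exposedProps__[prop];
  return typeof perm === "string" ? perm : null;
}

function wrapForContent(chromeObj, mode, warnings) {
  return new Proxy(chromeObj, {
    get(target, prop) {
      const perm = permissionFor(target, prop, mode, warnings);
      if (!perm || !perm.includes("r")) return undefined;
      const value = target[prop];
      // Every object level is wrapped again, so each level needs its own list.
      return value !== null && typeof value === "object"
        ? wrapForContent(value, mode, warnings)
        : value;
    },
    set(target, prop, value) {
      const perm = permissionFor(target, prop, mode, warnings);
      if (perm && perm.includes("w")) target[prop] = value;
      return true; // denied writes are dropped silently in this model
    },
  });
}

// Constructed sample, shaped like the nested mozApps result in comment 100.
function makeApp() {
  return {
    __exposedProps__: { origin: "r", manifest: "r", note: "rw" },
    origin: "app://example.invalid",
    secretToken: "chrome-only",
    note: "",
    manifest: { name: "Example App" }, // nested level has no __exposedProps__
  };
}

// Reads result.manifest.name through the wrapper and counts warnings.
function readManifestName(mode) {
  const warnings = [];
  const name = wrapForContent(makeApp(), mode, warnings).manifest.name;
  return { name, warnings: warnings.length };
}

// Comment 133's idea: a Proxy as __exposedProps__ that answers for any name.
function makeOpenBag() {
  return { __exposedProps__: new Proxy({}, { get: () => "rw" }) };
}

console.log(readManifestName(MODE.LEGACY_WARN));  // readable, one warning
console.log(readManifestName(MODE.DEFAULT_DENY)); // name is undefined
```
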
