Closed Bug 625559 Opened 9 years ago Closed 9 years ago
catch escaping chrome eval with wrappers
Even though, in a perfect world, chrome eval would not escape to content, we need to handle our imperfect world where lame addons can leak it. Right now, we have a privilege check in EvalKernel (js_EvalFramePrincipals) that neuters chrome eval, but this check depends on the presence of dummy frames (which bug 625199 is going to kill). Instead, we can do something even stronger and just stop eval cold in the wrapper membrane. Blake said he could cook it up in a few lines.
Also the Function constructor.
IMO we should block on this. This is very dangerous, because it's very difficult to plug all the leaks.
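A minimal illustration of the approach the first comment describes (refuse eval and the Function constructor at the wrapper membrane itself, rather than relying on a frame-principals check), as an added example in plain JavaScript using Proxy. It is not the SpiderMonkey patch from the attachment; the names `makeMembrane`, `BLOCKED`, `MembraneError` and the constructed `chromeGlobal` are assumptions.

```javascript
// Added example (not the bug's patch): a Proxy-based membrane standing in for
// the chrome->content wrapper layer. Objects crossing from the privileged side
// are wrapped, and the wrapper refuses to hand over or return eval / Function,
// so a leaked privileged object cannot be used to run code with its privileges.
// Names (makeMembrane, BLOCKED, MembraneError, chromeGlobal) are assumptions.

class MembraneError extends Error {}

// Functions that must never cross the membrane, compared by identity.
const BLOCKED = new Set([eval, Function]);

function isBlocked(value) {
  return typeof value === "function" && BLOCKED.has(value);
}

// Wrap a privileged object so every property read, call and construct passes
// through the membrane; primitives cross unchanged.
function makeMembrane(target) {
  const cache = new WeakMap(); // one wrapper per target, preserves identity
  function wrap(value) {
    if (value === null || (typeof value !== "object" && typeof value !== "function")) {
      return value;
    }
    if (isBlocked(value)) {
      throw new MembraneError("eval/Function may not cross the membrane");
    }
    if (cache.has(value)) return cache.get(value);
    const proxy = new Proxy(value, {
      get(t, key) { return wrap(Reflect.get(t, key, t)); },
      // Results of calls and constructions are wrapped on the way back too,
      // so a function that merely returns Function is caught as well.
      apply(t, thisArg, args) { return wrap(Reflect.apply(t, thisArg, args)); },
      construct(t, args) { return wrap(Reflect.construct(t, args)); },
    });
    cache.set(value, proxy);
    return proxy;
  }
  return wrap(target);
}

// Constructed privileged object standing in for a chrome global.
const chromeGlobal = { eval, Function, add: (a, b) => a + b, helper: { indirect: () => Function } };
const wrapped = makeMembrane(chromeGlobal);

function demo() {
  const out = { add: wrapped.add(2, 3), evalBlocked: false, fnBlocked: false, indirectBlocked: false };
  try { wrapped.eval; } catch (e) { out.evalBlocked = e instanceof MembraneError; }
  try { wrapped.Function; } catch (e) { out.fnBlocked = e instanceof MembraneError; }
  try { wrapped.helper.indirect(); } catch (e) { out.indirectBlocked = e instanceof MembraneError; }
  return out;
}
```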
Comment on attachment 507334 [details] [diff] [review] Proposed fix This doesn't have a UXP bypass but we probably don't need one and we should start getting rid of UXP anyway.
Attachment #507334 - Flags: review?(gal) → review+
Whiteboard: [hardblocker] → [hardblocker], fixed-in-tracemonkey
Some JS_FRIEND_API magic to make Windows happy. http://hg.mozilla.org/tracemonkey/rev/0a28e819fb0a
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/9ac5cb7a9aee http://hg.mozilla.org/mozilla-central/rev/0a28e819fb0a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED