Closed Bug 709966 Opened 13 years ago Closed 12 years ago

Content script `self`methods have security limitations

Categories

(Add-on SDK Graveyard :: General, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 718666

People

(Reporter: ochameau, Unassigned)

Details

The following bug introduced a security limitation on all objects exposed to the content script from worker.js.
  Bug 679363: Move content script proxies to a sandbox with same principal
  that the web page
All methods can be called but are not working like a regular method. I fixed explicitely postMessage method:
https://github.com/mozilla/addon-sdk/blob/master/packages/api-utils/lib/content/worker.js#L324-334
Without this workaround, you can't call: self.postMessage.apply. 
This is due to COW, because postMessage lives in system principal whereas content script and proxy lives in lower priviledge. And when you expose a method though a COW, apply and call method are throwing exceptions.

There is two way to fix this:
- fix the platform in order to make `apply` and `call` work on COW
- evaluate all these methods in content script sandbox in order to avoid them being COW.


I faced similar issue in bug 636145.
gabor: did you end up landing something about apply/call not working on wrappers?
(In reply to Alexandre Poirot (:ochameau) from comment #0)
> I faced similar issue in bug 636145.
> gabor: did you end up landing something about apply/call not working on
> wrappers?

No, my patch was rejected. And I don't have any better idea, how to solve this problem on platform side. Blake mentioned a workaround: Cu.makeObjectPropsNormal example: http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/content/extensions-content.js#210
As you can see it's not any nicer than your current workaround... Sorry that I don't have any better suggestion.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.