Closed Bug 758203 Opened 12 years ago Closed 12 years ago

Define __exposedProps__ on all chrome objects exposed to content

Categories

(Add-on SDK Graveyard :: General, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ochameau, Assigned: ochameau)

Attachments

(1 file)

Attached file Pull request 451
Bug 553102 is aiming to set a new default security pattern for wrappers of chrome objects exposed to content, so that for any such object, none of its attributes will be accessible to content. In order to give access to any attribute, you will now have to explicitly define this privilege through the __exposedProps__ attribute.
Attachment #626787 - Flags: review?(rFobic)
We may want to push this fix in 1.8 release, based on decisions made in bug 553102.
I'd be fine with aggressively taking this in 1.8 regardless of whether it looks likely that platform will flip the switch.
Attachment #626787 - Flags: review?(rFobic) → review+
Commits pushed to master at https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/1472d2ba3b3715004f1f3c489a108a61db548c3e
Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior.

https://github.com/mozilla/addon-sdk/commit/2dbc97ffa2a14325c03b76f3a293c5917d36e74e
Merge pull request #451 from ochameau/fix-exposedProps

Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior r=@gozala
kwierso: could you include this for 1.8?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Commit pushed to stabilization at https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/2ab2e352150d855d6cb34fff5a70469c13bb2b15
Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior.
(cherry picked from commit 1472d2ba3b3715004f1f3c489a108a61db548c3e)
I'm getting this message on a previously-working add-on built today with SDK 1.11.
Mine is a pure Jetpack add-on which never uses unsafe windows or Chrome, so I shouldn't be able to make this happen.
The error is reported on a piece of obfuscated JavaScript found on Google search result pages. Note that it's doing some work with timers, and there were some recent fixes to wrapping of timers in SDK 1.11 to fix bug 795746.

Timestamp: 10/30/2012 2:09:01 PM
Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. 
See https://developer.mozilla.org/en/XPConnect_wrappers for more information.
Source File: https://www.google.com/xjs/_/js/s/c,sb,wta,cr,cdos,jsa,nos,sf,tbpr,tbui,tng,rsn,ob,mb,lc,hv,ada,klc,kat,aut,bihu,amcl,kp,lu,m,rtis,shb,sfa,hsm,j,p,pcc,csi/rt=j/ver=o7cElVfSvDw.en_US./d=1/sv=1/rs=AItRSTOvkQBV6j7QMQ1W1kkQL_PBGsyfSA
Line: 1381

(0,_.Ec)(_.P.H(),"csi");if(window.google.timers&&window.google.timers.load.t){window.google.timers.load.t.xjsee=window.google.time();_.lk=(0,_.Cf)("qsubts");if(_.lk&&_.lk.match("^[0-9]+$")){_.mk=(0,window.parseInt)(_.lk,10);_.Zaa=window.google.time();_.mk<=_.Zaa&&window.google.tick("load","qsubts",_.mk)}_.$aa=window.google.sn;window.setTimeout(function(){if(window.google.timers.load.t){var a=window.google.sn;window.google.sn=_.$aa;window.google.timers.load.t.xjs=window.google.time();for(var b="ist_rc ist_rn ist_nr ist_cdts ist_dp ist_rrx ist_rxr ist_rs ist_sr".split(" "), c=0,d;d=b[c++];){var e;a:{try{var f=window.external[d];if(f!=_.k){window.google.kCSI[d]=f;e=_.m;break a}}catch(g){}e=_.z}if(e===_.z)break}(0,_.ik)();window.google.sn=a}},0)};
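
The default-deny pattern described in the first comment, modelled with a plain JavaScript `Proxy` as an added example (not code from the addon-sdk pull request or from Gecko's wrappers). `exposeToContent`, `demo` and the sample object are hypothetical, and the model assumes the `'r'` / `'w'` / `'rw'` permission strings of the `__exposedProps__` convention.

```javascript
// Simplified model of the default-deny policy for chrome objects seen by content.
// exposeToContent is a hypothetical helper name; this is not Gecko's wrapper code.
const own = Object.prototype.hasOwnProperty;

function exposeToContent(chromeObj) {
  // Missing __exposedProps__ means an empty whitelist: nothing is visible.
  const perms = Object(chromeObj.__exposedProps__);
  const allowed = (name, mode) =>
    typeof name === 'string' && own.call(perms, name) &&
    String(perms[name]).includes(mode);          // 'r', 'w' or 'rw'
  const read = (target, name) => {
    const value = target[name];
    if (typeof value === 'function') return value.bind(target);
    // Objects reached through the wrapper need their own __exposedProps__.
    return value !== null && typeof value === 'object' ? exposeToContent(value) : value;
  };
  return new Proxy(chromeObj, {
    get: (target, name) => (allowed(name, 'r') ? read(target, name) : undefined),
    set(target, name, value) {
      if (!allowed(name, 'w')) return false;     // write rejected
      target[name] = value;
      return true;
    },
    has: (target, name) => allowed(name, 'r'),
    ownKeys: (target) => Reflect.ownKeys(target).filter((k) => allowed(k, 'r')),
    getOwnPropertyDescriptor: (target, name) => (allowed(name, 'r') && own.call(target, name)
      ? { value: read(target, name), writable: allowed(name, 'w'), enumerable: true, configurable: true }
      : undefined),
    defineProperty: () => false,
    deleteProperty: () => false,
  });
}

// Constructed sample: a chrome-side object handed to a page script.
function demo() {
  const api = {
    __exposedProps__: { version: 'r', label: 'rw', prefs: 'r' },
    version: '1.8', label: 'sdk', secret: 'chrome-only',
    prefs: { theme: 'dark' },                    // no __exposedProps__ of its own
  };
  const view = exposeToContent(api);
  return {
    version: view.version, secret: view.secret, keys: Object.keys(view),
    writeLabel: Reflect.set(view, 'label', 'page'),
    writeVersion: Reflect.set(view, 'version', '9'),
    nestedTheme: view.prefs.theme,
    after: { label: api.label, version: api.version },
  };
}
```

The nested `prefs` object is reachable but exposes nothing, which is why the bug title asks for `__exposedProps__` on every chrome object handed to content, not only the top-level one.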