Closed Bug 758203 Opened 12 years ago Closed 12 years ago

Define __exposedProps__ on all chrome objects exposed to content
(Add-on SDK Graveyard :: General, defect, P1)
(Not tracked)
(Reporter: ochameau, Assigned: ochameau)
(1 file)

Attached file Pull request 451
Bug 553102 is aiming to set a new default security pattern for wrappers of chrome objects exposed to content, so that for any such object none of its attributes will be accessible to content. In order to give access to any attribute, you will now have to explicitly define this privilege through the __exposedProps__ attribute.
Attachment #626787 - Flags: review?(rFobic)
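An added example, not code from the SDK or from Firefox: a JavaScript Proxy (`contentWrapper`, a name chosen here) that models the deny-by-default wrapper behaviour the comment above describes, so the effect of a missing or incomplete `__exposedProps__` can be seen outside the browser. The `"r"`/`"w"`/`"rw"` grant strings follow the platform convention; the chrome-side object, its property names and the `attempt` helper are constructed for the demonstration.

```javascript
// Models the deny-by-default wrapper: content reaches a chrome object only
// through the Proxy, and every property is refused unless __exposedProps__
// grants it with "r" (read), "w" (write) or "rw". Not the real Firefox code.
class ExposedPropsError extends Error {}

function contentWrapper(chromeObj) {
  // No __exposedProps__ at all means nothing is reachable from content.
  const grants = chromeObj.__exposedProps__ || {};
  const allowed = (prop, mode) =>
    typeof prop === 'string' &&
    Object.prototype.hasOwnProperty.call(grants, prop) &&
    String(grants[prop]).includes(mode);
  return new Proxy(chromeObj, {
    get(target, prop) {
      if (typeof prop === 'symbol') return undefined; // inspection hooks, not data
      if (!allowed(prop, 'r')) {
        throw new ExposedPropsError(`Permission denied to read '${prop}'`);
      }
      const value = target[prop];
      // Methods keep running against the chrome object, never the wrapper.
      return typeof value === 'function' ? value.bind(target) : value;
    },
    set(target, prop, value) {
      if (!allowed(prop, 'w')) {
        throw new ExposedPropsError(`Permission denied to write '${String(prop)}'`);
      }
      target[prop] = value;
      return true;
    },
  });
}

// Constructed chrome-side object: only what a content script needs is granted.
const chromeSide = {
  __exposedProps__: { version: 'r', lastMessage: 'rw', postMessage: 'r' },
  version: '1.11',
  lastMessage: null,
  secret: 'chrome-only',
  postMessage(msg) { this.lastMessage = msg; return `chrome got ${msg}`; },
};

// Reports whether a content-side access succeeds instead of throwing.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

const content = contentWrapper(chromeSide);
console.log(attempt(() => content.version));            // granted "r": ok
console.log(attempt(() => content.secret));             // not granted: denied
console.log(attempt(() => { content.version = '2'; }));  // "r" only: write denied
console.log(attempt(() => content.postMessage('ping')));
```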
We may want to push this fix in 1.8 release, based on decisions made in bug 553102.
I'd be fine with aggressively taking this in 1.8 regardless of whether it looks likely that platform will flip the switch.
Attachment #626787 - Flags: review?(rFobic) → review+
Commits pushed to master at
Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior.
Merge pull request #451 from ochameau/fix-exposedProps

Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior r=@gozala
kwierso: could you include this for 1.8?
Closed: 12 years ago
Resolution: --- → FIXED
Commit pushed to stabilization at
Bug 758203: Fix upcoming breakage from bug 553102 flipping __exposedProps__ default behavior.
(cherry picked from commit 1472d2ba3b3715004f1f3c489a108a61db548c3e)
I'm getting this message on a previously-working add-on built today with SDK 1.11.
Mine is a pure Jetpack add-on which never uses unsafe windows or Chrome, so I shouldn't be able to make this happen.
The error is reported on a piece of obfuscated JavaScript found on Google search result pages. Note that it's doing some work with timers, and there were some recent fixes to wrapping of timers in SDK 1.11 to fix bug 795746.

Timestamp: 10/30/2012 2:09:01 PM
Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. 
See for more information.
Source File:,sb,wta,cr,cdos,jsa,nos,sf,tbpr,tbui,tng,rsn,ob,mb,lc,hv,ada,klc,kat,aut,bihu,amcl,kp,lu,m,rtis,shb,sfa,hsm,j,p,pcc,csi/rt=j/ver=o7cElVfSvDw.en_US./d=1/sv=1/rs=AItRSTOvkQBV6j7QMQ1W1kkQL_PBGsyfSA
Line: 1381

(0,_.Ec)(_.P.H(),"csi");if({;,_.Cf)("qsubts");if("^[0-9]+$")){,window.parseInt)(,10);;<=_.Zaa&&"load","qsubts",}_.$;window.setTimeout(function(){if({var;$aa;;for(var b="ist_rc ist_rn ist_nr ist_cdts ist_dp ist_rrx ist_rxr ist_rs ist_sr".split(" "), c=0,d;d=b[c++];){var e;a:{try{var f=window.external[d];if(f!=_.k){[d]=f;e=_.m;break a}}catch(g){}e=_.z}if(e===_.z)break}(0,_.ik)();}},0)};