Closed Bug 784233 Opened 7 years ago Closed 7 years ago

Relax mandatory __exposedProps__ for jetpack until we can automatically repack

Categories: Core :: XPConnect, defect

Tracking: RESOLVED FIXED, mozilla17

People: Reporter: bholley, Assigned: bholley

Attachments: 1 file, 1 obsolete file

It sounds like we should ameliorate the situation with jetpack post bug 553102 until SDK repacks are automatic. My thinking is to revert to the old behavior when the global of the object being wrapped is a sandbox. Gabor, Blake, does this sound like a reasonable heuristic for detecting jetpack?
Comment on attachment 653622
Relax __exposedProps__ check for sandboxes until we can repack AMO addons. v1

Review of attachment 653622:
-----------------------------------------------------------------

This is pretty magical code. There might be other sandboxes around. I guess it's good enough for a temporary hack though.
Attachment #653622 - Flags: review?(gal) → review+
Crap. I thought I tested it but I realized I didn't link the build, so the push is busted. Hopefully it gets coalesced with the backout:

https://hg.mozilla.org/integration/mozilla-inbound/rev/ee70e70fb7f8
Enter a compartment this time.
Attachment #653622 - Attachment is obsolete: true
Attachment #653663 - Flags: review?(gal)
Attachment #653663 - Flags: review?(gal) → review+
https://hg.mozilla.org/mozilla-central/rev/6f955c140b60
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Alex, gabor - what's the status on addon repacking? I'd really like to close this security footgun up for good.
(In reply to Bobby Holley (:bholley) from comment #8)
> Alex, gabor - what's the status on addon repacking? I'd really like to close
> this security footgun up for good.

The state of re-packing is that we're trying to figure out if we can re-pack and replace the add-ons we know we can reliably re-pack. This requires some co-ordination with the AMO team. We'll also need to work with them to identify and re-set the compatibility of a large number of add-ons so that they cannot be installed into whatever version this fix goes into.
Thanks for the update. :-) Is there a bug I can follow?