800495 - Warn when nsITransferable.init is called with a null first argument

Status: RESOLVED FIXED

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

Description

[Kris Maglione [:kmag]]

In bug 722872, an init method was added to the nsITransferable interface in order to allow the clipboard service to clear clipboard data from PBM windows when necessary. Bug 795423 added a warning prompting users to call this with a null first argument, which has the potential to cause data to leak across PBM sessions. We need to warn users that an appropriate context needs to be passed where appropriate.

I'll write the message and do some devmo updates. Josh, can you provide some examples of when null would be an appropriate argument? I'll provide the ones where it's not.

Comment 1

[Josh Matthews [:jdm]]

null is appropriate when:
* the transferable object is not being placed on the clipboard (eg. when obtaining data from the clipboard)
* the contents of the transferable object do not originate from web content (eg. synthesizing a string unrelated to any tab, etc.)

Comment 2

[Josh Matthews [:jdm]]

In case it's not clear, the context contains data that is used to indicate whether clipboard data should be cleared when exiting private browsing mode. A null context means that no clearing will occur, while a non-null context has its privacy status checked to make the decision.

Comment 3

[Matt Basta [:basta]]

What is the heuristic for this? Simply flagging the init method with a null first argument? It sounds like there's more to this.

Comment 4

[Kris Maglione [:kmag]]

Just checking for an explicit null is all we need. I don't think there's a programmatic way to determine when it's appropriate.

Comment 5

[Matt Basta [:basta]]

https://github.com/mozilla/amo-validator/commit/11434f5ca2bc4aec3f2dce624fa6d416aee3c70c

This should cover it. Let me know if that's too narrow/broad/doesn't work.