Closed Bug 823811 Opened 7 years ago Closed 4 years ago

Tracking for AsYouWish addon (which grants Addons SDK API access to websites upon user permission)

Categories

(Core Graveyard :: Tracking, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: brettz9, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

This is just for tracking issues related to the interaction of the [AsYouWish addon](https://github.com/brettz9/asyouwish/)--a community replacement for [enablePrivilege](Bug 546848)--with the Addons SDK or Core. Issues with the AsYouWish are recommended to be reported at https://github.com/brettz9/asyouwish/issues/
Sorry, the addon link is https://github.com/brettz9/asyouwish/
Component: General → Tracking
Product: Add-on SDK → Core
QA Contact: chofmann
Related to this item, I had made a request in Bug 823790 for instanceof to be replaced with duck typing in the Addons SDK code to allow wrapped objects used by AsYouWish and created by users to be considered as valid.
Regarding comment 2, while there may still be issues with certain modules (and I still hold out hope that AsYouWish can be accommodated), it is working with "ui", the replacement for widget. All of my AsYouWish demos are working again, so looking good at the moment....
In FF Nightly (36.0a1), using the latest SpecialPowersAPI file and building with jpm, AsYouWish is getting the message, "Error: Exposing privileged or cross-origin callable is prohibited".

When I use my old copy of SpecialPowers, or adapt the new one to avoid arrow functions, SpecialPowers FF 35.0a2 (Dev. Edition) has problems as well (using jpm).

Please help!
The old SpecialPowers wrapper does a lot of crazy stuff that flies in the face of our modern security policies. I introduced a workaround (Cu.forcePrivilegedCOWs), but unfortunately that won't work outside of test automation.

Instead of using SpecialPowers wrappers (which I've always discouraged), I'd suggest exporting an explicit API using Cu.exportFunction/Cu.cloneInto.
But the idea is to allow ALL of the SDK API (upon user permission), including return objects. I already hard-coded all of the require statements, but it would be nearly impossible to export all functions if I have to do that manually...
You could probably change up the SpecialPowers mechanism so that it created a content proxy (new contentWindow.Proxy()) using a proxy handler made up of exported functions. That seemed pretty gross though, which is why I didn't do it.
If it's gross for you, it would no doubt be gross for me. Looks like AYW will die then...
Would it be possible to rewrite it to expose the functionality you need more directly?
I have been able to expose one subset of functionality of AsYouWish in my add-on WebAppFind (at https://github.com/brettz9/webappfind ). This add-on allows opening (data) files directly from one's desktop into a web app (and optionally being able to save back from the web app to disk) without assigning additional privileges to the web app.

(Jonas Sicking expressed excitement to me at the concept of this, btw; I hope to submit WebAppFind to AMO when I may finish implementing some API tweaks and get working for *nix, hopefully soon. Would love some official review or endorsement, however, as I think this could have wide application and benefit from Mozilla ownership, and it does not raise the same degree of security concerns as AsYouWish.)

Although WebAppFind can be used without AsYouWish, it really only adds to the usefulness of AsYouWish (e.g., having an AsYouWish web app execute privileged batch commands based on the paths of the supplied desktop files or folder).

Anyways, I could provide additional subsets of functionality from AsYouWish to separate add-ons, but:

1. This would be even more cumbersome to users who would have to manage downloading of different add-on

2. Developers would be required to manage different APIs for different add-ons, and not have it "just work" with whatever APIs they wanted as was the whole idea of AsYouWish in the first place.
Marking all tracking bugs which haven't been updated since 2014 as INCOMPLETE.
If this bug is still relevant, please reopen it and move it into a bugzilla component related to the work
being tracked. The Core: Tracking component will no longer be used.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.