Open Bug 900034 Opened 11 years ago Updated 2 years ago

Implement a checker for DOM properties on different branches

Categories: Core :: DOM: Core & HTML, defect
Platform: x86, macOS
People: Reporter: ehsan.akhgari, Unassigned
Attachments: 1 file

We need to have a tool which can help us inspect the DOM properties exposed to web content in order to verify that we're not exposing an API that we don't want by accident.  Such a tool can be written by recursively traversing all objects reachable from the global object (window or worker globals.)
This file has something very close to what you want:
https://github.com/DavidBruant/OoI/blob/76e3d1058dc38c26850a7645af3d1e701ed6ee65/Firefox/src/ts/traverseGraph.ts
The traverse function traverses the global object passed as argument. The FORBIDDEN_PATHS blacklist could be turned into a whitelist.
It's after running this tool that I filed bug 898687 ;-)
(In reply to comment #1)
> This file has something very close to what you want:
> https://github.com/DavidBruant/OoI/blob/76e3d1058dc38c26850a7645af3d1e701ed6ee65/Firefox/src/ts/traverseGraph.ts
> The traverse function traverses the global object passed as argument. The
> FORBIDDEN_PATHS blacklist could be turned into a whitelist.

Yes, thanks for pointing this out!

Do you know where in your code you're relying on chrome privileges?  My goal is to build a simple web page which you can load in non-privileged context.
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #0)
> We need to have a tool which can help us inspect the DOM properties exposed
> to web content in order to verify that we're not exposing an API that we
> don't want by accident.  Such a tool can be written by recursively
> traversing all objects reachable from the global object (window or worker
> globals.)

You don't expect that to catch everything, do you?
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #3)
> Do you know where in your code you're relying on chrome privileges?
I use the Debugger API. So a good share of the code disqualifies.

> My goal
> is to build a simple web page which you can load in non-privileged context.
Yeah, I thought about it afterwards that you might want a non-privileged thing.

What's the exact intent? Global properties and for those which are interface objects, the prototype and attributes/constants/methods?
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #4)
> (In reply to :Ehsan Akhgari (needinfo? me!) from comment #0)
> > We need to have a tool which can help us inspect the DOM properties exposed
> > to web content in order to verify that we're not exposing an API that we
> > don't want by accident.  Such a tool can be written by recursively
> > traversing all objects reachable from the global object (window or worker
> > globals.)
> 
> You don't expect that to catch everything, do you?
What would be missing?
Anything with NoInterfaceObject, for starters?
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #7)
> Anything with NoInterfaceObject, for starters?
I always misinterpret WebIDL, so sorry if what I say is dumb, but trying to reformulate the problem:
objects with NoInterfaceObject have properties that can only be found in their [[Prototype]], so we need an actual instance to climb the prototype and find the property. (tell me if I'm wrong)

If that's the case, I guess a solution is to add functions that provide such instances for traversal (so the roots to traverse from aren't just the global object but also these instances).
Do you have in mind some instances that are really hard to acquire?
(In reply to comment #7)
> Anything with NoInterfaceObject, for starters?

Yes, those will be missed.

The goal here is to have a tool which can help us determine if a given build of Gecko exposes APIs which we don't expect.  The initial concrete use case will be Firefox OS 1.2 builds.
(In reply to David Bruant from comment #8)
> (In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #7)
> > Anything with NoInterfaceObject, for starters?
> I always misinterpret WebIDL, so sorry if what I say is dumb, but trying to
> reformulate the problem:
> objects with NoInterfaceObject have properties that can only be found in
> their [[Prototype]], so we need an actual instance to climb the prototype
> and find the property. (tell me if I'm wrong)

Right.

> If that's the case, I guess a solution is to add functions that provide such
> instances for traversal (so the roots to traverse from isn't just the global
> object but also these instances).
> Do you have in mind some instances that are really hard to acquire?

Any of the NoInterfaceObject WebGL extensions, which require you to have a valid WebGLRenderingContext and call getExtension with the appropriate magic string.
I don't think there is any way for us to get 100% coverage here.  I'm less interested in a tool which fixes all of the problems than a tool which fixes a large portion of it.
Attached file trav.html
draft tool to traverse from the global and list the unexpected objects
So I started as "it sounds easy and should take me 5 minutes"...
But it does a good share of the job (without throwing "too much recursion" :-p )
The whitelist (expected) needs to be completed. I imagine generating it from IDL files or elsewhere could make sense.

Ehsan, did you have something more accurate in mind?
Is WeakMap useful to detect recursion?
Yep, WeakMap should work well here. Or you can use a custom expando __visited or something.
(In reply to Masatoshi Kimura [:emk] from comment #14)
> Is WeakMap useful to detect recursion?
I thought about a "done" Set, but I was worried it would miss cases if an object is duplicated in a place where it's not expected. Maybe that worry is unimportant.
(In reply to David Bruant from comment #16)
> (In reply to Masatoshi Kimura [:emk] from comment #14)
> > Is WeakMap useful to detect recursion?
> I thought about a "done" Set, but I was worried it would miss cases if an
> object is duplicated in a place where it's not expected. Maybe that worry
> is unimportant.

I think that shouldn't be a problem in practice.  We can also remember the parent object and break ties based on that.
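The walker the thread converges on (comment 0's recursive traversal from the global, the trav.html draft's "expected" whitelist, extra instance roots for NoInterfaceObject interfaces from comments 8 and 9, and a WeakMap/WeakSet to stop cycles from comments 14 and 15), written out as an added example. This is not the trav.html attachment and not Gecko code; it needs no chrome privileges and runs in any content page or in Node. The sample "global", the names in it and the allowlist paths are all constructed for the example.

```javascript
// Added example (not the bug's trav.html attachment): an unprivileged
// walker that lists every property reachable from a set of root objects
// and flags the paths that an allowlist of expected paths does not cover.

// ECMAScript intrinsics that every function or prototype carries. They say
// nothing about what Gecko exposes, so they are walked but not reported.
const INTRINSIC_KEYS = new Set(['length', 'name', 'constructor', 'prototype']);

// roots:    { label: object } pairs; the global plus any hard-to-reach
//           instances (e.g. a WebGL extension) whose API lives only on
//           their [[Prototype]].
// expected: Set of dotted paths such as 'window.Node.prototype.cloneNode'.
function walkExposed(roots, expected, opts = {}) {
  const maxDepth = opts.maxDepth ?? 8;
  // Mark the JS-language prototypes as already seen so the walk stops at
  // them instead of listing Object.prototype and Function.prototype.
  // A WeakSet (like the WeakMap suggested in the thread) does not keep the
  // visited objects alive and doubles as cycle protection.
  const seen = new WeakSet(opts.stopAt ?? [Object.prototype, Function.prototype]);
  const unexpected = [];
  let visited = 0;
  // Explicit work stack instead of recursion: a real DOM graph is deep
  // enough to hit "too much recursion" otherwise.
  const stack = Object.entries(roots).map(([label, obj]) => [obj, label, 0]);

  while (stack.length) {
    const [obj, path, depth] = stack.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) continue;
    if (seen.has(obj) || depth > maxDepth) continue;
    seen.add(obj);
    visited++;

    let keys;
    try { keys = Reflect.ownKeys(obj); } catch { continue; } // e.g. cross-origin object
    for (const key of keys) {
      const name = typeof key === 'symbol' ? key.toString() : key;
      const childPath = `${path}.${name}`;
      if (!INTRINSIC_KEYS.has(key) && !expected.has(childPath)) unexpected.push(childPath);
      let desc;
      try { desc = Object.getOwnPropertyDescriptor(obj, key); } catch { continue; }
      // Only data properties are followed. Accessors (WebIDL attributes) are
      // listed by name but their getters are never invoked: a getter can
      // throw, have side effects, or hand back an instance that belongs
      // under the roots anyway.
      if (desc && 'value' in desc) stack.push([desc.value, childPath, depth + 1]);
    }
    // Climbing [[Prototype]] is what makes an instance root useful for an
    // interface without an interface object: its methods exist only there.
    let proto = null;
    try { proto = Object.getPrototypeOf(obj); } catch { /* inaccessible */ }
    if (proto) stack.push([proto, `${path}.[[Prototype]]`, depth + 1]);
  }
  return { visited, unexpected: unexpected.sort() };
}

// Constructed stand-in for a content global: one interface object with a
// prototype, a window.self/window.window cycle, and a hook nobody meant to
// ship. The "extension" instance mimics a NoInterfaceObject interface that
// is reachable only through an instance, never as window.<Name>.
function buildSampleGlobal() {
  class Node { appendChild() {} cloneNode() {} }
  const win = { Node, sneakyDebugHook() {} };
  win.self = win;
  win.window = win;
  const ext = Object.create({ loseContext() {}, restoreContext() {} });
  return { win, ext };
}

// Runs the walk over the constructed global with a constructed allowlist and
// returns what it found.
function checkSample() {
  const { win, ext } = buildSampleGlobal();
  const expected = new Set([
    'window.Node', 'window.self', 'window.window',
    'window.Node.prototype.appendChild', 'window.Node.prototype.cloneNode',
    'WEBGL_lose_context.[[Prototype]].loseContext',
  ]);
  return walkExposed({ window: win, WEBGL_lose_context: ext }, expected);
}
```

In a real page the call is `walkExposed({ window: globalThis }, expectedFromIdl)` with the allowlist generated from the WebIDL files as the thread suggests, and the roots grown with instances that cannot be reached by walking alone, e.g. `{ ext: canvas.getContext('webgl').getExtension('WEBGL_lose_context') }`; in a worker the same call runs against the worker global and the result is posted back. Because getters are not invoked, anything reachable only through an attribute (a `document` subtree, a `navigator.*` object) is listed by name but not descended into unless it is also supplied as a root, which is the same coverage caveat Kyle raises above, just made explicit.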
Component: DOM → DOM: Core & HTML
Assignee: ehsan → nobody
Severity: normal → S3