Closed Bug 920731 Opened 6 years ago Closed 6 years ago

Stop exporting JS symbols in Firefox

Categories

(Firefox Build System :: General, defect)

x86_64
Linux
defect
Not set

Tracking

(relnote-firefox 27+)

RESOLVED FIXED
mozilla27
Tracking Status
relnote-firefox --- 27+

People

(Reporter: benjamin, Assigned: benjamin)

References

(Blocks 1 open bug)

Details

(Keywords: addon-compat, dev-doc-needed, relnote)

Attachments

(1 file)

Using the JSAPI from an extension is a recipe for insecurities and stability issues. As discussed in dev.platform, we're going to stop exporting the JS symbols so that extensions are unable to use raw JSAPI.
Assignee: nobody → benjamin
Attachment #810599 - Flags: superreview?(bzbarsky)
Attachment #810599 - Flags: review?(mh+mozilla)
Comment on attachment 810599
stop exporting JS symbols from libxul in Firefox builds. r?glandium sr?bz

sr=me
Attachment #810599 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 810599
stop exporting JS symbols from libxul in Firefox builds. r?glandium sr?bz

Review of attachment 810599:
-----------------------------------------------------------------

Is there value in making this optional? I mean, isn't it just fine to make all static-only builds not export symbols?
Flags: needinfo?(benjamin)
Per newsgroup discussion, Thunderbird does not want to make this change until some Lightning changes have landed, so it needs to continue to be per-app configurable for a while.
Flags: needinfo?(benjamin)
Comment on attachment 810599
stop exporting JS symbols from libxul in Firefox builds. r?glandium sr?bz

Review of attachment 810599:
-----------------------------------------------------------------

::: browser/confvars.sh
@@ +23,5 @@
>    fi
>  fi
>  
>  MOZ_CHROME_FILE_FORMAT=omni
> +MOZ_DISABLE_EXPORT_JS=1
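
Review bot: MOZ_DISABLE_EXPORT_JS=1 at the end of this browser/confvars.sh hunk is added without a comment, so someone reading the file cannot tell what the variable controls or why it is set per application. A one-line comment above the assignment saying that it stops libxul from exporting the JS symbols, with a pointer to bug 920731, would document the intent and make it easier to see which other confvars.sh files still lack the setting.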

Don't we want this in b2g/confvars.sh and mobile/android/confvars.sh too?
Attachment #810599 - Flags: review?(mh+mozilla) → review+
Depends on: 921502
https://hg.mozilla.org/mozilla-central/rev/e0c4be8e37c5
https://hg.mozilla.org/mozilla-central/rev/3b0e9448a2ed
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Btw, 'thank you' from the entire JS team.
Sorry for the bugspam, but I can't not say thank you here as well. Thank you.
Duplicate of this bug: 965998
Would someone add this to the release notes?
https://developer.mozilla.org/en-US/Firefox/Releases/27
Was there any impact assessment done prior to making this decision?  This completely hoses Google Web Toolkit Development Mode, which relies on direct access to synchronous communication and blocking I/O APIs.  A FF extension is already privileged, so presumably if an extension wanted to own your system, it could--this is just to make bugs less frequent?

It seems like you're breaking legacy functionality where no clear replacement is available.  FF has always been the browser of choice for developers as it's been the most friendly, but this doesn't seem friendly at all - this seems like something Microsoft would do.
> Was there any impact assessment done prior to making this decision?

Yes.

> so presumably if an extension wanted to own your system, it could

This change was not about preventing malice.  It was about not exposing APIs that are very hard to use correctly, even for experts in those APIs, and for which misuse leads to unintentional creation of security vulnerabilities.

Most C++ JSAPI usage in extensions can in fact be replaced by a combination of privileged script and the debugger APIs.
People,

I kind of understand the motivation for not exposing the JSAPI constants but this has caused the GWT developer plugin to stop working in Firefox release 25 onwards.  Regardless of the issue with exposing the Firefox JSAPI, would:

1. it be possible for someone from Mozilla to communicate with GWT developers and propose a solution that could be implemented?
2. it be possible to revert the change that caused the JS symbols to stop being exported until such time as GWT developers have implemented the solution proposed in 1.

I see that you have contacted Norton for their toolbar and you made provisions for helping Thunderbird for their transitions; I am sure you should be able to do the same for the GWT user community that use Firefox who are currently SOL?
Blocks: 996947
Would it be possible for Mozilla to export the symbols in this upcoming developer release?
https://blog.mozilla.org/blog/2014/11/03/the-first-browser-dedicated-to-developers-is-coming/
Why?  The target of the release is web developers; why would they want JS symbols?
(In reply to Boris Zbarsky [:bz] from comment #16)
> Why?  The target of the release is web developers; why would they want JS
> symbols?

So the GWT dev plugin could work again on this developer only version.
Ah.  That might be worth doing, maybe.  Please file a separate bug on that?
I'm pretty certain we already decided not to support GWT (especially since it's already broken on other platforms, and it would have to be constantly recompiled anyway).
Product: Core → Firefox Build System