new JS actor registration property: safeForUntrustedWebProcess

14 views
Skip to first unread message

Andrew McCreight

unread,
Jun 22, 2026, 3:53:22 PMJun 22
to Firefox Dev
Hello all,

I have added a new property that you may need to use when registering a JS window or process actor. Once the dom.jsipc.check_safeForUntrustedWebProcess preference is set to true, which I hope to do this week, an actor cannot be loaded into a web or file content process unless this property is true for the actor. (I landed patches a few days ago to add this annotation where appropriate, in almost 200 places in the code base.)

The default value is false, so if you want it to be true you must set it explicitly:
  safeForUntrustedWebProcess: true,

The idea is that if an actor can be used in a process where we can load random web content, then if a hostile webpage hacks a web content process, it will be able to do whatever it wants with the actor, making it a potential way to escape the sandbox. We have many actors which are intended to only be used from the privilegedabout or parent process which can do powerful things and we don't want to accidentally allow them in a web content process.

Right now, we have the `remoteTypes` mechanism which allows you to specify that an actor can only be loaded into certain processes. This can provide the same protection, but it means you have to opt-in to safer behavior. The goal of `safeForUntrustedWebProcess` is to make it so you have to opt-out of safer behavior instead. As a rule of thumb, you probably want one or the other for your actor.

Anyways, feel free to add this property to your actors, but please take a moment before doing so to make sure this is something you really need to be usable by web content, and keep in mind that it might be a potential attack vector. Sorry for the hassle, but this should help protect our users.

Feel free to reach out if you have questions about this.

Thanks,
Andrew
Reply all
Reply to author
Forward
0 new messages