I have a simple HTML and JS file that demonstrates this that I can send to anyone interested or attach to an issue, but the basic lines are pretty clear.
The calling code is:
Components.classes["@mozilla.org/moz/jssubscript-loader;1"]
.getService(Components.interfaces.mozIJSSubScriptLoader)
.loadSubScript("chrome://exampleext/content/firefox4loadsubscriptchange.min.js",xpcnWrappedWindow);
And the subscript code is simply:
var windowTS = window.toString();
In 3.6.16 windowTS will be “[object XPCNativeWrapper [object Window]]”. In 4.0 it will be “Window”.
I also have a slightly more elaborate case that verifies in the calling code that anything that is done to the window object is added to the wrapper in 3.6, but added directly to the unwrapped window in 4.0.
This seems like a regression to me since loadSubScript is privileged itself so I don't see a reason for hiding the wrapped object from it.
Thanks,
dave
mozIJSSubScriptLoader.loadSubScript’s behavior with XPCNativeWrapper
scope parameters seems to have changed from 3.6 to 4. Specifically in 4
if the scope parameter is a XPCNativeWrapper then loadSubScript is
unwrapping it.
I have a simple HTML and JS file attached that demonstrates this, but
the basic lines are below.
The calling code (firefox4loadsubscriptchange.min.html loaded as
chrome://) is:
Components.classes["@mozilla.org/moz/jssubscript-loader;1"]
.getService(Components.interfaces.mozIJSSubScriptLoader)
.loadSubScript("firefox4loadsubscriptchange.min.js",xpcnWrappedWindow);
And the subscript code (firefox4loadsubscriptchange.min.js) is simply:
var windowTS = window.toString();
In 3.6.16 windowTS will be “[object XPCNativeWrapper [object Window]]”.
In 4.0 it will be “Window”.
I also have attached a slightly more elaborate case that verifies in the
calling code that anything that is done to the window object is added to
the wrapper in 3.6, but in 4.0 is added directly to the unwrapped window.
This seems like an issue to me since loadSubScript is privileged itself so I
don't see a reason for hiding the wrapped object from it. And it seems
like a security issue since a wrapped window is being silently unwrapped
and passed to privileged code. From a feature perspective the change
reduces options for the developer; in 3.6, if a developer wanted the
unwrapped object passed as scope they could just pass the unwrapped object.
Could someone confirm I am not missing something (I always worry about
that when playing with the magic of wrappers) and then I will create an
issue for it.
Thanks,
dave
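The "slightly more elaborate case" described in both messages above, written out as an added example that is not dave's attached file: it checks where a property added by the subscript ends up, on the wrapper or on the underlying window. XPCNativeWrapper and loadSubScript are replaced by stand-ins (a Proxy and plain functions named makeWrapper, loaderKeepingWrapper, loaderUnwrapping, whereDidTheWriteLand, all hypothetical) so the check can run outside Firefox; the real wrapper semantics are not modelled beyond expando isolation.

```javascript
// Added example, not code from the thread. Models the check dave describes:
// after a subscript runs with a wrapped window as scope, did its additions land
// on the wrapper (3.6 behaviour) or on the underlying window (4.0 behaviour)?
// XPCNativeWrapper and loadSubScript are stand-ins so this runs in plain Node.

function makeWrapper(target) {
  // Stand-in for XPCNativeWrapper: a Proxy that keeps "expando" properties
  // added through the wrapper in its own store, away from the target.
  const expandos = {};
  return new Proxy(target, {
    get: (t, key) => (key in expandos ? expandos[key] : t[key]),
    set: (t, key, value) => { expandos[key] = value; return true; },
    has: (t, key) => key in expandos || key in t,
  });
}

// Stand-in loaders: each runs the subscript with `window` bound to the scope
// it was handed, the way loadSubScript exposes its scope parameter.
function loaderKeepingWrapper(subscript, scope) { subscript(scope); }
function loaderUnwrapping(subscript, scope, unwrap) { subscript(unwrap(scope)); }

// The subscript: adds a marker to whatever it sees as `window`.
function subscript(window) { window.markerFromSubscript = true; }

// Returns "wrapper" when the write went through the wrapper, "unwrapped" when
// it reached the underlying window directly, "nowhere" if neither saw it.
function whereDidTheWriteLand(loader) {
  const underlying = {};
  const wrapper = makeWrapper(underlying);
  const unwrap = () => underlying; // models XPCNativeWrapper.unwrap
  loader(subscript, wrapper, unwrap);
  if (Object.prototype.hasOwnProperty.call(underlying, "markerFromSubscript")) {
    return "unwrapped";
  }
  return ("markerFromSubscript" in wrapper) ? "wrapper" : "nowhere";
}
```

The same probe, pointed at the real loadSubScript with a real XPCNativeWrapper as scope, is what distinguishes the 3.6 and 4.0 results quoted above.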
I have created a bug on this at
https://bugzilla.mozilla.org/show_bug.cgi?id=653926.
d