Bug 1353150. Add a preference that controls whether named properties object properties are exposed on Xrays, with a default of "not exposed in web extension content scripts". r=bholley

MozReview-Commit-ID: E8CqW16uH3M
2017-04-08 13:03:12 -04:00 · 2017-04-08 13:03:12 -04:00 · ca77a52851
--- a/dom/base/WindowNamedPropertiesHandler.cpp
+++ b/dom/base/WindowNamedPropertiesHandler.cpp
@ -7,6 +7,7 @@
 #include "WindowNamedPropertiesHandler.h"
 #include "mozilla/dom/EventTargetBinding.h"
 #include "mozilla/dom/WindowBinding.h"
+#include "mozilla/Preferences.h"
 #include "nsContentUtils.h"
 #include "nsDOMClassInfo.h"
 #include "nsDOMWindowList.h"
@ -237,11 +238,56 @@ WindowNamedPropertiesHandler::delete_(JSContext* aCx,
  return aResult.failCantDeleteWindowNamedProperty();
 }

+static bool
+IsWebExtensionContentScript(JSContext* aCx)
+{
+  auto* priv = xpc::CompartmentPrivate::Get(JS::CurrentGlobalOrNull(aCx));
+  return priv->isWebExtensionContentScript;
+}
+
+static const int32_t kAlwaysAllowNamedPropertiesObject = 0;
+static const int32_t kDisallowNamedPropertiesObjectForContentScripts = 1;
+static const int32_t kDisallowNamedPropertiesObjectForXrays = 2;
+
+static bool
+AllowNamedPropertiesObject(JSContext* aCx)
+{
+  static int32_t sAllowed;
+  static bool sAllowedCached = false;
+  if (!sAllowedCached) {
+    Preferences::AddIntVarCache(&sAllowed,
+                                "dom.allow_named_properties_object_for_xrays",
+                                kDisallowNamedPropertiesObjectForContentScripts);
+    sAllowedCached = true;
+  }
+
+  if (sAllowed == kDisallowNamedPropertiesObjectForXrays) {
+    return false;
+  }
+
+  if (sAllowed == kAlwaysAllowNamedPropertiesObject) {
+    return true;
+  }
+
+  if (sAllowed == kDisallowNamedPropertiesObjectForContentScripts) {
+    return !IsWebExtensionContentScript(aCx);
+  }
+
+  NS_WARNING("Unknown value for dom.allow_named_properties_object_for_xrays");
+  // Fail open for now.
+  return true;
+}
+
+
 static bool
 ResolveWindowNamedProperty(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
                           JS::Handle<JSObject*> aObj, JS::Handle<jsid> aId,
                           JS::MutableHandle<JS::PropertyDescriptor> aDesc)
 {
+  if (!AllowNamedPropertiesObject(aCx)) {
+    return true;
+  }
+
  {
    JSAutoCompartment ac(aCx, aObj);
    if (!js::GetProxyHandler(aObj)->getOwnPropertyDescriptor(aCx, aObj, aId,
@ -264,6 +310,10 @@ EnumerateWindowNamedProperties(JSContext* aCx, JS::Handle<JSObject*> aWrapper,
                               JS::Handle<JSObject*> aObj,
                               JS::AutoIdVector& aProps)
 {
+  if (!AllowNamedPropertiesObject(aCx)) {
+    return true;
+  }
+
  JSAutoCompartment ac(aCx, aObj);
  return js::GetProxyHandler(aObj)->ownPropertyKeys(aCx, aObj, aProps);
 }
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -1,3 +1,4 @@
+
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
@ -1237,6 +1238,13 @@ pref("dom.webapps.useCurrentProfile", false);

 pref("dom.cycle_collector.incremental", true);

+// Whether Xrays expose properties from the named properties object (aka global
+// scope polluter).  Values are:
+//   0 = properties exposed on Xrays
+//   1 = properties exposed on Xrays, except in web extension content scripts.
+//   2 = properties not exposed on xrays
+pref("dom.allow_named_properties_object_for_xrays", 1);
+
 // Parsing perf prefs. For now just mimic what the old code did.
 #ifndef XP_WIN
 pref("content.sink.pending_event_mode", 0);