XPConnect Chrome Object Wrappers: Difference between revisions

← Older edit

XPConnect Chrome Object Wrappers (view source)

Revision as of 19:15, 20 August 2012

718 bytes removed , 20 August 2012

m

__exposedProps__ should use colon, not equal sign

D A

1

edit

@@ Line 29: / Line 29: @@
    /* Do something here that requires chrome privileges. */
 }
-foo.__callableByContent__ = true;
 var sandbox = Cu.Sandbox("http://www.mozilla.org");
@@ Line 37: / Line 36: @@
 In the above example, <tt>foo()</tt> is wrapped by a COW when accessed by sandboxed code executed via <tt>Components.utils.evalInSandbox()</tt>.  The object <tt>{bar: 5}</tt> is wrapped in an <tt>XPCSafeJSObjectWrapper</tt> before being passed into <tt>foo()</tt>.
-The metadata attached to <tt>foo()</tt>, <tt>__callableByContent__</tt>, is used to explicitly declare that the function its attached to can be called from content.  This is necessary for security purposes; if a function that's only ever intended to be called from trusted code ever accidentally "falls into the wrong hands", we don't want untrusted code to be able to exploit it.
-If a function without <tt>__callableByContent__</tt> is called from content, a JS <tt>Error</tt> is raised with the text "function is not callable from content".
 === COWing Objects ===
-By default, Chrome objects passed into content space are completely opaque: no information can be accessed from them, and no properties can be defined on them.
+By default, non-function Chrome objects passed into content space are completely opaque: no information can be accessed from them, and no properties can be defined on them.
-'''TODO:''' What happens on read/write of properties on such objects? Is an exception raised, or do all reads simply return <tt>undefined</tt> and are all writes null-ops?
+When a non-writable property is written to, a security exception will be raised. However, when a non-readable property is accessed, its value is <tt>undefined</tt>: a security exception isn't thrown because we don't want to break code that relies on [http://en.wikipedia.org/wiki/Duck_typing duck typing].
-Individual properties can be exposed by defining a <tt>__exposedProps__</tt> property on the object, like so:
+To bypass this default behavior, individual properties can be exposed by defining a <tt>__exposedProps__</tt> property on the object, like so:
 <pre class="brush:js;">
@@ Line 54: / Line 49: @@
 var MyObj = {
-   __exposedProps__ = {foo: "r", bar: "rw"},
+   __exposedProps__: {foo: "r", bar: "rw"},
    foo: function foo(obj) {
@@ Line 64: / Line 59: @@
    baz: "I am protected information"
 }
-MyObj.foo.__callableByContent__ = true;
 </pre>
-In the above example, <tt>MyObj.foo()</tt> can be accessed but not assigned to&mdash;and <tt>foo()</tt> itself is callable from content, since <tt>__callableByContent__</tt> is set&mdash;and <tt>MyObj.bar</tt> is both readable and writable, while <tt>MyObj.baz</tt> can't be accessed at all.
+In the above example, <tt>MyObj.foo()</tt> can be accessed but not assigned to, <tt>foo()</tt> itself is callable from content, and <tt>MyObj.bar</tt> is both readable and writable, while <tt>MyObj.baz</tt> can't be accessed at all.
-If any property is accessed that isn't in <tt>__callableByContent__</tt>&mdash;even if the property doesn't even exist on the original object&mdash;then a JS <tt>Error</tt> is raised with the text "property not accessible from content".
 All properties that are exposed to content are enumerable by content as well.
-'''TODO:''' What should the default <tt>toString()</tt> method of a COW'ed object with no metadata yield?
+Getters and setters on exposed properties are automatically called as necessary.
-'''TODO:''' Does this work okay with getters and setters?
+If an exposed property is writable by content, it is deletable by content as well.
-'''TODO:''' If a property is writable by content, is it deletable by content as well?
+'''TODO:''' What should the default <tt>toString()</tt> method of a COW'ed object with no metadata yield?
 '''TODO:''' Discuss what to do with native objects that get exposed (like the Sidebar object).