Re: Fallout of non-encapsulated shadow trees

On 7/1/14, 11:20 PM, Brendan Eich wrote:
> XBL can expose anonymous content via special API:
>
> https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/DOM_Interfaces#getAnonymousNodes
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/XBL_Example
> https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/Anonymous_Content
>
> I'm rusty on this stuff; bz should correct anything amiss here.

A few things:

1)  The XBL implementation has not been static over time.  At one point, 
XBL ran in the same global (Realm, whatever you want to call it) as the 
document it was bound to.  This caused obvious encapsulation issues.  We 
attempted to change it to run in a separate global, but ran into compat 
problems with Firefox UI and extensions that depended on the old 
behavior.  At the moment, XBL runs in the same global as the document 
when the document is part of the browser UI, but runs in a separate 
global when the document is untrusted.  This means we can use XBL to 
implement things like <marquee> or the controls of <video> elements 
without worrying about the XBL scripts being affected by whatever the 
web page is doing to its global.

2)  The document.getAnonymousNodes API does exist, but is only exposed 
to trusted globals and the XBL globals associated to untrusted web 
pages.  In other words, you can only use getAnonymousNodes() if you are 
same-global with the XBL code already.

>>    Gecko does *not* today leak any
>> internal details of <input type=file>, in the way that type 2 web
>> components would leak; that would be a major security breach.
>
> Right you are -- native anonymous content is special this way. But ES6
> proxies are used (albeit by C++ APIs):

In fact, we place the JS reflections for the innards of the file input 
in the same global as XBL bound to the page, if I recall correctly. 
Though there is no exposed API to get at it, of course.

> So I question whether membranes *and* structured clones are required.
> SES uses membranes without cloning (wrapping, not cloning). This all
> seems doable in-JS with enough care and testing, including
> capability-leak detection. Proxies are awesome!

Membranes are definitely doable, but there's a lot of details to get right.

-Boris

Received on Wednesday, 2 July 2014 04:04:01 UTC
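Brendan's point that SES wraps rather than clones, and Boris's reply that membranes are doable but have many details to get right, can both be illustrated with a small two-sided revocable membrane built on ES6 Proxy. The following is an added example written for this page; it is not code from the thread, from Gecko's XBL implementation or from SES. The names `makeMembrane`, `makeComponent` and `demo` are constructed for the illustration, and the "wet" (component internals) and "dry" (untrusted page) sides stand in for the two globals Boris describes. It shows the three properties a membrane needs: objects crossing the boundary are wrapped rather than copied, identity is stable (the same inner object always yields the same wrapper, and a wrapper passed back unwraps to the original), and revoking the membrane cuts every reference the other side still holds.

```javascript
// Added example: a minimal two-sided membrane on ES6 Proxy (illustrative, not Gecko/SES code).
// One side ("wet") holds the component's internal objects; the other ("dry") is untrusted
// page code that must only ever see wrappers. Nothing is cloned: the dry side reads and
// calls through to the live wet objects, but can never obtain a raw reference to them.
function makeMembrane(wetRoot) {
  const wetToDry = new WeakMap();      // wet object  -> its dry-side proxy
  const dryToWet = new WeakMap();      // dry object  -> its wet-side proxy
  const proxyToTarget = new WeakMap(); // any membrane proxy -> the object it wraps
  const revokers = [];
  let revoked = false;

  const isPrimitive = (v) =>
    v === null || (typeof v !== 'object' && typeof v !== 'function');
  const check = () => { if (revoked) throw new TypeError('membrane revoked'); };

  // cross(value, cache, other): move `value` across the boundary. `cache` is the map for
  // the direction being crossed, `other` the map for the opposite direction (used when a
  // wrapper's arguments or assigned values travel back the other way).
  function cross(value, cache, other) {
    if (isPrimitive(value)) return value;             // primitives cross by value
    if (proxyToTarget.has(value)) return proxyToTarget.get(value); // wrapper going home: unwrap
    if (cache.has(value)) return cache.get(value);    // identity: one wrapper per object
    const handler = {
      get(t, prop) { check(); return cross(Reflect.get(t, prop), cache, other); },
      set(t, prop, v) { check(); return Reflect.set(t, prop, cross(v, other, cache)); },
      has(t, prop) { check(); return Reflect.has(t, prop); },
      ownKeys(t) { check(); return Reflect.ownKeys(t); },
      apply(t, thisArg, args) {
        check();
        const r = Reflect.apply(t, cross(thisArg, other, cache), args.map((a) => cross(a, other, cache)));
        return cross(r, cache, other);
      },
      construct(t, args) {
        check();
        return cross(Reflect.construct(t, args.map((a) => cross(a, other, cache))), cache, other);
      },
    };
    // Caveat (one of the "details to get right"): wrapping the real target directly works only
    // for configurable/writable properties; proxy invariants on non-configurable properties
    // require a shadow target in a production membrane. This toy keeps the simple form.
    const { proxy, revoke } = Proxy.revocable(value, handler);
    cache.set(value, proxy);
    proxyToTarget.set(proxy, value);
    revokers.push(revoke);
    return proxy;
  }

  return {
    dry: cross(wetRoot, wetToDry, dryToWet),
    revoke() { revoked = true; revokers.forEach((r) => r()); }, // severs every wrapper at once
  };
}

// Constructed wet side: a toy component whose internal tree must never leak raw to the page.
function makeComponent() {
  const internal = { tag: 'div', secret: 'shadow-internals', child: { tag: 'span' } };
  const api = {
    root: internal,
    getChild() { return internal.child; },
    adopt(node) { internal.adopted = node; return node; },
    isInternal(obj) { return obj === internal || obj === internal.child; },
  };
  return { internal, api };
}

// Exercises the membrane from the dry (page) side and reports what it could observe.
function demo() {
  const { internal, api } = makeComponent();
  const { dry, revoke } = makeMembrane(api);
  const results = {};
  results.rootIsWrapped = dry.root !== internal;                    // raw wet object never crosses
  results.readsThrough = dry.root.secret === 'shadow-internals';    // but live reads work (no clone)
  results.identityStable = dry.getChild() === dry.root.child;       // same object, same wrapper
  results.roundTrip = dry.adopt(dry.root) === dry.root;             // unwrapped in, rewrapped out
  results.wetSeesOriginal = dry.isInternal(dry.root);               // wet code got its own object back
  const pageNode = { tag: 'page-node' };
  dry.adopt(pageNode);
  results.wetSideWrapped = internal.adopted !== pageNode;           // dry objects are wrapped going in
  results.wetSideReads = internal.adopted.tag === 'page-node';
  revoke();
  try { void dry.root.secret; results.revoked = false; } catch (e) { results.revoked = true; }
  return results;
}
```

A leak check for such a membrane is simply the `rootIsWrapped` and `wetSideWrapped` conditions applied to every object that crosses: if any value reachable on the dry side is `===` to a wet object, a capability has escaped. The parts this toy omits (shadow targets for proxy invariants, wrapping of prototypes, property descriptors, thrown exceptions and Promise results) are where the real effort goes.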