javascriptjavascript-objectsfirefox-addon-webextensions

What is a restricted JavaScript object?


I'm trying to use custom DOM events to communicate between the main world and the isolated world for a page in a webextension in Firefox. When trying to access an event object property, I get an access denied error. Most of what follows is just context. I really want to know what a "restricted" object is rather than how to make it unrestricted.

listener

function onCustom( e ) {
  console.log( e );
  console.log( e.detail );
  console.log( e.detail.plugh );
}
document.addEventListener( 'custom', onCustom );

sender

e = new CustomEvent( 'custom', { detail: {
  plugh: 'xyzzy'
} } );

document.dispatchEvent( e );

If the listener and the sender are both in the same world, it works fine. (This case is just a sanity check, since the point is to communicate between worlds.)

If the listener is in the isolated world and the sender is in the main world, it works fine.

If the listener is in the main world and the sender is in the isolated world, it pukes as follows.

console output

custom { blah, blah, blah, lots of properties }
Object { plugh: "xyzzy" }
Uncaught Error: Permission denied to access property "plugh"

That's all the error information that there is: an untyped error and a message string.

I can expand the Object (second line) in the devtools console. It's there.

If I expand the "custom" object (first line) in the devtools console, it says (in part):

  detail: Restricted {  }

The detail property of a CustomEvent can be anything serializable. I can do my own serialization with JSON.stringify() in the sender and deserialize it with JSON.parse() in the listener. It's a workaround that does work. I still want to know what's going on with the object that I cannot access it after it was serialized and deserialized transparently for me.

EDIT (from the comments): The documented way to send objects from the isolated world into the main world is cloneInto().

sender (isolated to main only)

e = new CustomEvent( 'custom', cloneInto( { detail: {
  plugh: 'xyzzy'
} }, wrappedJSObject ) );

document.dispatchEvent( e );

Solution

  • This answer represents what I've learned today from (what I can remember of) a deleted answer from another poster plus the comments.

    Because it's structured data, when sending { detail: { plugh: "xyzzy" } } in an event, the browser makes a structured clone. A common example of structured cloning is passing objects back and forth between realms with web workers. The question doesn't deal with web workers, but the main and isolated worlds of the content context are different realms, which have different window objects. (Having different window objects is part of how the isolation of "isolated world" works, even though the main and isolated worlds share the DOM and, hence, DOM events. That part I already knew.)

    When Firefox serializes the detail object, the object (or at least members of it) retains the characterization of belonging to the isolated world. (I would have thought serialization discards it, but it doesn't.) In the main world, the deserialized object still belongs to the isolated world. Because the isolated world has a higher privilege level, the deserialized object is inaccessible ("restricted") in the main world.

    Explicitly serializing the object with JSON.stringify() does discard the realm information, so the object can be deserialized without the origin realm information (and it works). Primitives, like strings, apparently don't have realm information. Mozilla has another solution for content scripts, however.

    cloneInto() sets the realm information to whatever else is specified, usng the window of the target realm. Since wrappedJSObject is a reference in the isolated world to the window object in the main world, detail can be characterized as belonging to the main world before serialization. When it's deserialized, it still belongs to the main world, so it is accessible (not "restricted") in the main world.

    TL;DR: Serialization and deserialization across the main/isolated world boundary retains world information for complex data. Objects belonging to the higher-privileged isolated world are restricted from access in the lower-privileged main world.