On Mon, Oct 02, 2017 at 11:39:21AM -0700, Kris Maglione wrote:
> On Mon, Oct 02, 2017 at 11:13:20AM -0400, Boris Zbarsky wrote:
>> Passing along a JSContext would work. We could have something like
>> "null means no scripted caller, otherwise caller's compartment is
>> the part that matters". This relies on no one on the setattr path
>> messing with the compartment, but that shouldn't be too hard to
>> ensure, especially since we only have a few attributes on a few
>> elements for which this is relevant...
>>
>> I'd love it if we could pass along something that couldn't be
>> abused/misused like a JSContext. We could make up a wrapper class,
>> but no matter what we do we'd have the fundamental tradeoff that
>> either we grab the principal eagerly, and pay the cost for all the
>> cases where it doesn't matter, or we grab it lazily and run the risk
>> of things changing under us. We should probably measure how
>> expensive setAttribute is and how expensive grabbing the principal
>> from a JSContext (e.g. by marking the method as
>> [NeedsCallerPrincipal]) is...
>
> OK, I'll try a talos run with [NeedsCallerPrincipal] added to
> setAttribute and see where that comes out. If it looks good, I'll
> investigate that route some more. Otherwise, I'll probably go with a
> JSContext wrapper and retrieve the principal on demand.

So far it doesn't look like there's any significant difference
on any talos test from adding [NeedsCallerPrincipal] to
setAttribute/setAttributeNS/Attr.value, so I'm going to go that
route for now. If it turns out to be a problem later, I'll
refactor it to pass a context object that lazily extracts the
principal.