On 7/1/14, 11:20 PM, Brendan Eich wrote:
XBL can expose anonymous content via special API:
https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/DOM_Interfaces#getAnonymousNodes
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/XBL_Example
https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/Anonymous_Content
I'm rusty on this stuff; bz should correct anything amiss here.
A few things:
1) The XBL implementation has not been static over time. At one point,
XBL ran in the same global (Realm, whatever you want to call it) as the
document it was bound to. This caused obvious encapsulation issues. We
attempted to change it to run in a separate global, but ran into compat
problems with Firefox UI and extensions that depended on the old
behavior. At the moment, XBL runs in the same global as the document
when the document is part of the browser UI, but runs in a separate
global when the document is untrusted. This means we can use XBL to
implement things like <marquee> or the controls of <video> elements
without worrying about the XBL scripts being affected by whatever the
web page is doing to its global.
2) The document.getAnonymousNodes API does exist, but is only exposed
to trusted globals and the XBL globals associated to untrusted web
pages. In other words, you can only use getAnonymousNodes() if you are
same-global with the XBL code already.
Gecko does *not* today leak any
internal details of <input type=file>, in the way that type 2 web
components would leak; that would be a major security breach.
Right you are -- native anonymous content is special this way. But ES6
proxies are used (albeit by C++ APIs):
In fact, we place the JS reflections for the innards of the file input
in the same global as XBL bound to the page, if I recall correctly.
Though there is no exposed API to get at it, of course.
So I question whether membranes *and* structured clones are required.
SES uses membranes without cloning (wrapping, not cloning). This all
seems doable in-JS with enough care and testing, including
capability-leak detection. Proxies are awesome!
Membranes are definitely doable, but there's a lot of details to get right.
-Boris
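As an added illustration of the "wrapping, not cloning" membrane Brendan refers to (example code written for this page, not SES or Gecko code): a minimal two-sided ES6 Proxy membrane that preserves identity across the boundary, wraps callbacks and their arguments in the opposite direction, and offers a simple capability-leak check plus revocation. Names (`makeMembrane`, `isWrapper`, `demo`) and the sample "inside" object graph are invented.

```javascript
function makeMembrane(wetRoot) {
  const wetToDry = new WeakMap();  // wet (inside) original -> dry wrapper
  const dryToWet = new WeakMap();  // dry (outside) original -> wet wrapper
  const originals = new WeakMap(); // any wrapper -> the object it wraps
  const revokers = new Set();
  // Wrap `obj` for the far side: `mine` maps this side's originals to wrappers,
  // `other` is the reverse direction. (Frozen targets would need a shadow target.)
  function wrap(obj, mine, other) {
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
    if (originals.has(obj)) return originals.get(obj); // a wrapper going home: unwrap it
    if (mine.has(obj)) return mine.get(obj);           // already wrapped: keep identity
    const { proxy, revoke } = Proxy.revocable(obj, {
      // Values read here leave this side; assigned values, `this` and arguments
      // arrive from the far side and are wrapped in the opposite direction.
      get: (t, key) => wrap(Reflect.get(t, key), mine, other),
      set: (t, key, value) => Reflect.set(t, key, wrap(value, other, mine)),
      apply: (t, thisArg, args) => wrap(
        Reflect.apply(t, wrap(thisArg, other, mine), args.map(a => wrap(a, other, mine))),
        mine, other),
    });
    revokers.add(revoke);
    mine.set(obj, proxy);
    originals.set(proxy, obj);
    return proxy;
  }
  return {
    dry: wrap(wetRoot, wetToDry, dryToWet),
    isWrapper: value => originals.has(value), // leak check: a raw object is not a wrapper
    revoke: () => revokers.forEach(r => r()),  // cut every wrapper at once
  };
}

// Constructed sample "inside" graph standing in for anonymous content: a cycle,
// a method returning `this`, and a method that hands an inside object to a callback.
function demo() {
  const wetRoot = { secret: 'internal', child: {}, getSelf() { return this; },
                    callWith(cb) { return cb(this); } };
  wetRoot.child.parent = wetRoot;
  const m = makeMembrane(wetRoot);
  const seen = [];
  m.dry.callWith(x => seen.push(x)); // the outside callback must only ever see a wrapper
  const result = {
    identity: m.dry !== wetRoot && m.dry.getSelf() === m.dry && m.dry.child.parent === m.dry,
    noLeak: seen[0] === m.dry && m.isWrapper(seen[0]) && seen[0] !== wetRoot,
  };
  m.revoke();
  try { m.dry.secret; result.revoked = false; } catch (e) { result.revoked = e instanceof TypeError; }
  return result;
}
```

Primitives such as `secret` cross unwrapped, which is why no structured clone is needed for plain data; the structured part of the graph is only ever reachable through proxies.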