1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
/* eslint-disable strict */
function run_test() {
Services.prefs.setBoolPref("security.allow_eval_with_system_principal", true);
registerCleanupFunction(() => {
Services.prefs.clearUserPref("security.allow_eval_with_system_principal");
});
const { addDebuggerToGlobal } = ChromeUtils.importESModule(
"resource://gre/modules/jsdebugger.sys.mjs"
);
addDebuggerToGlobal(globalThis);
const g = createTestGlobal("test", {
wantGlobalProperties: ["ChromeUtils"],
});
const dbg = new Debugger();
const gw = dbg.addDebuggee(g);
g.eval(`
// This is not a CCW.
Object.defineProperty(this, "bar", {
get: function() { return "bar"; },
configurable: true,
enumerable: true
});
const { XPCOMUtils } = ChromeUtils.importESModule(
"resource://gre/modules/XPCOMUtils.sys.mjs"
);
// This is a CCW.
XPCOMUtils.defineLazyScriptGetter(
this, "foo", "chrome://global/content/viewZoomOverlay.js");
`);
// Neither scripted getter should be considered safe.
assert(!DevToolsUtils.hasSafeGetter(gw.getOwnPropertyDescriptor("bar")));
assert(!DevToolsUtils.hasSafeGetter(gw.getOwnPropertyDescriptor("foo")));
// Create an object in a less privileged sandbox.
const obj = gw.makeDebuggeeValue(
Cu.waiveXrays(
Cu.Sandbox(null).eval(`
Object.defineProperty({}, "bar", {
get: function() { return "bar"; },
configurable: true,
enumerable: true
});
`)
)
);
// After waiving Xrays, the object has 2 wrappers. Both must be removed
// in order to detect that the getter is not safe.
assert(!DevToolsUtils.hasSafeGetter(obj.getOwnPropertyDescriptor("bar")));
}
|