Bug 2017797 - Part 3: Preserve legacy structuredClone behaviour for WebExtensions, r=robwu,asuth

mystor · mystor · commit 08e7de1d8afd · 2026-02-26T06:20:58.000Z
This change attempts to preserve the behaviour from before bug 2013389 for WebExtensions, putting the janky type-dependant behaviour behind a pref. This is done by making the webextension content script globals shadow 'structuredClone' with an alternative implementation based in the content script's global. This alternative implementation will, when being called from a webextension content script, only change the global of the cloned object when called on one of the set of DOM objects which previously were impacted by the bug. Note that previously 'structuredClone' would do this odd behaviour even for a nested object, but this is very unlikely to happen intentionally (and would be much more difficult to implement), so that behaviour has not been preserved. Differential Revision: https://phabricator.services.mozilla.com/D284524
diff --git a/js/xpconnect/src/Sandbox.cpp b/js/xpconnect/src/Sandbox.cpp
@@ -379,6 +379,29 @@ static bool SandboxCreateStorage(JSContext* cx, JS::HandleObject obj) {
   return JS_DefineProperty(cx, obj, "storage", wrapped, JSPROP_ENUMERATE);
 }
 
+// Prior to bug 2013389, the following DOM objects would be structured-cloned
+// into the inner window's realm when `structuredClone` is called from an
+// extension content script. All other objects would remain within the content
+// script's realm. This method is used to retain this historic behaviour.
+//
+// See bug 2017797 for discussion about this behaviour.
+static bool LegacyShouldCloneIntoWindow(JSObject* obj) {
+  return IS_INSTANCE_OF(Blob, obj) || IS_INSTANCE_OF(Directory, obj) ||
+         IS_INSTANCE_OF(FileList, obj) || IS_INSTANCE_OF(FormData, obj) ||
+         IS_INSTANCE_OF(ImageBitmap, obj) || IS_INSTANCE_OF(VideoFrame, obj) ||
+         IS_INSTANCE_OF(EncodedVideoChunk, obj) ||
+         IS_INSTANCE_OF(AudioData, obj) ||
+         IS_INSTANCE_OF(EncodedAudioChunk, obj) ||
+         IS_INSTANCE_OF(RTCEncodedVideoFrame, obj) ||
+         IS_INSTANCE_OF(RTCEncodedAudioFrame, obj) ||
+         IS_INSTANCE_OF(MessagePort, obj) ||
+         IS_INSTANCE_OF(OffscreenCanvas, obj) ||
+         IS_INSTANCE_OF(ReadableStream, obj) ||
+         IS_INSTANCE_OF(WritableStream, obj) ||
+         IS_INSTANCE_OF(TransformStream, obj) ||
+         IS_INSTANCE_OF(RTCDataChannel, obj);
+}
+
 static bool SandboxStructuredClone(JSContext* cx, unsigned argc, Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
 
@@ -387,25 +410,43 @@ static bool SandboxStructuredClone(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   RootedDictionary<dom::StructuredSerializeOptions> options(cx);
-  BindingCallContext callCx(cx, "structuredClone");
   if (!options.Init(cx, args.hasDefined(1) ? args[1] : JS::NullHandleValue,
                     "Argument 2", false)) {
     return false;
   }
 
-  nsIGlobalObject* global = CurrentNativeGlobal(cx);
+  // NOTE: A spec-compliant structuredClone should determine & use the relevant
+  // global instead of the current global.
+  nsCOMPtr<nsIGlobalObject> global = CurrentNativeGlobal(cx);
   if (!global) {
     JS_ReportErrorASCII(cx, "structuredClone: Missing global");
     return false;
   }
 
+  // If this is a content script, we may want to clone into that window instead.
+  // See the comment on LegacyShouldCloneIntoWindow for details.
+  if (IsWebExtensionContentScriptSandbox(global->GetGlobalJSObject()) &&
+      StaticPrefs::extensions_webextensions_legacyStructuredCloneBehavior() &&
+      args[0].isObject() && LegacyShouldCloneIntoWindow(&args[0].toObject())) {
+    if (nsGlobalWindowInner* window =
+            SandboxWindowOrNull(global->GetGlobalJSObject(), cx)) {
+      global = window;
+    }
+  }
+
   JS::Rooted<JS::Value> result(cx);
   ErrorResult rv;
   nsContentUtils::StructuredClone(cx, global, args[0], options, &result, rv);
   if (rv.MaybeSetPendingException(cx)) {
     return false;
   }
 
+  // Because we specified a custom `global`, the returned value may not be in
+  // our realm.
+  if (!mozilla::dom::MaybeWrapValue(cx, &result)) {
+    return false;
+  }
+
   MOZ_ASSERT_IF(result.isGCThing(),
                 !JS::GCThingIsMarkedGray(result.toGCCellPtr()));
   args.rval().set(result);
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -6210,6 +6210,16 @@
 #endif
   mirror: always
 
+# Prior to bug 2013389 and bug 2017797, calling structuredClone within a
+# content script would clone most objects within the content script's realm,
+# however a subset of DOM objects would be cloned into the underlying content
+# window's realm. When enabled, this pref preserves this legacy behaviour for
+# compatibility with existing content scripts.
+- name: extensions.webextensions.legacyStructuredCloneBehavior
+  type: bool
+  value: true
+  mirror: always
+
 # This pref governs whether we run webextensions in a separate process (true)
 # or the parent/main process (false)
 - name: extensions.webextensions.remote
diff --git a/toolkit/components/extensions/ExtensionContent.sys.mjs b/toolkit/components/extensions/ExtensionContent.sys.mjs
@@ -1039,16 +1039,20 @@ export class ContentScriptContextChild extends BaseContext {
         addonId: extensionPrincipal.addonId,
       };
 
+      // Within a content script, we want the 'structuredClone' method to clone
+      // the object within the content script's global, rather than cloning it
+      // into the the embedding scope. (see bug 2017797)
+      let wantGlobalProperties = ["structuredClone"];
+
       let isMV2 = extension.manifestVersion == 2;
-      let wantGlobalProperties;
       let sandboxContentSecurityPolicy;
       if (isMV2) {
         // In MV2, fetch/XHR support cross-origin requests.
         // WebSocket was also included to avoid CSP effects (bug 1676024).
-        wantGlobalProperties = ["XMLHttpRequest", "fetch", "WebSocket"];
+        wantGlobalProperties.push("XMLHttpRequest", "fetch", "WebSocket");
       } else {
         // In MV3, fetch/XHR have the same capabilities as the web page.
-        wantGlobalProperties = [];
+
         // In MV3, the base CSP is enforced for content scripts. Overrides are
         // currently not supported, but this was considered at some point, see
         // https://bugzilla.mozilla.org/show_bug.cgi?id=1581611#c10
diff --git a/toolkit/components/extensions/ExtensionUserScriptsContent.sys.mjs b/toolkit/components/extensions/ExtensionUserScriptsContent.sys.mjs
@@ -258,6 +258,10 @@ class WorldCollection {
       wantXrays: true,
       isWebExtensionContentScript: true,
       wantExportHelpers: true,
+      // The 'structuredClone' method in content scripts should clone within the
+      // content script global by default, rather than cloning into the target
+      // contentWindow.
+      wantGlobalProperties: ["structuredClone"],
       originAttributes: docPrincipal.originAttributes,
     });
 
diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_structured_clone.js b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_structured_clone.js
@@ -0,0 +1,149 @@
+"use strict";
+
+const server = createHttpServer({ hosts: ["example.com"] });
+server.registerPathHandler("/test", (request, response) => {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "text/html", false);
+  response.write("<!DOCTYPE html><html><body></body></html>");
+});
+
+async function testStructuredClone(legacyPref) {
+  Services.prefs.setBoolPref(
+    "extensions.webextensions.legacyStructuredCloneBehavior",
+    legacyPref
+  );
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      content_scripts: [
+        {
+          matches: ["http://example.com/test"],
+          js: ["cs.js"],
+        },
+      ],
+    },
+    files: {
+      "cs.js"() {
+        /* globals cloneInto, structuredClone */
+        browser.test.assertTrue(
+          location.hash == "#true" || location.hash == "#false",
+          "unexpected legacy pref value"
+        );
+
+        function isWindow(obj, desc) {
+          browser.test.assertTrue(
+            obj instanceof window.Object,
+            `${desc}: is a window.Object`
+          );
+          browser.test.assertFalse(
+            obj instanceof Object,
+            `${desc}: is not a sandbox.Object`
+          );
+        }
+        function isSandbox(obj, desc) {
+          browser.test.assertTrue(
+            obj instanceof Object,
+            `${desc}: is a sandbox.Object`
+          );
+          browser.test.assertFalse(
+            obj instanceof window.Object,
+            `${desc}: is not a window.Object`
+          );
+        }
+
+        let sbObj = { a: 1 };
+        let winObj = cloneInto(sbObj, window);
+        let winBlob = new Blob(["test"]);
+        let sbBlob = cloneInto(winBlob, globalThis);
+
+        // Confirm that our initial objects are in the expected globals.
+        // NOTE: The original blob was constructed in the Window (as the 'Blob'
+        // constructor is provided by Window).
+        isWindow(winObj, "winObj");
+        isSandbox(sbObj, "sbObj");
+        isWindow(winBlob, "winBlob");
+        isSandbox(sbBlob, "sbBlob");
+
+        // structuredClone(obj) should always clone into the sandbox
+        isSandbox(structuredClone(winObj), "structuredClone(winObj)");
+        isSandbox(
+          globalThis.structuredClone(winObj),
+          "globalThis.structuredClone(winObj)"
+        );
+        isSandbox(structuredClone(sbObj), "structuredClone(sbObj)");
+        isSandbox(
+          globalThis.structuredClone(sbObj),
+          "globalThis.structuredClone(sbObj)"
+        );
+
+        // structuredClone(blob) depends on the legacy pref
+        let blobAssertion = location.hash == "#true" ? isWindow : isSandbox;
+        blobAssertion(structuredClone(winBlob), "structuredClone(winBlob)");
+        blobAssertion(
+          globalThis.structuredClone(winBlob),
+          "globalThis.structuredClone(winBlob)"
+        );
+        blobAssertion(structuredClone(sbBlob), "structuredClone(sbBlob)");
+        blobAssertion(
+          globalThis.structuredClone(sbBlob),
+          "globalThis.structuredClone(sbBlob)"
+        );
+
+        // window.structuredClone(...) always clones into the window global
+        isWindow(
+          window.structuredClone(winObj),
+          "window.structuredClone(winObj)"
+        );
+        isWindow(
+          window.structuredClone(sbObj),
+          "window.structuredClone(sbObj)"
+        );
+        isWindow(
+          window.structuredClone(winBlob),
+          "window.structuredClone(winBlob)"
+        );
+        isWindow(
+          window.structuredClone(sbBlob),
+          "window.structuredClone(sbBlob)"
+        );
+
+        // Also test the behaviour of returned xrays. In non-window cases,
+        // there should be no xrays, but when calling window.structuredClone
+        // there are xrays, which will prevent adding function properties.
+        structuredClone(winObj).x = function () {};
+        globalThis.structuredClone(winObj).x = function () {};
+        browser.test.assertThrows(
+          () => (window.structuredClone(winObj).x = function () {}),
+          /Not allowed to define cross-origin object as property/,
+          "window.structuredClone(winObj) should be an xray wrapper"
+        );
+
+        structuredClone(sbObj).x = function () {};
+        globalThis.structuredClone(sbObj).x = function () {};
+        browser.test.assertThrows(
+          () => (window.structuredClone(sbObj).x = function () {}),
+          /Not allowed to define cross-origin object as property/,
+          "window.structuredClone(sbObj) should be an xray wrapper"
+        );
+
+        browser.test.sendMessage("done");
+      },
+    },
+  });
+
+  await extension.startup();
+  let contentPage = await ExtensionTestUtils.loadContentPage(
+    `http://example.com/test#${legacyPref}`
+  );
+  await extension.awaitMessage("done");
+  await contentPage.close();
+  await extension.unload();
+}
+
+add_task(async function test_structuredClone_legacy() {
+  await testStructuredClone(true);
+});
+
+add_task(async function test_structuredClone_nonlegacy() {
+  await testStructuredClone(false);
+});
diff --git a/toolkit/components/extensions/test/xpcshell/xpcshell-common.toml b/toolkit/components/extensions/test/xpcshell/xpcshell-common.toml
@@ -191,6 +191,8 @@ skip-if = [
 
 ["test_ext_contentscript_slow_frame.js"]
 
+["test_ext_contentscript_structured_clone.js"]
+
 ["test_ext_contentscript_teardown.js"]
 skip-if = [
   "tsan", # Bug 1683730
