Revert "Bug 2017797 - Part 3: Preserve legacy structuredClone behaviour for WebExtensions, r=robwu,asuth" for causing hazard failures at js/xpconnect/src/Sandbox.cpp:X

rperta · rperta · commit 147fa4a7e5da · 2026-02-27T15:39:55.000Z
This reverts commit 6654e59. This reverts commit b5186a6. This reverts commit 1cd2ed3.
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
@@ -11950,9 +11950,6 @@ void nsContentUtils::StructuredClone(JSContext* aCx, nsIGlobalObject* aGlobal,
     clonePolicy.allowSharedMemoryObjects();
   }
 
-  // 2.7.10 Structured cloning API
-  // Step 1: Let serialized be
-  //   ? StructuredSerializeWithTransfer(value, options["transfer"])
   StructuredCloneHolder holder(StructuredCloneHolder::CloningSupported,
                                StructuredCloneHolder::TransferringSupported,
                                JS::StructuredCloneScope::SameProcess);
@@ -11961,16 +11958,11 @@ void nsContentUtils::StructuredClone(JSContext* aCx, nsIGlobalObject* aGlobal,
     return;
   }
 
-  // Step 2: Let deserializeRecord be
-  //   ? StructuredDeserializeWithTransfer(serialized, this's relevant realm).
-  JSAutoRealm ar(aCx, aGlobal->GetGlobalJSObject());
   holder.Read(aCx, aRetval, clonePolicy, aError);
   if (NS_WARN_IF(aError.Failed())) {
     return;
   }
 
-  // Step 3: Return deserializeRecord.[[Deserialized]].
-  //   (discarding deserializeRecord.[[TransferredValues]])
   nsTArray<RefPtr<MessagePort>> ports = holder.TakeTransferredPorts();
   (void)ports;
 }
diff --git a/dom/bindings/BindingUtils.h b/dom/bindings/BindingUtils.h
@@ -172,8 +172,10 @@ inline bool IsDOMObject(JSObject* obj) { return IsDOMClass(JS::GetClass(obj)); }
       obj, value, cx)
 
 // Test whether the given object is an instance of the given interface.
-#define IS_INSTANCE_OF(Interface, obj) \
-  mozilla::dom::IsInstanceOf<mozilla::dom::prototypes::id::Interface>(obj)
+#define IS_INSTANCE_OF(Interface, obj)                                       \
+  mozilla::dom::IsInstanceOf<mozilla::dom::prototypes::id::Interface,        \
+                             mozilla::dom::Interface##_Binding::NativeType>( \
+      obj)
 
 // Unwrap the given non-wrapper object.  This can be used with any obj that
 // converts to JSObject*; as long as that JSObject* is live the return value
@@ -420,11 +422,11 @@ MOZ_ALWAYS_INLINE nsresult UnwrapObjectWithCrossOriginAsserts(V&& obj,
 }
 }  // namespace binding_detail
 
-template <prototypes::ID PrototypeID>
+template <prototypes::ID PrototypeID, class T>
 MOZ_ALWAYS_INLINE bool IsInstanceOf(JSObject* obj) {
   AssertStaticUnwrapOK<PrototypeID>();
   void* ignored;
-  nsresult unwrapped = binding_detail::UnwrapObjectInternal<void, true>(
+  nsresult unwrapped = binding_detail::UnwrapObjectInternal<T, true>(
       obj, ignored, PrototypeID, PrototypeTraits<PrototypeID>::Depth, nullptr);
   return NS_SUCCEEDED(unwrapped);
 }
diff --git a/js/xpconnect/src/Sandbox.cpp b/js/xpconnect/src/Sandbox.cpp
@@ -379,31 +379,6 @@ static bool SandboxCreateStorage(JSContext* cx, JS::HandleObject obj) {
   return JS_DefineProperty(cx, obj, "storage", wrapped, JSPROP_ENUMERATE);
 }
 
-// Prior to bug 2013389, the following DOM objects would be structured-cloned
-// into the inner window's realm when `structuredClone` is called from an
-// extension content script. All other objects would remain within the content
-// script's realm. This method is used to retain this historic behaviour.
-//
-// See bug 2017797 for discussion about this behaviour.
-static bool LegacyShouldCloneIntoWindow(JSObject* obj) {
-  return IS_INSTANCE_OF(Blob, obj) || IS_INSTANCE_OF(Directory, obj) ||
-         IS_INSTANCE_OF(FileList, obj) || IS_INSTANCE_OF(FormData, obj) ||
-         IS_INSTANCE_OF(ImageBitmap, obj) || IS_INSTANCE_OF(VideoFrame, obj) ||
-         IS_INSTANCE_OF(EncodedVideoChunk, obj) ||
-         IS_INSTANCE_OF(AudioData, obj) ||
-         IS_INSTANCE_OF(EncodedAudioChunk, obj) ||
-#ifdef MOZ_WEBRTC
-         IS_INSTANCE_OF(RTCEncodedVideoFrame, obj) ||
-         IS_INSTANCE_OF(RTCEncodedAudioFrame, obj) ||
-         IS_INSTANCE_OF(RTCDataChannel, obj) ||
-#endif
-         IS_INSTANCE_OF(MessagePort, obj) ||
-         IS_INSTANCE_OF(OffscreenCanvas, obj) ||
-         IS_INSTANCE_OF(ReadableStream, obj) ||
-         IS_INSTANCE_OF(WritableStream, obj) ||
-         IS_INSTANCE_OF(TransformStream, obj);
-}
-
 static bool SandboxStructuredClone(JSContext* cx, unsigned argc, Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
 
@@ -412,43 +387,25 @@ static bool SandboxStructuredClone(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   RootedDictionary<dom::StructuredSerializeOptions> options(cx);
+  BindingCallContext callCx(cx, "structuredClone");
   if (!options.Init(cx, args.hasDefined(1) ? args[1] : JS::NullHandleValue,
                     "Argument 2", false)) {
     return false;
   }
 
-  // NOTE: A spec-compliant structuredClone should determine & use the relevant
-  // global instead of the current global.
-  nsCOMPtr<nsIGlobalObject> global = CurrentNativeGlobal(cx);
+  nsIGlobalObject* global = CurrentNativeGlobal(cx);
   if (!global) {
     JS_ReportErrorASCII(cx, "structuredClone: Missing global");
     return false;
   }
 
-  // If this is a content script, we may want to clone into that window instead.
-  // See the comment on LegacyShouldCloneIntoWindow for details.
-  if (IsWebExtensionContentScriptSandbox(global->GetGlobalJSObject()) &&
-      StaticPrefs::extensions_webextensions_legacyStructuredCloneBehavior() &&
-      args[0].isObject() && LegacyShouldCloneIntoWindow(&args[0].toObject())) {
-    if (nsGlobalWindowInner* window =
-            SandboxWindowOrNull(global->GetGlobalJSObject(), cx)) {
-      global = window;
-    }
-  }
-
   JS::Rooted<JS::Value> result(cx);
   ErrorResult rv;
   nsContentUtils::StructuredClone(cx, global, args[0], options, &result, rv);
   if (rv.MaybeSetPendingException(cx)) {
     return false;
   }
 
-  // Because we specified a custom `global`, the returned value may not be in
-  // our realm.
-  if (!mozilla::dom::MaybeWrapValue(cx, &result)) {
-    return false;
-  }
-
   MOZ_ASSERT_IF(result.isGCThing(),
                 !JS::GCThingIsMarkedGray(result.toGCCellPtr()));
   args.rval().set(result);
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -6217,16 +6217,6 @@
 #endif
   mirror: always
 
-# Prior to bug 2013389 and bug 2017797, calling structuredClone within a
-# content script would clone most objects within the content script's realm,
-# however a subset of DOM objects would be cloned into the underlying content
-# window's realm. When enabled, this pref preserves this legacy behaviour for
-# compatibility with existing content scripts.
-- name: extensions.webextensions.legacyStructuredCloneBehavior
-  type: bool
-  value: true
-  mirror: always
-
 # This pref governs whether we run webextensions in a separate process (true)
 # or the parent/main process (false)
 - name: extensions.webextensions.remote
diff --git a/testing/web-platform/meta/html/webappapis/structured-clone/structured-clone-cross-realm-method.html.ini b/testing/web-platform/meta/html/webappapis/structured-clone/structured-clone-cross-realm-method.html.ini
@@ -0,0 +1,12 @@
+[structured-clone-cross-realm-method.html]
+  [Object instance]
+    expected: FAIL
+
+  [Array instance]
+    expected: FAIL
+
+  [Date instance]
+    expected: FAIL
+
+  [RegExp instance]
+    expected: FAIL
diff --git a/toolkit/components/extensions/ExtensionContent.sys.mjs b/toolkit/components/extensions/ExtensionContent.sys.mjs
@@ -1039,20 +1039,16 @@ export class ContentScriptContextChild extends BaseContext {
         addonId: extensionPrincipal.addonId,
       };
 
-      // Within a content script, we want the 'structuredClone' method to clone
-      // the object within the content script's global, rather than cloning it
-      // into the the embedding scope. (see bug 2017797)
-      let wantGlobalProperties = ["structuredClone"];
-
       let isMV2 = extension.manifestVersion == 2;
+      let wantGlobalProperties;
       let sandboxContentSecurityPolicy;
       if (isMV2) {
         // In MV2, fetch/XHR support cross-origin requests.
         // WebSocket was also included to avoid CSP effects (bug 1676024).
-        wantGlobalProperties.push("XMLHttpRequest", "fetch", "WebSocket");
+        wantGlobalProperties = ["XMLHttpRequest", "fetch", "WebSocket"];
       } else {
         // In MV3, fetch/XHR have the same capabilities as the web page.
-
+        wantGlobalProperties = [];
         // In MV3, the base CSP is enforced for content scripts. Overrides are
         // currently not supported, but this was considered at some point, see
         // https://bugzilla.mozilla.org/show_bug.cgi?id=1581611#c10
diff --git a/toolkit/components/extensions/ExtensionUserScriptsContent.sys.mjs b/toolkit/components/extensions/ExtensionUserScriptsContent.sys.mjs
@@ -258,10 +258,6 @@ class WorldCollection {
       wantXrays: true,
       isWebExtensionContentScript: true,
       wantExportHelpers: true,
-      // The 'structuredClone' method in content scripts should clone within the
-      // content script global by default, rather than cloning into the target
-      // contentWindow.
-      wantGlobalProperties: ["structuredClone"],
       originAttributes: docPrincipal.originAttributes,
     });
 
diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_structured_clone.js b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_structured_clone.js
diff --git a/toolkit/components/extensions/test/xpcshell/xpcshell-common.toml b/toolkit/components/extensions/test/xpcshell/xpcshell-common.toml
@@ -191,8 +191,6 @@ skip-if = [
 
 ["test_ext_contentscript_slow_frame.js"]
 
-["test_ext_contentscript_structured_clone.js"]
-
 ["test_ext_contentscript_teardown.js"]
 skip-if = [
   "tsan", # Bug 1683730

Original file line number	Diff line number	Diff line change
`@@ -11950,9 +11950,6 @@ void nsContentUtils::StructuredClone(JSContext* aCx, nsIGlobalObject* aGlobal,`
`11950`	`11950`	`clonePolicy.allowSharedMemoryObjects();`
`11951`	`11951`	`}`
`11952`	`11952`
`11953`		`- // 2.7.10 Structured cloning API`
`11954`		`- // Step 1: Let serialized be`
`11955`		`- // ? StructuredSerializeWithTransfer(value, options["transfer"])`
`11956`	`11953`	`StructuredCloneHolder holder(StructuredCloneHolder::CloningSupported,`
`11957`	`11954`	`StructuredCloneHolder::TransferringSupported,`
`11958`	`11955`	`JS::StructuredCloneScope::SameProcess);`
`@@ -11961,16 +11958,11 @@ void nsContentUtils::StructuredClone(JSContext* aCx, nsIGlobalObject* aGlobal,`
`11961`	`11958`	`return;`
`11962`	`11959`	`}`
`11963`	`11960`
`11964`		`- // Step 2: Let deserializeRecord be`
`11965`		`- // ? StructuredDeserializeWithTransfer(serialized, this's relevant realm).`
`11966`		`- JSAutoRealm ar(aCx, aGlobal->GetGlobalJSObject());`
`11967`	`11961`	`holder.Read(aCx, aRetval, clonePolicy, aError);`
`11968`	`11962`	`if (NS_WARN_IF(aError.Failed())) {`
`11969`	`11963`	`return;`
`11970`	`11964`	`}`
`11971`	`11965`
`11972`		`- // Step 3: Return deserializeRecord.[[Deserialized]].`
`11973`		`- // (discarding deserializeRecord.[[TransferredValues]])`
`11974`	`11966`	`nsTArray<RefPtr<MessagePort>> ports = holder.TakeTransferredPorts();`
`11975`	`11967`	`(void)ports;`
`11976`	`11968`	`}`