Details

Reviewers

robwu
asuth

Commits

rFIREFOXAUTOLAND3ac30f60397d: Bug 2017797 - Part 3: Preserve legacy structuredClone behaviour for…
rFIREFOXAUTOLAND6654e59ff082: Bug 2017797 - Part 3: Preserve legacy structuredClone behaviour for…
rFIREFOXAUTOLAND08e7de1d8afd: Bug 2017797 - Part 3: Preserve legacy structuredClone behaviour for…

Bugzilla Bug ID

2017797

Summary

This change attempts to preserve the behaviour from before bug 2013389 for
WebExtensions, putting the janky type-dependant behaviour behind a pref. This
is done by making the webextension content script globals shadow
'structuredClone' with an alternative implementation based in the content
script's global.

This alternative implementation will, when being called from a webextension
content script, only change the global of the cloned object when called on one
of the set of DOM objects which previously were impacted by the bug.

Note that previously 'structuredClone' would do this odd behaviour even for a
nested object, but this is very unlikely to happen intentionally (and would be
much more difficult to implement), so that behaviour has not been preserved.

Diff Detail

Repository: rFIREFOXAUTOLAND firefox-autoland

Event Timeline

nika created this revision.Feb 23 2026, 9:03 PM

Herald added a project: secure-revision. · View Herald TranscriptFeb 23 2026, 9:03 PM

phab-bot published this revision for review.Feb 23 2026, 9:04 PM

phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".

phab-bot changed the edit policy from "Custom Policy" to "Restricted Project (Project)".

phab-bot removed a project: secure-revision.

Harbormaster completed remote builds in B917879: Diff 1210430.Feb 23 2026, 9:28 PM

Restating:

Bug 1734320 in https://phabricator.services.mozilla.com/D127641 introduced SandboxStructuredClone and making it accessible via wantGlobalProperties including factoring out nsContentUtils::StructuredClone from nsGlobalWindowInner::StructuredClone and mozilla::dom::WorkerGlobalScope::StructuredClone. An additional usage in mozilla::dom::PerformanceMark::Constructor in https://phabricator.services.mozilla.com/D142625 as part of https://bugzilla.mozilla.org/show_bug.cgi?id=1724645.
- The motivation was for devtools to be able to use it for https://bugzilla.mozilla.org/show_bug.cgi?id=1734166 but the performance hit decided for it not to be used, so the only use was in the xpcshell test_structuredClone.js introduced with the functionality.
This patch leverages that existing-but-unused implementation by making the webextension content script sandbox always "wantGlobalProperties" that "structuredClone" implementation while also introducing a pref extensions.webextensions.legacyStructuredCloneBehavior which enables the old behavior as perceived by web extensions which is conditioned on:
- being a webext content script sandbox (as reported by xpc::IsWebExtensionContentScriptSandbox) AND
- if the thing being cloned is an object (per JS::Value::isObject which does not have the typeof(null)=='object' weirdness) and if the object-to-be-cloned is one of the types that would previously have been serialized into the window global, we change the target global to be the window global (as compared to the window and worker cases where we use the window/worker global, which previously for content scripts was the window global because of the prototype chain)
A critical call to mozilla::dom::MaybeWrapValue was added to sandboxStructuredClone; the xpcshell test only ever ran the test in a sandbox global and did not interact with multiple globals. The generated WebIDL bindings (non-permalink linux64 WindowBinding.cpp inherently have that, but the sandbox dynamic definition stuff is not that and does not have any extra WebIDL binding goop.
The test infra seems to most closely match test_ext_contentscript_context_isolation.js in terms of the ExtensionContent.getContextByExtensionId and seems reasonable to me but I am not an expert at that infra and I'm assuming @robwu will validate this is a reasonable approach for scaffolding. But the actual checks look good to me; we have the major checks on a JS object versus a Blob, where Blob is one of the set of legacy supported objects. Because the legacy object checks are done in C++ we don't have to worry about exhaustively testing all of the types because it's not like JS where we could be doing a check against something that ends up being undefined, etc.

js/xpconnect/src/Sandbox.cpp
420–423	nit: missing word

nika updated this revision to Diff 1211436.Feb 24 2026, 9:41 PM

nika updated this revision to Diff 1211437.

nika marked an inline comment as done.Feb 24 2026, 9:42 PM

Harbormaster completed remote builds in B918645: Diff 1211436.Feb 24 2026, 9:55 PM

Harbormaster completed remote builds in B918646: Diff 1211437.

robwu added inline comments.Feb 25 2026, 1:24 AM

toolkit/components/extensions/test/xpcshell/test_ext_contentscript_structured_clone.js
50	The test here leans heavily on internals, where the impact on real world extensions is not immediately obvious. Have you tried the test case that stay 100% in content script land like the ones shown in: https://bugzilla.mozilla.org/show_bug.cgi?id=2017797#c9 ? Specifically https://bugzilla.mozilla.org/show_bug.cgi?id=2017797#:~:text=Appendix%3A%20test%20behavior%20of%20structuredClone to test whether it is from the content script, `instanceof Object`, to test whether it came from the web page, `instanceof window.Object`.