with greasemonkey in firefox 36, "Error: Exposing privileged or cross-origin callable is prohibited"

Bug #1426581 reported by Steve Langasek
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
webapps-sprint | Won't Fix | Medium | David Barth |
firefox (Ubuntu) | Won't Fix | Low | Unassigned |
unity-firefox-extension (Ubuntu) | Won't Fix | Medium | David Barth |

Bug Description

I use a variety of greasemonkey scripts in firefox. After accepting today's update to firefox 36 from firefox 34, one of these scripts is now failing with the following message on the browser console:

Error: Exposing privileged or cross-origin callable is prohibited

This appears to halt the script.

There is no other information given as to the cause of this error, and the line number given is out of range for the source url.

Googling for this error message turns up some results, but none that reference greasemonkey, and with nothing that would indicate how to fix the problem.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: firefox 36.0+build2-0ubuntu4
ProcVersionSignature: Ubuntu 3.18.0-8.9-generic 3.18.1
Uname: Linux 3.18.0-8-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.16.1-0ubuntu2
Architecture: amd64

Chris Coulson (chrisccoulson) wrote :

This is because of https://lists.mozilla.org/pipermail/dev-platform/2014-June/005290.html, and more specifically https://bugzilla.mozilla.org/show_bug.cgi?id=1082450.

The broken script should be using Components.utils.cloneInto() to expose objects from privileged scopes to web content (see https://developer.mozilla.org/en-US/docs/Components.utils.cloneInto)
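
The cloneInto() approach referred to above, as an added example that is not part of the bug report or of any script discussed in it. `sharePageApi`, `pageWindow` and `injectedCloneInto` are hypothetical names; in a Greasemonkey script `pageWindow` would be `unsafeWindow`.

```javascript
// Added example. Real Firefox sandbox helper: cloneInto(obj, targetScope, options).
// Hypothetical names: sharePageApi, pageWindow, injectedCloneInto.

function sharePageApi(pageWindow, name, api, injectedCloneInto) {
  // In a user-script sandbox cloneInto is a global; the optional parameter
  // lets the function be exercised outside Firefox with a stand-in.
  const clone = injectedCloneInto ||
    (typeof cloneInto === "function" ? cloneInto : null);
  if (!clone) {
    // Fail closed: never fall back to assigning the privileged object
    // directly, which is what raises the error in this report.
    throw new Error("cloneInto is unavailable; not exposing " + name);
  }

  const exported = {};
  for (const key of Object.keys(api)) {
    const value = api[key];
    if (typeof value !== "function") {
      exported[key] = value; // plain data: structured-cloned below
      continue;
    }
    exported[key] = function (...args) {
      const result = value.apply(api, args);
      // Objects created in the privileged scope are cloned as well
      // before they are handed back to the page.
      return (result !== null && typeof result === "object")
        ? clone(result, pageWindow)
        : result;
    };
  }

  // cloneFunctions: true is needed for the function properties to cross.
  const shared = clone(exported, pageWindow, { cloneFunctions: true });
  pageWindow[name] = shared;
  return shared;
}
```

Only the keys listed in `api` reach the page, and arguments arriving from the page should be treated as untrusted input inside each function.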

Steve Langasek (vorlon) wrote : Re: [Bug 1426581] Re: with greasemonkey in firefox 36, "Error: Exposing privileged or cross-origin callable is prohibited"

On Fri, Feb 27, 2015 at 11:46:15PM -0000, Chris Coulson wrote:
> The broken script should be using Components.utils.cloneInto() to expose
> objects from privileged scopes to web content (see
> https://developer.mozilla.org/en-US/docs/Components.utils.cloneInto)

That makes sense, but still leaves the problem that the error message
doesn't give me accurate information about where the object is that's being
incorrectly shared across scopes. How can I figure this out so I can fix
the script?

Steve Langasek (vorlon) wrote :

OK, I still don't know why this is broken, but I did figure out that even though the line numbers are wrong, they would change if I edited the greasemonkey script; so bisecting line numbers, I get to this function:

  var requestPrototype = (function() {
    for(var topLevel in window) {
      if(!window[topLevel]) continue;
      // need an example for a request object
      for(var property in window[topLevel]) {
        try {
          if(window[topLevel][property] == "getRegionScoreDetails") {
            return Object.getPrototypeOf(window[topLevel]);
          }
        } catch(e) { // might throw SecurityError or others (noticed on top.opener, which might be cross-origin)
          continue;
        }
      }
    }
  })();

The exception is seen to happen on the line
        for(var property in window[topLevel]) {

There's clearly code here intended to trap the security exception, but it looks like that exception is being raised in the wrong place. Might this be a firefox bug?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Changed in firefox (Ubuntu):
importance: Undecided → Medium
importance: Medium → Low
autra (autra) wrote :

We might want to raise the importance, as it also affects webapp integration in Firefox.
external.getUnityObject(1) raises the same error.

Chris Coulson (chrisccoulson) wrote :

That's because the webapps integration uses the old unsafe method of exposing privileged objects to content. We discussed a couple of weeks ago just removing this functionality from the webapps addon, given that it no longer works, the addon needs re-writing for e10s, and webapps are opened in a dedicated container app now.

Steve Langasek (vorlon) wrote :

In fact, the failure with my greasemonkey script turned out to also be an adverse interaction with the unity add-on. Disabling that has allowed my script to work again. So this seems to be a bug in unity-firefox-extension.

David Barth (dbarth)
Changed in unity-firefox-extension (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Maxim Ermilov (zaspire)
Changed in unity-firefox-extension (Ubuntu):
assignee: Alexandre Abreu (abreu-alexandre) → nobody
David Barth (dbarth) wrote :

At this stage, the feature is deprecated and we should start moving it out of the archive.

Changed in unity-firefox-extension (Ubuntu):
assignee: nobody → David Barth (dbarth)
Changed in webapps-sprint:
milestone: none → sprint-8
assignee: nobody → David Barth (dbarth)
status: New → Triaged
importance: Undecided → Medium
David Barth (dbarth)
Changed in webapps-sprint:
milestone: sprint-8 → sprint-9
status: Triaged → In Progress
Changed in firefox (Ubuntu):
status: Confirmed → In Progress
Changed in unity-firefox-extension (Ubuntu):
status: Triaged → In Progress
David Barth (dbarth)
Changed in webapps-sprint:
milestone: sprint-9 → sprint-10
David Barth (dbarth)
Changed in webapps-sprint:
milestone: sprint-10 → sprint-11
David Barth (dbarth)
Changed in unity-firefox-extension (Ubuntu):
status: In Progress → Won't Fix
Changed in firefox (Ubuntu):
status: In Progress → Won't Fix
Changed in webapps-sprint:
status: In Progress → Won't Fix
milestone: sprint-11 → sprint-14