Issue 917703
Issue metadata
Status: Assigned
Pri: 2
Type: Bug


CustomEvent.detail transferred as null into content script when the object contains functions

Reported by woxxom@gmail.com, Dec 24

Issue description

PoC in devtools console with any extension that injects a content script:

// content script context
addEventListener('test', e => console.log(e.detail))
// main page context
dispatchEvent(new CustomEvent('test', {detail: {foo: window.alert}}));
// observed
null
// expected
{}

Even though it's apparently considered WAI ( https://crbug.com/598171#c16 ), it still seems weirdly different from how extension messaging works, which does JSON.stringify + JSON.parse so the non-transferable stuff is simply skipped, resulting in at least {} being passed for {foo: window.alert}.

======================================================

Test extension is attached too:
1. open https://examle.org
2. click the extension button
Expected: "{}" is shown
Observed: "null" is shown

======================================================

Bisected to: 210523 (good) - 210534 (bad)
https://chromium.googlesource.com/chromium/src/+log/0061349a01..660ced2c7f?pretty=fuller
Suspecting r210531 "Blink roll 153685:153737"
Specifically 31a455d68c1715eb5b061c983f09940679104bd6
"Remove leak of objects between isolated worlds on custom events, message events, and pop state events."
Landed in 30.0.1561.0

Attachment: ext.zip (806 bytes)

To reiterate and clarify, the suspected 31a455d68c1715eb5b061c983f09940679104bd6 fixes bug 85158 - which is fine - but here I'm objecting to discarding the entire 'detail' object just because it has a non-transferable item inside, because it's different from extension messaging, which simply skips such items.
The benefit of restoring the skipping approach would be the ability to transfer a big complex state object. Currently we need to deep-clone it in JS, which may be slow and cause jank due to accumulated GC jobs. Of course, that benefit would make sense only if V8 can automatically skip the "bad" items while transferring the detail object in a secure fashion.
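Added example (not part of the bug report or the attached extension): a Node.js script contrasting the two transfer policies the report compares. A JSON round-trip, which is how the report describes extension messaging serializing, silently drops function-valued properties, so {foo: fn} becomes {}. Structured clone, which the report's bisect attributes the cross-world CustomEvent.detail behaviour to, rejects the whole value as soon as any part is not cloneable; the wrapper below maps that rejection to null to mirror what the content script observes. The third function is the kind of manual "strip the bad items" deep-clone the comment above says is needed today, extended to survive cycles (which JSON cannot). The function names, the sample state objects and the wrapper are assumptions made for this example; the global structuredClone needs Node 17+ or a browser.

```javascript
// Added example, not code from the Chromium issue or its attachment.
// Names below (jsonRoundTrip, structuredCloneOrNull, toCloneable,
// sampleState, cyclicState) are chosen for this example only.

// Policy 1: extension-messaging style. JSON.stringify drops function and
// undefined members of objects and turns them into null inside arrays.
function jsonRoundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// Policy 2: structured clone. One non-cloneable member anywhere in the
// graph makes the whole clone fail with DataCloneError; returning null
// here mirrors what the report observes in the content script.
function structuredCloneOrNull(value) {
  try {
    return structuredClone(value);
  } catch (e) {
    if (e && e.name === 'DataCloneError') return null;
    throw e;
  }
}

// Manual pre-clean before dispatching a CustomEvent across worlds:
// recursively copy plain data, skip functions/symbols (null inside arrays
// to keep indices, same as JSON), and remember visited objects so cyclic
// state does not recurse forever. Like JSON, it does not preserve Date,
// Map or Set instances; those come back as plain objects.
function toCloneable(value, seen = new WeakMap()) {
  if (typeof value === 'function' || typeof value === 'symbol') return undefined;
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return seen.get(value);
  if (Array.isArray(value)) {
    const out = [];
    seen.set(value, out);
    for (const item of value) {
      const c = toCloneable(item, seen);
      out.push(c === undefined ? null : c);
    }
    return out;
  }
  const out = {};
  seen.set(value, out);
  for (const [k, v] of Object.entries(value)) {
    const c = toCloneable(v, seen);
    if (c !== undefined) out[k] = c;
  }
  return out;
}

// Constructed sample state: plain data mixed with functions at several depths.
function sampleState() {
  return {
    count: 3,
    foo: () => {},
    nested: { tag: 'x', cb: function () {} },
    list: [1, () => {}, 2],
  };
}

// Constructed cyclic state: a legitimate shape for app state that JSON rejects.
function cyclicState() {
  const ring = { name: 'ring' };
  ring.self = ring;
  return ring;
}

console.log('JSON round-trip   :', JSON.stringify(jsonRoundTrip(sampleState())));
console.log('structured clone  :', structuredCloneOrNull(sampleState()));
console.log('toCloneable+clone :', JSON.stringify(structuredCloneOrNull(toCloneable(sampleState()))));
```

The first line shows the skipping behaviour the report asks for ({} instead of null for a function-only object), the second the rejection it objects to, and the third that a pre-cleaned object crosses structured clone intact.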
Labels: -Pri-3 Pri-2
Status: Assigned (was: Untriaged)