Add-ons often need to interact with page content, and mixing privileged and unprivileged code can be a tricky thing to get right without compromising security. Unintentionally exposing privileged objects to web content is a major security concern, which is why bug 553102 came about.

The idea behind this bug is simple: if you need to share an object with a script in the content, you need to add it to a whitelist. Starting with version 15, Firefox will show an error in the Error Console whenever a privileged object property or function is accessed from the content without it being added to the whitelist. The code will continue to work, but the error is there to let add-on developers know that they need to change this as soon as possible. In Firefox 17, the whitelist will become mandatory and the shared object members will cease to be visible from content.

How It Works

If you wanted to share an object with the content, from your add-on code you would do something like this:

var sharedObject = { foo : "Hello!" };

contentWindow.wrappedJSObject.sharedObject = sharedObject;

Then from a script in the content you can do something like this:

alert(window.sharedObject.foo);

And this would alert the text “Hello!” in the page. Starting with Firefox 17, this won’t work. The page will be able to see window.sharedObject, but none of its properties or functions will be visible. For it to work, you now must do this in your add-on code:

var sharedObject = { foo : "Hello!", __exposedProps__ : { foo : "r"} };

contentWindow.wrappedJSObject.sharedObject = sharedObject;

The __exposedProps__ property is the whitelist that tells Firefox it’s okay to share foo with the content. The value can be “r” (read-only), “w” (write-only), or “rw” (read and write). You generally want to use “r”.
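As an added example (not code from this post or from Firefox), the helper below checks an object before it is attached to wrappedJSObject: it reports members that content will not see once the whitelist is mandatory and members exposed as writable, and it builds a copy that carries only the named members, all marked "r". The names auditSharedObject, shareReadOnly and addonState are assumptions, and the code models the rules as stated above rather than calling any Firefox API.

```javascript
// Added example: a pre-flight check for objects shared with content.
const VALID_MODES = new Set(["r", "w", "rw"]); // the three values listed above

// Report how each member of a to-be-shared object fares under the whitelist.
function auditSharedObject(obj) {
  const exposed = obj.__exposedProps__ || {};
  const report = { hidden: [], writable: [], invalid: [], missing: [] };
  for (const name of Object.keys(obj)) {
    if (name === "__exposedProps__") continue;
    // Not whitelisted: invisible to content once the whitelist is mandatory.
    if (!Object.prototype.hasOwnProperty.call(exposed, name)) report.hidden.push(name);
  }
  for (const [name, mode] of Object.entries(exposed)) {
    if (!VALID_MODES.has(mode)) report.invalid.push(name);
    else if (mode.includes("w")) report.writable.push(name); // content may overwrite it
    if (!(name in obj)) report.missing.push(name); // whitelist entry with no member
  }
  return report;
}

// Build a fresh object holding only the named members, each exposed as "r".
// Members that are not named are never copied, so they cannot be reached.
function shareReadOnly(source, names) {
  const shared = { __exposedProps__: {} };
  for (const name of names) {
    if (!(name in source)) throw new Error("no such member: " + name);
    shared[name] = source[name];
    shared.__exposedProps__[name] = "r";
  }
  return shared;
}

// Constructed sample: add-on state with one member meant for the page.
const addonState = { foo: "Hello!", prefs: { token: "constructed-placeholder" } };

console.log(auditSharedObject({ foo: "Hello!" }));                // foo is hidden
console.log(auditSharedObject(shareReadOnly(addonState, ["foo"]))); // nothing flagged
```

In add-on code the result of shareReadOnly is what would be assigned to contentWindow.wrappedJSObject.sharedObject, after the audit comes back with every list empty.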

Note that this only affects your add-on if you’re sharing objects with the content. If all you’re doing is passing values like numbers, booleans or strings, they should continue to work.

Still, it is recommended that all add-on devs thoroughly test their add-ons in Firefox 15 (beta at the moment) and look for the deprecation error in the Error Console. Then test it in Firefox 17 (nightly at the moment) and see if anything breaks when interacting with content.

If your add-on is based on the Add-ons SDK, you should update your add-on to the latest release of the SDK and test. You probably won’t need to change any code, since the SDK should take care of this for you.

If you have any questions about this, please share them in the comments.