exports.isSafeJSObject = function(obj) {
// If we are running on a worker thread, Cu is not available. In this case,
// we always return false, just to be on the safe side.
if (isWorker) {
return false;
}
if (Cu.getGlobalForObject(obj) ==
Cu.getGlobalForObject(exports.isSafeJSObject)) {
// obj is not a cross-compartment wrapper.
return true;
}
// Xray wrappers protect against unintended code execution.
if (Cu.isXrayWrapper(obj)) {
return true;
}
// If there aren't Xrays, only allow chrome objects.
const principal = Cu.getObjectPrincipal(obj);
if (!Services.scriptSecurityManager.isSystemPrincipal(principal)) {
return false;
}
// Scripted proxy objects without Xrays can run their proxy traps.
if (Cu.isProxy(obj)) {
return false;
}
// Even if `obj` looks safe, an unsafe object in its prototype chain may still
// run unintended code, e.g. when using the `instanceof` operator.
const proto = Object.getPrototypeOf(obj);
if (proto && !exports.isSafeJSObject(proto)) {
return false;
}
// Allow non-problematic chrome objects.
return true;
};