Check both browser and chrome objects in enumerateFramesAndNamespaceO…

…bjects https://bugs.webkit.org/show_bug.cgi?id=270657 rdar://123409359 Reviewed by Timothy Hatcher. Some extensions use a polyfill to overwrite the browser object with their own proxy. The Blue Canoe extension was doing this, and it led to WebExtensionContextProxy::enumerateFramesAndNamespaceObjects not being able to find the namespace object for the extension, since we were only checking the `browser` object. To fix this, check both `browser` and `chrome`, and use whichever one is valid. * Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp: (WebKit::WebExtensionContextProxy::enumerateFramesAndNamespaceObjects): Canonical link: https://commits.webkit.org/275809@main
WebKit · Mar 7, 2024 · 5e8c33f · 5e8c33f
1 parent 5381f48
commit 5e8c33f
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp b/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp
@@ -189,11 +189,18 @@ void WebExtensionContextProxy::enumerateFramesAndNamespaceObjects(const Function
 
         auto context = page->isServiceWorkerPage() ? frame->jsContextForServiceWorkerWorld(world) : frame->jsContextForWorld(world);
         auto globalObject = JSContextGetGlobalObject(context);
-        auto namespaceObject = JSObjectGetProperty(context, globalObject, toJSString("browser").get(), nullptr);
-        if (!namespaceObject || !JSValueIsObject(context, namespaceObject))
-            continue;
 
-        RefPtr namespaceObjectImpl = toWebExtensionAPINamespace(context, namespaceObject);
+        RefPtr<WebExtensionAPINamespace> namespaceObjectImpl;
+        auto browserNamespaceObject = JSObjectGetProperty(context, globalObject, toJSString("browser").get(), nullptr);
+        if (browserNamespaceObject && JSValueIsObject(context, browserNamespaceObject))
+            namespaceObjectImpl = toWebExtensionAPINamespace(context, browserNamespaceObject);
+
+        if (!namespaceObjectImpl) {
+            auto chromeNamespaceObject = JSObjectGetProperty(context, globalObject, toJSString("chrome").get(), nullptr);
+            if (chromeNamespaceObject && JSValueIsObject(context, chromeNamespaceObject))
+                namespaceObjectImpl = toWebExtensionAPINamespace(context, chromeNamespaceObject);
+        }
+
         if (!namespaceObjectImpl)
             continue;