Standardize Firefox `exportFunction()` and `cloneInto()`

[minfrin]

Firefox offers two functions that enable functionality and/or objects present in a content script to be exposed in a controlled fashion to a webpage.

This mechanism keeps the security separation between the webpage and content script, while allowing webpages to access functionality defined in a web extension.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts#exportfunction

Standardise this (or a suitable variation) for all browsers.

[ghostwords]

Some context: #57 (comment)

[theseanl]

Documentations on exportFunction and cloneInto seems to be implying that these APIs are deeply integrated into Firefox's implementation details. That said, these APIs are definitely something that I'd love to see in other platforms, and having it well-documented would be great.

The current Firefox documentation on these APIs are quite a mess. Its documentations are very out-of-date, some of them are only available via google search cache. Existing documentations are based on providing examples, not on rigorous specification.

It is also based on very ad-hoc concepts; xray vision will see properties of DOM objects un-altered, but except for Object and Array. However, DOM objects are Object instances anyway, and this special casing leads to many weird behaviors involving prototypes.

It is a permission-based API, which means an innocuous-looking code can suddenly throw errors in runtime, in contrast to your friendly cross-origin errors, which are only thrown during only a few distinguished API calls. It seems that it is not possible to statically analyze a codebase for possibilities of such errors.

Therefore, the current status of this API is inherently developer-hostile. It 'works' for exposing simple callback functions to pages, but if you try to build anything marginally more complex, you will quickly fall into a maze of cryptic errors. I expect that there will be very few people who understands this API through the end. It even feels that Mozilla would want to phase out these APIs eventually.

Some deficiencies of the current API that I'd like to see addressed:

• There is no way to unwaive Xray vision for an object. This was possible with Components.utils.unwaiveXrays in FF add-on SDK.
• There is no reliable way to distinguish normal objects and xrayed objects, waived and unwaived.
• There is no exportFunction counterpart for classes.

[Rob--W]

It is unlikely for other browsers to adopt these methods. This functionality is tied to Firefox's Xrays. There is an effort to standardize on a version that allows content scripts to call functions in the main world and expose a message port (#678, #679). Extensions can use this primitive to run logic and communicate back. The API defines cloning based on structured cloning, and special cases DOM elements, similar to the wrapReflectors option of cloneInto.