Using win.wrappedJSObject
From FirebugWiki
Revision by Johnjbarton
Latest revision as of 04:55, 17 October 2010
To access the values of a Web page variable in Firefox you can use |wrappedJSObject|. So to get the value seen in the Web page as |window.a|, use |win.wrappedJSObject.a| where |win| is the Web page's nsIDOMWindow (given by context.window in Firebug).
Any object obtained via |wrappedJSObject| is a live Web page object. Hackers can try to use Firebug's access of these objects to attack users. Therefore you need to take care to limit how you use |wrappedJSObject|.
Here are some guidelines from Boris Zbarsky on the moz.dev.platform newsgroup. (Here, content objects are the Web page's properties.)
Accessing Content Object In Chrome Privileged Scripts
1. You can read properties from content objects, and the act of reading them is safe. The result also satisfies this property.
2. You can safely set properties on content objects to primitive values.
3. You can safely set properties on content objects to object values, modulo rule 5. All objects/functions reachable via the object value would be visible to content, I think.
4. You don't want to pass anything coming from content to any place that treats strings as JS source. Examples: eval(), setTimeout(), any DOM element attribute that might be interpreted as a handler.
5. You don't want to allow content to directly call chrome-privilege functions unless they have been _very_ carefully vetted and you understand completely all places that content-controlled data can reach via those functions. (See the next section)
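Rule 4 side by side with a safe alternative, as an added example that is not from the original wiki page or from Firebug's code. The |win| object, |makeChrome|, |showUnsafe| and |showSafe| are hypothetical stand-ins, the page value is constructed, and |new Function| stands in for eval() or setTimeout() with a string so the block runs outside Firefox.

```javascript
// Constructed stand-in for the Web page window; in Firebug this would be
// context.window. Everything under wrappedJSObject is chosen by the page.
const win = { wrappedJSObject: { a: "'); chrome.secretRead = true; ('" } };

// Hypothetical chrome-side state that content must not be able to change.
function makeChrome() {
  return { secretRead: false, shown: [] };
}

// UNSAFE (violates rule 4): the content string becomes part of JS source.
// new Function stands in for eval() or setTimeout("...string...").
function showUnsafe(chrome, win) {
  const src = "chrome.shown.push('" + win.wrappedJSObject.a + "');";
  new Function("chrome", src)(chrome);
  return chrome;
}

// SAFE: the content value is only ever handled as data.
function showSafe(chrome, win, schedule = (fn) => fn()) {
  const value = win.wrappedJSObject.a; // rule 1: reading is safe
  // Accept only a primitive string; converting an object to a string
  // would call a page-defined toString().
  if (typeof value !== "string") {
    throw new TypeError("expected a primitive string from content");
  }
  // Pass a function, never a string, to the scheduler
  // (real code: setTimeout(function () { ... }, 0)).
  schedule(function () { chrome.shown.push(value); });
  return chrome;
}
```

With the constructed page value, |showUnsafe| flips |secretRead| on the chrome-side object, while |showSafe| stores the same string unchanged and leaves the flag alone.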
Running Chrome Scripts in Content Objects
Among the things that one might like to do in chrome-privilege functions called by content:
- read content objects,
- assign content objects to content objects,
- call DOM platform methods and pass content objects (but don't violate same-origin restrictions),
- assign strings obtained from content objects to chrome object properties (Beware of rule 4 from the previous section!)
- assign strings obtained from chrome objects to content objects
- avoid passing content objects into chrome functions unless you can ensure that you don't violate the rest of the guidelines.
- beware that chrome functions can close over chrome objects.
You can also make network requests or read the filesystem and combine resulting strings with strings you get from content....