Using win.wrappedJSObject


To access the value of a Web page variable in Firefox you can use |wrappedJSObject|. So to get the value seen in the Web page as |window.a|, use |win.wrappedJSObject.a|, where |win| is the Web page's nsIDOMWindow (given by context.window in Firebug).

Any object obtained via |wrappedJSObject| is a live Web page object. Hackers can try to use Firebug's access to these objects to attack users. Therefore you need to take care to limit how you use |wrappedJSObject|.

Here are some guidelines from Boris Zbarsky on the newsgroup. (Here, "content objects" are the Web page's properties.)

Accessing Content Object In Chrome Privileged Scripts

  1. You can read properties from content objects, and the act of reading them is safe. The result also satisfies this property.
  2. You can safely set properties on content objects to primitive values.
  3. You can safely set properties on content objects to object values, modulo rule 5. All objects/functions reachable via the object value would be visible to content, I think.
  4. You don't want to pass anything coming from content to any place that treats strings as JS source. Examples: eval(), setTimeout(), any DOM element attribute that might be interpreted as a handler.
  5. You don't want to allow content to directly call chrome-privilege functions unless they have been _very_ carefully vetted and you understand completely all places that content-controlled data can reach via those functions. (See the next section)
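
One way to apply rules 1 and 4 when copying a page value onto a chrome-side element, shown as an added example that is not Firebug's own code. The helper names, the mock window and element, the refusal to stringify content objects, and the extra javascript: URL check are assumptions of this example that go slightly beyond the rules as stated.

```javascript
// Rule 4: attributes the DOM compiles as JS source (onclick, onload, ...).
// Matching every "on*" name over-blocks on purpose.
function isHandlerAttribute(name) {
  return /^on/i.test(String(name));
}

// Rule 1: reading is safe. Keep primitives as they are. Conservative choice
// of this example: never call or stringify a content object or function,
// because its toString/valueOf is code supplied by the page.
function readContentPrimitive(win, name) {
  var value = win.wrappedJSObject[name];
  var type = typeof value;
  if (value === null || type === "undefined" || type === "boolean" ||
      type === "number" || type === "string") {
    return value;
  }
  return "[content " + type + "]";
}

// Copy a page value onto a chrome-side element strictly as data.
function setAttributeFromContent(element, attr, win, name) {
  if (isHandlerAttribute(attr)) {
    throw new Error("refusing handler attribute from content: " + attr);
  }
  var text = String(readContentPrimitive(win, name));
  // Assumption beyond the page: javascript: URLs are also strings run as JS.
  if (/^\s*javascript:/i.test(text)) {
    throw new Error("refusing javascript: URL from content");
  }
  element.setAttribute(attr, text);
  return text;
}

// Constructed stand-ins for context.window and a chrome element.
function makeMockWindow() {
  return { wrappedJSObject: {
    a: "alert(document.cookie)",
    n: 42,
    link: " JavaScript:alert(1)",
    trap: { toString: function () { throw new Error("page code ran"); } }
  } };
}
function makeMockElement() {
  var attrs = {};
  return { setAttribute: function (k, v) { attrs[k] = v; }, attrs: attrs };
}
```

The string in |a| ends up as inert text in the title attribute; the same string passed to eval(), setTimeout() or an onclick attribute would run with chrome privileges.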

Running Chrome Scripts in Content Objects

Among the things that one might like to do in chrome-privilege functions called by content:

  1. read content objects,
  2. assign content objects to content objects,
  3. call DOM platform methods and pass content objects. (but don't violate same-origin restrictions)
  4. assign strings obtained from content objects to chrome object properties (Beware of rule 4 from the previous section!)
  5. assign strings obtained from chrome objects to content objects
  6. avoid passing content objects into chrome functions unless you can ensure that you don't violate the rest of the guidelines.
  7. beware that chrome functions can close over chrome objects.

You can also make network requests or read the filesystem and combine resulting strings with strings you get from content....