Using win.wrappedJSObject

From FirebugWiki

(Difference between revisions)
(Created page with 'To access the values of a Web page variable in Firefox you can use |wrappeddJSObject|. So to get the value seen in the Web page as |window.a|, use |win.wrappedJSObject.a| where |…')
m (Accessing Content Object In Chrome Privileged Scripts)
 
(One intermediate revision not shown)
Line 3: Line 3:
Any object obtained via |wrappedJSObject| is a live Web page object. Hackers can try to use Firebug's access of these objects to attack users. Therefore you need to take care to limit how you use |wrappedJSObject|.
Any object obtained via |wrappedJSObject| is a live Web page object. Hackers can try to use Firebug's access of these objects to attack users. Therefore you need to take care to limit how you use |wrappedJSObject|.
-
Here are some guidelines from Boris Zbarsky on the [http://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/8d8470bce0d5b80f/9ec34b4fe93f24bb moz.dev.platform newsgroup]. Here a content object is the Web page properties:
+
Here are some guidelines from Boris Zbarsky on the [http://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/8d8470bce0d5b80f/9ec34b4fe93f24bb moz.dev.platform newsgroup]. (Here a content object is the Web page properties)
-
1) You can read properties from content objects, and the act of reading them is safe.  The result also satisfies this property.
+
== Accessing Content Object In Chrome Privileged Scripts ==
-
2) You can safely set properties on content objects to primitive values.
+
# You can read properties from content objects, and the act of reading them is safe.  The result also satisfies this property.
 +
# You can safely set properties on content objects to primitive values.
 +
# You can safely set properties on content objects to object values, modulo rule 5.  All objects/functions reachable via the object value would be visible to content, I think.
 +
# '''You don't want to pass anything coming from content to any place that treats strings as JS source.''' Examples: eval(), setTimeout(), any DOM element attribute that might interpreted as a handler.
 +
# You don't want to allow content to directly call chrome-privilege functions unless they have been _very_ carefully vetted and you understand completely all places that content-controlled data can reach via those functions. (See the next section)
-
3) You can safely set properties on content objects to object values, modulo rule 5.  All objects/functions reachable via the object value would be visible to content, I think.
+
== Running Chrome Scripts in Content Objects ==
-
 
+
-
4) You don't want to pass anything coming from content to any place that treats strings as JS source.
+
-
 
+
-
5) You don't want to allow content to directly call chrome-privilege functions unless they have been _very_ carefully vetted and you understand completely all places that content-controlled data can reach via those functions.
+
Among the things that one might like to do in chrome-privilege functions called by content:
Among the things that one might like to do in chrome-privilege functions called by content:
-
> 1) read content objects,
 
-
> 2) assign content objects to content objects,
 
-
> 3) call DOM platform methods and pass content objects.
 
-
 
-
Mostly yes, though if you violate same-origin restrictions in #3 there (which you can do, as chrome) you can lose.
 
-
 
-
> 4) assign strings obtained from content objects to chrome object
 
-
> properties
 
-
 
-
If you're guaranteed that they're strings, and if you're careful about what you do with those chrome object properties, yes.
 
-
 
-
> 5) assign strings obtained from chrome objects to content objects
 
-
 
-
Yes.
 
-
 
-
> 6) avoid passing content objects into chrome functions unless you can
 
-
> ensure that you don't violate the rest of the guidelines.
 
-
> 7) beware that chrome functions can close over chrome objects.
 
-
Yes.
+
# read content objects,
 +
# assign content objects to content objects,
 +
# call DOM platform methods and pass content objects. (but don't violate same-origin restrictions)
 +
# assign strings obtained from content objects to chrome object properties (Beware of rule 4 from the previous section!)
 +
# assign strings obtained from chrome objects to content objects
 +
# avoid passing content objects into chrome functions unless you can ensure that you don't violate the rest of the guidelines.
 +
# beware that chrome functions can close over chrome objects.
You can also make network requests or read the filesystem and combine resulting strings with strings you get from content....
You can also make network requests or read the filesystem and combine resulting strings with strings you get from content....
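Review bot: items 3 and 4 of the new "Running Chrome Scripts in Content Objects" list compress the replies that the old revision quoted, and two conditions are lost. The removed reply to item 3 said that chrome can violate same-origin restrictions and "you can lose" if it does; the new "(but don't violate same-origin restrictions)" no longer says that chrome code is able to do so. The removed reply to item 4 required being "guaranteed that they're strings", which "(Beware of rule 4 from the previous section!)" does not cover. Suggest restoring both conditions in the list items. Separately, "might interpreted as a handler" in the new rule 4 is missing "be".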

Latest revision as of 04:55, 17 October 2010

To access the value of a Web page variable in Firefox, you can use |wrappedJSObject|. To get the value that the Web page sees as |window.a|, use |win.wrappedJSObject.a|, where |win| is the Web page's nsIDOMWindow (given by context.window in Firebug).

Any object obtained via |wrappedJSObject| is a live Web page object. Hackers can try to use Firebug's access to these objects to attack users, so take care to limit how you use |wrappedJSObject|.

Here are some guidelines from Boris Zbarsky on the moz.dev.platform newsgroup. (Here, a content object is an object or property that belongs to the Web page.)

Accessing Content Object In Chrome Privileged Scripts

  1. You can read properties from content objects, and the act of reading them is safe. The result also satisfies this property.
  2. You can safely set properties on content objects to primitive values.
  3. You can safely set properties on content objects to object values, modulo rule 5. All objects/functions reachable via the object value would be visible to content, I think.
  4. You don't want to pass anything coming from content to any place that treats strings as JS source. Examples: eval(), setTimeout(), any DOM element attribute that might be interpreted as a handler.
  5. You don't want to allow content to directly call chrome-privilege functions unless they have been _very_ carefully vetted and you understand completely all places that content-controlled data can reach via those functions. (See the next section)

Running Chrome Scripts in Content Objects

Among the things that one might like to do in chrome-privilege functions called by content:

  1. read content objects,
  2. assign content objects to content objects,
  3. call DOM platform methods and pass content objects. (but don't violate same-origin restrictions)
  4. assign strings obtained from content objects to chrome object properties (Beware of rule 4 from the previous section!)
  5. assign strings obtained from chrome objects to content objects
  6. avoid passing content objects into chrome functions unless you can ensure that you don't violate the rest of the guidelines.
  7. beware that chrome functions can close over chrome objects.

You can also make network requests or read the filesystem and combine resulting strings with strings you get from content....
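
Rule 4 of the first list and item 4 of the second, as an added example (not Firebug's code and not part of the original page): a chrome-side helper that accepts only primitive values from a content object and passes a content string on as data, never as script source. `win` is a constructed stand-in for the page window, and `readContentPrimitive` and `reportLater` are hypothetical names.

```javascript
// Added example. `win` is a constructed stand-in for a page window; in
// Firebug it would be context.window. Helper names are hypothetical.

// Return a primitive copy of a content property, or null. typeof does not
// call into the value, so a page object with its own toString()/valueOf()
// is rejected without ever being coerced by chrome code.
function readContentPrimitive(contentObj, name) {
  const value = contentObj[name];            // rule 1: reading is safe
  const t = typeof value;
  if (t === "string" || t === "number" || t === "boolean") {
    return value;
  }
  return null;                               // objects and functions stay out
}

// Rule 4: the string is only ever data. It reaches the sink as an argument
// captured in a closure, never as setTimeout("...") source text, eval()
// input, or the value of an on* handler attribute.
function reportLater(text, sink, schedule) {
  if (typeof text !== "string") {
    throw new TypeError("expected a primitive string from content");
  }
  schedule(function () { sink(text); }, 0);
}

// Constructed sample page state.
let coerced = 0;
const win = {
  wrappedJSObject: {
    a: "alert(1)",                           // a string that looks like JS source
    b: { toString() { coerced++; return "x"; } },
  },
};

function demo() {
  const page = win.wrappedJSObject;
  const shown = [];
  const runNow = (fn) => fn();               // synchronous scheduler for the demo
  reportLater(readContentPrimitive(page, "a"), (s) => shown.push(s), runNow);
  const rejected = readContentPrimitive(page, "b");
  return { shown, rejected, coerced };
}
```

In real chrome code `schedule` would be `setTimeout`, called with the function form as above.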
