Ka-Ping Yee wrote:
> The problem of denying permission when it should
> be granted could turn out to be a more serious problem than it
> seems at first
Yeah, that's basically what Brendan and I were thinking...
> To implement this in the Limited Power scheme, you would set up
> the namespace so that "window" refers not to the real window object,
> but an object with a read-only "status" property.
We do this to some extent. We can't use this in general, for at least the
following reasons:
1) Objects in JS get passed around. The "window" object can get passed to
someone who is allowed to set window.status.
2) Permissions are not statically bound to a script (see enablePrivilege).
Therefore the same script may or may not be allowed to set window.status,
depending on what else it's done. We can't really switch the
object out from under it, easily.
3) Permissions are not time-invariant. For example, setting of window.status
is controlled by a user pref; if the user changes that pref we want behavior
to change for all scripts, including already-loaded ones.
4) Setting a readonly property would throw an exception, whereas we want
setting window.status to simply be a no-op if the script is not in
fact allowed to change the status text.
This last is the one that makes things sort of hard. A lot of our "security"
checks are like that -- don't actually throw a security exception, just ignore
the call...
-Boris
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
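The two approaches contrasted in the message above, as an added example that is not part of the original thread and not Mozilla code. It models a "window" stand-in with a read-only `status` data property (the Limited Power suggestion) beside one whose `status` setter re-checks permission on every write and silently drops the write when the caller is not allowed. Everything here is constructed for illustration: `statusBar` stands in for the browser's status text, `prefs["dom.disable_window_status_change"]` for the user pref that can flip at runtime (point 3), and `runAs`/`currentCaller` for the engine's notion of which principal is executing, which is what lets the same object be handed to a more-privileged caller (points 1 and 2) rather than baking the decision into the object. One caveat the reader should know: assignment to a non-writable data property throws a TypeError only in strict-mode code; sloppy-mode code ignores it, so the "throws vs. no-op" behaviour of the read-only approach depends on the caller's mode, which is another reason not to lean on it for a security check.

```javascript
"use strict";
// Constructed model of a status-bar write guarded two different ways.
// Not Mozilla's code; all names below are assumptions for the example.

// The "real" status bar that chrome owns.
const statusBar = { text: "" };

// A user preference that may change while scripts are already loaded.
const prefs = { "dom.disable_window_status_change": false };

// The principal currently executing. A real engine derives this from the
// running script's principal/stack; here it is a global set by runAs().
let currentCaller = { name: "content", privileged: false };

// Run fn() as the given caller, restoring the previous caller afterwards.
// A caller with privileged:true also stands in for a content script that
// has successfully called enablePrivilege (permissions are not static).
function runAs(caller, fn) {
  const prev = currentCaller;
  currentCaller = caller;
  try {
    return fn();
  } finally {
    currentCaller = prev;
  }
}

// Decision is made at write time, from the caller and the live pref.
function canSetStatus() {
  return currentCaller.privileged || !prefs["dom.disable_window_status_change"];
}

// Approach A: a stand-in "window" with a read-only status property.
// The decision is frozen into the object; it cannot follow the caller
// or the pref, and a strict-mode write throws instead of being ignored.
function makeReadOnlyWindow() {
  const w = {};
  Object.defineProperty(w, "status", {
    value: statusBar.text,
    writable: false,
    enumerable: true,
    configurable: false,
  });
  return w;
}

// Approach B: an accessor that re-checks permission on every write and
// turns a denied write into a no-op. One object serves every caller.
function makeCheckedWindow() {
  return Object.defineProperty({}, "status", {
    get() {
      return statusBar.text;
    },
    set(v) {
      if (canSetStatus()) statusBar.text = String(v);
      // else: silently ignore, no exception surfaces to the script
    },
    enumerable: true,
  });
}

// Attempt a write and report whether it threw and what the bar now shows.
function trySet(win, value) {
  try {
    win.status = value; // strict-mode code: non-writable property throws
    return { threw: false, status: statusBar.text };
  } catch (e) {
    return { threw: true, error: e.constructor.name, status: statusBar.text };
  }
}

function demo() {
  const content = { name: "content", privileged: false };
  const chrome = { name: "chrome", privileged: true };
  const results = {};
  statusBar.text = "";

  // User has disabled status changes by unprivileged scripts.
  prefs["dom.disable_window_status_change"] = true;

  // A: read-only property throws on write, regardless of who writes.
  results.readOnlyContent = runAs(content, () => trySet(makeReadOnlyWindow(), "x"));

  // B: the same object, handed first to content and then to chrome.
  const win = makeCheckedWindow();
  results.checkedContentDenied = runAs(content, () => trySet(win, "from content"));
  results.checkedChrome = runAs(chrome, () => trySet(win, "from chrome"));

  // The pref flips at runtime; already-loaded content now succeeds.
  prefs["dom.disable_window_status_change"] = false;
  results.checkedContentAllowed = runAs(content, () => trySet(win, "from content"));

  return results;
}

module.exports = { demo, makeReadOnlyWindow, makeCheckedWindow, runAs, trySet, prefs, statusBar };
```

Running `demo()` shows the read-only stand-in throwing a TypeError for the content caller, the checked window ignoring the denied write, accepting the chrome write, and then accepting the content write once the pref changes, all through one object.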