So I'm trying to wrap my head around the security policies enforced
when JavaScript crosses contexts. The XPCNativeWrapper doc[*] does a
great job of covering access to untrusted objects by trusted scripts,
but not so much the other way around. In particular, this access
matrix seems to imply something dangerous:
-----------------------------------
What happens when a script accesses an object?

  Script       Object    Effects
  Protected    Trusted   No wrapper is created and therefore the script
                         gets full access to the object.
  ...
  Unprotected  Trusted   No wrapper is created, just as in the
                         protected/trusted case.
  ...
-------------------------------------
If I understand this correctly, if I give an unprotected script a
reference to a trusted object, that script has full access to the
object? For example, if I give a script in a web page a reference to
an object instantiated in a js XPCOM component, that script could
replace someobject.prototype.foo? That seems so dangerous that I think
I must be mis-reading this doc or missing some part of the equation...
Perhaps someone could walk me through (or better yet, post a page that
walks someone through) the algorithm that's used to make these kinds
of determinations, as well as the explicit security policy the
algorithm is designed to implement.
(BTW, side question: we've been playing around with executing
maybe-untrusted scripts in a sandbox, and I'm trying to reason out why
you can't set sandbox.alert = trustedWindow.alert, but you can set
sandbox.alert = function(x) { trustedWindow.alert(x); };)
[*] http://developer.mozilla.org/en/docs/XPCNativeWrapper
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security