Right, so we all know what protected scripts, trusted windows and
trusted objects are [1].
All I want to do here is outline a problem with the model; I haven't
thought about ways to solve it (or whether anyone else will care - they
often don't).
- Everyone loves extensions [2].
- Everyone loves tabs.
- Everyone tries to load everything into a tab.
- Tabs, and the browser view, are (of course) untrusted.
This means you invariably get an (extension's window) untrusted window
loaded with its own code protected. I have been led to believe that
code loaded 'for' a window automatically has access to its 'owner'
window, or this case would already have fallen over.
The problem is when the window has its own sub-content. Then you get:
+- browser              Trusted window + Protected code
   +- tab               Untrusted window + Protected code
      +- sub-content    Untrusted window
The code loaded into the tab can't access its own sub-content without
getting attacked by the security manager and XPCNativeWrappers.
Now, the real gotcha here is that the sub-content has been specifically
flagged by the outer window as content it trusts. (What's going on, of
course, is that the browser does NOT trust said sub-content.)
I suppose the problem can be thought of in two separate ways:
- The protected code should not be protected, as it is already in an
untrusted place. (Of course, not protecting it and at the same time
giving it chrome permissions isn't... so nice.)
- The protected code should be allowed access to the sub-content
because it is a child of the code's "own" window and is flagged trusted
in that window.
Would it make sense to have a "trust tree" kinda thing, where the page
in the tab can properly trust itself and its sub-content, but have
neither trusted by the browser?
/discuss
--
James Ross <[EMAIL PROTECTED]>
ChatZilla Developer
[1] http://developer.mozilla.org/en/docs/XPCNativeWrapper
[2] Ish.
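
A toy model of the window hierarchy described in the message above, added here as an illustration; it is not Mozilla's security manager and not code from the original post. The function names and the `trustedChildren` flag are hypothetical, and `treeAccess` is only one possible reading of the "trust tree" idea.

```javascript
// Toy model only: windows are plain objects, access is "direct" or "wrapped"
// (wrapped = reached through an XPCNativeWrapper-style restricted view).
function makeWindow(name, parent, browserTrusted) {
  // trustedChildren: sub-content this window has itself flagged as trusted
  return { name, parent, browserTrusted, trustedChildren: new Set() };
}

// Model as the post describes it: protected code gets direct access to
// browser-trusted windows and (per the post) to its own owner window.
// Trust is decided from the browser's point of view only.
function flatAccess(owner, target) {
  if (target.browserTrusted || target === owner) return "direct";
  return "wrapped";
}

// Trust-tree reading: trust is also relative to the code's owner window.
// Direct access is added when every link from target up to owner has been
// flagged trusted by the parent on that link. Otherwise the flat rule applies.
function treeAccess(owner, target) {
  let node = target;
  while (node !== owner && node.parent) {
    if (!node.parent.trustedChildren.has(node)) break; // chain is broken
    if (node.parent === owner) return "direct";
    node = node.parent;
  }
  return flatAccess(owner, target);
}

// Constructed sample matching the three-level diagram in the post.
function buildSample() {
  const browser = makeWindow("browser", null, true);
  const tab = makeWindow("tab", browser, false);
  const sub = makeWindow("sub-content", tab, false);
  tab.trustedChildren.add(sub); // the tab's page flags its own sub-content
  return { browser, tab, sub };
}

const sample = buildSample();
for (const owner of [sample.browser, sample.tab]) {
  for (const target of [sample.tab, sample.sub]) {
    console.log(`${owner.name} code -> ${target.name}:`,
      `flat=${flatAccess(owner, target)}`, `tree=${treeAccess(owner, target)}`);
  }
}
```

In this model the tab's code reaches its sub-content directly only under the tree rule, while browser code stays wrapped for both the tab and the sub-content under either rule.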