Like Boris says, JavaScript in add-ons is bad, and it is frowned upon big-time.
https://addons.mozilla.org/en-US/developers/docs/policies/reviews In fact, it is prohibited for an add-on hosted by addons.mozilla.org to fetch remote content in this way, falling into the prohibited add-on category of "Add-ons that provide their own update mechanism for chrome-privileged resources" (see above link and below one). https://developer.mozilla.org/en/Security_best_practices_in_extensions#Remote_JavaScript_and_Content A safer way to run remote scripts is to call "evalInSandbox" on the URL for the code, giving it restricted access (i.e., not chrome privileges), so it can still be run to do some things, but not to play with chrome stuff. -Sid On 12/18/09 2:10 PM, Boris Zbarsky wrote: > On 12/18/09 1:44 PM, EricLaw wrote: >> Quick question for you… When a XUL file in an installed Firefox addon >> pulls in a remote script via HTTP: >> >> e.g. inside firefoxOverlay.xul: >> >> <script src="http://example.com/extensions/script.js?ff"/> >> >> ...is that script accorded the permissions of the chrome:// security >> zone? > > Yes. > >> If so, that can enable a remote EoP if there's a MiTM attack, right? > > Yes. Don't do that. > > -Boris _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
