https://wiki.mozilla.org/Apps/Security#Open_questions
point 3 - eval. which someone raised earlier.

ok, i'm dealing with a situation in pyjamas-desktop where it can't actually execute javascript. so what has to be done is: you inject a script node into the body of the HTML using python DOM bindings. the code there stores its responses in a hidden iframe. the data in the hidden iframe is monitored for changes (from the python code, using python DOM bindings).

you can see what's coming, can't you.

in this way, any "security" measures which prevent or prohibit arbitrary execution of code within one security context can be _completely_ bypassed through this technique, when it is deployed in a B2G app.

any gaia app that is "locked down" and is not given permission to execute arbitrary code from remote sources.... well... all you have to do is use this iframe trick, cooperate with an external web site to provide the arbitrary code, then get it into the gaia/B2G app security context with the above trick, and run "eval" on it.

this would actually be incredibly hard to spot within a rogue app.... unless eval was locked down (within the gaia/B2G app security context).

l.
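Added example, not part of the original post: a small audit of a Content Security Policy string for the two things the message depends on, whether `eval` is permitted and which non-self origins may be framed or loaded as script. It assumes the app's context is governed by a CSP (the post names no mechanism); `auditCsp` and the sample policies are constructed for illustration.

```javascript
// Parse a CSP string into directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP keeps the first occurrence of a directive; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Walk a fallback chain; null means no directive applies (unrestricted).
function effective(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Unquoted entries are hosts, schemes or "*": anything beyond the app's
// own origin. Quoted entries ('self', 'none', nonces, hashes) are skipped.
function nonSelfSources(list) {
  if (list === null) return ['*'];
  return list.filter((s) => !s.startsWith("'"));
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const script = effective(d, ['script-src', 'default-src']);
  const frame = effective(d, ['frame-src', 'child-src', 'default-src']);
  return {
    // eval() is refused once a script policy applies without 'unsafe-eval'.
    evalAllowed: script === null ||
      script.some((s) => s.toLowerCase() === "'unsafe-eval'"),
    scriptSources: nonSelfSources(script),
    frameSources: nonSelfSources(frame),
  };
}

// Constructed sample policies.
const locked = auditCsp("default-src 'self'");
const leaky = auditCsp(
  "default-src *; script-src 'self' 'unsafe-eval'; frame-src https://example.invalid");
console.log(locked, leaky);
```

The `leaky` policy is the case the message warns about: script loading is limited to the app's origin, yet a framed external site plus `'unsafe-eval'` still gives remote text a path to execution.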
