[chromium-dev] Re: Enabled isolation for content scripts

2009-08-05 Thread Adam Barth

Nope, but I've cc'ed myself.  Listening to the channel should keep script alive.

Adam


On Wed, Aug 5, 2009 at 5:14 PM, Antony Sargent wrote:
> Adam, speaking of garbage collection and content scripts, have you seen
> http://crbug.com/17410?
>
> On Sun, Aug 2, 2009 at 2:17 AM, Adam Barth wrote:
>>
>> On Sun, Aug 2, 2009 at 2:12 AM, dwh wrote:
>> >
>> > I believe as a side-effect of this, content scripts can no longer at
>> > all access frames in pages (window.frames is a single frame, rather
>> > than a collection of them all)... I view this decidedly as a bug
>> > rather than feature, and cannot see a reason to intentionally do this
>> > (if we can access the DOM of the page, why not also of sub-pages?)
>> >
>> > Could this be looked at and fixed?
>>
>> Yes.  This is a known issue (although I'm not sure if there is a bug
>> on file for it).  I haven't quite figured out the right way to do this
>> yet because it involves some tricky garbage collection issues.  Rest
>> assured that it will get fixed in due course.
>>
>> If you run into other issues, please let me know.
>>
>> Thanks,
>> Adam
>>
>> >>
>
>

--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---



[chromium-dev] Re: Enabled isolation for content scripts

2009-08-05 Thread Antony Sargent

Adam, speaking of garbage collection and content scripts, have you seen
http://crbug.com/17410?

On Sun, Aug 2, 2009 at 2:17 AM, Adam Barth wrote:

>
> On Sun, Aug 2, 2009 at 2:12 AM, dwh wrote:
> >
> > I believe as a side-effect of this, content scripts can no longer at
> > all access frames in pages (window.frames is a single frame, rather
> > than a collection of them all)... I view this decidedly as a bug
> > rather than feature, and cannot see a reason to intentionally do this
> > (if we can access the DOM of the page, why not also of sub-pages?)
> >
> > Could this be looked at and fixed?
>
> Yes.  This is a known issue (although I'm not sure if there is a bug
> on file for it).  I haven't quite figured out the right way to do this
> yet because it involves some tricky garbage collection issues.  Rest
> assured that it will get fixed in due course.
>
> If you run into other issues, please let me know.
>
> Thanks,
> Adam
>
> >
>




[chromium-dev] Re: Enabled isolation for content scripts

2009-08-02 Thread Adam Barth

On Sun, Aug 2, 2009 at 2:12 AM, dwh wrote:
>
> I believe as a side-effect of this, content scripts can no longer at
> all access frames in pages (window.frames is a single frame, rather
> than a collection of them all)... I view this decidedly as a bug
> rather than feature, and cannot see a reason to intentionally do this
> (if we can access the DOM of the page, why not also of sub-pages?)
>
> Could this be looked at and fixed?

Yes.  This is a known issue (although I'm not sure if there is a bug
on file for it).  I haven't quite figured out the right way to do this
yet because it involves some tricky garbage collection issues.  Rest
assured that it will get fixed in due course.

If you run into other issues, please let me know.

Thanks,
Adam




[chromium-dev] Re: Enabled isolation for content scripts

2009-08-02 Thread dwh

I believe as a side-effect of this, content scripts can no longer at
all access frames in pages (window.frames is a single frame, rather
than a collection of them all)... I view this decidedly as a bug
rather than feature, and cannot see a reason to intentionally do this
(if we can access the DOM of the page, why not also of sub-pages?)

Could this be looked at and fixed?

On Jul 16, 3:05 pm, Adam Barth wrote:
> Today I landed a patch that enables a security feature for extensions.
>  Now when an extension runs a content script, that script runs in a
> "parallel universe" with the page.  In its isolated world, the content
> script can see the page's DOM, but it can't see any of the page's
> JavaScript objects.  This helps protect the extension from getting
> hacked by the page's JavaScript.  If you're interested in how a page
> can hack a non-isolated content script, you might enjoy reading
> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf
>
> This is a "breaking change" in the sense that it changes the content
> script's API (by hiding the page's JavaScript).  If you notice your
> favorite user script acting up after this change, please let me know
> and we'll try to get to the bottom of the issue.
>
> Adam



[chromium-dev] Re: Enabled isolation for content scripts

2009-07-16 Thread Erik Kay

awesome work!

On Thu, Jul 16, 2009 at 1:05 PM, Adam Barth wrote:

>
> Today I landed a patch that enables a security feature for extensions.
>  Now when an extension runs a content script, that script runs in a
> "parallel universe" with the page.  In its isolated world, the content
> script can see the page's DOM, but it can't see any of the page's
> JavaScript objects.  This helps protect the extension from getting
> hacked by the page's JavaScript.  If you're interested in how a page
> can hack a non-isolated content script, you might enjoy reading
> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf
>
> This is a "breaking change" in the sense that it changes the content
> script's API (by hiding the page's JavaScript).  If you notice your
> favorite user script acting up after this change, please let me know
> and we'll try to get to the bottom of the issue.
>
> Adam
>
> >
>




[chromium-dev] Re: Enabled isolation for content scripts

2009-07-16 Thread Aaron Boodman

+chromium-extensions

BTW, this will *not* be in 194.x, as it was checked in after the
branch was cut. It will be in the next dev channel release.

- a

On Thu, Jul 16, 2009 at 1:10 PM, Aaron Boodman wrote:
> abarth++
>
> This is a super important change for the extension system and
> increases my confidence in the system significantly. If you didn't
> understand Adam's summary and you want something with more pictures, I
> have a (personal) blog post that covers some of the issues, here:
>
> http://www.aaronboodman.com/2009/04/content-scripts-in-chromium.html
>
> The beginning of the blog post talks about how content scripts work
> today (pre-isolated worlds). At the end it talks about how isolated
> worlds would change things.
>
> - a
>
> On Thu, Jul 16, 2009 at 1:05 PM, Adam Barth wrote:
>>
>> Today I landed a patch that enables a security feature for extensions.
>>  Now when an extension runs a content script, that script runs in a
>> "parallel universe" with the page.  In its isolated world, the content
>> script can see the page's DOM, but it can't see any of the page's
>> JavaScript objects.  This helps protect the extension from getting
>> hacked by the page's JavaScript.  If you're interested in how a page
>> can hack a non-isolated content script, you might enjoy reading
>> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf
>>
>> This is a "breaking change" in the sense that it changes the content
>> script's API (by hiding the page's JavaScript).  If you notice your
>> favorite user script acting up after this change, please let me know
>> and we'll try to get to the bottom of the issue.
>>
>> Adam
>>
>> >>
>>
>




[chromium-dev] Re: Enabled isolation for content scripts

2009-07-16 Thread Aaron Boodman

abarth++

This is a super important change for the extension system and
increases my confidence in the system significantly. If you didn't
understand Adam's summary and you want something with more pictures, I
have a (personal) blog post that covers some of the issues, here:

http://www.aaronboodman.com/2009/04/content-scripts-in-chromium.html

The beginning of the blog post talks about how content scripts work
today (pre-isolated worlds). At the end it talks about how isolated
worlds would change things.

- a

On Thu, Jul 16, 2009 at 1:05 PM, Adam Barth wrote:
>
> Today I landed a patch that enables a security feature for extensions.
>  Now when an extension runs a content script, that script runs in a
> "parallel universe" with the page.  In its isolated world, the content
> script can see the page's DOM, but it can't see any of the page's
> JavaScript objects.  This helps protect the extension from getting
> hacked by the page's JavaScript.  If you're interested in how a page
> can hack a non-isolated content script, you might enjoy reading
> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf
>
> This is a "breaking change" in the sense that it changes the content
> script's API (by hiding the page's JavaScript).  If you notice your
> favorite user script acting up after this change, please let me know
> and we'll try to get to the bottom of the issue.
>
> Adam
>
> >
>

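Added example (not part of the original thread, and not Chromium's code): a Node.js model of the behaviour described in the announcement quoted above, where a content script shares the page's DOM but not its JavaScript objects. It assumes `vm` contexts as stand-ins for JavaScript worlds and a plain object as the DOM; every name and sample script in it is constructed.

```javascript
const vm = require('vm');

// Constructed stand-in for the DOM: one host object visible to every world.
function makeDocument() {
  return { title: 'Checkout', body: { text: 'total: 10' } };
}

// Page script (constructed): replaces a builtin that other scripts rely on.
const PAGE_SCRIPT = `
  JSON.stringify = function () { return '{"total":0}'; };
  document.title = 'Checkout (edited by page)';
`;

// Content script (constructed): reads the DOM and serializes what it found.
const CONTENT_SCRIPT = `
  var report = JSON.stringify({ title: document.title, text: document.body.text });
  document.body.text += ' [seen by extension]';
  report;
`;

// Pre-isolation model: page and content script share one global object,
// so the content script calls whatever the page left in JSON.stringify.
function runShared() {
  const document = makeDocument();
  const world = vm.createContext({ document });
  vm.runInContext(PAGE_SCRIPT, world);
  return { report: vm.runInContext(CONTENT_SCRIPT, world), document };
}

// Isolated-world model: separate globals and builtins, same DOM object.
function runIsolated() {
  const document = makeDocument();
  const pageWorld = vm.createContext({ document });
  const extensionWorld = vm.createContext({ document });
  vm.runInContext(PAGE_SCRIPT, pageWorld);
  const report = vm.runInContext(CONTENT_SCRIPT, extensionWorld);
  // DOM changes still cross the boundary in both directions.
  const pageView = vm.runInContext('document.body.text', pageWorld);
  return { report, pageView, document };
}
```

In the shared run the report is whatever the page's replacement function returns; in the isolated run the report reflects the real DOM contents, including the title the page edited, because only the DOM is shared.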