Talk:XPCNativeWrapper: Difference between revisions
Revision as of 17:21, 22 March 2005
You scared me with the "Attack Scenarios" paragraph, because *a lot* of extensions access _content.document's properties without this wrapper. However, when I tried to access Components.classes in a document.title setter and accessed that from Extension Developer's Extension's JS Shell (chrome privileges), it (fortunately) failed with a permission denied error.
I see, however, that code in Firefox uses XPCNativeWrapper when accessing the page's document.
Can someone explain it to me / give a working attack page, because if we should really use XPCNativeWrapper, then almost everybody using extensions is vulnerable.
asqueella 04:13, 22 Mar 2005 (PST)
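There are two bugs related to this attack on Jesse Ruderman's Security Page (http://www.squarefree.com/securitytips/mozilla-developers.html):
security hole in markLinkVisited (exploit with link.href setter = eval) (http://bugzilla.mozilla.org/show_bug.cgi?id=249332)
Bypassing CheckLoadURI using custom getters and changing toString returns (http://bugzilla.mozilla.org/show_bug.cgi?id=249332)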