XPCNativeWrapper: Difference between revisions

From MozillaZine Knowledge Base
Jump to navigationJump to search
No edit summary
 
No edit summary
Line 1: Line 1:
XPCNativeWrapper is a Javascript object that should be used whenever privileged code is used to access unprivileged code. It is used to create a security wrapper analogous to a sandbox.
XPCNativeWrapper is a Javascript object that should be used whenever privileged code is used to access unprivileged code. It is used to create a security wrapper that is analogous to a sandbox.


==Basic Usage==
==Basic Usage==
Line 5: Line 5:


===Example===
===Example===
This example creates a wrapper around the document object so that it can safely read the title of the document and call one of its methods:
<pre>
<pre>
doc = window._content; //|doc| is unsafe
doc = window._content;
doc = new XPCNativeWrapper(doc, 'title', 'getElementsByTagName()');
doc2 = new XPCNativeWrapper(doc, 'title', 'getElementsByTagName()');
//|doc| is now safe
var tl = doc.title;
var bd = doc.getElementsByTagName('body')[0];
</pre>
</pre>


Line 16: Line 14:


The returned object can be used just like the untrusted object. Methods and properties can be called from it directly.
The returned object can be used just like the untrusted object. Methods and properties can be called from it directly.
<pre>
var tt = doc2.title;
var bd = doc2.getElementsByTagName('body')[0];
</pre>


==Attack Scenarios==
==Attack Scenarios==

Revision as of 09:00, 22 March 2005

XPCNativeWrapper is a Javascript object that should be used whenever privileged code is used to access unprivileged code. It is used to create a security wrapper that is analogous to a sandbox.

Basic Usage

Using XPCNativeWrapper is very simple. You create an instance of an XPCNativeWrapper with the untrusted object as the first parameter and the desired properties and methods of the untrusted object as the additional parameters.

Example

This example creates a wrapper around the document object so that it can safely read the title of the document and call one of its methods:

doc = window._content;
doc2 = new XPCNativeWrapper(doc, 'title', 'getElementsByTagName()');

Notice how the desired properties are specified by their name and the desired methods are specified by their name followed a pair of empty brackets.

The returned object can be used just like the untrusted object. Methods and properties can be called from it directly.

var tt = doc2.title;
var bd = doc2.getElementsByTagName('body')[0];

Attack Scenarios

To illustrate the importance of using XPCNativeWrapper, consider the following scenario:

An extension is written to modify the title property of the document.

document._content.document.title = 'Hello World';

On the surface it looks harmless enough. However, an attacker could execute malicious code if they added a setter to the title property:

document.title getter = function() {
  alert('code executed');  //malicious code...
};

The same analogy applies to calling methods on an untrusted object. Consider the following scenario:

An extension tries to get access to the body element of a document.

var bd = document._content.document.getElementsByTagName('body')[0];

It may also look harmless, but an attacker could execute malicious code if they overwrote the getElementsByTagName method with another:

document.getElementsByTagName = function() {
  alert('code executed');  //malicious code...
};

References

  1. XPCNativeWrapper.js