Mitchi wrote:
You missed timeless' point. His point was that your component can attach hooks
to the global JS object allowing untrusted content to call into your component
and only your component. That's what XMLHttpRequest does.
I don't catch what you're trying to tell, I'm sorry. Could you explain
it more?
var http = new XMLHttpRequest();
When you do that, a constructor function is called. This constructor function
is attached to the global object by the XMLHttpRequest component. This allows
construction of an XMLHttpRequest object without needing access to
Components.classes or knowing its contract id.
Same this for DOMParser, DOMSerializer.
The problem is that XPCOM is a very powerful way to let developers
extend mozilla's functionality, but the strictness of the access method
makes it completely unusable.
It's not really designed for use from web pages, yeah.
Ok, so there never will be a way to extend the javascript
functionality, right?
All I said is that right now you have to extend by attaching
constructors/getters to the global object instead of just allowing web pages to
instantiate you by contract.
-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
