Hello,

what I like to do is modify page content with my extension. To do this, 
I currently just go over "window.content" and then I walk up the DOM 
tree of the page to find what I need to touch/change/modify. I also call 
functions in the page code like "getElementById" to find stuff.

I found pages like this one:
http://developer.mozilla.org/en/docs/XPCNativeWrapper#Protected_script_accessing_an_untrusted_object

My extension is running inside SeaMonkey 1.1.9, which should be "like 
Firefox 1.5.x". The page seems to say something like "just access the 
content on untrusted content. The backend will secure you".

To test this, I created this simple test page:

<html>
<head>
<title>testpage</title>
<script>
window.oAlert = window.alert;
window.alert = function(message) {
oAlert("danger!!!! " + message);
}
</script>
</head>
<body>
Page to test wrappers
<script>alert("test");</script>
</body>
</html>

The script replaces "window.alert" at first and then calls "alert" to 
test if the replacement worked well.

Now I created a new PrefBar button (PrefBar allows to place buttons, 
which execute code in privileged context easily) which calls this:

window.content.window.alert("test");

I tried the button with this code twice. Once with the above page opened 
from "file://" and once using a local apache server to serve the test 
page via "http://". In both cases I got a message "danger!!!! test".

A second test at least showed that the replacement function of alert 
seems to get called unprivileged and so wouldn't be dangerous.

So my question is: What do I have to do to be able to *easily* and 
*securely* access untrusted content? I *don't* want to call 
XPCNativeWrappers over and over again for any property and any function 
I need! Why is there no "recursive XPCNativeWrappers" function which 
just returns a fully secured object?

Another question: What happens if I inject code to hiddenDOMWindow using 
the subscriptLoader? Does the code in hiddenDOMWindow run in protected 
or unprotected mode?

Thanks in advance

CU

Manuel

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
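
The test described in this post, as an added example that is not part of the original message and is not Gecko's XPCNativeWrapper code: a toy JavaScript model of direct access versus the kind of recursive, native-only view the post asks about. `makeNative`, `nativeView` and `runScenario` are hypothetical names, and the `getElementById` override is constructed to show why the recursion matters.

```javascript
// Toy model of a "native-only" view of page objects. Constructed for
// illustration; this is not Gecko's XPCNativeWrapper implementation.
const nativeProps = new WeakMap(); // object -> frozen table of built-in members

function makeNative(props) {
  const obj = Object.assign({}, props);
  nativeProps.set(obj, Object.freeze(Object.assign({}, props)));
  return obj;
}

// Resolve every property from the built-in table, ignoring anything page
// script assigned later, and wrap whatever comes back the same way.
function nativeView(obj) {
  if (obj === null || typeof obj !== "object" || !nativeProps.has(obj)) return obj;
  return new Proxy(obj, {
    get(target, name) {
      const table = nativeProps.get(target);
      if (!Object.prototype.hasOwnProperty.call(table, name)) return undefined;
      const value = table[name];
      if (typeof value === "function") {
        return (...args) => nativeView(value.apply(target, args));
      }
      return nativeView(value);
    },
    set() { throw new TypeError("native view is read-only in this model"); }
  });
}

function runScenario() {
  const log = [];
  const node = makeNative({ id: "greeting", textContent: "hello" });
  const doc = makeNative({ getElementById(id) { return id === "greeting" ? node : null; } });
  const win = makeNative({ document: doc, alert(msg) { log.push("native: " + msg); } });

  // What the test page does: keep the original, then replace alert.
  win.oAlert = win.alert;
  win.alert = function (msg) { log.push("page: danger!!!! " + msg); };
  // Constructed extra override on a nested object.
  doc.getElementById = function () { return { textContent: "spoofed" }; };

  win.alert("test");                 // direct access: the page's function runs
  const safe = nativeView(win);
  safe.alert("test");                // native view: the built-in runs
  const direct = win.document.getElementById("greeting").textContent;
  const viaView = safe.document.getElementById("greeting").textContent;
  return { log, direct, viaView, expando: safe.oAlert };
}
```
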
