Marine wrote:
> Jonas Sicking wrote:
>> Marine wrote:
>>  
>>> Boris Zbarsky wrote:
>>>    
>>>> Marine wrote:
>>>>        
>>>>> However, I don't see how to put all the code in a signed jar, as 
>>>>> JSP will generate HTML code dynamically for each client request.
>>>>>         
>>>> Is it possible to dynamically generate the signed jar?  Or move the 
>>>> logic from server to client?
>>>>         
>>> I fear it won't be easy... and I don't want to waste a lot of time 
>>> on this, to finally see it's not possible :(
>>> Except if someone can tell me he has already done that, and how?
>>>
>>>    
>>>> I don't claim this is easy to do, basically.  The signed jar model 
>>>> is not the easiest thing in the world to work with.  :(
>>>>         
>>> Yes, another way to certify code would be nice. For example, 
>>> register in Firefox the url of a given website that may use advanced 
>>> privileges.
>>> But maybe it wouldn't be safe, I'm a newbie in browser security!
>>>     
>>
>> The signed script feature is something that we really want to kill. 
>> As you have noticed, it is far from easy to work with. Additionally 
>> it increases our attack surface for people trying to hack firefox and 
>> its users a lot.
>>
>> The recommended solution is instead to write a firefox extension. 
>> This extension can download any dynamic resource you want without 
>> having to bother with signing.
>>
>> / Jonas
>>   
> OK, nice to know the general development tendency, to choose the 
> better way to do things.
> So I will write an extension.
> Thanks again for your replies.
> Marine
Hi again,

I'm working on an extension as you suggested: this extension listens for 
"click" events, and tests "event.target" properties in order to decide 
whether it should do something or not.
The webpage has to be able to expose some values/parameters to the 
extension.
So I tried to add properties to button, to document or to window 
objects, in my webpage.
But the extension listener can't see these properties.
It can only see standard properties like event.target.id, 
event.target.value....

If I add a listener inside the webpage, it sees all these properties.
How come the extension can't see them? Is it a security 
limitation?

Thanks in advance for help
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
