Devdatta wrote:
> To me, it looks like (and I might be wrong here), there are two
> obvious/simple ways to do it:
> * Limit nsIFile to only write to files in a particular directory
> (say specific to each extension).
This would cover quite a bit, actually; most things really just want to
stick some persistent data _somewhere_, not anywhere in particular. As
an extension developer who really just wants stuff to keep working with
the minimum effort, of course this is my preferred option - well, next
to having no restrictions of course ;)
> * Make extension writers use stuff like localStorage and
> disallow/discourage use of nsIFile.
This would cover a smaller subset of the above - it wouldn't be useful
for things like greasemonkey (multiple files), but might be for, say,
adblockplus (giant list of things). This of course assumes that each
extension gets its own localStorage space, since enumeration is used
quite often too.
> (is there any other option I have missed?)
For completeness, there's also one sqlite db per extension (which can go
create as many tables as it wants). Possibly also free access to the
profile, but not outside of it, but given that the list of extensions is
there too it's uncertain how useful that is.
> (There are of course extensions that might require arbitrary file
> access, but for them AMO could require intensive review)
> I am a fan of option 1.
As long as it's opt-in, yes, that should be fine. I've always
considered the extension mechanism to be successful _precisely_ because
it's totally unrestricted (the one I started poked native window handles
and made Win32 API calls!). Hopefully, with the carrot of shorter
review times, more people would be able to use the safer model, without
having to disallow the unsafe method completely.
> Mook: As an extension developer, what problems do you see with either
> of the two options? I am really interested in your viewpoint.
Both options (and, really, anything else too) would require the platform
to suddenly know which extension your code is from; I don't know how
easy it would be for that to happen. But I'm sure there are people
smarter than I am who could do it without breaking the
needs-to-be-unsafe extensions ;)
--
Mook
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security