If you find something like this, try contacting the developer to see if you
can get the dev to fix it.  Some devs are willing to fix security bugs like
this immediately.

On Mon, Dec 21, 2009 at 12:15 PM, EricLaw <bay...@gmail.com> wrote:

> Thanks for confirming, all!
>
> Is there somewhere "official" that extensions that do this should be
> reported?
>
> thanks,
> Eric
>
> On Dec 18, 2:32 pm, Sid Stamm <s...@mozilla.com> wrote:
> > Like Boris says, JavaScript in add-ons is bad, and it is frowned upon
> > big-time.
> >
> > https://addons.mozilla.org/en-US/developers/docs/policies/reviews
> >
> > In fact, it is prohibited for an add-on hosted by addons.mozilla.org to
> > fetch remote content in this way, falling into the prohibited add-on
> > category of "Add-ons that provide their own update mechanism for
> > chrome-privileged resources" (see above link and below one).
> >
> > https://developer.mozilla.org/en/Security_best_practices_in_extension...
> >
> > A safer way to run remote scripts is to call "evalInSandbox" on the URL
> > for the code, giving it restricted access (i.e., not chrome privileges),
> > so it can still be run to do some things, but not to play with chrome
> > stuff.
> >
> > -Sid
> >
> > On 12/18/09 2:10 PM, Boris Zbarsky wrote:
> >
> > > On 12/18/09 1:44 PM, EricLaw wrote:
> > >> Quick question for you… When a XUL file in an installed Firefox addon
> > >> pulls in a remote script via HTTP:
> >
> > >> e.g. inside firefoxOverlay.xul:
> >
> > >>    <script src="http://example.com/extensions/script.js?ff"/>
> >
> > >> ...is that script accorded the permissions of the chrome:// security
> > >> zone?
> >
> > > Yes.
> >
> > >> If so, that can enable a remote EoP if there's a MiTM attack, right?
> >
> > > Yes.  Don't do that.
> >
> > > -Boris
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>
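The concrete hazard in the thread is a chrome-privileged XUL overlay whose `<script src>` points at a network URL. As an added example, not code from the thread or from Mozilla, here is a review-time check in Node.js that flags such overlays; the add-on name, the sample overlay and the finding format are all constructed for the demo.

```javascript
// Added example (not code from the thread or from Mozilla): a review-time
// check for XUL overlays that pull script into a chrome-privileged document
// from the network. Everything here, including the add-on name and sample
// overlay, is constructed for the demo.

// Schemes that load from the add-on package or the application itself.
const PACKAGED_SCHEMES = new Set(['chrome:', 'resource:']);

// <script ...> start tags (self-closing or not); group 1 holds the attributes.
const SCRIPT_TAG_RE = /<script\b([^>]*?)\/?>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

function classifyScriptSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return 'relative'; // resolved against the overlay's own chrome:// URL
  }
  if (PACKAGED_SCHEMES.has(url.protocol)) return 'packaged';
  if (url.protocol === 'http:') return 'remote-plaintext'; // MITM -> chrome-privileged code
  if (url.protocol === 'https:') return 'remote-tls'; // still a remote update channel
  return 'other';
}

// Returns one finding per <script src> that does not load packaged code.
function findRemoteScripts(xulText, fileName = 'overlay.xul') {
  const findings = [];
  for (const tag of xulText.matchAll(SCRIPT_TAG_RE)) {
    const attr = SRC_ATTR_RE.exec(tag[1]);
    if (!attr) continue; // inline <script> body, nothing fetched
    const src = attr[1] !== undefined ? attr[1] : attr[2];
    const kind = classifyScriptSrc(src);
    if (kind === 'packaged' || kind === 'relative') continue;
    const line = xulText.slice(0, tag.index).split('\n').length;
    findings.push({ file: fileName, line, src, kind });
  }
  return findings;
}

// Constructed sample overlay: one packaged script, two remote, one inline.
const SAMPLE_OVERLAY = `<?xml version="1.0"?>
<overlay id="demo-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/javascript" src="chrome://demoext/content/local.js"/>
  <script src="http://example.com/extensions/script.js?ff"/>
  <script src='https://updates.example.net/latest.js'></script>
  <script>window.addEventListener("load", init, false);</script>
</overlay>`;

console.log(findRemoteScripts(SAMPLE_OVERLAY, 'firefoxOverlay.xul'));
```

Both http: and https: sources are reported because the AMO policy quoted above prohibits any remote update mechanism for chrome-privileged code; the plaintext case is the one that additionally exposes the MITM elevation Boris confirms.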
