Hello,

While browsing through the patches to my bugs I stumbled over the function 
uri.schemeIs().

It seems this function gets used to implement blocker conditions in the 
code, to prevent a malicious URI (e.g. javascript) from being used in a piece 
of code with chrome privileges:

if (uri.schemeIs("javascript"))
   return

The problem that I see is that if an extension ever adds support for other 
schemes (a vbscript or jscript extension isn't that theoretical), the blocker 
condition is useless and a bunch of security errors appear, since 
vbscript/jscript can basically do the same as javascript.

From my point of view, possible solutions could be:

1. Make all blockers whitelist-only, so that they block if the scheme is 
unexpected (if (!expectedSchemes) return). That causes trouble if a new 
scheme ever gets implemented by default or by an extension, but it is safer at 
least.

2. Every blocker should call global security functions (like 
security.schemeIsChromesafe() or something). Every extension could then add 
its new or proprietary scheme to a whitelist that function checks.

I am not so deep into security functions, so maybe I misunderstood schemeIs 
or there is already something like schemeIsChromesafe. Please let me know :)

Kind regards,
Michael Krax
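The following is an added example, not code from the mail above or from Mozilla. It puts the denylist blocker quoted in the mail (uri.schemeIs("javascript")) next to the two allowlist-style alternatives the mail proposes, and runs both over constructed sample URIs so the gap for a hypothetical vbscript:/jscript: scheme is visible. nsIURI is stood in for by the WHATWG URL parser that ships with Node.js; EXPECTED_SCHEMES, registerChromeSafeScheme and schemeIsChromeSafe are invented names for illustration, not real Mozilla APIs.

```javascript
// Added example, not code from the mail or from Mozilla: contrasts the
// denylist check uri.schemeIs("javascript") with allowlist alternatives.
// nsIURI is stood in for by the WHATWG URL parser in Node.js; every
// function and constant name below is hypothetical.

// Constructed set of schemes a chrome-privileged caller expects to handle.
const EXPECTED_SCHEMES = new Set(["http", "https", "file", "chrome", "resource"]);

// Return the scheme of `spec` in lowercase, or null if it has no scheme
// (relative reference) or does not parse at all.
function schemeOf(spec) {
  try {
    // URL.protocol is e.g. "https:"; the parser lowercases the scheme and
    // strips leading/trailing whitespace, so "  JavaScript:..." yields "javascript".
    return new URL(spec).protocol.slice(0, -1);
  } catch (e) {
    return null;
  }
}

// Stand-in for nsIURI.schemeIs(): case-insensitive equality on the scheme.
function schemeIs(spec, scheme) {
  const s = schemeOf(spec);
  return s !== null && s === scheme.toLowerCase();
}

// The blocker as quoted in the mail: a denylist with a single entry.
// Anything that is not literally the javascript: scheme gets through,
// including schemes nobody had thought of and input that does not parse.
function allowedByDenylist(spec) {
  if (schemeIs(spec, "javascript")) return false;
  return true;
}

// Solution 1 from the mail: allowlist. Block if the scheme is unexpected,
// and treat unparsable input as unexpected too (fail closed).
function allowedByAllowlist(spec, expected = EXPECTED_SCHEMES) {
  const s = schemeOf(spec);
  return s !== null && expected.has(s);
}

// Solution 2 from the mail: one shared registry that every blocker consults
// and that an extension can extend with its own scheme. Hypothetical shape.
const chromeSafeSchemes = new Set(EXPECTED_SCHEMES);
function registerChromeSafeScheme(scheme) {
  chromeSafeSchemes.add(scheme.toLowerCase());
}
function schemeIsChromeSafe(spec) {
  return allowedByAllowlist(spec, chromeSafeSchemes);
}

// Run both blockers over sample URIs and report what each one lets through.
function compareBlockers(specs) {
  return specs.map((spec) => ({
    spec,
    scheme: schemeOf(spec),
    denylist: allowedByDenylist(spec),
    allowlist: allowedByAllowlist(spec),
  }));
}

// Constructed sample input.
const SAMPLE_URIS = [
  "https://example.org/",     // expected scheme: both allow
  "javascript:alert(1)",      // both block
  "  JavaScript:alert(1)",    // case/whitespace variant: parser normalises, both block
  "vbscript:MsgBox(1)",       // the gap the mail describes: denylist allows, allowlist blocks
  "jscript:alert(1)",         // same
  "not a uri at all",         // unparsable: denylist allows, allowlist blocks
];

for (const r of compareBlockers(SAMPLE_URIS)) {
  console.log(`${r.spec.padEnd(24)} scheme=${String(r.scheme).padEnd(11)}` +
              ` denylist=${r.denylist} allowlist=${r.allowlist}`);
}
```

The allowlist variant is a single set lookup on the normalised scheme, so adding a scheme is a one-line change in one place rather than a hunt for every `schemeIs("javascript")` in the tree. It also refuses input that does not parse at all, which the denylist silently accepts; whether that is acceptable for a given call site is a decision the caller has to make explicitly.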



_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
