On Monday, October 21, 2013 4:40:08 PM UTC+2, Gijs Kruitbosch wrote:

> Uh, I hope you meant:
>  > window.wrappedJSObject.close = function() { ... };
> (ie, no braces after close[()])

Sorry, yes of course. I typed that quickly but obviously the real code doesn't 
have parentheses after the function name, and the problem as stated still 
stands.

> But *if* you're managing to touch the underlying object, that's a 
> security issue waiting to happen, AIUI (what if content defines a setter 
> function on the window's "close" property?). CC'ing bholley who gave a 
> talk[0] about this stuff and knows more about this (and might have 
> solutions and/or assuage my fears as to the security of this).

I'm not sure I see the security risk. If content defines a setter on close() 
then... what? Worst case it can access the chrome function that I'm trying to 
give it access to anyway.

FYI I load the content into a popup and I want it to be able to close the 
popup. So the real chrome function looks like:

contentWindow.wrappedJSObject.close = function() {
  chromeWindow.close();
};

But as I said, the default close() method seems to be called instead and I get 
an error about not being able to close a window that wasn't opened using script.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
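
The setter concern raised in the quoted reply, as an added example in plain JavaScript (not code from this thread or from Mozilla): it compares plain assignment onto a content-controlled object with defining a data property. Ordinary objects stand in for the content window and the chrome function, so this shows the property semantics only, not Firefox's wrapper behaviour; all names are hypothetical.

```javascript
// Constructed stand-in for a content window whose page script has
// installed an accessor on "close" before privileged code touches it.
function makeContentWindow(log) {
  const win = {};
  Object.defineProperty(win, 'close', {
    configurable: true,
    get() { return undefined; },
    set(fn) { log.push('content setter ran'); win.captured = fn; },
  });
  return win;
}

// Plain assignment, as in the post: the assignment invokes the
// content-defined setter, so content code runs in the middle of the
// privileged caller's operation and receives the function reference.
function exposeByAssignment(win, fn) {
  win.close = fn;
}

// Defining a data property replaces the accessor without calling it.
// If content made the property non-configurable this throws TypeError,
// which the caller can treat as "refuse to expose".
function exposeByDefine(win, fn) {
  Object.defineProperty(win, 'close', {
    value: fn, writable: false, configurable: false, enumerable: true,
  });
}

function demo() {
  const chromeClose = () => 'popup closed'; // hypothetical chrome function
  const logA = [], logB = [];
  const a = makeContentWindow(logA);
  exposeByAssignment(a, chromeClose);
  const b = makeContentWindow(logB);
  exposeByDefine(b, chromeClose);
  return {
    assignmentRanSetter: logA.length === 1,
    assignmentInstalled: a.close === chromeClose, // getter still in place
    defineRanSetter: logB.length === 1,
    defineInstalled: b.close === chromeClose,
  };
}

console.log(demo());
```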
