On Tue, Jun 16, 2015 at 7:50 PM, Bobby Holley <[email protected]> wrote:
> On Tue, Jun 16, 2015 at 10:38 AM, Paul Rouget <[email protected]> wrote:
>>
>> I don't know how this works (Xray vision).
>
>
> Given what you're doing, it's definitely worth learning about. A basic
> overview is here: https://developer.mozilla.org/en-US/docs/Xray_vision
>
> For more detail and a bigger-picture view of why this is a tricky problem,
> I'd recommend watching the talk I gave in Portland:
> https://air.mozilla.org/safe-by-default/ . Currently accessible for vouched
> mozillians, but we should get rid of that soon.
>
>>
>> Code, in the child process, is executed this way:
>>
>> + let sandbox = new Cu.Sandbox(content, {
>> + sandboxPrototype: content,
>> + wantXrays: false,
>> + sandboxName: "browser-api-execute-script"
>> + });
>> +
>> + let sandboxRv = Cu.evalInSandbox(script, sandbox, "1.8");
>>
>> I use `wantXrays: false`, but I don't know what we really want here.
>
>
> wantXrays is a deprecated option - it doesn't actually help you unless you
> run the sandbox with an Expanded Principal ([content] instead of content),
> which begs the whole "web platform not supporting asymmetric privilege
> relationships" question.
>
> This is a pretty complicated topic, and requires a fair amount of background
> to discuss meaningfully, unfortunately. The links above should help a lot.
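Review bot: the `wantXrays: false` option in the quoted `Cu.Sandbox` call is a no-op in this configuration, as the reply notes, because the sandbox runs with `content` as its principal rather than an expanded principal; either drop the option or add a comment saying why it is kept, so a later reader does not assume it provides (or removes) any protection. Separately, `sandboxRv` from `Cu.evalInSandbox` is a value produced by content-level code, so whatever consumes it should treat it as untrusted input and validate its shape rather than use it directly.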
You mentioned XSS. If I understand what you're saying, introducing
`executeScript` allows anything that has access to the Browser API to inject
code into any web page. That's exactly what it is designed for. The Browser
API already allows plenty of things. And when you have access to the Browser
API, you most certainly have access to other critical APIs (bluetooth, file
system, …). So I was under the assumption that, at this point, we already
gave a lot of permissions, and adding a way to run arbitrary scripts is just
one more of these super powers. But maybe this is a step too far.

Xrays. Is the problem that the script that is injected can be fooled? I don't
know yet if we want Xrays or not. Naively, I would say yes. But maybe we want
the script to be "fool-able". That could be an option in the executeScript
method. But anyway, what is returned by the script (a JSON object) is
obviously not something that should be trusted. It comes from the content. If
wantXrays=true doesn't work with the principal of the content, I think it's
ok.

You mentioned that this is like UniversalXPConnect. I don't understand that.
It's just one more API on top of many others. Like we have `drawWindow`
accessible with chrome privileges, we also have `getScreenshot()` from the
Browser API. It sounds like what you're saying about "is it still the web"
applies to almost all the APIs we have in B2G. I don't see what's special
about executeScript that makes it less web than all the other things we build
for Gaia. Or maybe I'm misunderstanding something.

-- Paul

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
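As an added illustration of the point above that the value an injected script hands back comes from content and must not be trusted, the following plain Node-style JavaScript (example code written for this page, not Gecko code or anything from the thread) constructs a result object the way hostile page content could and contrasts a consumer that reads it naively with one that copies and validates it once. The names `makeHostileResult`, `naiveConsume` and `sanitizeScriptResult`, and the expected `{ url, count }` shape, are assumptions for the illustration.

```javascript
// Added example, not code from the thread or from Gecko: a value handed back
// by script that ran as page content must be copied and validated once,
// never read directly. Names below (makeHostileResult, naiveConsume,
// sanitizeScriptResult) are assumed for this illustration; the consumer
// expects a result shaped like { url: string, count: number }.

// Constructed hostile result: a getter whose answer changes between reads,
// a prototype property that a naive `in` check picks up, and a wrong type.
function makeHostileResult() {
  let reads = 0;
  const proto = { isTrusted: true };            // inherited, not own
  const obj = Object.create(proto);
  Object.defineProperty(obj, 'url', {
    enumerable: true,
    get() { return reads++ === 0 ? 'https://example.test/ok' : 'http://untrusted.test/'; },
  });
  obj.count = '5';                               // a string, not a number
  return obj;
}

// Naive consumer: checks the URL on one read and uses it on a second read,
// and trusts data that lives on the content-supplied prototype.
function naiveConsume(result) {
  const isSafe = result.url.startsWith('https://'); // first read: looks fine
  return { isSafe, url: result.url, trusted: 'isTrusted' in result }; // second read differs
}

// Hardened consumer: read each field exactly once, keep only own properties,
// require exact types, and hand back a fresh plain object with no content
// prototype behind it. Returns null when the value does not fit the schema.
function sanitizeScriptResult(result) {
  if (result === null || typeof result !== 'object') return null;
  const own = (k) => Object.prototype.hasOwnProperty.call(result, k);
  if (!own('url') || !own('count')) return null;
  const url = result.url;                          // single read
  const count = result.count;
  if (typeof url !== 'string' || !/^https:\/\/[^\s]+$/.test(url)) return null;
  if (typeof count !== 'number' || !Number.isInteger(count) || count < 0) return null;
  return { url, count };
}
```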

