JavaScript scope / security concern in Firefox extension
I am developing a Firefox extension and have to store some values that I need to be secure and inaccessible from any other extension/page etc.
I am using a setup for my extension code like seen here:
    if(!namesp) var namesp={};
    if(!namesp.anothernamesp) namesp.anothernamesp={};
    namesp.anothernamesp = function() {
        var mySecureValue = ''; //is this variable accessible from anything aside from inside the namesp.anothernamesp scope?
        return {
            useSecureValue: function() {
                //do something here with mySecureValue
            }
        };
        function getSecureValue() { //can this method be called from anywhere besides inside the namesp.anothernamesp scope?
            return mySecureValue;
        }
    }();
Is there any way that anything other than my own extension can access "mySecureValue"? To keep this object globally accessible to any windows I might open in my extension etc., I pass the object to the window in the window.openDialog() method and use the window.arguments to access it from the newly created windows. Thank you.
Seems pretty correct. In fact that's a way the majority of tutorials and books teach to simulate private methods and properties.
No, there is no way you can keep one extension from impacting another extension.
The reasons for that are:
If some other extension wants to read your variable mySecureValue it can do so by:
profile/extensions folder)
mySecureValue from your source file!
The most unfortunate reason for all that is that Mozilla Firefox does not implement any form of right separation between the extensions. Every extension can do everything to everybody. It can even execute a shellcode and do arbitrary other damage.
The only thing you can try is to obfuscate your secret data. This will though not prevent but maybe only complicate the attack.
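Added example, not part of the original question or answers: the question's module pattern rebuilt from a constructed source string, showing what a caller holding only the returned object can reach, next to what the source text itself shows to anything able to read the file (the point the second answer makes). The names moduleSource, reachableFrom and hardcodedStrings are hypothetical, and the secret is a constructed sample value.

```javascript
// Constructed stand-in for the extension's source file as it sits on disk.
const moduleSource = `
  var mySecureValue = 'constructed-sample-value';
  function getSecureValue() { return mySecureValue; }
  return {
    useSecureValue: function () { return getSecureValue().length; }
  };
`;

// Equivalent of the question's namesp.anothernamesp = function () { ... }();
const namesp = { anothernamesp: new Function(moduleSource)() };

// What a caller holding only the object (e.g. via window.arguments) can reach.
function reachableFrom(api) {
  const names = [];
  for (let o = api; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    names.push(...Object.getOwnPropertyNames(o));
  }
  return {
    names,
    hasGetter: typeof api.getSecureValue !== 'undefined',
    hasValue: typeof api.mySecureValue !== 'undefined',
    globalGetter: typeof globalThis.getSecureValue !== 'undefined',
    // The exported method's own source text does not contain the closure value.
    methodSourceShowsValue:
      api.useSecureValue.toString().includes('constructed-sample-value'),
  };
}

// Audit helper (hypothetical name): variables assigned a string literal in the
// source text, i.e. what is visible to anything that can read the file.
function hardcodedStrings(source) {
  const found = {};
  const re = /\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])(.*?)\2/g;
  for (const m of source.matchAll(re)) found[m[1]] = m[3];
  return found;
}

console.log(reachableFrom(namesp.anothernamesp));
console.log(hardcodedStrings(moduleSource));
```

The closure keeps the value out of reach of code that only holds the object; it does nothing for a literal that is stored in a readable source file.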