
Javascript scope / security concern in Firefox extension

I am developing a Firefox extension and have to store some values that I need to be secure and inaccessible from any other extension/page etc.

I am using a setup for my extension code like the one seen here:

if(!namesp) var namesp={};
if(!namesp.anothernamesp) namesp.anothernamesp={};

namesp.anothernamesp = function() {
  var mySecureValue = ''; //is this variable accessible from anything aside from inside the namesp.anothernamesp scope?

  return {
    useSecureValue: function() {
      //do something here with mySecureValue
    }
  };

  function getSecureValue() { //can this method be called from anywhere besides inside the namesp.anothernamesp scope?
    return mySecureValue;
  }

}();

Is there any way that anything other than my own extension can access "mySecureValue"? To keep this object globally accessible to any windows I might open in my extension etc., I pass the object to the window in the window.openDialog() method and use window.arguments to access it from the newly created windows. Thank you.

Seems pretty correct. In fact, that's the way the majority of tutorials and books teach to simulate private methods and properties.

No, there is no way you can keep one extension from impacting another extension.

The reasons for that are:

  • extensions are Zip archive files renamed to have a *.xpi filename extension.
  • the extensions are written in plain-text files using a JavaScript dialect
  • any other extension can at will open and access any file that your browser can access.

If some other extension wants to read your variable mySecureValue, it can do so by:

  • accessing your extension's *.xpi file (using nsIFile to read it from the profile/extensions folder)
  • unzipping it with nsIZipReader
  • reading the variable mySecureValue from your source file!

The most unfortunate reason for all that is that Mozilla Firefox does not implement any form of rights separation between the extensions. Every extension can do everything to everybody. It can even execute shellcode and do arbitrary other damage.

The only thing you can try is to obfuscate your secret data. This will, though, not prevent but maybe only complicate the attack.
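As an added example (not code from the question or from either answer), here is the module pattern from the question, instrumented to show what the closure does and does not protect. The secret value, the `factory` name and the check functions are constructed placeholders; the two answers above are what it illustrates: the closure keeps the variable out of the exported object, but the value itself still lives as a literal in plain-text source.

```javascript
// Added example, not part of the original question or answers.
// The factory is the same IIFE body as in the question, kept as a named
// function so its source text can be inspected afterwards.

// Constructed placeholder secret; a real build would embed its own value here.
var factory = function () {
  var mySecureValue = 'placeholder-secret-123';

  // Private helper: only reachable from code inside this function body.
  function getSecureValue() {
    return mySecureValue;
  }

  return {
    // Only this object is exported; nothing else defined above is a member of it.
    useSecureValue: function () {
      return getSecureValue().length;
    }
  };
};

var namesp = {};
namesp.anothernamesp = factory();

// 1. Encapsulation works as the first answer says: the exported object carries
//    no property that exposes the variable or the private helper.
function closureHidesSecret() {
  var api = namesp.anothernamesp;
  return api.mySecureValue === undefined &&
         api.getSecureValue === undefined &&
         Object.keys(api).join(',') === 'useSecureValue';
}

// 2. ...but only from code that has to go through that object. The value is a
//    string literal in plain-text source, which is the second answer's point:
//    anything that can read the source text (the file inside the .xpi, or here
//    simply Function.prototype.toString on the factory) sees it unchanged.
function secretIsInSource() {
  return factory.toString().indexOf('placeholder-secret-123') !== -1;
}

// 3. Whatever the exported method derives from the secret is public by design;
//    here that is just its length.
function exportedMethodRevealsDerivedData() {
  return namesp.anothernamesp.useSecureValue() === 'placeholder-secret-123'.length;
}
```

The closure is a scoping device, not a confidentiality boundary: it stops other code in the same realm from reaching `mySecureValue` by name, but code with the same privileges and read access to the source gets the literal directly, which is why the second answer treats obfuscation as the only remaining option.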
