
Does Firefox Scratchpad's JavaScript code have more privileges than a standard website's JavaScript code?

I've just copied, pasted and run through the Scratchpad some code from the source code of a website.

I want to know if this code has more privileges when it runs through the Scratchpad of Firefox or has the same privileges as when it runs directly through the webpage.

Before pasting into Scratchpad, Firefox shows this message:

Scam Warning: Take care when pasting things you don't understand.
This could allow attackers to steal your identity or take control of your computer.

I know that there are JavaScript exploits that could run through a website, but...

The message from Firefox seems to say:

"The JavaScript in Scratchpad has more privileges than the JavaScript of a webpage, and attackers can steal without exploits, just with standard code"

Is it true?

Can the same code act differently on a website and in the Scratchpad in terms of security?

Or is it just like including it inside the HTML, with all the safety measures that JavaScript has inside a website?

Why does Firefox alert us in Scratchpad about something that could be done anyway just by visiting a malicious webpage (potential JavaScript attack)?

By default, code running in the scratchpad can do anything that JavaScript on the web site you're looking at can do, no more and no less. That means it can access your data from that site, and possibly send it somewhere else without telling you, or it can take actions pretending to be you on that site. The message you're seeing is a warning to unwary users who are not coders, to keep them from pasting malicious code that might do some of those things into the scratchpad just because someone told them to, because they won't be able to tell that the code is malicious. If you go to Facebook and look at the browser console, you'll see a similar warning explaining the same thing, because this is a fairly common type of social engineering attack.

Now, I said "by default" earlier, let me explain what I meant. It's also possible to change the scratchpad from "content" mode to "browser" mode. To do that, you have to enable the option in the developer tools settings (it's called "Enable browser chrome and add-on debugging toolboxes"), and then switch the scratchpad to Browser mode using the Environment menu. If you do those things, then the scratchpad can do anything that the browser itself, not a particular web site, can do. So the scratchpad running in that mode really does have more permissions than a web page does; it can do anything that a native application could. But content mode is the default mode, and it has exactly the same permission set as web pages do.
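
The two modes described in the answer above can be turned into a quick pre-paste check. This is an added example, not code from the answer or from Firefox: the `triage` function, its pattern lists and the sample snippets are assumptions constructed for illustration, and the regexes are heuristics, not a complete policy.

```javascript
// Added example: heuristic triage of a snippet before pasting it into Scratchpad.
// Content mode reaches what the current site's own scripts reach; browser mode
// additionally reaches chrome-privileged globals (Components, Services, ChromeUtils).
const CONTENT_REACH = {
  siteData: /\bdocument\.cookie\b|\b(?:local|session)Storage\b|\bindexedDB\b/,
  network: /\bfetch\s*\(|\bXMLHttpRequest\b|\bnavigator\.sendBeacon\b|\bWebSocket\b/,
  actAsUser: /\.submit\s*\(|\.click\s*\(|\blocation\.(?:href\s*=|assign\s*\()/,
};
const BROWSER_ONLY = /\bComponents\.(?:classes|interfaces|utils)\b|\bServices\.\w+|\bChromeUtils\b/;
// Code that hides what it does cannot be reviewed by reading it, so treat it as unsafe.
const OPAQUE = /\beval\s*\(|\bnew\s+Function\b|\batob\s*\(|\\x[0-9a-f]{2}|String\.fromCharCode/i;

function triage(snippet, mode = "content") {
  const findings = Object.keys(CONTENT_REACH).filter((k) => CONTENT_REACH[k].test(snippet));
  const privileged = BROWSER_ONLY.test(snippet); // only effective in browser mode
  const opaque = OPAQUE.test(snippet);
  let verdict = "review";
  if (opaque) {
    verdict = "do-not-run";
  } else if (privileged && mode === "browser") {
    verdict = "do-not-run"; // would run with the browser's own permissions
  } else if (findings.includes("siteData") && findings.includes("network")) {
    verdict = "do-not-run"; // reads site data and talks to the network
  } else if (findings.length === 0 && !privileged) {
    verdict = "low-risk";
  }
  return { mode, findings, privileged, opaque, verdict };
}

// Constructed sample snippets (not taken from any real site).
const SAMPLES = {
  countLinks: 'document.querySelectorAll("a").length',
  readAndSend: 'console.log(document.cookie); fetch("/api/ping");',
  chromeApi: 'Services.prefs.getBoolPref("example.pref")',
  hidden: "eval(atob(payload))",
};

for (const [name, code] of Object.entries(SAMPLES)) {
  for (const mode of ["content", "browser"]) {
    const r = triage(code, mode);
    console.log(`${name} [${mode}]: ${r.verdict} (${r.findings.join(",") || "no content-mode reach"})`);
  }
}
```

A "review" verdict for a chrome-API snippet in content mode reflects that those globals are not exposed to page-level code, so the snippet only becomes dangerous once the Scratchpad is switched to Browser mode.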
