Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Review #13

Open
topdan opened this issue May 26, 2012 · 2 comments
Open

Security Review #13

topdan opened this issue May 26, 2012 · 2 comments
Milestone
1.0 - Security an...

Comments

@topdan
Copy link
Owner

topdan commented May 26, 2012

Need to ensure websites aren't given chrome privileges and userscripts can't expose website data to other websites.
@topdan
Copy link
Owner Author

topdan commented May 26, 2012

The userscript pattern I use from this MDN document: https://developer.mozilla.org/en/Components.utils.evalInSandbox

json = Components.utils.evalInSandbox("render(#{JSON.stringify(limitedRequest)});", sandbox)
if typeof json == 'string'
  # trust the json string

the MDN example uses an integer, which could be a key part to the security with string not working. I don't know

@topdan
Copy link
Owner Author

topdan commented May 26, 2012

Also crossDomain is a userscript API function because flash players sometimes make requests for data across domains. This is a security hole if not made clear to uses when installing scripts.

  • userscripts declare what domains they want access to, users agree to allow it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.0 - Security and Platform Support
Development

No branches or pull requests
1 participant
@topdan