Firefox3/QuerySelector Security Review
Revision as of 18:50, 27 August 2008
Overview
This feature allows websites to get a static NodeList containing Element nodes that match a given CSS selector, with the option of only getting Elements that are descendants of a given Node.
- Background links
Security and Privacy
- The code assumes that selector parsing in general can handle arbitrary byte sequences as input. The main attack point being introduced is a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation.
Exported APIs
- The code exports the querySelector and querySelectorAll APIs as defined in the specification, except without allowing namespace resolution.
Data
- The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak to allow EOF to correctly terminate the selector.
- The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.
Reliability and configuration
- There is no user interaction or configuration involved, nor any developer configuration.