Security:Security Checks In Glue: Difference between revisions
Revision as of 18:57, 12 September 2006

Abstract

This is a proposal for a security model for Gecko. The key idea of this proposal is that all security and access checks are performed immediately upon entry from JavaScript into C++ code. Contrast this with the proposal at Security:Scattered_Security_Checks.

Conceptual description

In this model, security checks are performed only at known entry points from JavaScript into C++. For example, consider the following JavaScript:

document.importNode(node);

This code needs to perform a security check to see whether document and node are same-origin. In this model, this check could be performed in the following places:

- The code mapping Document.importNode to nsDocument::ImportNode
- The implementation of nsDocument::ImportNode

The check could NOT be performed in nsNodeUtils::Clone, which is called by nsDocument::ImportNode to do the actual work of importing in this case.

Pros and cons

Implementation notes
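The layering above, as an added illustration that is not Gecko code: a hypothetical glue function standing in for the Document.importNode binding performs the same-origin check, the ImportNode implementation trusts its caller, and the Clone helper at the bottom does only the work. The Document, Node, NodeUtils and origin strings are constructed stand-ins, not Gecko's types.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical stand-ins for nsINode / nsIDocument: only an origin and a name.
struct Node {
    std::string origin;
    std::string name;
};

struct Document {
    std::string origin;
    // Implementation layer (nsDocument::ImportNode role): trusts its caller,
    // performs no security check of its own.
    Node ImportNode(const Node& node);
};

namespace NodeUtils {
// Deepest layer (nsNodeUtils::Clone role): does the actual work, never checks.
inline Node Clone(const Node& src, const std::string& newOwnerOrigin) {
    return Node{newOwnerOrigin, src.name};
}
}  // namespace NodeUtils

Node Document::ImportNode(const Node& node) {
    return NodeUtils::Clone(node, origin);
}

struct SecurityError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Same-origin comparison on the constructed origin strings.
inline bool SameOrigin(const std::string& a, const std::string& b) { return a == b; }

// Glue layer: stand-in for the code mapping Document.importNode to
// nsDocument::ImportNode. This is the ONLY place the JS -> C++ entry is checked.
inline Node Glue_Document_importNode(Document& doc, const Node& node) {
    if (!SameOrigin(doc.origin, node.origin)) {
        throw SecurityError("importNode: document and node are not same-origin");
    }
    return doc.ImportNode(node);
}

// Convenience wrapper returning a bool instead of throwing.
inline bool TryImportNode(Document& doc, const Node& node, Node* out) {
    try { *out = Glue_Document_importNode(doc, node); return true; }
    catch (const SecurityError&) { return false; }
}
```

Because ImportNode and Clone have no checks, any other C++ caller that reaches them bypasses the policy entirely; under this model that is by design, and the invariant to audit is that every JS-reachable path goes through a glue function like the one above.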