| Line 75: | Line 75: | ||
+------------------------------------------------------------+ | +------------------------------------------------------------+ | ||
The picture looks similar to the first one, and is similar in terms of memory ''ownership'' semantics. The functional difference is that a <tt>XPCNativeWrapper</tt> performs property lookup differently | The picture looks similar to the first one, and is similar in terms of memory ''ownership'' semantics. The functional difference is that a <tt>XPCNativeWrapper</tt> performs property lookup differently from a normal wrapped native. The difference is related to a certain type of attack vector involving property-name shadowing. | ||
For example, suppose chrome JS associated with some browser logic or extension were to walk the content DOM. Doing so involves acquiring wrappers to content DOM nodes and calling DOM methods on the <tt>JSObject</tt> side of those wrappers, but with chrome privilege. If content were malicious, it could shadow DOM methods that are supposed to pass through to the underlying C++ DOM element, by attaching same-named properties to the wrapper JSObject. If these shadowed properties contained attack code, chrome would call the attack code with chrome privilege. | For example, suppose chrome JS associated with some browser logic or extension were to walk the content DOM. Doing so involves acquiring wrappers to content DOM nodes and calling DOM methods on the <tt>JSObject</tt> side of those wrappers, but with chrome privilege. If content were malicious, it could shadow DOM methods that are supposed to pass through to the underlying C++ DOM element, by attaching same-named properties to the wrapper JSObject. If these shadowed properties contained attack code, chrome would call the attack code with chrome privilege. | ||
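Review bot: the sentence added in the right-hand column of the Line 75 hunk still leaves the security point vague ("a certain type of attack vector involving property-name shadowing") even though the very next paragraph describes that attack concretely; consider stating it directly, e.g. "The difference exists to defeat property-name shadowing by content, described in the next paragraph." Also, "a <tt>XPCNativeWrapper</tt>" should read "an <tt>XPCNativeWrapper</tt>" in both columns, since the name is pronounced with a leading vowel.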