XPConnect Chrome Object Wrappers: Difference between revisions
(simplified explanation) |
(added more) |
||
| Line 11: | Line 11: | ||
<pre class="brush:js;"> | <pre class="brush:js;"> | ||
const Cu = Components.utils; | const Cu = Components.utils; | ||
function foo(obj) { | |||
/* Do something here that requires chrome privileges. */ | |||
} | |||
foo.__callableByContent__ = true; | |||
var sandbox = Cu.Sandbox("http://www.mozilla.org"); | var sandbox = Cu.Sandbox("http://www.mozilla.org"); | ||
sandbox.foo = | sandbox.foo = foo; | ||
var result = Cu.evalInSandbox("foo({bar: 5});"); | var result = Cu.evalInSandbox("foo({bar: 5});"); | ||
</pre> | </pre> | ||
In the above example, <tt>foo()</tt> is wrapped by a COW when accessed by sandboxed code executed via <tt>Components.utils.evalInSandbox()</tt>. The object <tt>{bar: 5}</tt> is wrapped in an <tt>XPCSafeJSObjectWrapper</tt> before being passed into <tt>foo()</tt>. | In the above example, <tt>foo()</tt> is wrapped by a COW when accessed by sandboxed code executed via <tt>Components.utils.evalInSandbox()</tt>. The object <tt>{bar: 5}</tt> is wrapped in an <tt>XPCSafeJSObjectWrapper</tt> before being passed into <tt>foo()</tt>. | ||
The metadata attached to <tt>foo()</tt>, <tt>__callableByContent__</tt>, is used to explicitly declare that the function its attached to can be called from content. This is necessary for security purposes; if a function that's only ever intended to be called from trusted code ever accidentally "falls into the wrong hands", we don't want untrusted code to be able to exploit it. | |||
Revision as of 04:27, 17 September 2009
Introduction
Chrome Object Wrappers, or COWs for short, allow privileged code to securely expose some subset of its functionality to untrusted or semi-trusted content.
The COW is actually the final step in an epic quest to make the interaction between chrome and content as natural and secure as possible by encasing JavaScript objects in "membranes" that mediate access between their object and the outside world. Before reading the rest of this document, you should be familiar with the story so far, which is explained in detail at XPConnect wrappers.
Usage
COWs are always created automatically whenever an object passes through a trust boundary. For instance, assume the following chrome-privileged code:
const Cu = Components.utils;
function foo(obj) {
/* Do something here that requires chrome privileges. */
}
foo.__callableByContent__ = true;
var sandbox = Cu.Sandbox("http://www.mozilla.org");
sandbox.foo = foo;
var result = Cu.evalInSandbox("foo({bar: 5});");
In the above example, foo() is wrapped by a COW when accessed by sandboxed code executed via Components.utils.evalInSandbox(). The object {bar: 5} is wrapped in an XPCSafeJSObjectWrapper before being passed into foo().
The metadata attached to foo(), __callableByContent__, is used to explicitly declare that the function its attached to can be called from content. This is necessary for security purposes; if a function that's only ever intended to be called from trusted code ever accidentally "falls into the wrong hands", we don't want untrusted code to be able to exploit it.