Also in keeping with this philosophy, however, is the notion that we don't want to expose chrome data or functionality to untrusted code unless the developer explicitly provides permission to do so. This is lexically enforced through the use of metadata, as will be shown shortly.

=== COWing Functions ===

Assume the following chrome-privileged code:

The metadata attached to <tt>foo()</tt>, <tt>__callableByContent__</tt>, is used to explicitly declare that the function it's attached to can be called from content. This is necessary for security purposes: if a function that's only ever intended to be called from trusted code ever accidentally "falls into the wrong hands", we don't want untrusted code to be able to exploit it.
'''TODO:''' What kind of exception should be raised when a function without <tt>__callableByContent__</tt> is called from content? Or should the call be a no-op and thus fail silently?
=== COWing Objects === | |||
By default, chrome objects passed into content space are completely opaque: no information can be accessed from them, and no properties can be defined on them.

'''TODO:''' What happens on read/write of properties on such objects? Is an exception raised, or do all reads simply return <tt>undefined</tt> and all writes become no-ops?
Individual properties can be exposed by defining a <tt>__exposedProps__</tt> property on the object, like so: | |||
<pre class="brush:js;">
const Cu = Components.utils;

var MyObj = {
  // Exposure metadata: foo is readable from content, bar is readable and
  // writable; baz is absent from the list and therefore invisible to content.
  __exposedProps__: {foo: "r", bar: "rw"},
  foo: function foo(obj) {
    /* Do something here that requires chrome privileges. */
  },
  bar: "supdog",
  baz: "I am protected information"
};

// Without this flag, foo is visible to content but cannot be invoked from it.
MyObj.foo.__callableByContent__ = true;
</pre>
In the above example, <tt>MyObj.foo()</tt> can be accessed but not assigned to—and <tt>foo()</tt> itself is callable from content, since <tt>__callableByContent__</tt> is set—and <tt>MyObj.bar</tt> is both readable and writable, while <tt>MyObj.baz</tt> can't be accessed at all. | |||
'''TODO:''' What should the default <tt>toString()</tt> method of a COW'ed object with no metadata yield? | |||
'''TODO:''' Does this work okay with getters and setters? | |||
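The policy described in this section can be emulated with a JavaScript <tt>Proxy</tt>. The following is an added example written for this page; it is not Mozilla's COW implementation (the real wrappers are C++ inside XPConnect), and the helper names <tt>cow()</tt>, <tt>cowObject()</tt>, <tt>cowFunction()</tt>, <tt>makeChromeObject()</tt> and <tt>probeFromContent()</tt> are hypothetical. Because the TODOs above leave undeclared reads, writes and calls unspecified, the example makes these assumptions: an undeclared read yields <tt>undefined</tt>, while undeclared writes, defines, deletes and calls throw a <tt>TypeError</tt>. It reproduces <tt>MyObj</tt> from the example above and adds one method, <tt>secret</tt>, which is exposed with <tt>"r"</tt> but lacks <tt>__callableByContent__</tt>, to show that readability and callability are independent.

```javascript
// Added example: a Proxy-based emulation of the COW policy on this page.
// Not Mozilla's code; undeclared-access behaviour below is an assumption.
const EXPOSED = '__exposedProps__';
const CALLABLE = '__callableByContent__';

// wrapper -> chrome object. A chrome function invoked through a wrapper must
// run against the real object, not against content's restricted view of it.
const unwrapMap = new WeakMap();
const unwrap = (v) => (unwrapMap.has(v) ? unwrapMap.get(v) : v);

// "r", "rw" or "" for a property, taken from the object's own __exposedProps__.
function permissionFor(target, key) {
  const exposed = target[EXPOSED];
  if (typeof key !== 'string' || !exposed || !Object.prototype.hasOwnProperty.call(exposed, key)) {
    return '';
  }
  return String(exposed[key]);
}

function cowFunction(fn) {
  const proxy = new Proxy(fn, {
    apply(target, thisArg, args) {
      if (target[CALLABLE] !== true) { // assumption: undeclared call throws
        throw new TypeError(`${target.name || 'function'} is not callable from content`);
      }
      // Unwrap `this` and arguments so chrome code works on real objects, and
      // wrap the result so a raw chrome object is never handed back to content.
      return cow(Reflect.apply(target, unwrap(thisArg), args.map(unwrap)));
    },
    // Content sees none of the function's own properties, not even its metadata.
    get: () => undefined,
    set(_target, key) { throw new TypeError(`cannot set ${String(key)} on a chrome function`); },
  });
  unwrapMap.set(proxy, fn);
  return proxy;
}

function cowObject(obj) {
  const readable = (target, key) => permissionFor(target, key).includes('r');
  const proxy = new Proxy(obj, {
    get(target, key) {
      if (!readable(target, key)) return undefined; // assumption: undeclared read
      // A getter runs here with `this` bound to the unwrapped chrome object.
      return cow(Reflect.get(target, key));
    },
    set(target, key, value) {
      if (!permissionFor(target, key).includes('w')) { // assumption: undeclared write throws
        throw new TypeError(`${String(key)} is not writable from content`);
      }
      return Reflect.set(target, key, unwrap(value));
    },
    has: (target, key) => readable(target, key),
    ownKeys: (target) => Reflect.ownKeys(target).filter((k) => readable(target, k)),
    getOwnPropertyDescriptor(target, key) {
      if (!readable(target, key)) return undefined;
      const desc = Reflect.getOwnPropertyDescriptor(target, key);
      if (desc && 'value' in desc) desc.value = cow(desc.value);
      return desc;
    },
    defineProperty(_target, key) { throw new TypeError(`cannot define ${String(key)} on a chrome object`); },
    deleteProperty(_target, key) { throw new TypeError(`cannot delete ${String(key)} from a chrome object`); },
    getPrototypeOf: () => null, // no walk up to chrome's Object.prototype
  });
  unwrapMap.set(proxy, obj);
  return proxy;
}

function cow(value) {
  if (unwrapMap.has(value)) return value; // already a wrapper
  if (typeof value === 'function') return cowFunction(value);
  if (value !== null && typeof value === 'object') return cowObject(value);
  return value; // primitives carry no capabilities and pass through unchanged
}

// The page's MyObj (constructed sample data) plus `secret`: exposed for reading
// but without __callableByContent__, so it is visible yet not invocable.
function makeChromeObject() {
  const MyObj = {
    __exposedProps__: { foo: 'r', bar: 'rw', secret: 'r' },
    foo: function foo(n) {
      return this.baz.length + n; // chrome-privileged body: may read baz
    },
    bar: 'supdog',
    baz: 'I am protected information',
    secret: function secret() { return this.baz; },
  };
  MyObj.foo.__callableByContent__ = true;
  return MyObj;
}

// What untrusted content can observe and do through the wrapper.
function probeFromContent(chromeObj) {
  const w = cow(chromeObj);
  const seen = {
    bar: w.bar,                            // 'supdog' (exposed "rw")
    baz: w.baz,                            // undefined (not exposed)
    hasBaz: 'baz' in w,                    // false
    keys: Object.keys(w),                  // ['foo', 'bar', 'secret']
    metadata: w.foo.__callableByContent__, // undefined: metadata is hidden
    fooResult: w.foo(2),                   // 28: ran in chrome on the real object
  };
  w.bar = 'yo';                            // allowed; lands on the chrome object
  seen.barAfterWrite = chromeObj.bar;
  const attempts = {
    'write foo': () => { w.foo = null; },
    'call secret': () => w.secret(),
    'define prop': () => Object.defineProperty(w, 'x', { value: 1 }),
    'delete bar': () => { delete w.bar; },
  };
  seen.rejected = Object.keys(attempts).filter((name) => {
    try { attempts[name](); return false; } catch (e) { return e instanceof TypeError; }
  });
  return seen;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(probeFromContent(makeChromeObject()));
}
```

Run it with <tt>node</tt>; <tt>probeFromContent(makeChromeObject())</tt> returns exactly what content sees. Two design choices bear on the TODOs above: getters defined on the chrome object run with <tt>this</tt> bound to the unwrapped object, because the <tt>get</tt> trap calls <tt>Reflect.get</tt> on the target and only wraps the result; and since the <tt>get</tt> trap returns <tt>undefined</tt> for <tt>toString</tt>, <tt>valueOf</tt> and <tt>Symbol.toPrimitive</tt>, <tt>String(wrapper)</tt> throws a <tt>TypeError</tt> instead of revealing anything about the object.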