Security:Security Checks In Glue
Abstract
This is a proposal for a security model for Gecko. The key idea of this proposal is that all security and access checks are performed immediately upon entry from JavaScript into C++ code. Contrast this with the proposal at Security:Scattered_Security_Checks.
Conceptual description
In this model, security checks are performed only at known entry points from JavaScript into C++. For example, consider the following JavaScript:
document.importNode(node);
This code needs to perform a security check to see whether document and node are same-origin. In this model, this check could be performed in the following places:
- The code mapping Document.importNode to nsDocument::ImportNode
- The implementation of nsDocument::ImportNode
The check could NOT be performed in nsNodeUtils::Clone, which is called by nsDocument::ImportNode to do the actual work of importing in this case.
In general, in this model there is a concept of "the function currently being called from JS". This function is the only function that does security checks.
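As an added illustration, not code from the Gecko tree, the following C++ sketch models where the check lives under this proposal: the glue entered from JS performs the same-origin check, while the worker underneath it does none. Names such as Principal, CloneNode, ImportNodeImpl, ImportNodeGlue, MakeDoc, MakeNode and the origin strings are constructed stand-ins, not Gecko APIs.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>
// Origin of a document or node, modelled as a plain string (constructed for this example).
struct Principal { std::string origin; };
struct Document { Principal principal; };
struct Node {
  Principal principal;
  std::string name;
  std::vector<std::shared_ptr<Node>> children;
};

bool SameOrigin(const Principal& a, const Principal& b) { return a.origin == b.origin; }

// Internal worker standing in for nsNodeUtils::Clone: no security check at all. That is
// safe only because every path from JS into it has already been checked at the glue.
std::shared_ptr<Node> CloneNode(const Node& src, const Principal& newOwner) {
  auto copy = std::make_shared<Node>();
  copy->principal = newOwner;
  copy->name = src.name;
  for (const auto& child : src.children) copy->children.push_back(CloneNode(*child, newOwner));
  return copy;
}

// Stand-in for nsDocument::ImportNode. The model allows the check here or in the glue, never
// deeper; this example puts it in the glue, so this function trusts its caller.
std::shared_ptr<Node> ImportNodeImpl(const Document& doc, const Node& node) {
  return CloneNode(node, doc.principal);
}

// The glue: the one place that knows it is "the function currently being called from JS".
// Returns nullptr where real glue would throw a security exception back to the JS caller.
std::shared_ptr<Node> ImportNodeGlue(const Document& doc, const Node& node) {
  if (!SameOrigin(doc.principal, node.principal)) return nullptr;
  return ImportNodeImpl(doc, node);
}

// Constructed sample data for the demonstration below.
Document MakeDoc(const std::string& origin) { return Document{Principal{origin}}; }
Node MakeNode(const std::string& origin, const std::string& name) { return Node{Principal{origin}, name, {}}; }

int main() {
  Document doc = MakeDoc("https://a.example");
  bool sameOk = ImportNodeGlue(doc, MakeNode("https://a.example", "div")) != nullptr;
  bool crossRejected = ImportNodeGlue(doc, MakeNode("https://b.example", "div")) == nullptr;
  std::printf("same-origin import ok: %d, cross-origin import rejected: %d\n", sameOk, crossRejected);
  return 0;
}
```

The point the sketch makes is that CloneNode succeeds on the cross-origin node when called directly; only the glue rejects it, so any new path from JS to CloneNode must enter through checked glue.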