[Greasemonkey] say horray for evalInSandbox()
Godmar Back
godmar at gmail.com
Tue Jul 19 00:01:10 EDT 2005
Judging from https://bugzilla.mozilla.org/attachment.cgi?id=186324&action=diff
this appears to create a temporary security context and execute the
given script in it, then it destroys that context.

Suppose the code contains

    addEventListener("someevent", function () { .... }, false)

or

    setTimeout(function () { ... }, 10)

In which security context will those functions execute?

Suppose the code contained:

    window.f = function () { ... }

and some malicious code did window.f(), in which context would f() execute?

- Godmar

On 7/18/05, Aaron Boodman <zboogs at gmail.com> wrote:
> Thanks to help from Shaver and Brendan I was able to get this working
> with basically zero compatibility loss from previous versions.
>
> This should be more or less immune to script or API leakage. Check it out.
>
> Only problems:
>
> * it's pretty slow! ~20-40ms for each insertion
> * having trouble getting decent error reports when user scripts fail
>
>
> --
> Aaron