[Mozile] Mozile Extension Security
James A. Overton
james at overton.ca
Fri Feb 17 20:11:44 EST 2006
I've been working on the Mozile Extension and thinking about
security issues. Here's how I understand the situation:
JavaScript doesn't make the distinction between properties and
methods of an object. A method is just a property with a reference to
a function as its value. You can overwrite methods and properties of
any object as you please, including native objects.
Before Firefox 1.5 this led to a serious security issue: a script in
a page could overwrite a property of a native object, and if code
from the browser accessed that property it would get the new code
instead of what it expected. Since the browser runs with more
privileges, the new code would gain privileges it wasn't supposed to
have.
Firefox 1.5 (Gecko 1.8) introduced XPCNativeWrappers
(http://developer.mozilla.org/en/docs/XPCNativeWrapper) to fix this problem.
Now if code in the browser asks for the document.location from a
page, then that's exactly what it will get. Inside the page you can
still do whatever you like, but from the outside the changes won't be
seen unless you explicitly unwrap the object:
document.wrappedJSObject.location
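To make the point above concrete, here is an added example (mine, not Mozile's or Gecko's code) that simulates in plain JavaScript why privileged code must not trust properties on a page-controlled object, and how a wrapper that resolves properties against the native prototype only, in the spirit of XPCNativeWrapper, hides the page's overrides until you explicitly unwrap. The NativeDocument class, the WeakMap state and the URLs are constructed stand-ins.

```javascript
// Added example (not Mozile's or Gecko's code): a Node-runnable simulation of
// why a privileged caller must not trust properties of a page-controlled
// object, and of the XPCNativeWrapper idea: look properties up on the native
// prototype only, so page-added overrides are invisible unless unwrapped.

// Native state lives here, standing in for C++ state a page script cannot touch.
const nativeState = new WeakMap();

// Stand-in for the browser's native document object.
class NativeDocument {
  constructor(href) { nativeState.set(this, { href }); }
  get location() { return nativeState.get(this).href; }
}

// An untrusted page script: a method is just a property holding a function,
// so the page can shadow the native getter with its own.
function pageOverridesLocation(doc, fakeHref) {
  Object.defineProperty(doc, "location", { get: () => fakeHref, configurable: true });
  return doc;
}

// Pre-1.5 style privileged code: reads whatever the page object exposes.
function naivePrivilegedRead(doc) {
  return doc.location;
}

// Simplified wrapper in the spirit of XPCNativeWrapper: property lookups
// resolve against the native prototype's descriptors, so own properties the
// page added are never seen. `wrappedJSObject` hands back the raw object,
// which is the explicit unwrap the post describes.
function nativeWrap(doc) {
  const proto = NativeDocument.prototype;
  return new Proxy(doc, {
    get(target, prop) {
      if (prop === "wrappedJSObject") return target;
      const desc = Object.getOwnPropertyDescriptor(proto, prop);
      if (!desc) return undefined;
      return typeof desc.get === "function" ? desc.get.call(target) : desc.value;
    },
  });
}

// Constructed sample: a page at one URL reports a different location.
const pageDoc = pageOverridesLocation(new NativeDocument("http://example.test/page"),
                                      "http://attacker.invalid/");
console.log(naivePrivilegedRead(pageDoc));             // page's fake value
console.log(naivePrivilegedRead(nativeWrap(pageDoc))); // native value
```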
I originally designed the Mozile 0.7 Extension around the idea that
redefined objects would be accessible from inside and outside a page.
This caused big problems when Firefox 1.5 came out, and the easiest
solution was to just unwrap the objects and defeat the whole purpose
of the wrappers.
In 0.7.2 I reworked the extension so it doesn't have to unwrap
anything. Mozile code is injected into the document using
<script src="chrome://mozile/content/foo.js"/> tags. The code in the page is
loaded from chrome. Neither the extension nor the Mozile code in the
page has direct access to the other. When the editable page is
"enhanced", specific data is shared by passing it back and forth
through the attributes of a normal element.
However, just by being stored in chrome, the JavaScript code behaves
differently. It can't access methods that have been added to native
objects unless it unwraps them. So it's "outside" the
XPCNativeWrappers. Still, it doesn't have other privileges like
access to the browser's preferences system. I'm not sure how secure
it really is.
Today I came up with a way to inject Mozile into a page using
<script> tags with the text contents of files in chrome. Once the
scripts are in the page they don't run as chrome, and when you try to
access document.wrappedJSObject you find it's undefined. I think this
is as secure as it gets.
I haven't posted these latest changes to CVS yet because there's
still some polishing to do. Also, I don't know if jumping through the
extra hoops is necessary.
I'd like to know more about this. Are scripts loaded from chrome
secure? Secure enough? Is it worthwhile injecting code into the page
as text instead?
James