[Project_owners] Javascript (de)serialization question

Nickolay Ponomarev asqueella at gmail.com
Mon Mar 13 04:12:43 EST 2006

On 3/13/06, Paul Tomlin <paul at paultomlin.com> wrote:
> here. I'd be tempted to reset the __proto__ property to regain your class
> data to allow for this, or create a wrapper class which deals with the
> details...
I agree with this suggestion but the code looks too java-ish. I would
just access the data object directly instead.
> var DataHandler = new Object();
> DataHandler.getFoo = function (obj)

> >> Do you care/need to know if the data is maliciously changed to include
> >> new functions that will now run inside chrome in your extension?
> >
> > No.
> You should, to be fair.. Though I wonder how many people check things
> like preference values in their extensions?
I thought about it before deciding to use toSource/eval, and decided that
I don't care about this problem. To get their code executed, an
attacker would have to either
1) set the prefs - they'd need full access to machine for that anyway
or 2) get user to save a file with contents like this: ({get mypref()
{ doSomethingEvil() }}) - to the profile folder. I find it very
unlikely that a normal user would do this. Or rather that this scenario
is any more probable than running a random executable downloaded from
the internet (which is a lot easier to do, by the way).

> If you store & use, without checking, something like a web URL that's
> used, for instance, with some user account info (social bookmarking,
> hotmail/google, etc) then a naughty extension could switch that to a
> proxy...
A naughty extension could send the passwords file to its creators
right away. No need to rely on a security "vulnerability" in your
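
Added example (not code from this thread or from any participant): the sketch below contrasts the toSource/eval style of loading discussed above with a data-only loader built on JSON.parse plus a type check, using the getter form quoted in the message as constructed input. The names loadWithEval, loadAsData, SCHEMA and the sample values are assumptions made for illustration.

```javascript
// Constructed sample inputs: a benign stored value, and the getter form quoted in the message.
const benignStored = '{"mypref": "value", "count": 3}';
const getterStored = '({get mypref() { sideEffects.push("getter ran"); return "x"; }})';

const sideEffects = []; // records any code that runs as a result of loading

// eval-based loader, as in the toSource/eval approach: stored text is executed as code.
function loadWithEval(text) {
  return eval(text);
}

// Data-only loader: JSON.parse accepts no functions, getters or expressions.
// The expected keys and types (SCHEMA) are an assumption for this example.
const SCHEMA = { mypref: 'string', count: 'number' };
function loadAsData(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'not an object' };
  }
  const clean = Object.create(null); // no inherited properties on the result
  for (const [key, type] of Object.entries(SCHEMA)) {
    const own = Object.prototype.hasOwnProperty.call(parsed, key);
    if (!own || typeof parsed[key] !== type) {
      return { ok: false, reason: 'bad or missing key: ' + key };
    }
    clean[key] = parsed[key];
  }
  return { ok: true, value: clean };
}

function demo() {
  const viaEval = loadWithEval(getterStored);
  const before = sideEffects.length;
  void viaEval.mypref; // a plain property read runs the getter body
  const after = sideEffects.length;
  return {
    getterRanOnRead: after - before === 1,
    dataLoaderRejectsGetter: loadAsData(getterStored).ok === false,
    dataLoaderAcceptsBenign: loadAsData(benignStored).ok === true,
  };
}
console.log(demo());
```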

