[Project_owners] Q.: how can trusted chrome code assert its security privileges in FF?

Godmar Back godmar at gmail.com
Tue Jun 2 08:11:37 PDT 2009


I'm wondering if anybody could provide pointers to documentation, or
insight, about FF's security model.

Specifically, I'm being faced with the problem in which JS code
running in a sandbox calls a JS function defined by extension/chrome
code, but FF's security manager appears to apply the security policy
that governs the subject of the sandbox. In the specific case, a call
to XPath's evaluate function fails with a security error because the
document being operated one was retrieved from a different origin that
the origin associated with the sandbox.

My question: does Firefox's JS have something similar to
AccessController.doPrivileged() [1] that would allow trusted chrome
code to assert its privileges when being called from untrusted sandbox
code? If not, how is it possible to provide controlled access to
functionality that requires the system principal to untrusted code?


 - Godmar

[1] http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)

More information about the Project_owners mailing list