Monday, September 20, 2010

More considerations for using jQuery 1.4.2 in Firefox 3.5 extensions

I wrote about these considerations in an earlier post, but that post only touched on the effort involved in getting it working in the first place. There are more security issues to consider once that is done (no matter which route you've taken to get things working).

As background for this post, you are invited to read the MDC documentation about XPCNativeWrapper, but it is not necessary. Suffice it to say that it is not safe to manipulate a web page's DOM elements directly within privileged (aka chrome aka extension) code. For example, if I, as a malicious web page author, have overridden document.getElementById to do something nasty (or even something benign like alert("hi");), then when you use the document object as a context in jQuery, you'll get my behavior instead of the intended selection behavior. This problem is circumvented by wrapping unsafe DOM elements from my web page in a wrapper that does not allow unsafe function calls (hence the XPCNativeWrapper).

The problem is that the wrapper limits access to unsafe properties, meaning that some properties jQuery expects could be missing (depending on what you are doing). A tempting alternative is to simply reference the wrappedJSObject property of the wrapper, which will get you the underlying object, but that opens you up to a whole slew of injection attacks (so don't do it).
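The trade-off described above, as an added example that is not from the original post: a plain-JavaScript simulation that runs in Node and is not Firefox's XPCNativeWrapper implementation. FakeDocument, nativeWrap, lookup and the sample values are constructed for illustration.

```javascript
// Simulation only; NOT Firefox's XPCNativeWrapper.
// FakeDocument, nativeWrap and the sample ids are constructed for this example.

// Stand-in for the browser's built-in document implementation.
class FakeDocument {
  constructor(ids) { this._ids = new Set(ids); }
  getElementById(id) { return this._ids.has(id) ? `<element #${id}>` : null; }
}

// Minimal stand-in for the wrapper: only methods on the native prototype are
// reachable, and they are always taken from the prototype, never from
// properties the page set on the object itself.
function nativeWrap(obj) {
  const proto = Object.getPrototypeOf(obj);
  return new Proxy(obj, {
    get(target, name) {
      if (name === "wrappedJSObject") return target; // the unsafe escape hatch
      const native = proto[name];
      if (typeof native === "function") return native.bind(target);
      return undefined; // page-defined properties are invisible
    },
  });
}

// Content side: the page shadows the native method and adds its own property.
const pageDocument = new FakeDocument(["login"]);
const calls = [];
pageDocument.getElementById = function (id) {
  calls.push(id); // page script now sees and controls the privileged call
  return "<page-controlled value>";
};
pageDocument.pageHelper = "set by page script";

// Privileged side: the same lookup through each route.
function lookup(doc, id) { return doc.getElementById(id); }

const wrapped = nativeWrap(pageDocument);
const viaWrapper = lookup(wrapped, "login");                   // native method
const viaUnwrapped = lookup(wrapped.wrappedJSObject, "login"); // page override

console.log({ viaWrapper, viaUnwrapped, helper: wrapped.pageHelper, calls });
```

Through the wrapper the native lookup runs and the page's extra property is missing, which is the kind of gap jQuery can trip over; through wrappedJSObject the page's function runs with whatever the privileged caller passes it.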

I don't really have a solution for this either, outside of just making sure you only access what you need. In my mind though, I think the best solution is to simply not use jQuery at all.

