(Linked to the MDN page on script security)
(Removed mention of COWs)
* Xray wrappers: Xray wrappers are used when the scope has chrome privileges and the wrappee is the JS reflection of an underlying DOM object. Beyond the usual CCW duties of making sure that content code does not run with chrome privileges, Xray wrappers also ensure that calling methods or accessing attributes on the wrappee has the "expected" effect. For example, a web page could replace the <code>close</code> method on its window with a JS function that does something completely different (e.g. <code>window.close = function() { alert("This isn't what you wanted!") };</code>). Properties that overwrite methods in this way (or create entirely new ones) are referred to as '''expando''' properties. Xrays see through expando properties, invoking the original method/getter/setter if the expando overwrites a builtin, or seeing undefined if the expando creates a new property. This allows chrome code to call methods on content DOM objects without worrying about how the page has changed the object.
* Waived xray wrappers: The xray behavior is not always desirable. It is possible for chrome to "waive" the xray behavior and see the actual JS object. The wrapper still guarantees that code runs with the correct privileges, but methods/getters/setters may not behave as expected. This is equivalent to the behavior chrome sees when it looks at non-DOM content JS objects.
* For more information, see the [https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security MDN page]
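
A simplified model of the Xray and waived-Xray behavior described in the list above, as an added example that is not Gecko code. <code>FakeWindow</code>, <code>xray</code> and <code>waive</code> are hypothetical names, and a <code>Proxy</code> over a snapshot of the builtin definitions stands in for the real wrapper machinery.

```javascript
// Model only: FakeWindow stands in for a DOM class (hypothetical name).
class FakeWindow {
  #closed = false;
  get closed() { return this.#closed; }
  close() { this.#closed = true; return "native close"; }
}

// Snapshot of the builtin definitions, taken before any page script runs.
// In this model it plays the role of the underlying native implementation.
const proto = FakeWindow.prototype;
const NATIVE = new Map(
  Reflect.ownKeys(proto).map((k) => [k, Object.getOwnPropertyDescriptor(proto, k)])
);
const wrappees = new WeakMap(); // xray proxy -> underlying content object

// xray(): privileged view that resolves every lookup against NATIVE and
// never consults what the page stored on the object or its prototype.
function xray(target) {
  const proxy = new Proxy(target, {
    get(t, prop) {
      const desc = NATIVE.get(prop);
      if (!desc) return undefined;            // expando that created a new property
      if (desc.get) return desc.get.call(t);  // original getter
      return typeof desc.value === "function" ? desc.value.bind(t) : desc.value;
    },
  });
  wrappees.set(proxy, target);
  return proxy;
}

// waive(): give up Xray vision and see the object as the page left it.
const waive = (x) => wrappees.get(x);

function demo() {
  const win = new FakeWindow();
  // Constructed page script: overwrite a builtin (on the instance and on
  // the prototype) and add a brand-new expando property.
  win.close = function () { return "This isn't what you wanted!"; };
  FakeWindow.prototype.close = win.close;
  win.secret = 42;

  const x = xray(win);
  return {
    xrayClose: x.close(),           // original method runs
    xrayClosed: x.closed,           // original getter reflects real state
    xrayExpando: x.secret,          // new expando is invisible
    waivedClose: waive(x).close(),  // page's replacement runs
    waivedExpando: waive(x).secret, // expando is visible again
  };
}
```

In this model the waived view calls whatever function the page installed, which is why code holding a waived reference has to treat method results and property values as page-controlled.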
== Images ==