Firefox3/QuerySelector Security Review

From MozillaWiki
Revision as of 18:50, 27 August 2008 by Dveditz (talk | contribs)

Overview

This feature allows websites to get a static NodeList containing Element nodes that match a given CSS selector, with the option of only getting Elements that are descendants of a given Node.

Background links

Security and Privacy

  • The code assumes that selector parsing in general can deal with arbitrary byte sequences being input. The main attack surface being introduced is a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation.

Exported APIs

  • The code exports the querySelector and querySelectorAll APIs as defined in the specification, except without allowing namespace resolution.

Data

  • The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak to allow EOF to correctly terminate the selector.
  • The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.
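The invariant the review relies on (any selector string yields either a NodeList or a DOMException, including on a document that is never rendered) can be checked directly. The harness below is an added example, not code from the review or from Mozilla; its probe selectors are constructed inputs, and it treats a DOMException of any name as a clean rejection.

```javascript
// Added example: probe querySelectorAll with hostile selector strings and report
// any outcome other than a static NodeList or a DOMException.

// Classify one call. `root` is anything exposing querySelectorAll (a Document,
// an Element, or a test stub); `selector` is arbitrary text.
function probeSelector(root, selector) {
  try {
    const list = root.querySelectorAll(selector);
    // A static NodeList exposes .length; record how many elements matched.
    return { selector, outcome: "matched", count: list.length };
  } catch (e) {
    // The parser is allowed to reject input, but only via a DOMException.
    if (typeof DOMException !== "undefined" && e instanceof DOMException) {
      return { selector, outcome: "rejected", name: e.name };
    }
    // Any other failure (wrong exception type, internal error) is a finding.
    return { selector, outcome: "unexpected", error: String(e) };
  }
}

// Constructed selectors aimed at the review's concerns: EOF terminating the
// selector mid-token, arbitrary code points, and the unsupported namespace syntax.
const PROBE_SELECTORS = [
  "div",           // ordinary selector: must match, not throw
  "",              // empty string: must be rejected cleanly
  "div[",          // EOF inside an attribute selector
  "a:not(",        // EOF inside a functional pseudo-class
  "\u0000\uffff",  // NUL and a non-character code point
  "svg|rect",      // namespace prefix: no resolver is exposed, so this cannot resolve
];

// Run every probe against one root and return only the unexpected outcomes.
function findUnexpected(root, selectors = PROBE_SELECTORS) {
  return selectors
    .map((s) => probeSelector(root, s))
    .filter((r) => r.outcome === "unexpected");
}

// In a browser, exercise the no-presentation path the review calls out:
// a DOMParser document is never rendered, so matching runs without a frame tree.
if (typeof DOMParser !== "undefined") {
  const doc = new DOMParser().parseFromString("<p><a></a></p><p></p>", "text/html");
  console.log("findings:", findUnexpected(doc));     // empty array when the invariant holds
  console.log("p count:", probeSelector(doc, "p").count);
}
```

In Node there is no DOM, so only the functions are defined; the browser branch runs in Firefox's console or a test page.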

Reliability and configuration

  • There is no user interaction or configuration involved, nor any developer configuration.

Review Comments