Javascript scope / security concern in Firefox extension
I am developing a FireFox extension and have to store some values that I need to be secure and inaccessible from any other extension/page etc.
I am using a setup for my extension code like seen here:
if(!namesp) var namesp={};
if(!namesp.anothernamesp) namesp.anothernamesp={};
namesp.anothernamesp = function() {
var mySecureValue = ''; //is this variable accessible from anything aside from inside the namesp.anothernamesp scope?
return {
useSecureValue: function() {
//do something here with mySecureValue
}
};
function getSecureValue() { //can this meth开发者_C百科od be called from anywhere besides inside the namesp.anothernamesp scope?
return mySecureValue;
}
}();
Is there any way that anything other than my own extension can access "mySecureValue"? To keep this object global accessible to any windows I might open in my extension etc, I pass the object to the window in the window.openDialog() method and use the window.arguments to access it from the newly created windows. Thank you.
Seems pretty correct. In fact that's a way the majority of tutorials and books teach to simulate private methods and properties.
No, there is no way you can keep one extension from impacting another extension.
The reasons for that are:
- extensions are Zip-archive-files renamed to have a *.xpi filename extension.
- the extensions are writen in plaintextfiles using a JavaScript dialect
- any other extension can at will open and access any file that your browser can access.
If some other extension wants to read your variable mySecureValue
it can do so by:
- accessing the your extensions *.xpi file (using nsIFile to read it from the
profile/extensions
folder) - unzip it nsIZipReader
- read the variable
mySecureValue
from your source file!
The most unfortunate reason for all that is that Mozilla firefox does not implement any form of right separation between the extensions. Every extension can do everything to everybody. It can even excecute a shellcode and do arbitraty other damage.
The only thing you can try is to obfuscate your secret data. This will though not prevent but maybe only complicate the attack.
精彩评论