开发者

How the addon of the firefox is accessing the file sytem

firefox wont allow the javascript to save a file in client machine is the browser security policy

https://addons.mozilla.org/en-US/firefox/addon/1046

the above 开发者_JAVA百科linked addon can save a file then why cant we save a file in the filesystem using javascript


Code that is part of an extension the user explicitly chose to install is trusted more than code running on a page the user happens to visit. Thus, Firefox allows extension code this functionality (accessing the filesystem), but does not allow code running in a webpage to do this.

This makes sense: it's much easier for an attacker to get a user to accidentally visit his malicious page and run it's javascript (with invisible iframes, for example), than it is for an attacker to get the user to install a malicious extension. Additionally, Mozilla code reviews every extension on their website to make sure they aren't malicious.

I should also note that extensions don't have to be written in Javascript. Many of them are written in native code (C++ usually), and there are XPCOM (one of the ways extensions interface with the browser) bindings for other languages as well (Python, for example).


Javascript is executed from the webpages you visit ; and, generally speaking, you cannot trust each and every webpage you visit -- which is why there are such security measures.


For the extensions, on the other hand :

  • You decide which extension has the right to run on your system, as you are the one installing them
    • And installing an extension means you trust it.
  • Are tested / reviewed by the team of AMO (correct me if I'm wrong ?)


Add-ons aren't subject to the security restrictions, because the user explicitly installed them (e.g., indicated trust). See the extensions documentation for details. This is very different from JavaScript running on a web page, which the user hasn't indicated they trust.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜