How the addon of the firefox is accessing the file sytem
firefox wont allow the javascript to save a file in client machine is the browser security policy
https://addons.mozilla.org/en-US/firefox/addon/1046
the above 开发者_JAVA百科linked addon can save a file then why cant we save a file in the filesystem using javascript
Code that is part of an extension the user explicitly chose to install is trusted more than code running on a page the user happens to visit. Thus, Firefox allows extension code this functionality (accessing the filesystem), but does not allow code running in a webpage to do this.
This makes sense: it's much easier for an attacker to get a user to accidentally visit his malicious page and run it's javascript (with invisible iframes, for example), than it is for an attacker to get the user to install a malicious extension. Additionally, Mozilla code reviews every extension on their website to make sure they aren't malicious.
I should also note that extensions don't have to be written in Javascript. Many of them are written in native code (C++ usually), and there are XPCOM (one of the ways extensions interface with the browser) bindings for other languages as well (Python, for example).
Javascript is executed from the webpages you visit ; and, generally speaking, you cannot trust each and every webpage you visit -- which is why there are such security measures.
For the extensions, on the other hand :
- You decide which extension has the right to run on your system, as you are the one installing them
- And installing an extension means you trust it.
- Are tested / reviewed by the team of AMO (correct me if I'm wrong ?)
Add-ons aren't subject to the security restrictions, because the user explicitly installed them (e.g., indicated trust). See the extensions documentation for details. This is very different from JavaScript running on a web page, which the user hasn't indicated they trust.
精彩评论