Javascript scope/security issue in a Firefox extension
I am developing a Firefox extension and have to store some values that I need to be secure and inaccessible from any other extension/page etc.
I am using a setup for my extension code like seen here:
    if(!namesp) var namesp={};
    if(!namesp.anothernamesp) namesp.anothernamesp={};
    namesp.anothernamesp = function() {
        var mySecureValue = ''; //is this variable accessible from anything aside from inside the namesp.anothernamesp scope?
        return {
            useSecureValue: function() {
                //do something here with mySecureValue
            }
        };
        function getSecureValue() { //can this method be called from anywhere besides inside the namesp.anothernamesp scope?
            return mySecureValue;
        }
    }();
Is there any way that anything other than my own extension can access "mySecureValue"? To keep this object globally accessible to any windows I might open in my extension etc, I pass the object to the window in the window.openDialog() method and use the window.arguments to access it from the newly created windows. Thank you.
Comments (2)
Seems pretty correct. In fact that's a way the majority of tutorials and books teach to simulate private methods and properties.
No, there is no way you can keep one extension from impacting another extension.
The reasons for that are:
If some other extension wants to read your variable mySecureValue it can do so by:
profile/extensions folder)
mySecureValue from your source file!
The most unfortunate reason for all that is that Mozilla Firefox does not implement any form of right separation between the extensions. Every extension can do everything to everybody. It can even execute a shellcode and do arbitrary other damage.
The only thing you can try is to obfuscate your secret data. This will though not prevent but maybe only complicate the attack.
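
As an added example (not code from the question or from either comment), the sketch below shows what the closure pattern in the question does and does not expose to a holder of the returned object, such as a dialog that receives it through window.arguments. `makeModule`, `exposeGetter`, `leaksSecret` and the secret string are hypothetical; as the second comment says, this is language-level scoping only, not separation between extensions.

```javascript
// Added example: names other than mySecureValue, useSecureValue and
// getSecureValue are hypothetical; the secret is a constructed sample value.
function makeModule(exposeGetter) {
  var mySecureValue = 'constructed-sample-secret'; // lives only in this closure

  function getSecureValue() {      // private unless attached to the result
    return mySecureValue;
  }

  var api = {
    // Uses the secret internally; the caller only learns true/false.
    useSecureValue: function (candidate) {
      return candidate === getSecureValue();
    }
  };
  if (exposeGetter) {
    api.getSecureValue = getSecureValue; // the mistake: getter becomes public
  }
  return Object.freeze(api);       // holders cannot swap out the methods
}

// Self-check: does anything reachable from the object hand back the secret?
// Reads every own property and calls every own method with no arguments.
function leaksSecret(obj, secret) {
  return Object.getOwnPropertyNames(obj).some(function (name) {
    var value = obj[name];
    if (typeof value === 'function') {
      try { value = value.call(obj); } catch (e) { return false; }
    }
    return value === secret;
  });
}

var namesp = { anothernamesp: makeModule(false) }; // the question's layout
var leaky = makeModule(true);                      // same module, getter exposed
```

A check like `leaksSecret` belongs in the extension's own test suite: it catches a public member that returns the value directly, but it says nothing about code that runs with the same privileges and can read the source file.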