
List:       mozilla-security
Subject:    js method registry
From:       pete collins <pcollins () ocsny ! com>
Date:       1999-11-02 20:30:55

I have an idea I would like to explore.

In addition to the chrome registry why not have a js method registry?

So that all exposed component interfaces that are benign can be
registered as "safe" methods to javascript from remote files.

And all Dangerous methods are only acceptable from registered local
chrome.

It seems like a relatively simple idea.

There are only N amount of exposed methods. (residing in 600 or so .idl
files)
Why not register the "safe" ones as default AOM methods??

for example:

void InsertText(in wstring textToInsert);

from nsIEditorShell.idl

seems to be a safe method to use.

where
void Save(); or void SaveAs();

is bad, a security risk.

If there was a registry of these very specific method names to the
javascript interface, then this could be a clean and hopefully easy way
of dealing with security.

So local chrome can reference all the interfaces contained in one
registry.
SAFE + UNSAFE

and

Remote chrome can reference only registry:
SAFE

if (FILE == remote) { jsMode = SAFE; }

If this is at all feasible and you guys think this is possible, I will
bite the bullet and attempt to do this.

I have the week of Thanksgiving off and could try then.

Please let me know what you think.

I am sure there are a lot of issues I am missing.


pete
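
Added example, not part of the original message and not Mozilla code: a JavaScript sketch of the SAFE/UNSAFE method registry proposed above, with unregistered methods denied to remote callers by default. MethodRegistry, wrap and the callerIsLocalChrome flag are hypothetical names, and the editor object is a constructed stand-in for a component implementing nsIEditorShell.

```javascript
// Added illustration; every name is hypothetical except the three
// nsIEditorShell methods mentioned in the message.
const SAFE = "SAFE", UNSAFE = "UNSAFE";
class MethodRegistry {
  constructor() { this.levels = new Map(); }
  // Key on interface + method: a bare name such as "Save" may appear on
  // several interfaces with different risk.
  register(iface, method, level) { this.levels.set(`${iface}.${method}`, level); }
  // Default-deny: a method that was never registered counts as UNSAFE.
  levelOf(iface, method) { return this.levels.get(`${iface}.${method}`) || UNSAFE; }
  isAllowed(iface, method, callerIsLocalChrome) {
    return callerIsLocalChrome || this.levelOf(iface, method) === SAFE;
  }
  // Wrap a component so each method lookup is checked for this caller.
  wrap(iface, component, callerIsLocalChrome) {
    const registry = this;
    return new Proxy(component, {
      get(target, prop) {
        const value = target[prop];
        if (typeof value !== "function") return undefined; // methods only
        if (!registry.isAllowed(iface, String(prop), callerIsLocalChrome)) {
          throw new Error(`${iface}.${String(prop)} denied for remote script`);
        }
        return value.bind(target);
      },
    });
  }
}

function demo() {
  const registry = new MethodRegistry();
  registry.register("nsIEditorShell", "InsertText", SAFE);
  registry.register("nsIEditorShell", "Save", UNSAFE);
  // SaveAs is deliberately left unregistered to exercise the default.
  const log = [];
  const editor = { // constructed stand-in for the real component
    InsertText(t) { log.push(`insert:${t}`); },
    Save() { log.push("save"); },
    SaveAs() { log.push("saveas"); },
  };
  const remote = registry.wrap("nsIEditorShell", editor, false);
  const local = registry.wrap("nsIEditorShell", editor, true);
  const denied = [];
  remote.InsertText("hi"); // SAFE: allowed from a remote file
  for (const m of ["Save", "SaveAs"]) {
    try { remote[m](); } catch (e) { denied.push(m); }
  }
  local.Save(); // local chrome may use SAFE + UNSAFE
  return { log, denied };
}
```

The check happens at method lookup on the wrapper, so the decision depends on which wrapper a script was handed rather than on anything the script can set itself.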
