[Greasemonkey] say horray for evalInSandbox()

Godmar Back godmar at gmail.com
Tue Jul 19 00:01:10 EDT 2005


Judging from https://bugzilla.mozilla.org/attachment.cgi?id=186324&action=diff
this appears to create a temporary security context and execute the
given script in it, then it destroys that context.

Suppose the code contains
addEventListener("someevent", function () { .... }, false)
or 
setTimeout(function () { ... }, 10)

In which security context will those functions execute?

Suppose the code contained:
window.f = function () { ... }
and some malicious code did window.f(), in which context would f() execute?

 - Godmar

On 7/18/05, Aaron Boodman <zboogs at gmail.com> wrote:
> Thanks to help from Shaver and Brendan I was able to get this working
> with basically zero compatibility loss from previous versions.
> 
> This should be more or less immune to script or API leakage. Check it out.
> 
> Only problems:
> 
> * it's pretty slow! ~20-40ms for each insertion
> * having trouble getting decent error reports when user scripts fail
> 
> 
> --
> Aaron
>
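
The three cases raised in the message above (an event listener, a timer callback, and a function stored on window), as an added example that is not part of the original post or of Greasemonkey's code. It uses Node's vm module as a stand-in sandbox and does not model Mozilla's evalInSandbox or its security principals; `page`, `GM_secret` and the user script are hypothetical.

```javascript
// Added illustration: Node's vm module stands in for the sandbox. It does not
// model Mozilla's evalInSandbox or its security principals.
const vm = require("node:vm");

function runDemo() {
  const pending = []; // callbacks the "page" will fire later
  // Hypothetical stand-in for the content window handed to the user script.
  const page = {
    addEventListener: (type, fn, capture) => pending.push(fn),
    setTimeout: (fn, ms) => pending.push(fn),
  };
  const trace = [];
  // GM_secret is a hypothetical privileged helper meant only for the user script.
  const sandbox = vm.createContext({
    window: page,
    trace,
    GM_secret: () => "privileged",
  });

  // Constructed user script covering the three cases from the message.
  const userScript = `
    window.addEventListener("someevent", function () {
      trace.push("listener:" + GM_secret());
    }, false);
    window.setTimeout(function () {
      trace.push("timer:" + GM_secret());
    }, 10);
    window.f = function () {
      trace.push("f:" + GM_secret());
      return GM_secret();
    };
  `;
  vm.runInContext(userScript, sandbox); // evaluation is over after this call

  // Later, outside the sandbox: the page fires the callbacks and calls f().
  pending.forEach((fn) => fn());
  const leaked = page.f();

  return { trace, leaked, outerSeesHelper: typeof GM_secret !== "undefined" };
}

console.log(runDemo());
```

In this stand-in, every function created inside the sandbox still resolves `GM_secret` against the sandbox's global when it runs later, so a function the script stores on the page object hands that reach to whatever page code calls it.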

