cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian LeRoux...@brian.io>
Subject Re: Security Error in FirefoxOS on reading window.navigator properties
Date Mon, 24 Jun 2013 19:50:48 GMT
But wait, and I'm serious here, why even duck punch navigator to begin with?

I understand we add properties to it. Is that why it needs to be opened?

On Mon, Jun 24, 2013 at 11:50 AM, Ian Clelland <iclelland@google.com> wrote:
> Can the SecurityError be caught in an try{} block? If so, then we could
> implement a general solution of "try to clobber the entire object; if that
> doesn't work, try to clobber each of its properties instead."
>
> In the second case, a debug log line for each property that cannot be
> copied would give us a list of any platform-dependent quirks that we need
> to document.
>
>
> On Mon, Jun 24, 2013 at 2:42 PM, Gord Tanner <gtanner@gmail.com> wrote:
>
>> This is from the bootstrap file for all platforms [1].
>>
>> This is to cover us for security issues we were having on other platforms
>> where we are not able to replace existing navigator object methods
>> (geolocation, etc) or add new ones.  We create this object and proxy to the
>> original navigator object to have something that is a bit more flexible for
>> us to work with and modify.
>>
>> Does firefox yell at us if we replace the navigator object without
>> iterating over the old one? We could then just hardcode the list of
>> functions to proxy over to the original for that platform.
>>
>> [1] -
>>
>> https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=blob_plain;f=lib/scripts/bootstrap.js;hb=HEAD
>>
>>
>> On Mon, Jun 24, 2013 at 2:34 PM, Brian LeRoux <b@brian.io> wrote:
>>
>> > I'm at a loss why that code even needs to exist.
>> >
>> > Anyone? Herm / Gord?
>> >
>> > On Thu, Jun 20, 2013 at 5:06 AM, Piotr Zalewa <pzalewa@mozilla.com>
>> wrote:
>> > > I came to a point where I need to use the group wisdom.
>> > >
>> > > In
>> >
>> https://github.com/apache/cordova-firefoxos/blob/master/lib/cordova.firefoxos.js#L5929Cordovais
trying to replace window.navigator with something which looks
>> > like a copy of itself. window.navigator is protected in FirefoxOS - even
>> > browsing through its properties is not allowed.
>> > >
>> > > alert('pre'); for (var key in window.navigator)
>> {window.navigator[key]};
>> > alert('post');
>> > >
>> > > Above code will work in browser, but not on the device or Simulator. It
>> > will throw "SecurityError: The operation is insecure." and 'post' will
>> not
>> > get alerted. Example in JSFiddle -
>> > http://jsfiddle.net/zalun/VkCyH/embedded/result/ (just install in
>> > Simulator)
>> > >
>> > > I'm looking for a solution for that issue.
>> > >
>> > > Is the step with replacing window.navigator needed? The comment in the
>> > code says
>> > > // We replace it so that properties that can't be clobbered can instead
>> > be overridden.
>> > >
>> > >
>> > > Piotr
>> >
>>

Mime
View raw message