cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gord Tanner <gtan...@gmail.com>
Subject Re: Security Error in FirefoxOS on reading window.navigator properties
Date Mon, 24 Jun 2013 18:42:18 GMT
This is from the bootstrap file for all platforms [1].

This is to cover us for security issues we were having on other platforms
where we are not able to replace existing navigator object methods
(geolocation, etc) or add new ones.  We create this object and proxy to the
original navigator object to have something that is a bit more flexible for
us to work with and modify.

Does firefox yell at us if we replace the navigator object without
iterating over the old one? We could then just hardcode the list of
functions to proxy over to the original for that platform.

[1] -
https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=blob_plain;f=lib/scripts/bootstrap.js;hb=HEAD


On Mon, Jun 24, 2013 at 2:34 PM, Brian LeRoux <b@brian.io> wrote:

> I'm at a loss why that code even needs to exist.
>
> Anyone? Herm / Gord?
>
> On Thu, Jun 20, 2013 at 5:06 AM, Piotr Zalewa <pzalewa@mozilla.com> wrote:
> > I came to a point where I need to use the group wisdom.
> >
> > In
> https://github.com/apache/cordova-firefoxos/blob/master/lib/cordova.firefoxos.js#L5929Cordova
is trying to replace window.navigator with something which looks
> like a copy of itself. window.navigator is protected in FirefoxOS - even
> browsing through its properties is not allowed.
> >
> > alert('pre'); for (var key in window.navigator) {window.navigator[key]};
> alert('post');
> >
> > Above code will work in browser, but not on the device or Simulator. It
> will throw "SecurityError: The operation is insecure." and 'post' will not
> get alerted. Example in JSFiddle -
> http://jsfiddle.net/zalun/VkCyH/embedded/result/ (just install in
> Simulator)
> >
> > I'm looking for a solution for that issue.
> >
> > Is the step with replacing window.navigator needed? The comment in the
> code says
> > // We replace it so that properties that can't be clobbered can instead
> be overridden.
> >
> >
> > Piotr
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message