cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Clelland <iclell...@google.com>
Subject Re: Security Error in FirefoxOS on reading window.navigator properties
Date Mon, 24 Jun 2013 18:50:24 GMT
Can the SecurityError be caught in an try{} block? If so, then we could
implement a general solution of "try to clobber the entire object; if that
doesn't work, try to clobber each of its properties instead."

In the second case, a debug log line for each property that cannot be
copied would give us a list of any platform-dependent quirks that we need
to document.


On Mon, Jun 24, 2013 at 2:42 PM, Gord Tanner <gtanner@gmail.com> wrote:

> This is from the bootstrap file for all platforms [1].
>
> This is to cover us for security issues we were having on other platforms
> where we are not able to replace existing navigator object methods
> (geolocation, etc) or add new ones.  We create this object and proxy to the
> original navigator object to have something that is a bit more flexible for
> us to work with and modify.
>
> Does firefox yell at us if we replace the navigator object without
> iterating over the old one? We could then just hardcode the list of
> functions to proxy over to the original for that platform.
>
> [1] -
>
> https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=blob_plain;f=lib/scripts/bootstrap.js;hb=HEAD
>
>
> On Mon, Jun 24, 2013 at 2:34 PM, Brian LeRoux <b@brian.io> wrote:
>
> > I'm at a loss why that code even needs to exist.
> >
> > Anyone? Herm / Gord?
> >
> > On Thu, Jun 20, 2013 at 5:06 AM, Piotr Zalewa <pzalewa@mozilla.com>
> wrote:
> > > I came to a point where I need to use the group wisdom.
> > >
> > > In
> >
> https://github.com/apache/cordova-firefoxos/blob/master/lib/cordova.firefoxos.js#L5929Cordovais
trying to replace window.navigator with something which looks
> > like a copy of itself. window.navigator is protected in FirefoxOS - even
> > browsing through its properties is not allowed.
> > >
> > > alert('pre'); for (var key in window.navigator)
> {window.navigator[key]};
> > alert('post');
> > >
> > > Above code will work in browser, but not on the device or Simulator. It
> > will throw "SecurityError: The operation is insecure." and 'post' will
> not
> > get alerted. Example in JSFiddle -
> > http://jsfiddle.net/zalun/VkCyH/embedded/result/ (just install in
> > Simulator)
> > >
> > > I'm looking for a solution for that issue.
> > >
> > > Is the step with replacing window.navigator needed? The comment in the
> > code says
> > > // We replace it so that properties that can't be clobbered can instead
> > be overridden.
> > >
> > >
> > > Piotr
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message