From: Ian Clelland
Date: Mon, 24 Jun 2013 14:50:24 -0400
Subject: Re: Security Error in FirefoxOS on reading window.navigator properties
To: "dev@cordova.apache.org"

Can the SecurityError be caught in a try{} block? If so, then we could implement a general solution of "try to clobber the entire object; if that doesn't work, try to clobber each of its properties instead."

In the second case, a debug log line for each property that cannot be copied would give us a list of any platform-dependent quirks that we need to document.

On Mon, Jun 24, 2013 at 2:42 PM, Gord Tanner wrote:

> This is from the bootstrap file for all platforms [1].
>
> This is to cover us for security issues we were having on other platforms
> where we are not able to replace existing navigator object methods
> (geolocation, etc) or add new ones. We create this object and proxy to the
> original navigator object to have something that is a bit more flexible for
> us to work with and modify.
>
> Does firefox yell at us if we replace the navigator object without
> iterating over the old one? We could then just hardcode the list of
> functions to proxy over to the original for that platform.
>
> [1] - https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=blob_plain;f=lib/scripts/bootstrap.js;hb=HEAD
>
> On Mon, Jun 24, 2013 at 2:34 PM, Brian LeRoux wrote:
>
> > I'm at a loss why that code even needs to exist.
> >
> > Anyone? Herm / Gord?
> >
> > On Thu, Jun 20, 2013 at 5:06 AM, Piotr Zalewa wrote:
> > > I came to a point where I need to use the group wisdom.
> > >
> > > In https://github.com/apache/cordova-firefoxos/blob/master/lib/cordova.firefoxos.js#L5929
> > > Cordova is trying to replace window.navigator with something which looks
> > > like a copy of itself. window.navigator is protected in FirefoxOS - even
> > > browsing through its properties is not allowed.
> > >
> > > alert('pre');
> > > for (var key in window.navigator) {window.navigator[key]};
> > > alert('post');
> > >
> > > Above code will work in browser, but not on the device or Simulator. It
> > > will throw "SecurityError: The operation is insecure." and 'post' will not
> > > get alerted. Example in JSFiddle -
> > > http://jsfiddle.net/zalun/VkCyH/embedded/result/ (just install in
> > > Simulator)
> > >
> > > I'm looking for a solution for that issue.
> > >
> > > Is the step with replacing window.navigator needed? The comment in the
> > > code says
> > > // We replace it so that properties that can't be clobbered can instead
> > > be overridden.
> > >
> > > Piotr
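
The two-stage fallback proposed at the top of this message, sketched as an added example that is not part of the original thread or of cordova-js. The names `clobberWithFallback` and `makeProtected` are hypothetical, and the Proxy is a constructed stand-in for a protected `navigator` that refuses enumeration and locks one property.

```javascript
// Hypothetical helper (not cordova-js code).
// Stage 1: replace parent[name] with a copy of the original plus overrides.
// Stage 2: if stage 1 throws, keep the original and set each override on it,
//          logging every property that cannot be set.
function clobberWithFallback(parent, name, overrides, log) {
  var original = parent[name];
  var failed = [];
  try {
    var replacement = {};
    for (var key in original) {            // may throw on a protected object
      var value = original[key];           // may throw as well
      replacement[key] =
        typeof value === 'function' ? value.bind(original) : value;
    }
    Object.keys(overrides).forEach(function (k) { replacement[k] = overrides[k]; });
    // Nothing on parent is changed until the whole copy has succeeded.
    Object.defineProperty(parent, name, { value: replacement, configurable: true });
    return { mode: 'whole-object', failed: failed };
  } catch (e) {
    log('whole-object clobber of ' + name + ' failed: ' + e.name);
  }
  Object.keys(overrides).forEach(function (prop) {
    try {
      Object.defineProperty(original, prop,
        { value: overrides[prop], configurable: true, writable: true });
    } catch (e) {
      failed.push(prop);
      log('cannot clobber ' + name + '.' + prop + ': ' + e.name);
    }
  });
  return { mode: 'per-property', failed: failed };
}

// Constructed test double: enumeration throws, and one property is locked.
function makeProtected(lockedProp) {
  function securityError() {
    var e = new Error('The operation is insecure.');
    e.name = 'SecurityError';
    return e;
  }
  return new Proxy({ userAgent: 'constructed-UA' }, {
    ownKeys: function () { throw securityError(); },
    defineProperty: function (target, prop, desc) {
      if (prop === lockedProp) { throw securityError(); }
      return Reflect.defineProperty(target, prop, desc);
    }
  });
}
```

The `failed` list and the log lines are the per-platform record of quirks the message asks for.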