cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Sentino <rich...@mindginative.com>
Subject Re: Security Error in FirefoxOS on reading window.navigator properties
Date Fri, 09 Aug 2013 07:51:04 GMT
Hi Andrew

Thanks for the feedback

I'm trying to spin my head right around but IMHO I'd go with option #1 and let these plugin
do whatever they want with the navigator, great advantage for 3rd party plugins that interacts
with certified-only APIs [1] - although others might have a better opinion and go with the
other option.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model

Cheers

--
Richard


On 9/08/2013, at 3:45 AM, Andrew Grieve <agrieve@chromium.org> wrote:

I think it makes sense to have this be an option since it's breaking ff.

I think it's actually only required now by the
cordova-plugin-network-information plugin.

1. Maybe we could just move it into that plugin?
2. Or, we could make it a separate plugin that others wanting to override
navigator symbols can depend on.
3. Or, we could move the logic into modulemapper such that the hack is
applied only when clobbering a symbol on navigator doesn't take hold.





On Thu, Aug 8, 2013 at 7:10 AM, Richard Sentino <richard@mindginative.com>wrote:

> Hello
> 
> I just wanted to keep the ball rolling about this issue.
> 
> In response to "SecurityError be caught in an try{} block?", yes and it
> seems to do the trick. At the moment, out of the FirefoxOS-specific APIs it
> gets stuck in the mud at "mozTime" [1] which is only available to certified
> apps [2] therefore a security error will be thrown [3]. With the recently
> refactored cordova-js, do you guys have any intention on clobbering
> navigator at the platform.js level ? I made a test app [4] running on 3.0.x
> from master branch and tested on FirefoxOS 4.0/5.0pre simulator and on a
> Keon device.
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=751011#c3
> [2]
> https://developer.mozilla.org/en-US/docs/Web/API/window.navigator.mozTime
> [3]
> https://github.com/apache/cordova-js/blob/master/lib/common/init.js#L56
> [4] http://rixrix.github.io/cordova-firefoxos-patch/manifest.webapp
> 
> Thanks
> 
> --
> Richard
> 
> 
> On 25/06/2013, at 8:25 AM, Andrew Grieve <agrieve@chromium.org> wrote:
> 
> We also used this to implement navigator.connection. Without this, we can't
> replace the connection property. Another example is the onLine property for
> Android. It needs to be overridden to hide the fact that it is toggled
> on/off by our exec() bridge.
> 
> 
> On Mon, Jun 24, 2013 at 3:59 PM, Gord Tanner <gtanner@gmail.com> wrote:
> 
>> This might be a bad example since most platforms support native
> geolocation
>> now but I know we would run into problems with:
>> 
>>    navigator.geolocation = require('cordova/plugin/geolocation')
>> 
>> When geolocation already existed on navigator it would throw a security
>> exception (or just be a noop).  It is the cost of doing our shit on the
>> navigator object, every platform treats this as a "secure" object
>> (rightfully so) and does things a little differently.  The lowest common
>> denominator was to just dump our own mock object in ASAP to prevent a lot
>> of that security stuff from getting in our way.
>> 
>> Does this still need to happen? (I don't know)
>> What platforms were having problems? (I can't really remember)
>> Should we look into if we still need to do this? (of course)
>> 
>> the bootstrap.js is ment to contain code for bootstrapping all of cordova
>> on every platform.  I am thinking we may need to rethink the navigator
>> clobbering and make this a platform overridable bootstrap step.
>> 
>> 
>> 
>> On Mon, Jun 24, 2013 at 3:50 PM, Brian LeRoux <b@brian.io> wrote:
>> 
>>> But wait, and I'm serious here, why even duck punch navigator to begin
>>> with?
>>> 
>>> I understand we add properties to it. Is that why it needs to be opened?
>>> 
>>> On Mon, Jun 24, 2013 at 11:50 AM, Ian Clelland <iclelland@google.com>
>>> wrote:
>>>> Can the SecurityError be caught in an try{} block? If so, then we could
>>>> implement a general solution of "try to clobber the entire object; if
>>> that
>>>> doesn't work, try to clobber each of its properties instead."
>>>> 
>>>> In the second case, a debug log line for each property that cannot be
>>>> copied would give us a list of any platform-dependent quirks that we
>> need
>>>> to document.
>>>> 
>>>> 
>>>> On Mon, Jun 24, 2013 at 2:42 PM, Gord Tanner <gtanner@gmail.com>
>> wrote:
>>>> 
>>>>> This is from the bootstrap file for all platforms [1].
>>>>> 
>>>>> This is to cover us for security issues we were having on other
>>> platforms
>>>>> where we are not able to replace existing navigator object methods
>>>>> (geolocation, etc) or add new ones.  We create this object and proxy
>> to
>>> the
>>>>> original navigator object to have something that is a bit more
>> flexible
>>> for
>>>>> us to work with and modify.
>>>>> 
>>>>> Does firefox yell at us if we replace the navigator object without
>>>>> iterating over the old one? We could then just hardcode the list of
>>>>> functions to proxy over to the original for that platform.
>>>>> 
>>>>> [1] -
>>>>> 
>>>>> 
>>> 
>> 
> https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;a=blob_plain;f=lib/scripts/bootstrap.js;hb=HEAD
>>>>> 
>>>>> 
>>>>> On Mon, Jun 24, 2013 at 2:34 PM, Brian LeRoux <b@brian.io> wrote:
>>>>> 
>>>>>> I'm at a loss why that code even needs to exist.
>>>>>> 
>>>>>> Anyone? Herm / Gord?
>>>>>> 
>>>>>> On Thu, Jun 20, 2013 at 5:06 AM, Piotr Zalewa <pzalewa@mozilla.com>
>>>>> wrote:
>>>>>>> I came to a point where I need to use the group wisdom.
>>>>>>> 
>>>>>>> In
>>>>>> 
>>>>> 
>>> 
>> 
> https://github.com/apache/cordova-firefoxos/blob/master/lib/cordova.firefoxos.js#L5929Cordovaistryingtoreplace
window.navigator with something which looks
>>>>>> like a copy of itself. window.navigator is protected in FirefoxOS
-
>>> even
>>>>>> browsing through its properties is not allowed.
>>>>>>> 
>>>>>>> alert('pre'); for (var key in window.navigator)
>>>>> {window.navigator[key]};
>>>>>> alert('post');
>>>>>>> 
>>>>>>> Above code will work in browser, but not on the device or
>>> Simulator. It
>>>>>> will throw "SecurityError: The operation is insecure." and 'post'
>> will
>>>>> not
>>>>>> get alerted. Example in JSFiddle -
>>>>>> http://jsfiddle.net/zalun/VkCyH/embedded/result/ (just install in
>>>>>> Simulator)
>>>>>>> 
>>>>>>> I'm looking for a solution for that issue.
>>>>>>> 
>>>>>>> Is the step with replacing window.navigator needed? The comment
in
>>> the
>>>>>> code says
>>>>>>> // We replace it so that properties that can't be clobbered can
>>> instead
>>>>>> be overridden.
>>>>>>> 
>>>>>>> 
>>>>>>> Piotr
>>>>>> 
>>>>> 
>>> 
>> 
> 
> 


Mime
View raw message