Hi all,
From my extension frame script, if I have a DOM node, how do I properly check if it is part of a chrome scope (and potentially security sensitive), or part of a content document? I have been told by a Mozilla code reviewer that checking for the ‘chrome’ protocol on the ownerDocument URL is not enough.
Yes, it has been taken out of the DOM in the first place, but:
nodes are stored in a collection somewhere, then accessed later by some key, so it's not immediately obvious by looking at the code where things are from
requests are coming from an external application, so they are somewhat strict in checking for remote script execution, which seems not to be allowed even for unlisted extensions in chrome documents, but only content (that's what we need anyway) …
so the code reviewer has requested that I check that the node (or the document it belongs to) is in a content scope, not a chrome scope (which hosts browser UI stuff outside of the actual content and is not sandboxed in the way the content is)
If you have a <browser> you can get .contentPrincipal. And to check if it's a system principal you should use a system principal instance and use .equals():
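// Obtain a system principal instance (requires chrome privileges).
var systemPrincipal = Components.classes["@mozilla.org/systemprincipal;1"]
    .createInstance(Components.interfaces.nsIPrincipal);
// true when the document runs with the system principal, i.e. it is chrome scope.
var notSafe = systemPrincipal.equals(docToCheck.documentElement.nodePrincipal);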
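One way to apply the principal check to the keyed node collection described in the question, as an added example that is not part of the original posts. `isContentNode`, `ContentNodeRegistry`, `fakePrincipal` and `fakeNode` are hypothetical names, and the fake objects are constructed stand-ins so the logic runs outside Firefox; in a frame script, pass the system principal instance created as in the snippet above.

```javascript
// True only when the node provably does not carry the system principal.
function isContentNode(node, systemPrincipal) {
  const principal = node && node.nodePrincipal; // readable from privileged code only
  if (!principal) {
    return false; // fail closed: no principal means no proof of content scope
  }
  return !systemPrincipal.equals(principal);
}

// Hypothetical registry for nodes that an external application refers to by key.
class ContentNodeRegistry {
  constructor(systemPrincipal) {
    this.systemPrincipal = systemPrincipal;
    this.nodes = new Map();
  }

  // Refuse chrome-scope nodes when they are stored.
  add(key, node) {
    if (!isContentNode(node, this.systemPrincipal)) {
      throw new Error("refusing to store a node that is not in content scope");
    }
    this.nodes.set(key, node);
  }

  // Check again on lookup, so the decision is made where the node is used
  // and not only where it was stored.
  get(key) {
    const node = this.nodes.get(key);
    if (node === undefined) return null;
    if (!isContentNode(node, this.systemPrincipal)) {
      this.nodes.delete(key);
      return null;
    }
    return node;
  }
}

// Constructed stand-ins for nsIPrincipal and DOM nodes (not Firefox objects).
function fakePrincipal(origin) {
  return { origin, equals(other) { return !!other && other.origin === this.origin; } };
}
function fakeNode(principal) {
  return { nodePrincipal: principal };
}
```
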