Last Comment Bug 529474 - evalInGlobalScope as a secure alternative to eval
: evalInGlobalScope as a secure alternative to eval
Status: RESOLVED DUPLICATE of bug 785174
[firebug-p2]
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Windows XP
: -- normal with 1 vote (vote)
: ---
Assigned To: general
:
:
Mentors:
Depends on:
Blocks: 529079
  Show dependency treegraph
 
Reported: 2009-11-17 21:05 PST by John J. Barton
Modified: 2012-09-06 03:23 PDT (History)
16 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description John J. Barton 2009-11-17 21:05:48 PST
We have eval() which dynamically compiles code into the current scope and runs it with the current security principal. We have evalInSandbox which compiles code in an container and runs it with a security principal given at sandbox construction. The missing combination is an eval which compiles code into a given scope and runs it under the security principal of that scope.

For an inner nsIDOMWindow 'win', evalInGlobalScope(str, win) should give an XPCSafeJSObjectWrapper around an object that is precisely as one would get by running win.eval(str) with the principal of 'win'.

This would allow Firebug's command line to be implemented very simply. It would also allow extension code to generally avoid eval() with extension (system) principal.

See also
http://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/9d6404c7c940097b#

If possible, then for jsdIStackframe.scope 'scope', then evalInGlobalScope(str, scope) would be supported. If not we may want to call the function evalInDOMWindow().

The option filename and line numbers of evalInSandbox() would nice.
Comment 1 Robert Sayre 2010-01-25 16:09:53 PST
can I get a rationale for this blocking nomination?
Comment 2 John J. Barton 2010-01-25 17:11:09 PST
The short answer is "no", I was trying to express "gee if we had this in the 3.7 plan we could plan to work on the Firebug parts". But it's not so we won't.
Comment 3 Sebastian Zartner 2012-01-17 05:23:49 PST
Just want to add, that one Firebug issue related to this is http://code.google.com/p/fbug/issues/detail?id=1472.

Sebastian
Comment 4 Jim Blandy :jimb 2012-09-06 03:23:02 PDT
I expect the fix for bug 785174 should serve here, as well. If not, please un-dup and explain.

*** This bug has been marked as a duplicate of bug 785174 ***

Note You need to log in before you can comment on or make changes to this bug.