Components.utils.evalInSandbox

  • Revision slug: Components.utils.evalInSandbox
  • Revision title: Components.utils.evalInSandbox
  • Revision id: 101226
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment copyedit

Revision Content

Introduction

In certain circumstances, you may want to evaluate JavaScript code with restricted privileges. In Firefox 1.5 (Gecko 1.8) or later, an API exists to allow you to do this. It contains the notion of a "sandbox" that you can create and evaluate code in its context. Code evaluated using this method will always execute with restricted privileges, as on a normal web page.

Use

To use evalInSandbox, you must first create a sandbox object using its constructor, Components.utils.Sandbox. The sandbox must be initialized with a principal URI. This URI is used for same-origin security checks. For example, passing a URI of http://www.example.com/ will allow code evaluated using this sandbox to access data from http://www.example.com. Due to the ability of javascript on a web page to set document.domain, changing same-origin security checks, you can also pass a DOM window object to the sandbox constructor.

// create a sandbox with a given principal
var s = Components.utils.Sandbox("http://www.example.com/");
// the sandbox object is the global scope object
// for script you execute
s.y = 5;
var result = Components.utils.evalInSandbox("x = y + 2; x + 3", s);
// result is 10, s.x is now 7

s.foo = Components;
// this will give a "Permission Denied" error
Components.utils.evalInSandbox("foo.classes", s);

Note {{template.Bug(350558)}}.

{{ wiki.languages( { "ja": "ja/Components.utils.evalInSandbox" } ) }}

Revision Source

<p>
</p>
<h3 name="Introduction"> Introduction </h3>
<p>In certain circumstances, you may want to evaluate <a href="en/JavaScript">JavaScript</a> code with restricted privileges.  In <a href="en/Firefox_1.5">Firefox 1.5</a> (Gecko 1.8) or later, an API exists to allow you to do this.  It contains the notion of a "sandbox" that you can create and evaluate code in its context.  Code evaluated using this method will always execute with restricted privileges, as on a normal web page.
</p>
<h4 name="Use"> Use </h4>
<p>To use <code>evalInSandbox</code>, you must first create a sandbox object using its constructor, <code>Components.utils.Sandbox</code>.  The sandbox must be initialized with a principal URI.  This URI is used for same-origin security checks.  For example, passing a URI of <code><span class="plain">http://www.example.com/</span></code> will allow code evaluated using this sandbox to access data from <span class="plain">http://www.example.com</span>.  Due to the ability of javascript on a web page to set <code><a href="en/DOM/document.domain">document.domain</a></code>, changing same-origin security checks, you can also pass a DOM window object to the sandbox constructor.
</p>
<pre>// create a sandbox with a given principal
var s = Components.utils.Sandbox("http://www.example.com/");
// the sandbox object is the global scope object
// for script you execute
s.y = 5;
var result = Components.utils.evalInSandbox("x = y + 2; x + 3", s);
// result is 10, s.x is now 7

s.foo = Components;
// this will give a "Permission Denied" error
Components.utils.evalInSandbox("foo.classes", s);
</pre>
<p>Note {{template.Bug(350558)}}.
</p>{{ wiki.languages( { "ja": "ja/Components.utils.evalInSandbox" } ) }}
Revert to this revision