Security check basics

この記事はまだ日本語に翻訳されていません。MDN の翻訳はボランティアによって行われています。是非 MDN に登録し、私たちの力になって下さい。

This document outlines the basic concepts on which the Gecko security model is based.

Basic definitions

The Gecko security model is designed to answer questions of the form "Can A do V to O?" Answering such a question requires knowing something about the entity performing the action (in this case A for "actor"), the action being performed (in this case V for "verb") and the object the action is being performed on (in this case O for "object").

In Gecko, there is a limited set of verbs: "get property X", "set property X", "call function F", etc.

Both the actor and the object are represented by principals. In Gecko, these are implemented using the nsIPrincipal interface.

Principals

A principal represents a security context. For example, on the web a typical principal is a scheme + host + port combination.

When asking the question, "Can A do V to O?", A (the entity performing the action) is called the subject principal. O (the object being operated on) is called the object principal.

Special principals

There are two special principals:

The system principal (whose contract ID is @mozilla.org/systemprincipal;1) passes all security checks. It subsumes itself and all other principals, which means it can operate on any principal, regardless of its security settings.

The null principal (whose contract ID is @mozilla.org/nullprincipal;1) fails almost all security checks. It has no privileges and can't be accessed by anything but itself and chrome. They aren't same-origin with anything but themselves.

You can create these principals using createInstance, e.g.:

var systemPrincipal = Components.classes["@mozilla.org/systemprincipal;1"]
                      .createInstance(Components.interfaces.nsIPrincipal); 

You can also get the system principal from the security manager using nsIScriptSecurityManager.getSystemPrincipal().

Other ways to obtain principals

You can get the principal for a document using the document.nodePrincipal property.

You can get the codebase principal for a given URI using nsIScriptSecurityManager.getCodebasePrincipal().

Determining the subject principal

When asked to perform a security check, the security manager needs to determine the current subject principal (the actor performing the action that's being security-checked). As of Gecko 1.9 the security manager asks XPConnect for the "current JSContext" from a stack that XPConnect maintains. This JSContext has a pointer to the JavaScript callstack for the script running on it.

  • If there's no JavaScript on the stack, then the subject principal is "system" (the all-powerful principal)
  • If there's JavaScript on the stack, the stack is walked from the top down until a scripted function is encountered. There's always a principal associated with a scripted function (when you create one of those, you have to tell it who's creating it). This is the subject principal.

Determining the object principal

To determine the object principal of a particular JavaScript object, Gecko starts at that object and walks the __parent__ chain until it gets to an object that knows its own object principal (typically a Window or Document). This is then used as the object principal for the object in question.

Scripted and native JavaScript functions

In JavaScript, there are two types of JSFunctions:

  • the first type just holds a pointer to a C function and when invoked, calls that C function, passing to it the this object it was invoked on, the arguments, etc. An example of native function is Array.sort. When called, it calls a C sorting function and passes it the Array object that sort() was called on.
  • the second type is what's called a "scripted" function, which comes about from a JavaScript function keyword or the appropriate JSAPI calls. Calling such a function executes some JavaScript in the JavaScript interpreters.

For security purposes, the main difference between the two types of functions is that scripted functions have principals compiled into them. That is, they know the principal of the page in whose context the script that defined them was executed.

Document Tags and Contributors

Contributors to this page: Sheppy, Jimb, Nickolay, Bzbarsky
最終更新者: Sheppy,