This document outlines the basic concepts on which the Gecko security model is based.
The Gecko security model is designed to answer questions of the form "Can A do V to O?" Answering such a question requires knowing something about the entity performing the action (in this case A for "actor"), the action being performed (in this case V for "verb") and the object the action is being performed on (in this case O for "object").
In Gecko, there is a limited set of verbs: "get property X", "set property X", "call function F", etc.
A principal represents a security context. For example, on the web a typical principal is a scheme + host + port combination.
When asking the question, "Can A do V to O?", A (the entity performing the action) is called the subject principal. O (the object being operated on) is called the object principal.
There are two special principals:
The system principal (whose contract ID is
@mozilla.org/systemprincipal;1) passes all security checks. It subsumes itself and all other principals, which means it can operate on any principal, regardless of its security settings.
The null principal (whose contract ID is
@mozilla.org/nullprincipal;1) fails almost all security checks. It has no privileges and can't be accessed by anything but itself and chrome. They aren't same-origin with anything but themselves.
You can create these principals using
var systemPrincipal = Components.classes["@mozilla.org/systemprincipal;1"] .createInstance(Components.interfaces.nsIPrincipal);
You can also get the system principal from the security manager using
Other ways to obtain principals
You can get the principal for a document using the
You can get the codebase principal for a given URI using
Determining the subject principal
When asked to perform a security check, the security manager needs to determine the current subject principal (the actor performing the action that's being security-checked). As of Gecko 1.9 the security manager asks XPConnect for the "current
JSContext" from a stack that XPConnect maintains. This
Determining the object principal
__parent__ chain until it gets to an object that knows its own object principal (typically a
Document). This is then used as the object principal for the object in question.
- the first type just holds a pointer to a C function and when invoked, calls that C function, passing to it the
thisobject it was invoked on, the arguments, etc. An example of native function is
Array.sort. When called, it calls a C sorting function and passes it the
sort()was called on.
For security purposes, the main difference between the two types of functions is that scripted functions have principals compiled into them. That is, they know the principal of the page in whose context the script that defined them was executed.