
Revision 251564 / Downloading JSON and JavaScript in extensions

  • Revision slug: Downloading JSON and JavaScript in extensions
  • Revision title: Downloading JSON and JavaScript in extensions
  • Revision id: 251564
  • Created by: Laser

Revision content


A common practice in many extensions is to use XMLHttpRequest (or some other mechanism) to download JavaScript or JSON (the two are different!) from a remote website. Once the content has been downloaded, the extension author uses eval() to decode it, turning the string into JavaScript objects. This practice is very dangerous and, in fact, will not pass AMO review, so such an extension will not be allowed out of the AMO sandbox.

The practice is dangerous because the decoded JavaScript has full chrome privileges and could perform some nasty actions. How could the JavaScript an extension downloads perform nasty actions? Fairly easy if the webserver where the JavaScript is hosted were to be hijacked or compromised. It happens to the best of us. AMO takes the threat very seriously.

The good news is that there are several ways to work around the problem.

Downloading JSON

If the extension is downloading JSON, then the developer should be using one of the JSON decoding methods discussed on the JSON page and not using eval() at all. JSON is about state and does not allow functions to be decoded. The JSON decoding methods available to extension developers protect the extension from malicious JSON and JavaScript. Downloading state from a remote webserver using JSON is becoming extremely popular. Use the JSON decoders, not eval()!
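The difference between the two decoding approaches, as an added example that is not part of the original page: the eval() pattern the article warns against beside a decoder that uses the JSON parser. Both server responses are constructed here; the "tampered" one stands in for what a hijacked webserver could return, and it only sets a flag so that the effect is observable.

```javascript
// Added example, not from the original page. Responses below are constructed.

// What the extension expects back from its server: a plain JSON state document.
const BENIGN_RESPONSE = '{"version": 3, "features": ["sync", "themes"]}';

// JSON cannot carry functions: a function-looking value stays a string.
const FUNCTION_LOOKING_RESPONSE = '{"onLoad": "function () { return 1; }"}';

// What a compromised server could return instead. It is valid JavaScript, so
// eval() runs it, but it is not JSON. Here it merely records that it executed.
const CODE_RAN = { flag: false };
const TAMPERED_RESPONSE =
  '(function () { CODE_RAN.flag = true; return {"version": 3}; })()';

// The pattern the page says will not pass AMO review: the fetched text is code.
function decodeWithEval(body) {
  return eval("(" + body + ")");
}

// Hardened decode: JSON.parse accepts data only and throws on anything else,
// so a tampered response surfaces as an error instead of running.
function decodeWithJson(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e instanceof SyntaxError ? "invalid JSON" : String(e) };
  }
}

// Run both decoders over the responses and report what each one did.
function compare() {
  CODE_RAN.flag = false;
  const evalResult = decodeWithEval(TAMPERED_RESPONSE);
  const evalRanCode = CODE_RAN.flag; // true: the downloaded text executed

  CODE_RAN.flag = false;
  const jsonGood = decodeWithJson(BENIGN_RESPONSE);
  const jsonFunc = decodeWithJson(FUNCTION_LOOKING_RESPONSE);
  const jsonBad = decodeWithJson(TAMPERED_RESPONSE);
  const jsonRanCode = CODE_RAN.flag; // false: nothing executed

  return {
    evalRanCode,
    evalVersion: evalResult.version,
    jsonGood,
    onLoadType: typeof jsonFunc.value.onLoad, // "string", never "function"
    jsonBad,
    jsonRanCode,
  };
}
```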

Downloading JavaScript

Of course there are times when JavaScript code modules are downloaded and injected into the extension. This usually happens because the extension is trying to keep some of its code fresh and dynamic, and the developers don't want to create a new version of the extension for each script change. In this case, JavaScript sandboxing should be used to isolate the downloaded JavaScript from the rest of the extension and from the host application.

Sandboxing is done using Components.utils.evalInSandbox(). The JavaScript code is added to the sandbox along with any "safe" objects the JavaScript needs to interact with. Sandboxing is not without its dangers, and developers should read the sandboxing page carefully to make sure untrusted code does not leak out of the sandbox.

