2

I am developing a FireFox extension and have to store some values that I need to be secure and inaccessible from any other extension/page etc.

I am using a setup for my extension code like seen here:

if(!namesp) var namesp={};
if(!namesp.anothernamesp) namesp.anothernamesp={};

namesp.anothernamesp = function() {
  var mySecureValue = ''; //is this variable accessible from anything aside from inside the namesp.anothernamesp scope?

  return {
    useSecureValue: function() {
    //do something here with mySecureValue
    }
  };

  function getSecureValue() { //can this method be called from anywhere besides inside the namesp.anothernamesp scope?
    return mySecureValue;
  }

}();

Is there any way that anything other than my own extension can access "mySecureValue"? To keep this object global accessible to any windows I might open in my extension etc, I pass the object to the window in the window.openDialog() method and use the window.arguments to access it from the newly created windows. Thank you.

offthat
  • 400
  • 2
  • 10
  • I don't know the answer, but on a side note, you are checking whether or not to create `namesp.anothernamesp` in the second line of code but you are overwriting it at the fourth line of code anyway. I don't think the second line of code adds anything. – pimvdb May 10 '11 at 07:33

2 Answers2

1

Seems pretty correct. In fact that's a way the majority of tutorials and books teach to simulate private methods and properties.

Headshota
  • 21,021
  • 11
  • 61
  • 82
0

No, there is no way you can keep one extension from impacting another extension.

The reasons for that are:

  • extensions are Zip-archive-files renamed to have a *.xpi filename extension.
  • the extensions are writen in plaintextfiles using a JavaScript dialect
  • any other extension can at will open and access any file that your browser can access.

If some other extension wants to read your variable mySecureValue it can do so by:

  • accessing the your extensions *.xpi file (using nsIFile to read it from the profile/extensions folder)
  • unzip it nsIZipReader
  • read the variable mySecureValue from your source file!

The most unfortunate reason for all that is that Mozilla firefox does not implement any form of right separation between the extensions. Every extension can do everything to everybody. It can even excecute a shellcode and do arbitraty other damage.

The only thing you can try is to obfuscate your secret data. This will though not prevent but maybe only complicate the attack.

humanityANDpeace
  • 4,350
  • 3
  • 37
  • 63