This is a static archive of developer.mozilla.org from 03 Nov 2016.

Revision 73221 of Scripting plugins

  • Revision slug: Gecko_Plugin_API_Reference/Scripting_plugins
  • Revision title: Scripting plugins
  • Revision id: 73221
  • Created:
  • Creator: gemy21ce
  • Is current revision? No
  • Comment 1001 words removed

Revision Content

Security model

The security model for making calls through this API is much like the general same-origin security model enforced by the browser. That means that script from an origin other than the origin of the page that loaded the plugin is not able to access methods and properties on the plugin. The same applies in the other direction: the plugin can reach only JavaScript objects in the same origin as the page that loaded the plugin.

In addition to this, a further extension to this API is being discussed that would give a plugin greater flexibility by letting the plugin control the origin of the calling code, so that the plugin can specify the origin of calls that come from internally loaded code from other origins. This way such code can be executed with only the privileges of the origin of the code, and not the privileges of the plugin page's origin.
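
The access rule described above, modelled as an added JavaScript example (not code from this page, Gecko, or the plugin API). All function names are hypothetical, the URLs are constructed, and the handling of the extension under discussion is an assumption about how it would behave.

```javascript
// Model of the same-origin rule for plugin scripting. Illustration only:
// none of these functions exist in Gecko or the plugin API.

// Serialized origin (scheme, host, port) of a URL, or null when the URL is
// unparsable or has an opaque origin (data:, about:blank, ...).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Same origin only if both sides have a real origin and it matches.
// Two opaque origins are never treated as equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Script -> plugin: the calling script must share the origin of the page
// that loaded the plugin.
function scriptMayCallPlugin(scriptUrl, pluginPageUrl) {
  return sameOrigin(scriptUrl, pluginPageUrl);
}

// Plugin -> script: the plugin reaches only JavaScript objects in the
// origin of the page that loaded it.
function pluginMayReachObject(pluginPageUrl, objectUrl) {
  return sameOrigin(pluginPageUrl, objectUrl);
}

// Discussed extension (assumed behaviour): when the plugin declares the
// origin of code it loaded internally, the call is checked against that
// origin instead of the plugin page's origin.
function pluginCallMayReachObject(pluginPageUrl, objectUrl, declaredCodeUrl) {
  const caller = declaredCodeUrl === undefined ? pluginPageUrl : declaredCodeUrl;
  return sameOrigin(caller, objectUrl);
}
```

Comparing serialized origins rather than raw URL strings means a default port written explicitly (`:443` on `https`) still matches, while a different scheme or port does not.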

Revision Source

<h2 name="Security_model">Security model</h2>
<p>The security model for making calls through this API is much like the general <a class="external" href="https://www.mozilla.org/projects/security/components/same-origin.html">same-origin</a> security model enforced by the browser. That means that script from an origin other than the origin of the page that loaded the plugin is not able to access methods and properties on the plugin. The same applies in the other direction: the plugin can reach only JavaScript objects in the same origin as the page that loaded the plugin.</p>
<p>In addition to this, a further extension to this API is being discussed that would give a plugin greater flexibility by letting the plugin control the origin of the calling code, so that the plugin can specify the origin of calls that come from internally loaded code from other origins. This way such code can be executed with only the privileges of the origin of the code, and not the privileges of the plugin page's origin.</p>