Signed Scripts & Privileges: An Example
Mitch Stoltz

This page demonstrates using signed scripts to perform actions not normally permitted to JavaScript on a web page. This example assumes a basic familiarity with the concept of code signing. See the links in the provided documentation at the Component Security main page for more information.
A Privileged Action
JavaScript Security gives a partial list of the actions prohibited to untrusted scripts. One example is access to browser preferences through the navigator.preference() method. If an untrusted script calls this method, an exception is thrown. For example, a call such as

var homepage = navigator.preference("browser.startup.homepage");

... will fail and throw an "access to property denied" exception.
Signed Scripts
Accessing sensitive information or functions requires that a privilege be granted using the netscape.security.PrivilegeManager.enablePrivilege() function. Only a signed script (or a script loaded from a file on the user's hard drive) can call enablePrivilege(). A privilege enabled this way lasts only until the function that called enablePrivilege() returns, so the call belongs in the same function as the sensitive action it protects. Scripts (and their associated HTML files) are signed using a digital signature and a signature-generating utility such as Signtool.
In our example, the privilege that controls access to browser preferences is UniversalPreferencesRead. A script which is signed and loaded from a jar file can call

netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");

If the user has not stored a preference as to whether this privilege should be granted to this signer, a confirmation dialog appears.
The link below runs the following JavaScript function:

function privilegedAction() {
  try {
    // Request the privilege; this throws if the script is not signed,
    // the user clicks "No", or a stored preference denies this signer.
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");
    // Now permitted: read a preference that untrusted scripts cannot touch.
    var hp = navigator.preference("browser.startup.homepage");
    alert("Permission to read preferences is granted. Your home page is " + hp);
  } catch (e) {
    alert("Permission to read preferences was denied.");
  }
}
Run the Signed Script Example (This link will only work in Mozilla-based browsers)
If you see the "Permission to read preferences was denied" dialog, either you clicked "No" in the security confirmation dialog, or your browser was already configured to deny the UniversalPreferencesRead privilege to scripts signed by this particular certificate.
Levels of Security
The philosophy behind this policy is that in order for a script from the Web to perform sensitive actions, the user must trust the author of the script. In order for the user to trust the author of the script, the user must have proof of the author's identity, and assurance that the script has not been modified with malicious intent. It follows from these requirements that two conditions must be met in order for a script to perform potentially dangerous actions:
- The script must be signed with a valid digital certificate. This establishes the identity of the script's origin and gives evidence of any modifications to the script after signing.
- The user must grant permission for the signer to perform the requested action. This permission can be preconfigured in browser preferences or granted through a confirmation dialog.
Granting Trust Remotely
Some embedders and distributors of Mozilla may require the ability to perform privileged actions without a dialog box being displayed to the user. While this feature is not present in mozilla.org's software releases, it can be added by other distributors. This feature is explained in The Master Certificate API.