You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.




Signed Scripts & Privileges: An Example

Mitch Stoltz

This page demonstrates using signed scripts to perform actions not normally permitted to JavaScript on a web page. This example assumes a basic familiarity with the concept of code signing. See the documentation linked from the Component Security main page for more information.

A Privileged Action

JavaScript Security gives a partial list of the actions prohibited to untrusted scripts. One example is access to browser preferences using the navigator.preference property. If an untrusted script attempts to use this property, an exception is thrown. For example, a call such as

var homepage = navigator.preference("browser.startup.homepage");

... will fail, and throw an "access to property denied" exception.

Signed Scripts

Accessing sensitive information or functions requires that a privilege be granted using the netscape.security.PrivilegeManager.enablePrivilege() function. Only a signed script (or a script loaded from a file on the user's hard drive) can call enablePrivilege. Scripts (and their associated HTML files) are signed using a digital signature and a signature-generating utility such as Signtool.

In our example, the privilege that controls access to browser preferences is UniversalPreferencesRead. A script which is signed and loaded from a jar file can call

netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");

If the user has not stored a preference as to whether this privilege should be granted to this signer, a confirmation dialog appears.

The link below runs the following JavaScript function:

function privilegedAction() {
  try {
    // Request the privilege; only a signed script may call this, and the
    // call throws if the user (or a stored preference) denies it.
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");
    // With the privilege enabled, the preference read that would otherwise
    // throw "access to property denied" succeeds.
    var hp = navigator.preference("browser.startup.homepage");
    alert("Permission to read preferences is granted. Your home page is " + hp);
  } catch (e) {
    alert("Permission to read preferences was denied.");
  }
}

Run the Signed Script Example (This link will only work in Mozilla-based browsers)

If you see the "Permission to read preferences was denied" dialog, either you clicked "No" in the security confirmation dialog, or your browser was already configured to deny the UniversalPreferencesRead privilege to scripts signed by this particular certificate.

Levels of Security

The philosophy behind this policy is that in order for a script from the Web to perform sensitive actions, the user must trust the author of the script. In order for the user to trust the author of the script, the user must have proof of the author's identity, and assurance that the script has not been modified with malicious intent. It follows from these requirements that two conditions must be met in order for a script to perform potentially dangerous actions:

  1. The script must be signed with a valid digital certificate. This establishes the identity of the script's origin and gives evidence of any modifications to the script after signing.
  2. The user must grant permission for the signer to perform the requested action. This permission can be preconfigured in browser preferences or granted through a confirmation dialog.

Granting Trust Remotely

Some embedders and distributors of Mozilla may require the ability to perform privileged actions without a dialog box being displayed to the user. While this feature is not present in mozilla.org's software releases, it can be added by other distributors. This feature is explained in The Master Certificate API.
