How to check if a node is part of a chrome scope or a content scope

Hi all,
From my extension framescript, if I have a DOM node, how do I properly check if it is part of a chrome scope (and potentially security sensitive), or part of a content document? I have been told by a Mozilla code reviewer that checking for the ‘chrome’ protocol on the ownerDocument URL is not enough.

Thanks

I don’t understand, it might just be me.

How do you have this DOM node? Didn’t you take it out of the DOM that framescript is in?

Yes, it has been taken out of the DOM in the first place, but:

  • nodes are stored in a collection somewhere, then accessed later by some key, so it’s not immediately obvious by looking at the code where things are from
  • requests are coming from an external application, so they are somewhat strict in checking for remote script execution, which seems not to be allowed even for unlisted extensions in chrome documents, but only content (that’s what we need anyway) …
    so the code reviewer has requested that I check that the node (or the document it belongs to) is in a content scope, not a chrome scope (which hosts browser UI stuff outside of the actual content and is not sandboxed in the way the content is)

anyone? :crying_cat_face:

1 Like

Ah OK, to check if a document is content or chrome you check the security principal; let me get an example.

These are the different principals: https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security#Security_principals

Test it like this:

    document.documentElement.nodePrincipal

I think the nodePrincipal attribute is only on the documentElement

So if

    document.documentElement.nodePrincipal.origin == '[System Principal]'

Then it is chrome.

These are things that will tell you it’s a content scope:

    moz-nullprincipal:{2cfffab2-4403-47f2-9fb2-c7fc45527b28}

Or a website url

1 Like

I think that’s what I was looking for
thanks a lot!

No problem, @the8782 from IRC says:

if you have a <browser> you can get .contentPrincipal. and to
check if it’s a system principal you should use a system principal
instance and use .equals()

I’ll write up an example here.

Something like this?

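    // The system principal is what chrome (browser UI) documents run with.
    var systemPrincipal = Components.classes["@mozilla.org/systemprincipal;1"]
                           .createInstance(Components.interfaces.nsIPrincipal);
    // true when docToCheck is a chrome document, i.e. not safe for remote script
    var notSafe = systemPrincipal.equals(docToCheck.documentElement.nodePrincipal);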
2 Likes

Nice job that looks right! :slight_smile:
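
The check from this thread wrapped as a fail-closed guard for nodes looked up by key, added here as an example and not code from any poster or from Mozilla. `principalOf`, `isContentNode`, `getContentNode`, `fakePrincipal` and `fakeNode` are hypothetical names, and the fake principals are constructed stand-ins so the logic runs outside Firefox; in a frame script, `systemPrincipal` would be the instance created in the snippet above.

```javascript
// Principal of the document owning `node`, read the way the thread does
// (documentElement.nodePrincipal). Returns null when it cannot be resolved.
function principalOf(node) {
  if (!node) return null;
  // A document node has no ownerDocument, so fall back to the node itself.
  var doc = node.ownerDocument || node;
  var root = doc.documentElement;
  return (root && root.nodePrincipal) || null;
}

// True only when the node's document is positively known not to be chrome.
// Anything unresolvable counts as unsafe (fail closed).
function isContentNode(node, systemPrincipal) {
  try {
    var principal = principalOf(node);
    return principal !== null && !systemPrincipal.equals(principal);
  } catch (e) {
    return false; // property access threw, e.g. a node whose document is gone
  }
}

// Hypothetical guard for the scenario in the question: nodes live in a Map
// and are fetched later by a key that an external application supplies.
function getContentNode(store, key, systemPrincipal) {
  var node = store.get(key);
  if (!isContentNode(node, systemPrincipal)) {
    throw new Error("refusing node '" + key + "': not in a content document");
  }
  return node;
}

// Constructed stand-ins for nsIPrincipal and a DOM node (assumption: only
// .origin and .equals() are modelled).
function fakePrincipal(origin) {
  return {
    origin: origin,
    equals: function (other) { return !!other && other.origin === origin; }
  };
}
function fakeNode(origin) {
  return { ownerDocument: { documentElement: { nodePrincipal: fakePrincipal(origin) } } };
}
```

Comparing with `.equals()` rather than matching the `origin` string follows the IRC advice quoted above.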