Protecting extension content from page scripts


30. November 2011, 15:08:43

JamesGlover

Posts: 37

I have a note taking Opera extension that currently acts by adding a DIV to the DOM, displaying the note content. Everything works fine, but it strikes me that this approach exposes the notes to malicious scripts. Theoretically, a malicious page could steal the content of any notes the user wrote on it.

A simplified example:
The injected JS:
// ==UserScript==
// @include *
// ==/UserScript==
/***************************************
* Security test: the "note" is a DIV appended to the host page's
* own DOM, so any script running on that page can read it back.
***************************************/

window.addEventListener('DOMContentLoaded', function() {
  var noteid = document.createElement('div');
  noteid.setAttribute('id', 'readthis');   // page scripts can look this up by id
  noteid.setAttribute('name', 'divname');
  noteid.style.width = '100px';
  noteid.style.height = '100px';
  noteid.style.position = "absolute";
  noteid.style.left = '100px';
  noteid.style.top = '100px';
  noteid.className = "injected";
  noteid.style.background = "#abcdef";
  noteid.innerText = "Security Leak";      // stands in for the note content
  document.body.appendChild(noteid);       // from here on it is part of the page
}, false);

The malicious page:
<html>
	<head>
		<title>Security Test</title>
	</head>
	<body>
		<h1>Security test</h1>
		<div id="leak">Awaiting Content</div>
		<!-- Reads the extension's note straight out of the shared DOM -->
		<input type="button" onClick="document.getElementById('leak').innerText = document.getElementById('readthis').innerText;" value="Steal"/>
	</body>
</html>


Now, I realise that once I'm sticking stuff into the DOM, then it's fair game. But I was wondering if there was something I was missing, as I know Firefox provides facilities for drawing content in the viewport without needing to manipulate the website DOM. (See below.) I did try using an iframe and appending the div as a child, but that didn't seem to work. I'm assuming I'd need to set up a message handler within the iframe and create the note from within?

Looking at the internote extension for Firefox, it appears that it avoids this problem by not adding notes to the page's DOM, but instead displaying them on a separate layer 'above' the website. However, as far as I can tell this is utilizing XUL, and thus isn't open to Opera. It appears to create a <stack> element, which is appended as a child to this.browser.parentNode, although I'm having trouble tracing back exactly what 'browser' is at that point, but I think it is again an XUL object describing the tab.

30. November 2011, 16:02:13

chum3r3

Posts: 78

up

great information up

30. November 2011, 16:04:00

d4n3

Posts: 957

Yes, the page's scripts do have access to your DOM.

The iframe approach could work, but you'd have to have a way to tell it the actual page URL. There was a post about iframes a while ago; as I understand it, he solved it by sending the URL of the tab into every injected iframe in the page.

There is no equivalent to Firefox's XUL in Opera, it's a pretty heavyweight system, where the entire browser UI is actually a sort of DOM.
There is no "transparent layer" equivalent in Opera.

Perhaps you could try drawing your notes on a Canvas; that way you'd at least make it difficult to get the text out.

Also, have you considered showing notes in the toolbar popup?
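The iframe approach raised in the first post and d4n3's suggestion of sending the tab URL into the iframe, worked through as an added example (this is not code from the thread or from any Opera extension). The note is never placed in the host page's DOM: the injected script only creates an iframe served from the extension's own origin and posts the tab URL to it, and the document inside the frame looks the note up and renders it. Because the frame is cross-origin, the page's `frame.contentDocument` is null and the `getElementById('readthis')` trick from the test page has nothing to read. Assumptions: `NOTE_ORIGIN` and `NOTE_PAGE` are a hypothetical extension origin and page, and the note store is a constructed plain object standing in for whatever the background process would supply.

```javascript
// Added example, not from the original thread. Two halves of one extension:
//   1. the injected script (runs on every page) creates the frame and tells
//      it which tab it is on; it never handles the note text itself;
//   2. the note page, served from the extension's own origin, receives that
//      message, looks the note up and writes it with textContent.
// Assumptions (hypothetical, not from the post): the extension serves its
// note page from NOTE_ORIGIN, and the note store is a plain object keyed by
// page URL; a real extension would ask its background process instead.

const NOTE_ORIGIN = 'widget://wuid-0123-note-widget';   // hypothetical origin
const NOTE_PAGE = NOTE_ORIGIN + '/note.html';           // hypothetical page

// --- message format shared by both halves ------------------------------------

function buildInitMessage(tabUrl) {
  return { type: 'note-init', tabUrl: String(tabUrl) };
}

// Accept only the expected message, and only from our own parent window.
// Page scripts can also postMessage into the frame (that cannot be stopped),
// but they can only ask it to show a note for an http(s) URL, never read one.
function isTrustedInitMessage(data, source, parentWindow) {
  if (source !== parentWindow) return false;
  if (!data || typeof data !== 'object') return false;
  if (data.type !== 'note-init') return false;
  if (typeof data.tabUrl !== 'string') return false;
  return /^https?:\/\//.test(data.tabUrl);
}

// --- note lookup: key on the URL without its fragment -------------------------

function noteKey(tabUrl) {
  const u = new URL(tabUrl);
  u.hash = '';
  return u.href;
}

function lookupNote(store, tabUrl) {
  const key = noteKey(tabUrl);
  return Object.prototype.hasOwnProperty.call(store, key) ? store[key] : null;
}

// Write the note as text, never as HTML: note bodies are user data.
function renderNote(container, text) {
  container.textContent = text === null ? '' : text;
  return container.textContent;
}

// --- half 1: the injected script -------------------------------------------------

function mountNoteFrame(doc, tabUrl) {
  const frame = doc.createElement('iframe');
  frame.src = NOTE_PAGE;
  // The page can still move, cover or remove the frame, but cannot read into
  // it: frame.contentDocument is null for a cross-origin document.
  frame.style.cssText =
    'position:absolute;top:100px;left:100px;width:200px;height:120px;border:0';
  frame.addEventListener('load', function () {
    // targetOrigin pins delivery to the extension's document only.
    frame.contentWindow.postMessage(buildInitMessage(tabUrl), NOTE_ORIGIN);
  });
  doc.body.appendChild(frame);
  return frame;
}

// --- half 2: note.html, running inside the frame ---------------------------------

function installNoteReceiver(win, store) {
  win.addEventListener('message', function (event) {
    if (!isTrustedInitMessage(event.data, event.source, win.parent)) return;
    const text = lookupNote(store, event.data.tabUrl);
    renderNote(win.document.getElementById('note'), text);
  });
}

// Wiring, only when a DOM exists; the functions above work without one.
// In a real extension each half lives in its own file; here the role is
// picked by whether we are the top document (injected side) or a frame.
if (typeof document !== 'undefined') {
  if (window.parent === window) {
    window.addEventListener('DOMContentLoaded', function () {
      mountNoteFrame(document, window.location.href);
    });
  } else {
    // Constructed sample store for the demo.
    installNoteReceiver(window, { 'https://example.com/': 'Renew the cert on Friday' });
  }
}
```

Two caveats worth keeping in mind. A page cannot read the frame, but it can still post forged `note-init` messages, hide the frame, or replace it with a look-alike, so the design protects confidentiality, not the display itself. And a Canvas drawn inside the page's DOM does not help: a canvas that has only had text drawn on it is not tainted, so the page can call `getImageData` or `toDataURL` on it and recover the pixels, which leaves only the cost of OCR between an attacker and the note.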
