How does Firebug read style sheets?

52 views
Skip to first unread message

als

unread,
Jan 24, 2016, 4:34:26 PM1/24/16
to Firebug
If I wrote a FF add-on I would find that a content script can't access style sheets from cross domains.
Accessing the sheet.cssRules attribute would produce a SecurityError. But Firebug
shows me all of the style sheets. How is it able to do this?

Sebastian Zartner

unread,
Jan 26, 2016, 1:37:07 AM1/26/16
to Firebug, Simon Lindholm
The main code for this is located within the Css.getAllStyleSheets() function.
It also accesses the rules this way, though IIRC from within the chrome process, which has more privileges. Simon, please correct me if I'm wrong.

Sebastian

Simon Lindholm

unread,
Jan 26, 2016, 3:03:26 AM1/26/16
to Sebastian Zartner, Firebug
Yep, Firebug simply uses the standard APIs but within a more privileged context. (It's not a separate process, even with e10s - it's a chrome-privileged compartment living in the same process as the web page. Ok, well, with e10s one might use CPOW wrappers, but that's mostly deprecated and a digression.) All accesses go through Xray wrappers, which is part of what makes that work. https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security
 
Finding which styles apply to a certain element uses a special-purpose non-content-exposed API, BTW: inIDOMUtils.getCSSStyleRules.

als

unread,
Jan 27, 2016, 7:08:51 AM1/27/16
to Firebug, sebastia...@gmail.com


On Tuesday, 26 January 2016 19:03:26 UTC+11, Simon Lindholm wrote:
Yep, Firebug simply uses the standard APIs but within a more privileged context. (It's not a separate process, even with e10s - it's a chrome-privileged compartment living in the same process as the web page. Ok, well, with e10s one might use CPOW wrappers, but that's mostly deprecated and a digression.) All accesses go through Xray wrappers, which is part of what makes that work. https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security
 

I've experimented with doing this from a frame script. According to the Mozilla documentation the frame script has "system principals" which appears to mean the same as chrome-privilege but I still got a SecurityError from the cross-domain access.

Where/how is the Firebug chrome-privileged compartment created?

Sebastian Zartner

unread,
Feb 1, 2016, 3:35:34 PM2/1/16
to Firebug, sebastia...@gmail.com

Firebug's main entry point is the loadIntoWindow() function. This code in it injects the Firebug object into the browser window. The loadIntoWindow() function itself is called on extension startup.

Again, Simon or Honza may give you a more detailed explanation on this.

Sebastian

Simon Lindholm

unread,
Feb 2, 2016, 2:30:05 PM2/2/16
to Firebug, sebastia...@gmail.com

It works for me from a frame script, so you're probably just doing something wrong. I don't have any spontaneous guesses as to what, though.
 
Reply all
Reply to author
Forward
0 new messages