xbl and security

[dr.c...@gmail.com]

I've noticed that Xbl uses javascript as the scripting language and is
used to build Mozilla Xforms. Would an application built on Xbl such
as Xforms be any more or less secure than using regular javascript in
an xhtml page? And would a custom form control built with Xbl be any
more or less secure than scripting with javascript directly in an
xhtml page?

[Mook]

XBL (1, as found in current Mozilla projects) run with the privileges of
the bound document. At one point there was an error with the Firefox
autocomplete because it assumed it could access privileged things, which
was wrong because web pages can't, and it gets embedded into web pages
:) The autocomplete binding, of course, came from a privileged
chrome:// URL (but of course that isn't enough).

I haven't read XBL2 enough yet to know about that one.

I think that should answer your question?

--
Mook

[dr.c...@gmail.com]

On Jul 12, 12:26 pm, Mook <mook.moz
+nntp.news.mozilla....@gmail.com.please-avoid-direct-mail> wrote:

Would it be safe, then, to say that an xbl extension such as Xforms,
is as secure as the browser itself so long as there are no
vulnerabilities reported (and to date, I can't find any)? And that a
well designed XBL custom control would be just as secure?

[smaug]

If XBL causes XForms security bugs, those would be probably bugs in the browser.
But XForms extension might still have its own security bugs in its C++ implementation.

-S