On Tue, Jun 16, 2015 at 10:38 AM, Paul Rouget <[email protected]> wrote:
> I don't know how this works (Xray vision).
>

Given what you're doing, it's definitely worth learning about. A basic overview is here:

https://developer.mozilla.org/en-US/docs/Xray_vision

For more detail and a bigger-picture view of why this is a tricky problem, I'd recommend watching the talk I gave in Portland: https://air.mozilla.org/safe-by-default/ . Currently accessible for vouched mozillians, but we should get rid of that soon.

> Code, in the child process, is executed this way:
>
> + let sandbox = new Cu.Sandbox(content, {
> + sandboxPrototype: content,
> + wantXrays: false,
> + sandboxName: "browser-api-execute-script"
> + });
> +
> + let sandboxRv = Cu.evalInSandbox(script, sandbox, "1.8");
>
> I use `wantXrays: false`, but I don't know what we really want here.
>

wantXrays is a deprecated option - it doesn't actually help you unless you run the sandbox with an Expanded Principal ([content] instead of content), which begs the whole "web platform not supporting asymmetric privilege relationships" question.

This is a pretty complicated topic, and requires a fair amount of background to discuss meaningfully, unfortunately. The links above should help a lot.

bholley
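Review bot: `wantXrays: false` in the `Cu.Sandbox` options has no effect in this hunk, because the sandbox principal is `content` itself rather than an Expanded Principal (`[content]`), so the option reads as a deliberate wrapper choice that is not actually being made. Drop it, or replace it with a comment stating which principal the script is meant to run with and why. Because `sandboxPrototype: content` also makes the page's window the prototype of the sandbox global, the evaluated script resolves names against whatever the page has defined or redefined there, so `sandboxRv` should be documented as page-influenced data for whatever code consumes it.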

