UnsafeWindow: Difference between revisions

From GreaseSpot Wiki
Jump to navigationJump to search
remove nonsensical "syntax" section; 'page function' & 'attach script' section replaced with link to category with pages dedicated to the topic
Blanked the page
Line 1: Line 1:
{{DISPLAYTITLE:unsafeWindow}}
{{security}}


== Description ==
This [[API_reference|API]] object allows a [[User script]] to access "custom" properties--variable and functions defined in the page--set by the web page.  The unsafeWindow object is shorthand for <code>window.wrappedJSObject</code>. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [[sandbox]].
:*'''USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.'''
unsafeWindow bypasses [[Greasemonkey]]'s [[XPCNativeWrapper]]-based [[security]] model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make greasemonkey scripts (which execute with more privileges than ordinary JavaScript running in a web page) do things that their authors or users did not intend.  User scripts should therefore avoid calling or in any other way depending on any properties on unsafeWindow - especally if if they are executed for arbitrary web pages, such as those with <code>@[[Include and exclude rules|include]] *</code>, where the page authors may have subverted the environment in this way.
[[User script]] authors are '''strongly''' encouraged to learn how [[XPCNativeWrapper]]s work, and how to perform the desired function within their security context, instead of using unsafeWindow to break out.
Compatibility: [[Version_history#0.5_beta|Greasemonkey 0.5b+]]
== Examples ==
<pre class='sample'>
unsafeWindow.SomeVarInPage = "Testing";
</pre>
<pre class='sample'>
unsafeWindow.SomeFunctionInPage("Test");
</pre>
<pre class='sample'>
var oldFunction = unsafeWindow.SomeFunctionInPage;
unsafeWindow.SomeFunctionInPage = function(text) {
  alert('Hijacked! Argument was ' + text + '.');
  return oldFunction(text);
};
</pre>
== Alternatives to unsafeWindow ==
''Sometimes'', you just can't get around using unsafeWindow.
Most of the time, however, you can!
See [[:Category:Coding Tips:Interacting With The Page]] for details on various methods to interact with the page that do '''not''' use unsafeWindow.
== Notes ==
BUG: In Firefox 3.0 the <tt>prototype</tt> field will always be <tt>undefined</tt> for objects accessed through <tt>unsafeWindow</tt>.
The techniques in [[:Category:Coding Tips:Interacting With The Page]] can work around this problem.
[[Category:API_Reference|U]]
[[Category:Scripting context]]
[[Category:Security]]

Revision as of 04:47, 27 March 2010