{{DISPLAYTITLE:unsafeWindow}}
{{security}}

== Description ==

This [[API_reference|API]] object allows a [[User script]] to access "custom" properties (variables and functions defined in the page) set by the web page. The unsafeWindow object is shorthand for <code>window.wrappedJSObject</code>. It is the raw window object inside the XPCNativeWrapper provided by the Greasemonkey [[sandbox]].

:*'''USE OF UNSAFEWINDOW IS INSECURE, AND IT SHOULD BE AVOIDED WHENEVER POSSIBLE.'''

unsafeWindow bypasses [[Greasemonkey]]'s [[XPCNativeWrapper]]-based [[security]] model, which exists to make sure that malicious web pages cannot alter objects in such a way as to make Greasemonkey scripts (which execute with more privileges than ordinary JavaScript running in a web page) do things that their authors or users did not intend. User scripts should therefore avoid calling or in any other way depending on any properties on unsafeWindow, especially if they are executed for arbitrary web pages, such as those with <code>@[[Include and exclude rules|include]] *</code>, where the page authors may have subverted the environment in this way.

[[User script]] authors are '''strongly''' encouraged to learn how [[XPCNativeWrapper]]s work, and how to perform the desired function within their security context, instead of using unsafeWindow to break out.

Compatibility: [[Version_history#0.5_beta|Greasemonkey 0.5b+]]

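The kind of subversion described above, as an added example that is not part of the original page or of Greasemonkey's code: a plain object stands in for unsafeWindow, and the property name <code>profileUrl</code>, the URLs and the allow-list pattern are constructed for illustration. It shows why a script that has to read a page-set property should take one snapshot and validate it, rather than reading the property again after checking it.

```javascript
// Added illustration: plain objects stand in for unsafeWindow; nothing here is Greasemonkey API.

// Constructed stand-in for a page that has subverted a property the script relies on:
// the getter answers the first read with an expected value and later reads with another.
function makeSubvertedPageWindow() {
  let reads = 0;
  const win = {};
  Object.defineProperty(win, 'profileUrl', {
    get() {
      reads += 1;
      return reads === 1 ? 'https://example.org/profile/42'
                         : 'https://unexpected.invalid/collect';
    },
  });
  return win;
}

// Hypothetical policy for this example: only this origin and path shape are acceptable.
const ALLOWED = /^https:\/\/example\.org\/profile\/\d+$/;

// Fragile: validates one read, then uses a second read. The page decides what each read returns.
function naiveTarget(pageWindow) {
  if (ALLOWED.test(pageWindow.profileUrl)) {
    return pageWindow.profileUrl; // second read, never checked
  }
  return null;
}

// Hardened: read once, require a primitive string (an object could carry a page-defined
// toString that satisfies the pattern), validate the snapshot, and use only the snapshot.
function snapshotTarget(pageWindow) {
  let value;
  try {
    value = pageWindow.profileUrl; // single read; page code may throw here
  } catch (e) {
    return null;
  }
  return (typeof value === 'string' && ALLOWED.test(value)) ? value : null;
}

function demo() {
  const disguised = { profileUrl: { toString: () => 'https://example.org/profile/1' } };
  return {
    naive: naiveTarget(makeSubvertedPageWindow()),
    hardened: snapshotTarget(makeSubvertedPageWindow()),
    objectRejected: snapshotTarget(disguised),
  };
}
```

Even the single read runs the page's getter, so this only limits what the script does with the value; it does not make unsafeWindow safe.
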
== Examples ==

<pre class='sample'>
// Set a variable defined by the page
unsafeWindow.SomeVarInPage = "Testing";
</pre>

<pre class='sample'>
// Call a function defined by the page
unsafeWindow.SomeFunctionInPage("Test");
</pre>

<pre class='sample'>
// Wrap a page function: keep a reference to the original, then replace it
var oldFunction = unsafeWindow.SomeFunctionInPage;
unsafeWindow.SomeFunctionInPage = function(text) {
  alert('Hijacked! Argument was ' + text + '.');
  return oldFunction(text);
};
</pre>

== Alternatives to unsafeWindow ==

''Sometimes'', you just can't get around using unsafeWindow.
Most of the time, however, you can!
See [[:Category:Coding Tips:Interacting With The Page]] for details on various methods to interact with the page that do '''not''' use unsafeWindow.

== Notes ==

BUG: In Firefox 3.0 the <tt>prototype</tt> field will always be <tt>undefined</tt> for objects accessed through <tt>unsafeWindow</tt>.
The techniques in [[:Category:Coding Tips:Interacting With The Page]] can work around this problem.

[[Category:API_Reference|U]]
[[Category:Scripting context]]
[[Category:Security]]