

Thanks Don.

 

I already saw this project in my research, but the agonies to results pull me to the dark side of the source. I will redesign the plug-in to be a safer way to run scripts on the client side. My intent in doing this job is to have full Lua capabilities on the client side, including database/file handling and all other Lua abilities. Like a signed applet can do. If not so, I like JavaScript very much. Well well… I will see that later. Thanks 4 all.

 

Rafael

 


From: lua-bounces@bazar2.conectiva.com.br [mailto:lua-bounces@bazar2.conectiva.com.br] On behalf of Don Hopkins
Sent: Wednesday, August 1, 2007 13:00
To: Lua list
Subject: Re: RES: Lua Browser Plugin

 

The best way to integrate Lua with Firefox/Mozilla/xulrunner is via XPCOM, which is an open source cross platform version of COM.
There is a Lua COM library that would be a good starting point, but integrating a scripting language with XPCOM or COM is difficult work, bordering on rocket science.
The incredible Mark Hammond integrated COM and Python (the Python win32com module), and he also integrated XPCOM and Python (the mozilla pyxpcom extension).
The pyxpcom effort to integrate Python into Mozilla resulted in cleaning up the Mozilla code in ways that will make it easier to integrate Lua in the same way.

http://www.mozilla.org/catalog/architecture/xpcom/pyxpcom/

    -Don


Jeremy Darling wrote:

Well, first you need to follow the JavaScript model and disable the io library completely.  This will at least show that you attempted to secure your module.  Try to find the other libraries that could cause a problem and disable them as well (in fact anything outside of the core lib shouldn't be active IMHO).  Then offer up the "Developer" version with things like the debug library enabled.  Finally, create a module yourself that will be surfaced that allows you to do things like document.write and document.location = bla bla bla.

As for OpenSource or not, the Mozilla JS engine is completely opensource and this has led to many security improvements over the years.  So OpenSource is a good option.

Personally, I think that approaching Mozilla, Opera, etc and asking what their feelings on the subject of yet another client side scripting language are.  After all, many have tried and failed in the past.  The one that seems to have survived is JS :)

--
Jeremy

"Help I suffer from the oxymoron Corporate Security."

On 8/1/07, Rafael - SosCpdTerra <soscpd@terra.com.br> wrote:

>Can the plugin download Lua code off the 'net and run it? Because if so,
>this
>is a huge security risk --- it's not so much as a security hole as a huge
>gaping abyss! And if it does so without asking the user first (every time),
>then it probably also counts as a back door...

        Exactly my point. Yes, that can be done so far, and I'm not
controlling that right now. I really do not do that thinking in a back door,
but... ;) like father, like son... I think too in the follow: Who will
distribute this plug-in?
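
The approach Jeremy describes above (no io library, nothing outside a small core, plus one host-provided module) can be sketched as follows. This is an added example, not code from the thread or from the plug-in; the `document` table is a hypothetical stand-in for a browser module, and the contents of the whitelist are an assumption.

```lua
-- Added example: whitelist sandbox for untrusted Lua source (Lua 5.1 through 5.4).
-- `document` is a hypothetical host module; the whitelist below is an assumption.

local function copy(src, names)
  local out = {}
  for _, k in ipairs(names) do out[k] = src[k] end
  return out
end

local function make_env(output)
  -- Build the environment from nothing and add only what is needed: no io, os,
  -- debug, package, require, dofile, loadfile, load, loadstring or raw* functions.
  local env = copy(_G, { "assert", "error", "ipairs", "next", "pairs", "pcall",
                         "select", "tonumber", "tostring", "type" })
  env.math   = copy(math,   { "abs", "floor", "max", "min", "sqrt" })
  env.table  = copy(table,  { "concat", "insert", "remove", "sort" })
  env.string = copy(string, { "byte", "char", "format", "len", "lower", "sub", "upper" })
  -- Host-provided module: the only channel the script has to the outside.
  env.document = { write = function(s) output[#output + 1] = tostring(s) end }
  return env
end

local function run_untrusted(source, output)
  -- Refuse precompiled chunks: the loader does not verify bytecode.
  if source:sub(1, 1) == "\27" then return false, "bytecode rejected" end
  local env = make_env(output)
  local chunk, err
  if setfenv then                          -- Lua 5.1
    chunk, err = loadstring(source, "=untrusted")
    if chunk then setfenv(chunk, env) end
  else                                     -- Lua 5.2 and later
    chunk, err = load(source, "=untrusted", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)                      -- runtime errors stay inside the sandbox
end

-- Constructed sample scripts.
local out = {}
-- Allowed: uses only document.write and a whitelisted string function.
print(run_untrusted('document.write("hello " .. string.upper("lua"))', out))
print(table.concat(out))
-- Blocked: io and require are simply absent from the environment.
print(run_untrusted('io.open("/etc/passwd")', out))
print(run_untrusted('return require("os")', out))
```

Two limits of this sketch: method calls on string values (`("x"):rep(n)`) go through the shared string metatable and still reach the full string library, and nothing here bounds CPU time or memory, so a host would also need an instruction-count hook and an allocator limit.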