Sunday, June 6, 2010

Cross Context Scripting with Firefox

Cross Context Scripting (XCS) is a term coined for browser-based content injection into the Firefox chrome zone. The term was originally used by researcher Petko D. Petkov (pdp), when David Kierznowski found a vulnerability in the Sage RSS Reader Firefox extension [1]. XCS injection occurs between different security zones: an untrusted zone and a trusted zone. The untrusted zone is not trusted by the browser; an Internet page located on a remote server is one example. Firefox also has a trusted zone, named Chrome. Chrome allows extensions to access and interface with core components of Firefox, such as XPCOM. In this manner, extensions can provide extra functionality to the user and extend the web browser's capability.
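The zone crossing described above, as an added JavaScript example that is not from the original post and is not the Sage extension's code: it assumes an extension that renders feed items as HTML in a chrome-privileged page, and shows untrusted fields concatenated into markup beside a form that escapes them and restricts link schemes. The sample item and all function names are constructed for illustration.

```javascript
// Added illustration: untrusted feed data rendered into a page that an
// extension loads with chrome privileges. All names here are hypothetical.

// Constructed sample item, as an untrusted remote feed might supply it.
const sampleItem = {
  title: 'Weekly update <img src=x onerror="alert(1)">',
  link: 'javascript:alert(1)',
};

// Weak form: feed fields are concatenated straight into markup, so any tags
// or script-bearing URLs they carry are interpreted in the trusted zone.
function renderItemUnsafe(item) {
  return '<a href="' + item.link + '">' + item.title + '</a>';
}

// Escape the five characters that can change HTML structure.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only http(s) links; anything else (javascript:, data:, chrome:, ...)
// or anything unparsable is replaced with an inert anchor.
function safeLink(link) {
  try {
    const url = new URL(String(link));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#';
  }
}

// Hardened form: treat every feed field as data, never as markup.
function renderItemSafe(item) {
  return '<a href="' + escapeHtml(safeLink(item.link)) + '">' + escapeHtml(item.title) + '</a>';
}

console.log(renderItemUnsafe(sampleItem));
console.log(renderItemSafe(sampleItem));
```

In a real extension the same rule is usually applied by building nodes and assigning `textContent` rather than producing markup strings at all.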
