Security

Security considerations when developing extensions

Sandcat Extensions, built using HTML and Lua, can execute Lua code with file IO support. You should not load a string as part of the HTML of an extension user interface without filtering or validating the content before.

This applies to the following functions:

  • app.showdialogx()
  • app.showmessagex()
  • browser.loadpagex()
  • browser.newtabx()
  • tab:loadx()
  • [anyuizone]:loadx()

Never use the extension user interface for regular browsing

You can use http for displaying media files, such as images, but do not try to load web sites using supported protocols. You will be loading an entirely new user interface, which as mentioned before has desktop application privileges.

If you need to load a web page, use the function tab:gotourl(), which will load the web page using the standard, safe for browsing Chromium navigator.

Page last modified on May 26, 2013, at 03:23 AM
2013 Syhunt