Skip to content
/ laproscope Public

A horribly insecure Firefox add-on for debugging chrome code.

3 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jimblandy/laproscope

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
content
content
 
 
elisp
elisp
 
 
locale/en-US
locale/en-US
 
 
skin
skin
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
bootstrap.js
bootstrap.js
 
 
chrome.manifest
chrome.manifest
 
 
install.rdf
install.rdf
 
 
options.xul
options.xul
 
 

Repository files navigation

Laproscope: A Horrible Firefox Extension

Laproscope is the culmination of a series of ill-considered design choices, brought together so as to make the worst possible outcomes all but certain. Don't do something you'll regret.

Laproscope is a Firefox extension that adds a Laproscope server checkbox menu item to your Tools menu. When that item is checked, Firefox listens for TCP connections from the local machine on port 17428 (just because). You can then connect to that port with a tool like nc to get a prompt at which you can evaluate JavaScript with chrome privileges.

For example:

$ nc localhost 17428
surely there are better alternatives
l> 1+3
4
l> window
({})
[object ChromeWindow]
l> function f(n) { if (n > 0) f(n-1); else null.x; } 
l> f(3)
Exception: TypeError: null has no properties
Stack:
f@chrome://laproscope/content/browserOverlay.js:20
f@chrome://laproscope/content/browserOverlay.js:20
f@chrome://laproscope/content/browserOverlay.js:20
f@chrome://laproscope/content/browserOverlay.js:20
@chrome://laproscope/content/browserOverlay.js:20
onInput@chrome://laproscope/content/browserOverlay.js:20
Connection.prototype.onDataAvailable@chrome://laproscope/content/server.js:110
l>

Now you can really hack on Firefox from within Emacs.

Please note: when the Laproscope server menu item is checked, any process on your machine can connect the port and do anything Firefox chrome code can do: delete files, send sensitive data off to shady web servers, et cetera. It's a terrible design. Honestly, why would you want to use such a thing?

Building and installation

Running 'make' in the top of the source tree will produce a file named 'laproscope.xpi'. If you visit this file with Firefox, it will offer to install it as an extension. In the name of good form, it will express a reassuringly generic skepticism about the wisdom of doing so, which will almost certainly fail to elicit the merited degree of hesitation on your part.

Hacking

If you're going to hack on Laproscope, you may find it convenient to have Firefox read Laproscope's sources straight from your working copy, instead of from the .xpi file. Then, you can test your changes simply by re-starting Firefox, instead of re-building and re-installing the .xpi.

To work this way, replace the laproscope@red-bean.com.xpi file in the extensions subdirectory of your profile directory with a file named laproscope@red-bean.com (no .xpi extension), whose contents are, simply, the path of your Laproscope working directory - the directory containing this README.md file.

Spelling

The word "Laproscope" is more commonly spelt "Laparoscope". That this extension should use (what one might charitably call) a non-standard spelling is fitting, and there are no plans to change the name.

About

A horribly insecure Firefox add-on for debugging chrome code.

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages