Hi, Apologies if this is a novice question...
I am stuck with the following problem: there is an application (it used to be based on Mozilla-1.7 platform and I am trying to "upgrade" it to mozilla-1.9.1, I am using firefox-3.1b2 release). I have more or less got it compiling and "almost working" but there is one big issue which seems to be a blocker for now, namely the security policy which wasn't there for 1.7. In my case, it boils down to the following: there are some resources on the client side (either in the form of file://foo.html or in the form of chrome://bar.xul) which have links to some custom protocol (let's say xxx://whatever). The protocol handler for xxx is a part of the application, and it is implementing nsIProtocolHandler interface. The following flags are set: URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE. The problem: in the case of file://foo.html it is possible to have links to this protocol (nsScriptSecurityManager->CheckLoadURIWithPrincipal called from nsContentUtils->TriggerLink returns OK). But in the case of chrome://bar.xul the same method called (with aFlags=0) from nsFrameLoader->CheckURILoad returns false and produces the following output: Security Error: Content at xxx://whatever may not load or link to chrome://bar.xul. I do have the application content whitelisted in app.manifest with contentaccessible=yes (this solved the problem with files). I have done some debugging and I saw that the reason for this error is the special treatment which chrome scheme gets in CheckLoadURIWithPrincipal. It appears that, if chrome scheme is the target and custom scheme is the source, then either the nsIScriptSecurityManager::ALLOW_CHROME flag should have been set by the CheckLoadURIWithPrincipal caller (nsFrameLoader doesn't set it) or my protocol should have the flag URI_IS_UI_RESOURCE set (but then the links from file://foo.html will be rejected as I've learned already), or there should be some way to whitelist the custom scheme (not present currently). I really don't look much forward to tinkering with nsIScriptSecurityManager::CheckLoadURIWithPrincipal method and force it to accept our custom scheme, I would rather not change the code which belongs to mozilla project. Can I change something on my side, then? -- View this message in context: http://www.nabble.com/nsScriptSecurityManager-and-a-custom-protocol-tp22227469p22227469.html Sent from the Mozilla - Embedding mailing list archive at Nabble.com. _______________________________________________ dev-embedding mailing list [email protected] https://lists.mozilla.org/listinfo/dev-embedding
