timeless wrote:
> Look at how window.sidebar and window.XMLHttpRequest and friends work.
> You don't need to require things to be signed.

Sure, but these are part of the DOM, and accessing them is not so critical. The problem is that XPCOM is a very powerful way to let developers extend Mozilla's functionality, but the strictness of the access method makes it completely unusable.

> However creating such a
> thing does mean it's your responsibility to not enable web pages to
> harm the users.

I don't agree. My responsibility is to create a component that offers some functionality and to take care that it has no security holes that let somebody use it in an unexpected way. The user makes the decision to install a component and to trust the developer, and to trust that it provides the services he has been told it provides, so I think that the usage of it should be trusted just by allowing its installation (signing the component, not the scripts), the same way it is done with the extensions.

I mean, you can install an unsigned Firefox extension (most of them are unsigned), and they could be as harmless as my component (the only difference is that the extension is activated by an event, but it's really easy to make it react to a structure on the loaded document). Why can the extension work freely while my component has to be accessed by signed scripts and static HTML docs packed in a jar?

The answer is that installing an extension provides just this functionality, but giving UniversalXPConnect access lets you use every scriptable component, even the critical ones. So, I believe that the access model should be different, letting you gain access to just one component, not to every one.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security