Hi, I have a question about Mozilla's CAPS system. I am trying to
disable DOM's Window.postMessage method in Firefox 3, so I added this
line to user.js:
user_pref("capability.policy.default.Window.postMessage.get", "noAccess");
And got the following behavior:
I have two windows, A and B from different origins.
In window A:
(1) window.dump (windowA.postMessage)
-> prints out "function postMessage() {[native code]}"
(2) window.dump (windowB.postMessage)
-> raises "Permission denied to get property Window.postMessage"
From the policy I added to user.js, I expected to get the permission
error for both commands (1) and (2), but I only got it for command
(2).
Is this how the CAPS system is supposed to work? It seems like the
policy may only be enforced on same-origin scripts.
Without the user_pref, windowA can read windowB.postMessage.
Any idea why I'm seeing this behavior?
Thanks, Alex
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security