Thanks a lot for your reply, Boris!

However, I don't see how to put all the code in a signed jar, as JSP will generate HTML code dynamically for each client request.
Maybe someone knows if this is possible, and how?

Otherwise, I will have to write an extension, as you suggested, but I would like to avoid this if possible.



Boris Zbarsky wrote:
Marine wrote:
  
<object type="text/html" data="" 
width="0px" height="0px" name="jsUtilsAvecPrivileges">
</object>
    
...
  
I wonder if this could be due to the vulnerability correction in Firefox 
2.0.0.15: http://www.mozilla.org/security/announce/2008/mfsa2008-23.html
    

Yes.  What you were doing before was exploitable.

  
==> But now, how can I get it to work again?
    

Either put all your code into a signed jar, or put the parts that need 
privileges into an extension and communicate with it from your untrusted 
code using events or whatnot.

In Fx3 you can also use window.postMessage, but that won't help with Fx2.

-Boris
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
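
The split suggested in the reply above (privileged code kept apart, reached from untrusted page code only through messages) depends on the privileged side checking every message it receives. The following is an added example, not code from this thread or from Mozilla: a receiving-side handler for `window.postMessage` that checks the sender origin and exposes only allowlisted operations. `TRUSTED_ORIGIN`, the `readPreference` operation and the JSON message shape are assumptions made for illustration.

```javascript
// Added example. TRUSTED_ORIGIN, OPERATIONS and the message shape are hypothetical.
const TRUSTED_ORIGIN = "https://app.example.com";

// Allowlist: the only operations untrusted page code can reach.
const OPERATIONS = {
  readPreference(args) {
    // Validate arguments before doing anything privileged with them.
    if (typeof args.name !== "string" || !/^[a-z][a-z0-9.]{0,63}$/.test(args.name)) {
      throw new Error("invalid preference name");
    }
    return { name: args.name, value: "constructed-value" }; // stand-in for the real lookup
  },
};

function handleMessage(event) {
  // 1. Exact origin comparison; substring or prefix tests can be bypassed.
  if (event.origin !== TRUSTED_ORIGIN) return { ok: false, error: "untrusted origin" };

  // 2. Treat the payload as hostile: it must parse to a plain object.
  let msg = null;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : null;
  } catch {
    msg = null;
  }
  if (!msg || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, error: "malformed message" };
  }

  // 3. Own-property lookup, so names like "constructor" never resolve.
  if (typeof msg.op !== "string" || !Object.prototype.hasOwnProperty.call(OPERATIONS, msg.op)) {
    return { ok: false, error: "unknown operation" };
  }
  try {
    const args = msg.args && typeof msg.args === "object" ? msg.args : {};
    return { ok: true, result: OPERATIONS[msg.op](args) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Browser wiring: reply only to the origin that was just verified.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const reply = handleMessage(e);
    if (reply.ok) e.source.postMessage(JSON.stringify(reply), e.origin);
  });
}
```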

  