On Aug 8, 6:41 pm, Boris Zbarsky <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > I have an html page which has an iframe, and this iframe contains > > signed scripts. > > But the page itself is not signed, right? > > > There are javascript function calls and objects need to be accessed in > > some.html from the top frame, like var x = top.whateverfunction(); or > > var s = top.somevar; > > This is no longer possible if one page is signed and one is not. The > fact that it was ever possible was a bug (and a security hole, at that). > > > I would like to get some help to fix this somehow. > > There was an earlier thread in this newsgroup, with the subject "Signed > Jar in JSP / Firefox 2.0.0.15" that covered this ground. > > -Boris
Yes, the container html is not signed, only the inner one. The inner one needs to be signed because it needs to use UniversalXPConnect privileges. However I cannot figure out how to sign all of the scripts and html files. Then all of them would go into a jar file. Then how to open it in the browser? Using the jar protocoll? The container html has an UI. Currently the container html includes a lot of other javascript files. The inner html has one script tag, no include. It was very convenient to access the container frames' javascript objects. Could you please explain more precisely how to fix this situation? I would go the way that every html and script is signed. Thanks giorgio71 _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
