Bill Lear wrote: > Thanks for the note. I realize that you can do this, but in our > application, a kiosk, there will be no interaction with the user to > accept these, as they will already have been accepted at the time of > installation. > > In any case, it appears there is no way to get around firefox > security, which is too bad.
It looks like there's an extra check, in addition to having the right privelege (UniversalBrowserWrite) the window in question must have a chrome parent: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp&rev=1.143&mark=1536-1538,1541#1530 I missed the "kiosk" part the first time. If this is something installed on the target machine then don't mess around with signing, just go ahead and install privileged code. For that you don't need security help, just development help from, for instance, the addon developer community. One option, if content has to do this ("safe" non-web stuff, right?) might be to implement a global object with a function call to do this. For example you can look in the Firefox components directory and see how the sidebar object was implemented in nsSidebar.js, but there are other ways to do it. Just remember to be careful handling URIs, especially javascript: and data: uris. Best to whitelist only the schemes you expect (file: ?) and if there's any chance of this application browsing to hostile content you should whitelist the source domains you'll accept the command from. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
