Since http://www.mozilla.org/projects/security/components/ConfigPolicy.html
is pretty bad documentation, I did a bit of code research. I am not a
programmer.
If your wondering about hidden stuff on capabilities.policy.<policy
name>.* this is all I found
capabilities.policy.<policy name>.javascript.enabled (takes an
"enabled" for propertyname (" sEnabledID" in C++ code)) (documented on
configpolicy.html page) source:
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#1797
capabilities.policy.<policy name>.ClassID.<classID Value> source:
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#2870
(I'm going to guess this can be used to kill things with a GUID-like
number (IID? UUID?), most likely XPCOM components)
capabilities.policy.<policy name>.checkloaduri.enabled (documented on
configpolicy.html page) source:http://mxr.mozilla.org/firefox2/source/
caps/src/nsScriptSecurityManager.cpp#1441
capabilities.policy.<policy name>.<class name>.<property name> (here
is what powers the set policy on any element thing) source:
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#671
securityLevels in the code refers to the no access/all access/same
origin/capabilities (@mozilla.org/blah i think)
default securityLevel is most cases for DOM based checks is same
origin source, otherwise no access, stuff that doesn't call
CheckPropertyAccessImpl() is SCRIPT_SECURITY_UNDEFINED_ACCESS usually
and must be delt by the function that asked for a policy lookup
source:
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#676
here are some class names which I don't think are in the DOM or are
explictly checked
XMLHttpRequest open
http://mxr.mozilla.org/firefox2/source/content/base/src/nsXMLHttpRequest.cpp#1098
XMLDocument load
http://mxr.mozilla.org/firefox2/source/content/xml/document/src/nsXMLDocument.cpp#435
SOAPCall invokeVerifySourceHeader
http://mxr.mozilla.org/firefox2/source/extensions/webservices/soap/src/nsHTTPSOAPTransport.cpp#176
SOAPCall invoke
http://mxr.mozilla.org/firefox2/source/extensions/webservices/soap/src/nsHTTPSOAPTransport.cpp#161
here are more pages i found useful if you want to research the policy
system
http://mxr.mozilla.org/firefox2/ident?i=ACCESS_SET_PROPERTY
http://mxr.mozilla.org/firefox2/ident?i=ACCESS_GET_PROPERTY
http://mxr.mozilla.org/firefox2/ident?i=ACCESS_CALL_METHOD
anything that calls this (alot of stuff)
http://mxr.mozilla.org/firefox2/ident?i=CheckPropertyAccessImpl
but it all boils down to what calls
http://mxr.mozilla.org/firefox2/ident?i=LookupPolicy
since that is what retrieves/checks the capabilities.policy collected
prefs
for capabilities.policy.<policy name>.<class name>.<property
name>.<set/get>
if a set/get isn't defined in prefs, the set and get are set to the
securityLevel of the <property name>
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#3510
the set/get members of a PropertyPolicy object are initialized with
"SCRIPT_SECURITY_UNDEFINED_ACCESS" and then if not specifically
defined are set to the securitylevel of the parent "property name"
http://mxr.mozilla.org/firefox2/source/caps/include/nsScriptSecurityManager.h#179
I don't believe there is any <class name>.<property name>.<thing here>
choices other than set and get, if its not a set, and something exists
in the 3rd position, its treated as a get
http://mxr.mozilla.org/firefox2/source/caps/src/nsScriptSecurityManager.cpp#3495
I am not a C++ or Mozilla insides programmer. But this is my
understanding after a couple difficult hours of reading source code. I
guarantee you there are mistakes in this post. This would belong on
the talk page of the configPolicy.html page if it were on Mozilla
Developer Center or Mozilla Wiki.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
