I am in a xulrunner app. A part needs to communicate a lot with the Internet, and I want to wall that off. (Specifically, I want to need a map using OpenLayers and OpenStreetMap vector data APIs.) Thus, I want to load an HTML file that is part of the app with restricted web content rights - it must not be able to load local files outside the xul app code.

What's the best way?
I have a <browser type="content"> and load the HTML file via resource: (by adding a resource line to chrome.manifest).

My questions:
1. I am not sure that resource: can't load local files outside resource:, but I could test that. Some definite statement would be nice, though.

2. If my resource://...html page tries to do an XMLHttpRequest to a web server, and it fails at the same origin check. Is there a way to disable the check in the prefs? Preferably specifically for this resource: to this one http server. In any case, the untrusted page must not be able to access arbitrary local files, e.g. via XMLHttpRequest to file:///, but only to http:.


(Please follow up to .platform only when replying.)