Thank you for the response. I filed a bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=641342
I hope I have done it right.
I also noticed that this problem only exists if the protocol handler creates a new channel to an "internal" file, I mean, a file that is loaded by a chrome: URL. If the handler opens a channel to an external web site, I get the expected "Permission denied" error.

On Mar 11, 6:28 pm, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 3/11/11 6:34 AM, Felix Kling wrote:
> > While making some changes to my plugin I noticed the following:
> >
> > If one injects an iframe into a webpage and the iframe loads a custom
> > URL (implemented by a custom protocol handler), in Firefox 3.6, the
> > parent page cannot access the content of iframe (due to same-origin
> > policy).
> >
> > The only flag set for the protocol is `URI_LOADABLE_BY_ANYONE`.
> >
> > But in Firefox 4, the content can be accessed by the parent page.
>
> That seems like a bug, if true. Testcase, please? Ideally in a bug in
> bugzilla.
>
> > Is this an intended change or a bug?
>
> It's certainly not an intended change.
>
> -Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security