The script "principal" comes from the page origin, so in order to run privileged script the page itself needs to be in the signed archive. What you're trying to do simply won't work. It's been this way for a long time because the type of mixing you are trying to do led to security holes.
Although code-signing is still in the product it's never been an advertised Firefox feature (it was inherited from Netscape 6), and support will be removed in a future version. No date set, maybe next year. What you should do instead is create a "JetPack" that will do whatever privileged operation you're trying to do. If you're OK with users having to say "OK" to a big ugly permission dialog then asking them to installa "restart-less" add-on one time shouldn't be a problem. The obvious temptation is to inject an object or method into the page, but it would be more secure to listen for events instead. Most important would be to limit the effects of your add-on only to your own site(s) to prevent your users from being hacked when visiting malicious sites. -Dan Veditz On 8/18/11 12:53 PM, Luis Fernando Mendoza Cáceres wrote: > Hello, first, sorry for this email, but I need a help, I'm a ASP > developer and have 2 javascript files ( utilities.js and getdata.js) , I > need to sign this files , so my users don't need to go to "about:config" > and set signed.applets.codebase_principal_support in true. > > I create a file secure-scripts.jar with signtool comands (-Z), but in my > site (Ex. First_page.ASP ) added the lines: > > <script SRC="jar:secure-scripts.jar!/js/utilities.js"></script> > <script SRC="jar:secure-scripts.jar!//js/getdata.js"></script> > > The site is loading the scripts, but display this error: > > Error: A script from "http://mysite"; was denied UniversalXPConnect > privileges > > But If in this .jar I create a test.html and in the url of browser write : > jar:http://mysite\secure-scripts.jar!//test.html , this works. But I can't > do it this, because the javascript files are loading in every page of my > site and I can't package all site. Also if I add a ASP page in .jar file, > don't works. > > I need this working very soon and can't fix the problem. If you can help me > please, I hope that you can help me. > > Sorry for this. I'm not speak english, my language is spanish. > > > Atte. Luis Fernando _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
