Hi Boris,

> > The other approach I've tried is to create a firefox extension, sign the
> > XPI package and then load all .js files via chrome:/// url but it makes
> > no difference. It still requires
> > signed.applets.codebase_principal_support to be enabled.
>
> I don't see why, unless you did it wrong.

In another reply I found why this was making no difference (or why it is wrong). It makes sense assuming the Javascript context comes from an external untrusted webpage (anybody will be allowed to load from chrome:/// which is not appropriate but I had to try ;-).

> > This approach also has the chrome:/// problem which is firefox
> > specific.
>
> So are the socket APIs you're using, no? Or at least Gecko-specific.

Certainly. But, with enough isolation it is not a problem at all. I'm trying to provide a BEEP API that hides these details...

...however, making a webpage load jsVortex files (via <script src="">) using non-standard or firefox-specific urls seems odd.

> > 1. Is there a way to allow a user to configure its browser to accept a
> > list of "trusted" sites that are allowed to use UniversalXPConnect?
>
> Yes, you can set the preferences that security manager would set if the
> user got prompted and accepted and say to remember that choice.

This sounds promising, Boris. Sorry, but can you elaborate more on this? Maybe you can point me to some document or code example (or mozilla source).

If I understand you, there is a way to activate a per-site user controlled setting that will allow UniversalXPConnect without modifying signed.applets.codebase_principal_support. Is this right?

> Note that we plan to remove enablePrivilege, so you might be better off
> not using it unless you want to redo your stuff in a year or two.

Ok. Thanks for the advice, Boris. Certainly my intention in the near term is to implement all I/O handling with websocket, but I would like to support more firefox versions and people not having a websocket infrastructure.

> You could write an extension that listens to particular events from a
> particular site, or exposes some APIs to it.

Ok, this solution seems to be more robust in the long term if I understand you. I'll try to find how to do this.

> The latter is hard right
> now, but we're working on providing an easy way to do it.

Definitely, exposing a particular and limited API looks like the right thing. Is there any document or a working example implementing this concept?

Thanks Boris,
Cheers!

> -Boris
