I can't find much documentation or example code, but could nsIXPCSecurityManager.CanAccess enable access to unprivileged scripts for only the XMLDocument object I create?

James Newell wrote:
> I tried to load the XML document from the same "epaedia://host/" URI as
> the unprivileged script hoping that this would solve this issue. This
> did not work as I get errors when my epaedia protocol tries to get the
> "epaedia://packagename/package.xml" itself. I figured that because
> requests for the "package.xml" file are special, and just return the
> document without loading "package.xml", that when another file is
> requested and the XML doc is retrieved within the request that it would
> be successful.
>
> Is there any way I can make the unprivileged script not need
> permissions for this XMLDocument?
>
> Thanks,
> James
>
> Boris Zbarsky wrote:
> > James Newell wrote:
> > > "XML", a property of the package component, contains an XML Document
> > > returned from an nsIXMLHttpRequest. Unprivileged JS can access this
> > > object but each of the XML Documents and methods are inaccessible:
> > >
> > > Error: uncaught exception: Permission denied to get property
> > > XMLDocument.textContent
> > >
> > > What am I doing wrong?
> >
> > You're creating an XMLDocument in security context A and trying to use it
> > from security context B. This is typically called an "XSS Attack" when
> > used on the web... And we generally try to not allow it to happen.
> >
> > More precisely, the issue is that the XMLDocument returned by XMLHttpRequest
> > doesn't have a security context of its own, so it uses the security context
> > of whoever called XMLHttpRequest.
> >
> > -Boris

_______________________________________________
dev-tech-xpcom mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-xpcom
