Hi!
In http://lxr.mozilla.org/mozilla/source/xpfe/components/sidebar/src/nsSidebar.js
there is the following check:
function sidebarURLSecurityCheck(url)
{
    if (url.search(/(^http:|^ftp:|^https:)/) == -1)
        throw "Script attempted to add sidebar panel from illegal source";
}
Could we change it to this check?
function sidebarURLSecurityCheck(url, win)
{
    // use the win argument; the original read the global window here
    var re = new RegExp("(^chrome://[^/]+/content/)","");
    var res = re.exec(win.location.href);
    // url is part of the same package as script source
    if (res && url.substring(0, res[1].length) == res[1])
        return;
    if (url.search(/(^http:|^ftp:|^https:)/) == -1)
        throw "Script attempted to add sidebar panel from illegal source";
}
It would allow a package to add itself to the sidebar. If anyone trusts a
package, she will probably trust it also in the sidebar.
Masi
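
The proposed check, restated as a pure function so that its accept/reject behaviour can be run outside the browser. This is an added example, not part of the original post or of Mozilla's code; `sidebarURLAllowed`, `callerHref` and every sample URL are constructed for illustration.

```javascript
// Added example: the same-package rule plus the original scheme rule.
// callerHref stands in for the calling window's location.href (assumption).
const PACKAGE_CONTENT_RE = /^chrome:\/\/[^\/]+\/content\//;
const REMOTE_SCHEME_RE = /^(http:|ftp:|https:)/;

function sidebarURLAllowed(url, callerHref) {
  const pkg = PACKAGE_CONTENT_RE.exec(callerHref);
  // Same-package rule: the panel URL must begin with the caller's own
  // chrome://<package>/content/ prefix, trailing slash included, so a
  // package whose name merely starts with the caller's name does not match.
  if (pkg && url.startsWith(pkg[0])) return true;
  // Original rule: panel URLs from http:, ftp: and https: only.
  return REMOTE_SCHEME_RE.test(url);
}

// Constructed cases: [panel URL, caller href, expected result].
const CHROME_CALLER = "chrome://mypkg/content/main.xul";
const WEB_CALLER = "http://example.com/page.html";
const CASES = [
  ["chrome://mypkg/content/panel.xul", CHROME_CALLER, true],   // own package
  ["chrome://other/content/panel.xul", CHROME_CALLER, false],  // other package
  ["chrome://mypkgx/content/panel.xul", CHROME_CALLER, false], // name prefix only
  ["chrome://mypkg/skin/panel.css", CHROME_CALLER, false],     // not under content/
  ["javascript:void(0)", CHROME_CALLER, false],                // scheme still rejected
  ["http://example.com/panel.html", CHROME_CALLER, true],      // original rule
  ["http://example.com/panel.html", WEB_CALLER, true],         // original rule
  ["chrome://mypkg/content/panel.xul", WEB_CALLER, false],     // web page gains nothing
];

// Evaluate every case and report whether the result matches the expectation.
function runCases() {
  return CASES.map(([url, caller, expected]) => ({
    url, caller, expected, actual: sidebarURLAllowed(url, caller),
  }));
}

for (const r of runCases()) {
  const verdict = r.actual ? "allow " : "reject";
  console.log(`${verdict} ${r.url}  (caller: ${r.caller})`);
}
```

The last case is the one that matters for the existing protection: a caller that is not itself chrome content never reaches the same-package branch, so web pages remain limited to http:, ftp: and https: panels.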