Seems reasonable to me. Could you file a bug and put this patch in the bug?
-Mitch
Martin Kutschker wrote:
> Hi!
>
> In
> http://lxr.mozilla.org/mozilla/source/xpfe/components/sidebar/src/nsSidebar.js
> there is the following check:
>
> function sidebarURLSecurityCheck(url)
> {
>     if (url.search(/(^http:|^ftp:|^https:)/) == -1)
>         throw "Script attempted to add sidebar panel from illegal source";
> }
>
> Could we change it to this check?
>
> function sidebarURLSecurityCheck(url, win)
> {
>     var re = new RegExp("(^chrome://[^/]+/content/)","");
>     var res = re.exec(window.location.href);
>
>     // url is part of the same package as script source
>     if (res && url.substring(0, res[1].length) == res[1])
>         return;
>
>     if (url.search(/(^http:|^ftp:|^https:)/) == -1)
>         throw "Script attempted to add sidebar panel from illegal source";
> }
>
> It would allow a package to add itself to the sidebar. If anyone trusts a
> package, she will probably trust it also in the sidebar.
>
> Masi
>
>
>
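
The check proposed in the quoted message, run over a handful of URLs to show exactly what it admits. This is an added example, not part of the original thread or of the Mozilla source: `checkSidebarURL`, `classify`, the `callerHref` parameter (standing in for the calling script's location so the code runs outside the browser), and all sample URLs are constructed for illustration.

```javascript
// Added example: the proposed rule with the caller's location passed in
// explicitly (callerHref is an assumed parameter, not the component's API).
const PACKAGE_CONTENT_RE = /^chrome:\/\/[^\/]+\/content\//;
const REMOTE_SCHEME_RE = /^(http|https|ftp):/;

function checkSidebarURL(url, callerHref) {
  const m = PACKAGE_CONTENT_RE.exec(callerHref);
  // Same package: url must begin with the caller's own
  // chrome://<package>/content/ prefix, trailing slash included.
  if (m && url.startsWith(m[0])) return "same-package";
  // Otherwise fall back to the original scheme allow-list.
  if (REMOTE_SCHEME_RE.test(url)) return "remote";
  throw new Error("Script attempted to add sidebar panel from illegal source");
}

// Wrap the throwing check so results can be tabulated.
function classify(url, callerHref) {
  try {
    return checkSidebarURL(url, callerHref);
  } catch (e) {
    return "rejected";
  }
}

// Constructed sample inputs: [panel URL, caller location].
const CASES = [
  ["chrome://mypkg/content/panel.xul", "chrome://mypkg/content/setup.xul"],
  ["chrome://otherpkg/content/panel.xul", "chrome://mypkg/content/setup.xul"],
  ["chrome://mypkgx/content/panel.xul", "chrome://mypkg/content/setup.xul"],
  ["chrome://mypkg/skin/panel.css", "chrome://mypkg/content/setup.xul"],
  ["chrome://mypkg/content/panel.xul", "http://example.com/page.html"],
  ["http://example.com/panel.html", "http://example.com/page.html"],
  ["file:///tmp/panel.html", "chrome://mypkg/content/setup.xul"],
];

function runCases() {
  return CASES.map(([url, caller]) => classify(url, caller));
}

for (const [url, caller] of CASES) {
  console.log(classify(url, caller).padEnd(13), url, "<-", caller);
}
```

Because the prefix comparison includes the slash after the package name and the `/content/` segment, a chrome caller can only register panels from its own package's content directory, and a web page still cannot register any `chrome:` URL.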