This bug is already in bugzilla as
http://bugzilla.mozilla.org/show_bug.cgi?id=48583.
Mitchell Stoltz wrote:
> Seems reasonable to me. Could you file a bug and put this patch in the bug?
> -Mitch
>
> Martin Kutschker wrote:
>
>> Hi!
>>
>> In
>> http://lxr.mozilla.org/mozilla/source/xpfe/components/sidebar/src/nsSidebar.js
>> there is the following check:
>>
>> function sidebarURLSecurityCheck(url)
>> {
>>     if (url.search(/(^http:|^ftp:|^https:)/) == -1)
>>         throw "Script attempted to add sidebar panel from illegal source";
>> }
>>
>> Could we change it to this check?
>>
>> function sidebarURLSecurityCheck(url, win)
>> {
>>     var re = new RegExp("(^chrome://[^/]+/content/)","");
>>     var res = re.exec(window.location.href);
>>
>>     // url is part of the same package as script source
>>     if (res && url.substring(0, res[1].length) == res[1])
>>         return;
>>
>>     if (url.search(/(^http:|^ftp:|^https:)/) == -1)
>>         throw "Script attempted to add sidebar panel from illegal source";
>> }
>>
>> It would allow a package to add itself to the sidebar. If anyone trusts a
>> package, she will probably trust it also in the sidebar.
>>
>> Masi
>>
>>
>>
>
>
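
Added example (not part of the original messages or of nsSidebar.js): the proposed check restated as a function that returns true/false, run over constructed URLs to show which panel URLs it admits and which it still rejects. The function name, the explicit callerHref parameter (standing in for the location the proposal reads from window.location.href) and all sample URLs are assumptions.

```javascript
// Proposed rule as a pure function: a chrome package may add panels from its
// own content/ directory; everything else must pass the original scheme check.
function sidebarURLAllowed(url, callerHref) {
  // Capture "chrome://<package>/content/" when the caller is chrome content.
  const res = /^(chrome:\/\/[^\/]+\/content\/)/.exec(callerHref);

  // Same-package rule: url must start with the caller's own package prefix.
  if (res && url.substring(0, res[1].length) === res[1]) {
    return true;
  }
  // Otherwise fall back to the original scheme allowlist.
  return url.search(/(^http:|^ftp:|^https:)/) !== -1;
}

// Constructed sample inputs: [panel url, caller location, expected result].
const cases = [
  // Package adds a panel from its own content/ directory.
  ["chrome://mypkg/content/panel.xul", "chrome://mypkg/content/setup.js", true],
  // Package tries to add a panel from a different package.
  ["chrome://other/content/panel.xul", "chrome://mypkg/content/setup.js", false],
  // Web page tries to add a chrome panel: no chrome prefix to match against.
  ["chrome://mypkg/content/panel.xul", "http://example.com/page.html", false],
  // Web page adds a web panel: unchanged behaviour of the original check.
  ["http://example.com/panel.html", "http://example.com/page.html", true],
  // Same package but outside content/ (skin) is not covered by the prefix.
  ["chrome://mypkg/skin/panel.css", "chrome://mypkg/content/setup.js", false],
  // Schemes outside the allowlist stay rejected even for chrome callers.
  ["file:///tmp/panel.html", "chrome://mypkg/content/setup.js", false],
];

function runCases() {
  return cases.map(([url, caller, expected]) => ({
    url, caller, expected, actual: sidebarURLAllowed(url, caller),
  }));
}

for (const r of runCases()) {
  console.log(r.actual ? "allow" : "deny ", r.url, "<-", r.caller);
}
```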