rvj wrote:
> Havent looked at the CVS yet and it looks like a simpler approach than
> downloading 'remote package' definitions
>
There is, to my knowledge, no such thing as a 'remote package."
In fact, we specifically disabled remote chrome, and if it has been
re-enabled,
it was without my knowledge. Please be clear on this point: Pages get
privileges based on where they come from, NOT what language they're
written in. Anything loaded from the local chrome directory using a
chrome: URL, whether XUL or HTML, is fully privileged. Anything loaded
from the network, or from the local drive outside the chrome directory,
whether XUL or HTML, is untrusted by default, but can gain privileges by
being signed.
Remotely loaded chrome has not been implemented yet. Frankly, it makes
me very nervous and would require a lot of careful security review. It
would also require signing or some other sort of cryptographic verification.
-Mitch
