rvj wrote:
> Haven't looked at the CVS yet and it looks like a simpler approach than
> downloading 'remote package' definitions
>

There is, to my knowledge, no such thing as a 'remote package.' In fact, we specifically disabled remote chrome, and if it has been re-enabled, it was without my knowledge.

Please be clear on this point: Pages get privileges based on where they come from, NOT what language they're written in. Anything loaded from the local chrome directory using a chrome: URL, whether XUL or HTML, is fully privileged. Anything loaded from the network, or from the local drive outside the chrome directory, whether XUL or HTML, is untrusted by default, but can gain privileges by being signed.

Remotely loaded chrome has not been implemented yet. Frankly, it makes me very nervous and would require a lot of careful security review. It would also require signing or some other sort of cryptographic verification.

-Mitch