Re: disable security
The simplest and most drastic change would be to open up mozilla/caps/src/nsScriptSecurityManager, and make the CheckPropertyAccessImpl function a no-op that always returns true. That will essentially disable all security and create a browser that's totally unsafe to be used on the public Internet. Or, you could make a more specific change. Try adding these lines to defaults/pref/all.js: pref("signed.applets.codebase_principal_support", true); pref("capability.principal.codebase.foo.id", "http://foo.com http://bar.com";); pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead UniversalBrowserWrite"); Replace "http://foo.com http://bar.com"; with a space-separated list of the hosts to which your Mozilla-based tool needs to connect. Hope this helps, -Mitch hocus wrote: > Hi! > > I need to tailor mozilla as a special-purpose tool. I want to disable > security checks related to javascript and page source domain. > I suppose it has something to do with "principals", but so far I haven't > succeeded in finding the correct place in source code to disable it. I would > be very thankful if someone could tell me, what exactly I should change, to > make possible using javascript on documents loaded into frames/iframes, > originating from different domain than the base page. > > TIA > Hocus > >
Re: disable security
hocus, I think such measures are an extremely bad idea. On the internet, you cannot trust that * a certain host is the one you think it is (esp. so with HTTP and in some cases even with HTTPS) * that the data you receive is unaltered (with HTTP) Giving any http host on the Internet UniversalBrowserWrite (no matter what purpose) is IMO grossly careless, risking your customers' computers and (if that didn't scare you yet) you make yourself a potential subject to a lawsuit from your threatened customers. Ben Mitchell Stoltz wrote: > pref("signed.applets.codebase_principal_support", true); > pref("capability.principal.codebase.foo.id", "http://foo.com > http://bar.com";); > pref("capability.principal.codebase.foo.granted", > "UniversalBrowserRead UniversalBrowserWrite"); > hocus wrote: > >> make possible using javascript on documents loaded into frames/iframes, >> originating from different domain than the base page. >
Re: disable security
Ben Bucksch wrote: > hocus, I think such measures are an extremely bad idea. On the internet, > you cannot trust that Did he say he was doing this on the internet?
Re: disable security
Hi! At the beginning - thank you for reply, that is what I was looking for. What I exactly need is to grant full privileges to one domain - my domain with my scripts which I guarantee to my customers will not do anything more than they are supposed to. I know, that solution is still far from secure in case someone would spoof somehow my domain, but for my purpose I think it is acceptable danger ;) Anyway, I was thinking if this pref("...") stuff wouldn't do what I need, unfortunately when I add the last of the lines (*.granted), the browser does not start properly (tested on two recent source snapshots). So I went back to modifying source code. In CheckPropertyAccessImpl function - is there an easy way to extract the base url of the script requesting access to properties? So I could just explicitly compare it with my domain name. It is probably not to hard to find it out, but as I didn't have much time recently to delve into source, if you just know exactly how to do that I'd be very obliged :-) Regards Hocus > The simplest and most drastic change would be to open up > mozilla/caps/src/nsScriptSecurityManager, and make the > CheckPropertyAccessImpl function a no-op that always returns true. That > will essentially disable all security and create a browser that's > totally unsafe to be used on the public Internet. > > Or, you could make a more specific change. Try adding these lines to > defaults/pref/all.js: > > pref("signed.applets.codebase_principal_support", true); > pref("capability.principal.codebase.foo.id", "http://foo.com > http://bar.com";); > pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead > UniversalBrowserWrite"); > > Replace "http://foo.com http://bar.com"; with a space-separated list of > the hosts to which your Mozilla-based tool needs to connect.