Re: disable security

2002-08-29 Thread Mitchell Stoltz

The simplest and most drastic change would be to open up 
mozilla/caps/src/nsScriptSecurityManager, and make the 
CheckPropertyAccessImpl function a no-op that always returns true. That 
will essentially disable all security and create a browser that's 
totally unsafe to be used on the public Internet.

Or, you could make a more specific change. Try adding these lines to 
defaults/pref/all.js:

pref("signed.applets.codebase_principal_support", true);
pref("capability.principal.codebase.foo.id", "http://foo.com http://bar.com");
pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead UniversalBrowserWrite");

Replace "http://foo.com http://bar.com" with a space-separated list of 
the hosts to which your Mozilla-based tool needs to connect.

Hope this helps,
 -Mitch

hocus wrote:
> Hi!
> 
> I need to tailor mozilla as a special-purpose tool. I want to disable
> security checks related to javascript and page source domain.
> I suppose it has something to do with "principals", but so far I haven't
> succeeded in finding the correct place in source code to disable it. I would
> be very thankful if someone could tell me, what exactly I should change, to
> make possible using javascript on documents loaded into frames/iframes,
> originating from different domain than the base page.
> 
> TIA
> Hocus
> 
> 






Re: disable security

2002-08-29 Thread Ben Bucksch

hocus, I think such measures are an extremely bad idea. On the internet, 
you cannot trust that

* a certain host is the one you think it is (esp. so with HTTP and
  in some cases even with HTTPS)
* that the data you receive is unaltered (with HTTP)

Giving any http host on the Internet UniversalBrowserWrite (no matter 
what purpose) is IMO grossly careless, risking your customers' computers 
and (if that didn't scare you yet) you make yourself a potential subject 
to a lawsuit from your threatened customers.

Ben

Mitchell Stoltz wrote:

> pref("signed.applets.codebase_principal_support", true);
> pref("capability.principal.codebase.foo.id", "http://foo.com http://bar.com");
> pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead UniversalBrowserWrite");

> hocus wrote:
>
>> make possible using javascript on documents loaded into frames/iframes,
>> originating from different domain than the base page.
>
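
An added example, not part of the thread or of Mozilla's code: a small audit that reads pref() lines like the ones quoted above and reports every codebase principal that is granted a Universal* privilege for an origin that is not HTTPS. The names auditPrefs and SAMPLE_PREFS are hypothetical, the sample input is constructed from the prefs in the thread plus one made-up HTTPS entry, and treating HTTPS as the only acceptable scheme is a simplifying assumption.

```javascript
// Added example: audits Mozilla-style pref() lines for codebase principals
// that receive Universal* privileges for an origin that is not HTTPS.
// Constructed sample input; "https://intranet.example" is a made-up host.
const SAMPLE_PREFS = `
pref("signed.applets.codebase_principal_support", true);
pref("capability.principal.codebase.foo.id", "http://foo.com http://bar.com");
pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead UniversalBrowserWrite");
pref("capability.principal.codebase.ok.id", "https://intranet.example");
pref("capability.principal.codebase.ok.granted", "UniversalBrowserRead");
`;

function auditPrefs(text) {
  // Matches pref("key", "string") and pref("key", true|false); values may wrap lines.
  const prefRe = /pref\(\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|(true|false))\s*\)\s*;/g;
  const principals = new Map(); // principal name -> { id: [...], granted: [...] }
  const findings = [];
  let m;
  while ((m = prefRe.exec(text)) !== null) {
    const [, key, str, bool] = m;
    if (key === "signed.applets.codebase_principal_support" && bool === "true") {
      findings.push({ principal: null, issue: "codebase principals enabled" });
      continue;
    }
    const p = /^capability\.principal\.codebase\.([^.]+)\.(id|granted)$/.exec(key);
    if (!p || str === undefined) continue;
    const entry = principals.get(p[1]) || { id: [], granted: [] };
    entry[p[2]] = str.split(/\s+/).filter(Boolean); // space-separated lists
    principals.set(p[1], entry);
  }
  for (const [name, { id, granted }] of principals) {
    const universal = granted.filter((c) => c.startsWith("Universal"));
    if (universal.length === 0) continue;
    for (const origin of id) {
      // Plain HTTP gives no proof of host identity or of unaltered content.
      if (!origin.toLowerCase().startsWith("https://")) {
        findings.push({ principal: name, origin, issue: "unauthenticated origin", granted: universal });
      }
    }
  }
  return findings;
}

console.log(auditPrefs(SAMPLE_PREFS));
```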





Re: disable security

2002-08-29 Thread Boris Zbarsky

Ben Bucksch wrote:
> hocus, I think such measures are an extremely bad idea. On the internet, 
> you cannot trust that

Did he say he was doing this on the internet?





Re: disable security

2002-09-04 Thread hocus

Hi!

At the beginning - thank you for the reply, that is what I was looking for.
What I exactly need is to grant full privileges to one domain - my domain
with my scripts which I guarantee to my customers will not do anything more
than they are supposed to. I know, that solution is still far from secure in
case someone would spoof somehow my domain, but for my purpose I think it is
acceptable danger ;)
Anyway, I was thinking if this pref("...") stuff wouldn't do what I need,
unfortunately when I add the last of the lines (*.granted), the browser does
not start properly (tested on two recent source snapshots).
So I went back to modifying source code. In CheckPropertyAccessImpl
function - is there an easy way to extract the base url of the script
requesting access to properties? So I could just explicitly compare it with
my domain name.
It is probably not too hard to find it out, but as I didn't have much time
recently to delve into source, if you just know exactly how to do that I'd
be very obliged :-)

Regards
Hocus

> The simplest and most drastic change would be to open up
> mozilla/caps/src/nsScriptSecurityManager, and make the
> CheckPropertyAccessImpl function a no-op that always returns true. That
> will essentially disable all security and create a browser that's
> totally unsafe to be used on the public Internet.
>
> Or, you could make a more specific change. Try adding these lines to
> defaults/pref/all.js:
>
> pref("signed.applets.codebase_principal_support", true);
> pref("capability.principal.codebase.foo.id", "http://foo.com http://bar.com");
> pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead UniversalBrowserWrite");
>
> Replace "http://foo.com http://bar.com" with a space-separated list of
> the hosts to which your Mozilla-based tool needs to connect.