Enabling cross-site scripting without signed scripts?

Discuss building things with or for the Mozilla Platform.
Post Reply
auron
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Enabling cross-site scripting without signed scripts?

Post by auron »

Hi, this probably sounds silly, but is there a pref to enable cross-site scripting, or in other words, a pref to disable cross-site security checks? IE appears to have an option like this, but it doesn't seem to work, which is no great surprise I guess. For some context, I'd like to do something like the following: have a framed page, with a control script in one frame that changes pages in the other frame depending on what URL the other frame has.

I've tried signing the script, but I can't seem to even generate a test object-signing certificate with signtool. Thanks for any help!
User avatar
alanjstr
Moderator
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here
Contact:

Post by alanjstr »

That's like saying "hi, is there a way to open a big security hole in my computer"

you should be able to access the frame as long as it's on the same website.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files
auron
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post by auron »

alanjstr wrote:That's like saying "hi, is there a way to open a big security hole in my computer"

you should be able to access the frame as long as it's on the same website.


Yes, that's exactly what I'm saying, hence the "this probably sounds silly" part. Regardless, this is what I'd like to do because figuring out how to sign the script is relatively unpleasant. Anyhow, it doesn't open a big security hole to my computer per se, I just need to be careful about what I enter into other mozilla windows. And yes, I would be able to access the frame if my controlling script were on the same website. But it's not, which is the problem.
doron
Posts: 935
Joined: November 4th, 2002, 4:50 pm

Post by doron »

You mean:

2 frames, and 1 frame opens a page in the other frame that is from another domain? Or do you need to do more than just load a page?
If you see a marquee, clap your hands!
auron
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post by auron »

Doron wrote:You mean:

2 frames, and 1 frame opens a page in the other frame that is from another domain? Or do you need to do more than just load a page?


Yep, basically. Well, all I need is for my script to be able to tell, for example, the url in the other frame. But since the other frame has a page from a different domain, mozilla won't allow access because it's a potential security hazard, so I'd like to disable the cross-site checks while I run this script, if possible.
aab
Posts: 252
Joined: November 18th, 2002, 11:59 am
Location: Tallinn, Estonia
Contact:

enablePrivilege

Post by aab »

you proabably want to grant
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead") in your script.

for more optins see http://www.mozilla.org/projects/securit ... privs-list
auron
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post by auron »

Hmm, I looked at that page before but just assumed codebase principals would need some kind of signing still. But it turns out that's not the case, so that's just what I'm looking for. Thanks!
Post Reply