MozillaZine

Enabling cross-site scripting without signed scripts?

Discuss building things with or for the Mozilla Platform.
auron
 
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post Posted August 14th, 2003, 10:58 pm

Hi, this probably sounds silly, but is there a pref to enable cross-site scripting, or in other words, a pref to disable cross-site security checks? IE appears to have an option like this, but it doesn't seem to work, which is no great surprise I guess. For some context, I'd like to do something like the following: have a framed page, with a control script in one frame that changes pages in the other frame depending on what URL the other frame has.

I've tried signing the script, but I can't seem to even generate a test object-signing certificate with signtool. Thanks for any help!

alanjstr
Moderator

User avatar
 
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here

Post Posted August 15th, 2003, 11:21 am

That's like saying "hi, is there a way to open a big security hole in my computer"

you should be able to access the frame as long as it's on the same website.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files

auron
 
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post Posted August 15th, 2003, 1:25 pm

alanjstr wrote:That's like saying "hi, is there a way to open a big security hole in my computer"

you should be able to access the frame as long as it's on the same website.


Yes, that's exactly what I'm saying, hence the "this probably sounds silly" part. Regardless, this is what I'd like to do because figuring out how to sign the script is relatively unpleasant. Anyhow, it doesn't open a big security hole to my computer per se, I just need to be careful about what I enter into other mozilla windows. And yes, I would be able to access the frame if my controlling script were on the same website. But it's not, which is the problem.

doron
 
Posts: 935
Joined: November 4th, 2002, 4:50 pm

Post Posted August 18th, 2003, 10:06 am

You mean:

2 frames, and 1 frame opens a page in the other frame that is from another domain? Or do you need to do more than just load a page?
If you see a marquee, clap your hands!

auron
 
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post Posted August 18th, 2003, 12:15 pm

Doron wrote:You mean:

2 frames, and 1 frame opens a page in the other frame that is from another domain? Or do you need to do more than just load a page?


Yep, basically. Well, all I need is for my script to be able to tell, for example, the url in the other frame. But since the other frame has a page from a different domain, mozilla won't allow access because it's a potential security hazard, so I'd like to disable the cross-site checks while I run this script, if possible.

aab
 
Posts: 252
Joined: November 18th, 2002, 11:59 am
Location: Tallinn, Estonia

Post Posted August 19th, 2003, 11:29 pm

you proabably want to grant
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead") in your script.

for more optins see http://www.mozilla.org/projects/securit ... privs-list

auron
 
Posts: 9
Joined: August 14th, 2003, 10:47 pm

Post Posted August 20th, 2003, 10:22 am

Hmm, I looked at that page before but just assumed codebase principals would need some kind of signing still. But it turns out that's not the case, so that's just what I'm looking for. Thanks!

Return to Mozilla Development


Who is online

Users browsing this forum: Google Adsense [Bot] and 1 guest