Closed
Bug 668030
Opened 13 years ago
Closed 13 years ago
Warn when enablePrivilege is used
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla7
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
Attachments
(3 files)
No description provided.
Assignee | ||
Comment 1•13 years ago
|
||
Attachment #542694 -
Flags: review?(jonas)
Assignee | ||
Updated•13 years ago
|
Priority: -- → P1
Whiteboard: [need review]
Attachment #542694 -
Flags: review?(jonas) → review+
Assignee | ||
Comment 2•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/2cb11a5daaf5
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla7
Comment 3•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/2cb11a5daaf5
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 4•13 years ago
|
||
Can we get this into aurora?
Assignee | ||
Comment 5•13 years ago
|
||
It would need a totally different patch, because the WarnOnceAbout infrastructure is not there. So we would be warning on every use, most likely. If that's ok, I can probably write an aurora patch for this....
Comment 6•13 years ago
|
||
Could you explain to a non programmer (or rephrase in other words) what "runs with the system principal" mean?
Comment 7•13 years ago
|
||
It means "privileged code", essentially, or "runs with the same privileges as Firefox". I agree that it's somewhat confusing to mention that in the warning, "use an extension" is really the useful advice.
Assignee | ||
Comment 8•13 years ago
|
||
I'm happy for someone else to wordsmith as desired here... But yes, the upshot is "use an extension or get your code checked into the browser UI".
Comment 9•13 years ago
|
||
Thanks. So something like "Please use code that runs with the same priviliges of the application (e.g. an extension) instead." can be considered a fitting equivalent?
Assignee | ||
Comment 10•13 years ago
|
||
"Please use code that runs with the same privileges as the application itself (e.g. an extension) instead", yeah.
Comment 11•13 years ago
|
||
But if I don't use enablePrivilege, then I get an error saying that permission is denied? What is the correct way of calling script that uses UniversalXPConnect???
Assignee | ||
Comment 12•13 years ago
|
||
The entire old Java-like privilege system is deprecated. The correct way to do a script that needs privileges like that is to do an extension.
Comment 13•13 years ago
|
||
Is there someone other way that I can access UniversalXPConnect without writing an extension? The issue is that I have a website that reads/writes into a log that uses different technologies for each browser (IE, Chrome, Firefox). But removing this functionality, my website won't be able to support Firefox.
Assignee | ||
Comment 14•13 years ago
|
||
> Is there someone other way that I can access UniversalXPConnect without writing
> an extension?
No.
How, exactly, are you making this work in Chrome in a way that doesn't work in Gecko?
Comment 15•13 years ago
|
||
For Chrome, I use window.requestFileSystem (see: http://www.html5rocks.com/en/tutorials/file/filesystem/) For IE, I use Scripting.FileSystemObject (see: http://css.dzone.com/tips/javascript-how-read-and-write) and for FF, I use nsIFile and nsILocalFile (see: https://developer.mozilla.org/en/Code_snippets/File_I%2F%2FO)
Assignee | ||
Comment 16•13 years ago
|
||
Seems like we should implement filesystem API or equivalent (which is in the plans anyway as I understand) before dropping enablePrivilege support and that would handle your usecase, right?
Assignee | ||
Comment 17•13 years ago
|
||
And to be clear, all this bug changed was add a warning. There was no behavior change so far.
Why do you need a physical on-disk file? We have no plans to implement the filesystem API as is. If you just need to store large amounts of data offline, we're working on that.
Yes, I have the same question. Do you need to access data from the users "private" files, like files from the desktop/Documents/Music/Picutes folders? Or are you just storing data that you've generated or downloaded from somewhere so that you can retrieve it later?
Comment 20•13 years ago
|
||
I am storing log information that is in a format that is generated from my server which generates the client side javascript dynamically depending on the cleint's browers. The data could get large over time (100 MB or more). The location is in the users' home or documents folder.
Ok, so you are getting the data on your own server and downloading it using javascript (and XHR?). Then you are currently using nsILocalFile to store that data on the users computer and load it back in when needed? If that is correct, you should soon be able to use IndexedDB to store Blob objects and retrive them as needed. This will work without requiring any extended privileges and simply using web standards!
Comment 22•13 years ago
|
||
Jonas, that is correct. But the issue here is that I want to right to a simple log file (text file) that can be read/written to using any browser. If I use the IndexedDB, it won't be a cross browser solution. There has to be a better way!
Comment 23•13 years ago
|
||
Verfied on: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 When running a script that uses enablePrivilege I receive the following warning: "A script from "file://" is requesting enhanced abilities that are UNSAFE and could be used to compromise your machine or data: Read program settings Allow these abilities only if you trust this source to be free of viruses or malicious programs." Then, even if I click on the "Allow" button, the permission those privileges were supposed to grant me is denied. Is this the correct behavior? If not, please let me know what warning I should get. Thank you
Assignee | ||
Comment 24•13 years ago
|
||
You should get a warning in the Web Console and Error Console. The popup window you see has nothing to do with this bug.
Comment 25•13 years ago
|
||
Comment 26•13 years ago
|
||
Verfied fixed on: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 Steps: 1. Open the Web Console. 2. Open the test case attached in the previous comment. 3. Tap on the "Home Page?" button. The "Use of enablePrivilege is deprecated. Please use code that runs with the system principal (e.g. an extension) instead." warning is displayed both in the Web console and in the Error console.
Status: RESOLVED → VERIFIED
Comment 27•13 years ago
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•