[AxPlugin] Cleanup nsAxSecurityPolicy.js, subscribe to hosting flag prefs & verify security levels are being handled correctly

VERIFIED FIXED in mozilla1.3final

People

(Reporter: adamlock, Assigned: adamlock)

Tracking

Trunk
mozilla1.3final
x86
Windows XP

(Assignee)

Description

16 years ago
nsAxSecurityPolicy.js needs a cleanup and to read its default hosting flag
settings from prefs.

During testing, hosting flags in nsAxSecurityPolicy.js should be set to allow
all test pages to function properly. This may involve some investigation, since
the settings already there should allow this, but clearly don't. Possibly
npmozax.dll is not testing them properly.

Updated

16 years ago
QA Contact: depstein → carosendahl
(Assignee)

Comment 1

16 years ago
I think I realise the issue with safe for scripting. When a control uses
IObjectSafety - we're supposed to call IObjectSafety::SetInterfaceSafetyOptions
to enable safe for scripting after creation. Without this, the WMP returns the
defaults which disallow scripting. It seems a bit dumb to me, but there you go.

I also discovered a piece of IE specific blurb about IObjectSafety.

http://msdn.microsoft.com/workshop/components/com/IObjectSafetyExtensions.asp

I'll try and absorb this information tomorrow to see if I can figure what it's
talking about, especially concerning IInternetHostSecurityManager. I'll also
mock up a simple test control and see what IE tries to call on it when I put it
in a page to verify that this is the issue.
Blocks: 188229
(Assignee)

Comment 2

16 years ago
Created attachment 113506 [details] [diff] [review]
Patch

Patch changes nsDispatchSupport::IsObjectSafeForScripting so that if the object
says it is not enabled for untrusted callers but does support it, to call
IObjectSafety::SetInterfaceSafetyOptions to enable it before asking again. This
allows WMP, YGP and presumably other controls to function happily on the
'medium' security setting.

I've also updated nsAxSecurityPolicy.js, cleaning it up, defining some
constants representing various security levels and making the object read and
subscribe to the "security.xpconnect.activex.global.hosting_flags" pref for its
hosting flags. This value can be changed in the user prefs.js, or at runtime
with about:config. If the pref is not defined, the default security level used
in nsAxSecurityPolicy.js is currently medium.

Dave can you review this please?
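
The query, enable, re-query sequence described in Comment 2, as an added example that is not the code from attachment 113506. `ObjectSafety`, `MockControl` and `IsSafeForScripting` are hypothetical stand-ins for IObjectSafety and nsDispatchSupport::IsObjectSafeForScripting, with the interface ID parameter and HRESULTs reduced to booleans so it builds without the Windows SDK; the two flag values are the ones from objsafe.h.

```cpp
#include <cstdint>

// Flag values as defined in objsafe.h.
constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_CALLER = 0x1;
constexpr uint32_t INTERFACESAFE_FOR_UNTRUSTED_DATA   = 0x2;

// Hypothetical stand-in for IObjectSafety (riid and HRESULT simplified away).
struct ObjectSafety {
    virtual bool GetOptions(uint32_t* supported, uint32_t* enabled) = 0;
    virtual bool SetOptions(uint32_t mask, uint32_t enabled) = 0;
    virtual ~ObjectSafety() = default;
};

// Constructed sample control: supports some options, enables none by default.
struct MockControl : ObjectSafety {
    uint32_t supported, enabled = 0;
    bool honourSet;  // false models a control that accepts Set but changes nothing
    MockControl(uint32_t s, bool honour = true) : supported(s), honourSet(honour) {}
    bool GetOptions(uint32_t* s, uint32_t* e) override {
        *s = supported; *e = enabled; return true;
    }
    bool SetOptions(uint32_t mask, uint32_t en) override {
        if (mask & ~supported) return false;  // refuse options it does not support
        if (honourSet) enabled = (enabled & ~mask) | (en & mask);
        return true;
    }
};

// Ask; if the option is supported but not enabled, enable it and ask again.
// Every failure path returns false, so the host fails closed.
bool IsSafeForScripting(ObjectSafety* obj) {
    const uint32_t want = INTERFACESAFE_FOR_UNTRUSTED_CALLER;
    uint32_t supported = 0, enabled = 0;
    if (!obj || !obj->GetOptions(&supported, &enabled)) return false;
    if (enabled & want) return true;
    if (!(supported & want)) return false;    // never force an unsupported option
    if (!obj->SetOptions(want, want)) return false;
    supported = enabled = 0;
    if (!obj->GetOptions(&supported, &enabled)) return false;
    return (enabled & want) != 0;             // decide on the re-query, not on Set's result
}
```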
(Assignee)

Comment 3

16 years ago
Comment on attachment 113506 [details] [diff] [review]
Patch

David & Alec, can I have an r/sr for this please?

To summarise changes:

1. Fix IObjectSafety behaviour
2. Cleanup nsAxSecurityPolicy.js
3. Make a general hosting flags pref and make nsAxSecurityPolicy.js read and
subscribe to changes to it.

Thanks
Attachment #113506 - Flags: superreview?(alecf)
Attachment #113506 - Flags: review?(dbradley)

Comment 4

16 years ago
Comment on attachment 113506 [details] [diff] [review]
Patch

r=dbradley

The first change in nsAxSecurityPolicy.js just adds spaces.

nsIScriptSecurityManager doesn't appear to be used anywhere.

Leave it to Microsoft to create such a horrid mechanism like IObjectSafety
Attachment #113506 - Flags: review?(dbradley) → review+

Comment 5

16 years ago
Comment on attachment 113506 [details] [diff] [review]
Patch

sorry for the delay.. this looks fine...
sr=alecf
Attachment #113506 - Flags: superreview?(alecf) → superreview+
(Assignee)

Comment 6

16 years ago
Comment on attachment 113506 [details] [diff] [review]
Patch

Seeking 1.3 approval. Patch is confined to COM connect and fixes broken
handling of control safe for scripting sessions so is very visible.
Attachment #113506 - Flags: approval1.3?

Comment 7

16 years ago
Comment on attachment 113506 [details] [diff] [review]
Patch

a=asa (on behalf of drivers) for checkin to 1.3
Attachment #113506 - Flags: approval1.3? → approval1.3+
(Assignee)

Comment 8

16 years ago
Fix is checked in
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 9

16 years ago
Adding Ashish to cc list - ActiveX defect

Updated

16 years ago
Target Milestone: --- → mozilla1.3final

Comment 10

16 years ago
Ashish
QA Contact: carosendahl → ashishbhatt

Comment 11

16 years ago
Verified
Status: RESOLVED → VERIFIED