Comment on attachment 166864 (v1 patch):
NOTE: this patch is impossible to override. At some point we will want to invent a way to allow the browser to be configured to enable certain sites or domains to support cross-origin XForms submission. Also, this patch only limits XML submission or replace="instance" ... replace="all/none" + method="get/form-data-post" need not be restricted.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
Comment on attachment 166864 (v1 patch):
sr=jst
Attachment #166864 - Flags: superreview?(jst) → superreview+
Attachment #166864 - Flags: review?(bryner) → review+
Comment on attachment 166864 (v1 patch):
Spoke with jst, and we came up with a better solution. We can use CheckConnect with the JSContext associated with the script global of our document. This is defined even when there is no JS on the page. Using CheckConnect is preferable since there is already a mechanism to override it using prefs.
Attachment #166864 - Attachment is obsolete: true
Actually, CheckConnect is not what we want. More in a bit...
Created attachment 167459 (v2 patch):
Similar patch, but includes calls to nsIPermissionManager::TestPermission so that the same-origin restriction can be disabled per-host. NOTE: this does not allow us to disable same-origin checking for protocols that do not have a host (e.g., file:///).
The v2 patch also fixes two unrelated problems that I observed: (1) We were not handling relative URIs specified as the "src" of a <instance> element. (2) nsXFormsSetValueElement needs to null check the result of an xpath evaluation.
Attachment #167459 - Flags: review?(bryner) → review+
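The decision described in the comments above, modelled as an added example (not code from the patch or from Mozilla). All function names and host names are hypothetical, and two points are assumptions: the per-host override is keyed on the submitting document's host, and every method/replace combination other than the one the first comment names as exempt is treated as restricted.

```javascript
// Added illustration of the same-origin gate for XForms submission.
// Not the patch's code; names and sample hosts are constructed.

// Origin = scheme + host + port. URL normalizes default ports to "".
function sameOrigin(a, b) {
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// Per the first comment: replace="all"/"none" combined with
// method="get"/"form-data-post" need not be restricted.
// Assumption: everything else is restricted (conservative default).
const EXEMPT_REPLACE = new Set(["all", "none"]);
const EXEMPT_METHOD = new Set(["get", "form-data-post"]);

function needsOriginCheck(method, replace) {
  return !(EXEMPT_REPLACE.has(replace) && EXEMPT_METHOD.has(method));
}

// allowedHosts stands in for a per-host permission store.
function maySubmit(docHref, action, method, replace, allowedHosts) {
  const doc = new URL(docHref);
  // Relative action URIs resolve against the document URI.
  const target = new URL(action, doc);

  if (!needsOriginCheck(method, replace)) {
    return { allowed: true, reason: "unrestricted-mode" };
  }
  if (sameOrigin(doc, target)) {
    return { allowed: true, reason: "same-origin" };
  }
  // A hostless scheme (file:///) has nothing to key a per-host
  // permission on, so the restriction cannot be lifted for it.
  if (doc.hostname === "") {
    return { allowed: false, reason: "no-host-for-override" };
  }
  if (allowedHosts.has(doc.hostname)) {
    return { allowed: true, reason: "host-permission" };
  }
  return { allowed: false, reason: "cross-origin" };
}
```

The hostless branch is why a per-host allowlist leaves local files with no override path: the lookup key is empty before the permission store is ever consulted.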
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED