Closed Bug 38684 Opened 24 years ago Closed 24 years ago

"security.checkxpconnect" pref is disabled

Categories

(Core :: Security: CAPS, defect, P3)

Product:
Core
Component:
Security: CAPS
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: rusty.lynch, Assigned: security-bugs)

Details

Attachments

(1 file)

apply to mozilla/caps/src/nsScriptSecurityManager.cpp
800 bytes, patch
Details | Diff | Splinter Review 
Making a pref entry for "security.checkxpconnect" to false will not allow
xpconnect calls from JavaScript.

The problem is that  nsScriptSecurityManager::CheckXPCPermissions() will fail
on it's prefs->GetBoolPref() call because mIsAccessingPrefs was never set to
PR_TRUE.

A patch for this follows...
Rusty,
   The ability to bypass the CheckXPConnect pref is going away before M16. It was 
put in (and marked temporary in the code) for convenience during development, but 
it's going to go away very soon. As an alternative, add the pref 
user_pref("signed.applets.codebase_principal_support", true); 
during development, and make sure your javascript code does a 
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
You'll get a confirmation dialog the first time you run this, just click 
"remember this decision" and you won't see it again. In the release version, only 
signed scripts will have access to XPConnect. I'm closing this bug.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified per mstoltz's comments.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: