"security.checkxpconnect" pref is disabled

VERIFIED FIXED

Status

()

Core
Security: CAPS
P3
normal
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: rusty.lynch, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
x86
All
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
Making a pref entry for "security.checkxpconnect" to false will not allow
xpconnect calls from JavaScript.

The problem is that  nsScriptSecurityManager::CheckXPCPermissions() will fail
on it's prefs->GetBoolPref() call because mIsAccessingPrefs was never set to
PR_TRUE.

A patch for this follows...
(Reporter)

Comment 1

18 years ago
Created attachment 8475 [details] [diff] [review]
apply to mozilla/caps/src/nsScriptSecurityManager.cpp
(Assignee)

Comment 2

18 years ago
Rusty,
   The ability to bypass the CheckXPConnect pref is going away before M16. It was 
put in (and marked temporary in the code) for convenience during development, but 
it's going to go away very soon. As an alternative, add the pref 
user_pref("signed.applets.codebase_principal_support", true); 
during development, and make sure your javascript code does a 
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
You'll get a confirmation dialog the first time you run this, just click 
"remember this decision" and you won't see it again. In the release version, only 
signed scripts will have access to XPConnect. I'm closing this bug.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 3

18 years ago
Verified per mstoltz's comments.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.