Created attachment 282779 [details] test page When I have an event listener in a HTML page, and the HTML page has received UniversalXPConnect privileges, I would expect the page's event listeners to have the same privileges. Instead, I find that CAPS rejects privileges for the event listener which the page itself has. Steps to reproduce: (1) Save the test page to your local drive. (2) Examine the page in your text editor to be sure it does nothing dangerous. (In this case, all it tries to do is create a transaction manager.) (3) Open the local copy of the attachment. (4) You should get a permissions dialog; tell the browser to grant privileges. (5) You should see an alert saying "configTest: true". Dismiss it. Expected results: The page says "This test has passed." Actual results: An alert appears stating "Permission denied to get property XPComponents.classes". The page says "This test has not passed." Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a9pre) Gecko/2007092409 Minefield/3.0a9pre Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/2007091417 Firefox/18.104.22.168 Attempts to work around this bug using window.setInterval() were also unsuccessful. This bug is causing problems for a product my company (DVC Labs) is developing.
This is a long-standing an well known bug, I think. enablePrivilege calls only apply to the current JS stack frame.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID
dveditz: There's just one little problem: my test page doesn't grant the privileges within a top-level function, but as part of a script that defines the inner function simultaneously. Unless I'm totally misinterpreting what you're saying and JS scope has absolutely nothing to do with this... Removing blocking request; invalid bugs can't block 1.9.
Yes, the top-level script creates the inner function but it does not *call* it. Capabilities are checked by walking up the frame stack, and when the event handler is executed nowhere on the stack will it find your top-level script with the enablePrivilege annotation. I'm not saying it doesn't suck, just describing the way it works. "Fixing" it requires rearchitecting caps which is less likely than killing capabilties altogether.
You need to log in before you can comment on or make changes to this bug.