628089 - Remote XUL blocked for resource: URIs

Status: RESOLVED WORKSFORME

(Core :: XUL, defect)

Description

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

Following the information at this URL, I tried to add an optionsURL entry for my Addon SDK-built extension's install.rdf: http://starkravingfinkle.org/blog/2011/01/restartless-add-ons-more-resources/comment-page-1/

That post shows how to generate resource URIs for files in your extension. Everything's working up to this point. The URIs are being generated, and seem to be used when called upon. But when I tried to add an XUL file for a preference window in the optionsURL spot, I get the "Remote XUL is disabled and really really unsafe" warning, instead of seeing the pref window.

Talking to mfinkle on IRC, this apparently works just fine on Fennec, because "we load the UI differently than Fx".

This isn't just an issue with the dynamic generation of the resource URIs in the SDK, as I then tried modifying an XUL-based extension to use a resource URI, and it too gives me the warning.

On this page ( https://developer.mozilla.org/en/Chrome_Registration ), I see this note about registering resource URIs: 
"Note that there are no security restrictions preventing web content from including content at resource: URIs, so take care what you make visible there."

Was disabling remote XUL from resource URIs intentional?

Using the Remote XUL Manager extension to modify the whitelist, I can whitelist file URIs, but I don't seem to be able to whitelist resource URIs.

Comment 1

[Dave Townsend [:mossop]]

Seems a bug in its own right, doesn't block chrome registration for bootstrapped add-ons at all.

Comment 2

[Boris Zbarsky [:bzbarsky]]

> Was disabling remote XUL from resource URIs intentional?

Fairly so, yes.  It was disabled for all non-system principals, and resource URIs don't have the system principal.