Bug 644588 - Signed XUL script into IFRAME component
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: XPConnect
Version: 2.0 Branch
Platform: All All
Importance: -- normal with 2 votes
Assigned To: Nobody; OK to take it and work on it
Reported: 2011-03-24 07:34 PDT by m.fabbri
Modified: 2011-06-01 09:18 PDT

Attachments
Signed XUL script: xxx.xul (2.55 KB, application/java-archive)
2011-03-24 07:56 PDT, m.fabbri
Signed XUL script with window.addEventListener: xxx.xul (12.98 KB, application/java-archive)
2011-04-06 07:55 PDT, m.fabbri

Description m.fabbri 2011-03-24 07:34:42 PDT
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 Gecko/20100101 Firefox/4.0

Unable to visualize a signed XUL script in an IFRAME component with Firefox 4.0.
With Firefox 3.6 all works fine.

Reproducible: Always

Steps to Reproduce:
Install the "Remote XUL Manager" Firefox extension and insert your XUL script domain into the white list.

Create a simple XUL script that integrates a browser component that, when initialized, loads a URL (http://www.mozilla.org):

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="XXX" xmlns:html="http://www.w3.org/1999/xhtml" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" onload="init()">
	<script type="application/x-javascript">
		<![CDATA[
		var browser_1;

		function init() {
			try {
				netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
				browser_1=document.getElementById("browser_1");
				browser_1.loadURI("http://www.mozilla.org", null, null);
			}
			catch(e) {
				alert(e);
			}
		}
		]]>
	</script>
	<browser id="browser_1" flex="1"/>
</window>

Sign the XUL script with any signtool, publish the obtained xxx.jar file, and create an HTML template page that integrates the signed XUL script into an IFRAME component:

<html>
	<head>
	...
	</head>
	<body>
		...
		<button>OK</button>
		<iframe src="jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul"></iframe>
	</body>
</html>

Actual Results:  
The XUL browser component doesn't load the specified URL (http://www.mozilla.org) and returns this error:

Error: Permission denied to <http://192.168.168.111:8400> for request to method BoxObject.QueryInterface


Expected Results:  
The expected result is that the signed XUL script loads the specified URL (http://www.mozilla.org), as properly happens in Firefox 3.6.


If you point your browser directly to the signed JAR URL:

jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul

all works fine.
Comment 1 Boris Zbarsky [:bz] (TPAC) 2011-03-24 07:48:43 PDT
That's ... odd.  Can you attach the signed jar in question here, please?
Comment 2 m.fabbri 2011-03-24 07:56:11 PDT
Created attachment 521499
Signed XUL script: xxx.xul
Comment 3 m.fabbri 2011-03-24 08:14:05 PDT
If you want to use the attached signed XUL script xxx.jar, you must install this custom certificate and allow the first and third policy checkboxes:

http://www.softlab.it/SoftLab/SoftLab2.cer
Comment 4 m.fabbri 2011-04-05 06:00:51 PDT
The error occurs on any OS with Firefox 4.0 installed!
I confirm that with Firefox 3.6 the error doesn't occur on any OS!
Comment 5 Boris Zbarsky [:bz] (TPAC) 2011-04-05 15:37:45 PDT
So I tried the attached jar file and the certificate.

It looks like the onload attribute on the <window> there is ignored (why? not sure), so the script doesn't run at all.

Reporter, is the problem fixed if you add this at the beginning of the script:

  window.addEventListener("load", init, false);
Comment 6 m.fabbri 2011-04-06 00:44:06 PDT
The proposed workaround doesn't work... I have the same behaviour and the same error:

Error: Permission denied to <http://192.168.168.111:8400> for request to method BoxObject.QueryInterface
Comment 7 m.fabbri 2011-04-06 03:02:21 PDT
Strange behaviour:

If I first load my signed JAR:XUL URL:

jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul

which loads my page correctly, and next I load my HTML template with the iframed JAR:XUL URL, all works fine!
After closing my browser, if I first load my HTML template with the iframed JAR:XUL URL, I get the usual error here and also next when I load my signed JAR:XUL URL.
Perhaps this is some cached permission setting, but I have no idea!
Hope this helps you to solve it!
Comment 8 Boris Zbarsky [:bz] (TPAC) 2011-04-06 07:34:40 PDT
So can you please give me exact steps to reproduce and the exact jar file (with the change from comment 5) to reproduce with?
Comment 9 m.fabbri 2011-04-06 07:42:17 PDT
Modified XUL script:

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="XXX" xmlns:html="http://www.w3.org/1999/xhtml"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
    <script type="application/x-javascript">
        <![CDATA[
        var browser_1;

        window.addEventListener("load", init, false);

        function init() {
            try {
                netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
                browser_1=document.getElementById("browser_1");
                browser_1.loadURI("http://www.mozilla.org", null, null);
            }
            catch(e) {
                alert(e);
            }
        }
        ]]>
    </script>
    <browser id="browser_1" flex="1"/>
</window>
Comment 10 Boris Zbarsky [:bz] (TPAC) 2011-04-06 07:46:26 PDT
I can modify the script myself, sure.  But then the signature on the jar is invalid, so the whole thing doesn't work.  Hence my request for the exact signed jar that contains the modified XUL file that you are testing with.
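
Added example, not part of the original bug thread and not Mozilla's code: a Python check of the digest chain inside a signed JAR (entry bytes, manifest section, .SF), showing why editing xxx.xul after signing, as discussed in comment 10, invalidates the archive. The member name SIGNER.SF, the SHA1-Digest headers and the sample XUL bytes are constructed assumptions, and the PKCS#7 check of the .RSA file against the .SF is not covered.

```python
import base64, hashlib, io, zipfile

MANIFEST, SF = "META-INF/MANIFEST.MF", "META-INF/SIGNER.SF"  # SF name is an assumption

def b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def write_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member, data in members.items():
            z.writestr(member, data)
    return buf.getvalue()

def build_jar(name: str, content: bytes) -> bytes:
    """Constructed sample JAR: one entry plus manifest and .SF carrying SHA-1 digests."""
    section = f"Name: {name}\r\nSHA1-Digest: {b64sha1(content)}\r\n\r\n".encode()
    manifest = b"Manifest-Version: 1.0\r\n\r\n" + section
    sf = (f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(manifest)}\r\n\r\n"
          f"Name: {name}\r\nSHA1-Digest: {b64sha1(section)}\r\n\r\n").encode()
    return write_zip({MANIFEST: manifest, SF: sf, name: content})

def replace_entry(jar: bytes, name: str, data: bytes) -> bytes:
    """Swap one member's bytes and leave META-INF untouched, as a hand edit would."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        members = {m: z.read(m) for m in z.namelist()}
    members[name] = data
    return write_zip(members)

def sections(text: bytes):
    """Yield (raw section bytes, headers) pairs; continuation lines are not handled."""
    for raw in filter(None, text.split(b"\r\n\r\n")):
        yield raw + b"\r\n\r\n", dict(l.split(": ", 1) for l in raw.decode().split("\r\n"))

def check_jar(jar: bytes) -> list:
    """Return integrity problems; an empty list means the digest chain is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        manifest, sf = z.read(MANIFEST), list(sections(z.read(SF)))
        if sf[0][1].get("SHA1-Digest-Manifest") != b64sha1(manifest):
            problems.append("manifest does not match .SF")
        signed = {h["Name"]: h["SHA1-Digest"] for _, h in sf[1:]}
        for raw, h in list(sections(manifest))[1:]:
            if signed.get(h["Name"]) != b64sha1(raw):
                problems.append(f"{h['Name']}: manifest section does not match .SF")
            if h["SHA1-Digest"] != b64sha1(z.read(h["Name"])):
                problems.append(f"{h['Name']}: content does not match manifest digest")
    return problems

ORIGINAL = b'<window onload="init()"/>'  # constructed stand-in for the signed xxx.xul
EDITED = b'<window><script>window.addEventListener("load", init, false);</script></window>'
```

Calling `check_jar(replace_entry(build_jar("xxx.xul", ORIGINAL), "xxx.xul", EDITED))` reports the content mismatch, which is why the modified file has to be re-signed before it can be tested.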
Comment 11 m.fabbri 2011-04-06 07:55:13 PDT
Created attachment 524184
Signed XUL script with window.addEventListener: xxx.xul
Comment 12 Boris Zbarsky [:bz] (TPAC) 2011-04-06 10:35:55 PDT
OK, and using that jar file what are the steps to reproduce the problem?
Comment 13 m.fabbri 2011-04-06 23:51:51 PDT
I have deployed the file to reproduce on my site www.softlab.it; this must be inserted in the domain white list of Remote XUL Manager plugins.
Now navigate to this URL:

jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul

After accepting the XUL permission issue, this works correctly for me and loads the www.mozilla.org site in the XUL browser element.
Now close Firefox and navigate to this URL, which is the iframed JAR:XUL script:

http://www.softlab.it/SoftLab/index_xxx.html

(I don't post the HTML template I realized, but you can obviously view the source of the HTML page online with the menu View->Page Source).
Accept the XUL permission issue and now this error should appear:

Error: Permission denied to <http://www.softlab.it> for request to method BoxObject.QueryInterface
Comment 14 Boris Zbarsky [:bz] (TPAC) 2011-04-07 21:11:40 PDT
OK, with those steps I can reproduce.

Blake, are we putting the signed script from the jar into the same compartment as the containing page and then using the compartment for the security check?
Comment 15 m.fabbri 2011-04-27 08:07:24 PDT
This is not only a question relating to iframes; the error also appears if I try to navigate to the jar URL (jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul) with a JavaScript window.location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul" function.
Example redirector.html:

<html>
	<head>
		<title>REDIRECTOR</title>
		<meta http-equiv="cache-control" content="no-cache"/>
		<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<style type="text/css">html {width: 100%; height: 100%;} body {width: 100%; height: 100%; margin: 0; padding: 0; overflow: hidden;}</style>
	</head>
	<body>
		<script type="text/javascript">
			location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul";
		</script>
	</body>
</html>

Now this is a blocker bug for my application... maybe it is the case to change the Importance Priority?
Comment 16 m.fabbri 2011-04-29 05:39:35 PDT
The error also appears when opening the JAR/XUL URL with a window.open function.
For now, no workaround found!
Comment 17 Blake Kaplan (:mrbkap) 2011-06-01 08:51:10 PDT
So, I recently fixed a bug dealing with signed jars being stuck in the wrong compartment. However, when I try the steps to reproduce this bug, the signed jar doesn't actually work and I get:

Signature Verification Error: the signature on xxx.xul is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

m.fabbri, can you try a Firefox 6 Aurora build and report back as to whether it fixes your problem?
Comment 18 Boris Zbarsky [:bz] (TPAC) 2011-06-01 08:58:23 PDT
Blake, you installed the cert from comment 3, right?
Comment 19 Blake Kaplan (:mrbkap) 2011-06-01 09:12:02 PDT
I totally missed that... retrying now.
Comment 20 Blake Kaplan (:mrbkap) 2011-06-01 09:18:48 PDT
And now I can confirm: fixed by bug 657267.