Signed XUL script into IFRAME component

RESOLVED FIXED

Product: Core
Component: XPConnect
Version: 2.0 Branch
Reported: 7 years ago
Resolved: 6 years ago
Reporter: m.fabbri
Assignee: Unassigned
Firefox Tracking Flags: Not tracked
Attachments: 2

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 Gecko/20100101 Firefox/4.0

Unable to visualize signed XUL script into IFRAME component with Firefox 4.0.
With Firefox 3.6 all works fine.

Reproducible: Always

Steps to Reproduce:
Install the "Remote XUL Manager" Firefox extension and insert your XUL script domain into the white list.

Create a simple XUL script that integrates a browser component that, when initialized, loads a URL (http://www.mozilla.org):

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="XXX" xmlns:html="http://www.w3.org/1999/xhtml" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" onload="init()">
	<script type="application/x-javascript">
		<![CDATA[
		var browser_1;

		function init() {
			try {
				netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
				browser_1=document.getElementById("browser_1");
				browser_1.loadURI("http://www.mozilla.org", null, null);
			}
			catch(e) {
				alert(e);
			}
		}
		]]>
	</script>
	<browser id="browser_1" flex="1"/>
</window>

Sign the XUL script with any signtool, publish the obtained xxx.jar file, and create an HTML template page that integrates the signed XUL script into an IFRAME component:

<html>
	<head>
	...
	</head>
	<body>
		...
		<button>OK</button>
		<iframe src="jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul"></iframe>
	</body>
</html>

Actual Results:
The XUL browser component doesn't load the specified URL (http://www.mozilla.org) and returns this error:

Error: Permission denied to <http://192.168.168.111:8400> for request to method BoxObject.QueryInterface


Expected Results:
The expected result is that the signed XUL script loads the specified URL (http://www.mozilla.org), as properly happens in Firefox 3.6.


If you point your browser directly to the signed JAR URL:

jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul

all works fine.

Comment 1

That's ... odd.  Can you attach the signed jar in question here, please?
(Reporter)

Comment 2

7 years ago
Created attachment 521499 [details]
Signed XUL script: xxx.xul
(Reporter)

Comment 3

7 years ago
If you want to use the attached signed XUL script xxx.jar, you must install this custom certificate and allow the first and third policy checkboxes:

http://www.softlab.it/SoftLab/SoftLab2.cer

Updated

7 years ago
Version: unspecified → Trunk
(Reporter)

Comment 4

7 years ago
The error occurs on any OS with Firefox 4.0 installed!
I confirm that with Firefox 3.6 the error doesn't occur on any OS!

Version: Trunk → 2.0 Branch

Comment 5

So I tried the attached jar file and the certificate.

It looks like the onload attribute on the <window> there is ignored (why? not sure), so the script doesn't run at all.

Reporter, is the problem fixed if you add this at the beginning of the script:

  window.addEventListener("load", init, false);
(Reporter)

Comment 6

7 years ago
The proposed workaround doesn't work... I have the same behaviour and the same error:

Error: Permission denied to <http://192.168.168.111:8400> for request to method
BoxObject.QueryInterface
(Reporter)

Comment 7

7 years ago
Strange behaviour:

If I first load my signed JAR:XUL URL:

jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul

which loads my page correctly, and next I load my HTML template with the iframed JAR:XUL URL, all works fine!
After closing my browser, if I first load my HTML template with the iframed JAR:XUL URL, I get the usual error here and also next when I load my signed JAR:XUL URL.
Perhaps this is some cached permission setting, but I have no idea!
Hope this helps you to solve it!

Comment 8

So can you please give me exact steps to reproduce and the exact jar file (with the change from comment 5) to reproduce with?
(Reporter)

Comment 9

7 years ago
Modified XUL script:

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="XXX" xmlns:html="http://www.w3.org/1999/xhtml"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
    <script type="application/x-javascript">
        <![CDATA[
        var browser_1;

        window.addEventListener("load", init, false);

        function init() {
            try {
                netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
                browser_1=document.getElementById("browser_1");
                browser_1.loadURI("http://www.mozilla.org", null, null);
            }
            catch(e) {
                alert(e);
            }
        }
        ]]>
    </script>
    <browser id="browser_1" flex="1"/>
</window>

Comment 10

I can modify the script myself, sure.  But then the signature on the jar is invalid, so the whole thing doesn't work.  Hence my request for the exact signed jar that contains the modified XUL file that you are testing with.
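
Added example, not part of this bug thread or of Mozilla's code: why editing xxx.xul inside an already signed jar invalidates it, as comment 10 points out. It checks only the per-file SHA1-Digest entries of a simplified MANIFEST.MF and does not verify the *.SF or *.RSA files; the manifest layout, the constructed sample jar and all helper names are assumptions.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def manifest_digests(manifest: str) -> dict:
    """Map entry name -> SHA1-Digest from the per-entry sections of MANIFEST.MF.
    Simplification: 72-byte continuation lines are not unfolded."""
    digests = {}
    for section in manifest.replace("\r\n", "\n").split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def check_jar(jar_bytes: bytes) -> dict:
    """Return {entry: status} for every payload entry (META-INF is skipped)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        expected = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode())
        for name in jar.namelist():
            if name.startswith("META-INF/"):
                continue
            if name not in expected:
                result[name] = "not in manifest"
            elif sha1_b64(jar.read(name)) != expected[name]:
                result[name] = "digest mismatch"
            else:
                result[name] = "ok"
    return result

def build_jar(shipped: bytes, signed: bytes) -> bytes:
    """Constructed sample jar: manifest digest computed over `signed`,
    but the archive ships `shipped` as xxx.xul."""
    manifest = ("Manifest-Version: 1.0\n\n"
                f"Name: xxx.xul\nSHA1-Digest: {sha1_b64(signed)}\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("xxx.xul", shipped)
    return buf.getvalue()

# Constructed stand-ins for the signed file and a local edit of it.
ORIGINAL = b'<window onload="init()"/>'
EDITED = b'<window><!-- load listener added by hand --></window>'

if __name__ == "__main__":
    print(check_jar(build_jar(ORIGINAL, ORIGINAL)))
    print(check_jar(build_jar(EDITED, ORIGINAL)))
```
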
(Reporter)

Comment 11

7 years ago
Created attachment 524184 [details]
Signed XUL script with window.addEventListener: xxx.xul

Comment 12

OK, and using that jar file what are the steps to reproduce the problem?
(Reporter)

Comment 13

7 years ago
I have deployed the file to reproduce on my site www.softlab.it; this must be inserted in the domain white list of Remote XUL Manager plugins.
Now navigate to this URL:

jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul

Accepting the XUL permission issue, this works correctly for me and loads the www.mozilla.org site in the XUL browser element.
Now close Firefox and navigate to this URL, that is the iframed JAR:XUL script:

http://www.softlab.it/SoftLab/index_xxx.html

(I don't post the HTML template realized, but you can obviously view the source of the HTML page online with the menu View->Page Source).
Accept the XUL permission issue and now this error should appear:

Error: Permission denied to <http://www.softlab.it> for request to method
BoxObject.QueryInterface

Comment 14

OK, with those steps I can reproduce.

Blake, are we putting the signed script from the jar into the same compartment as the containing page and then using the compartment for the security check?
Status: UNCONFIRMED → NEW
Component: XUL → XPConnect
Ever confirmed: true
QA Contact: xptoolkit.widgets → xpconnect
(Reporter)

Comment 15

6 years ago
This is not only a question relating to the iframe; the error also appears if I try to navigate to the jar URL (jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul) with a JavaScript window.location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul" function.
Example redirector.html:

<html>
	<head>
		<title>REDIRECTOR</title>
		<meta http-equiv="cache-control" content="no-cache"/>
		<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<style type="text/css">html {width: 100%; height: 100%;} body {width: 100%; height: 100%; margin: 0; padding: 0; overflow: hidden;}</style>
	</head>
	<body>
		<script type="text/javascript">
			location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul";
		</script>
	</body>
</html>

Now this is a blocker bug for my application... maybe the case to change Importance Priority?
(Reporter)

Comment 16

6 years ago
The error also appears when opening the JAR/XUL URL with a window.open function.
As of now, no workaround found!

So, I recently fixed a bug dealing with signed jars being stuck in the wrong compartment. However, when I try the steps to reproduce this bug, the signed jar doesn't actually work and I get:

Signature Verification Error: the signature on xxx.xul is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

m.fabbri, can you try a Firefox 6 Aurora build and report back as to whether it fixes your problem?

Blake, you installed the cert from comment 3, right?

I totally missed that... retrying now.

And now I can confirm: fixed by bug 657267.

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED