Closed Bug 644588 Opened 14 years ago Closed 14 years ago

Signed XUL script into IFRAME component

Categories

(Core :: XPConnect, defect)

2.0 Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: m.fabbri, Unassigned)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 Gecko/20100101 Firefox/4.0

Unable to visualize a signed XUL script in an IFRAME component with Firefox 4.0. With Firefox 3.6 all works fine.

Reproducible: Always

Steps to Reproduce:
Install the "Remote XUL Manager" Firefox extension and insert your XUL script domain into the white list.
Create a simple XUL script that integrates a browser component that, when initialized, loads a URL (http://www.mozilla.org):

    <?xml version="1.0" encoding="utf-8"?>
    <?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
    <window id="XXX"
            xmlns:html="http://www.w3.org/1999/xhtml"
            xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
            onload="init()">
      <script type="application/x-javascript">
      <![CDATA[
        var browser_1;
        function init() {
          try {
            netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
            browser_1=document.getElementById("browser_1");
            browser_1.loadURI("http://www.mozilla.org", null, null);
          } catch(e) {
            alert(e);
          }
        }
      ]]>
      </script>
      <browser id="browser_1" flex="1"/>
    </window>

Sign the XUL script with any signtool, publish the obtained xxx.jar file, and create an HTML template page that integrates the signed XUL script into an IFRAME component:

    <html>
    <head> ... </head>
    <body>
      ...
      <button>OK</button>
      <iframe src="jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul"></iframe>
    </body>
    </html>

Actual Results:
The XUL browser component doesn't load the specified URL (http://www.mozilla.org) and returns this error:
Error: Permission denied to <http://192.168.168.111:8400> for request to method BoxObject.QueryInterface

Expected Results:
The expected result is that the signed XUL script loads the specified URL (http://www.mozilla.org), as properly happens in Firefox 3.6.
If you point your browser directly to the signed JAR URL:
jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul
all works fine.
That's ... odd. Can you attach the signed jar in question here, please?
If you want to use the attached signed XUL script xxx.jar you must install this custom certificate and allow the first and third policy checkboxes: http://www.softlab.it/SoftLab/SoftLab2.cer
Version: unspecified → Trunk
The error occurs on any OS with Firefox 4.0 installed! I confirm that with Firefox 3.6 the error doesn't occur on any OS!
Version: Trunk → 2.0 Branch
So I tried the attached jar file and the certificate. It looks like the onload attribute on the <window> there is ignored (why? not sure), so the script doesn't run at all. Reporter, is the problem fixed if you add this at the beginning of the script: window.addEventListener("load", init, false);
The proposed workaround doesn't work... I have the same behaviour and the same error: Error: Permission denied to <http://192.168.168.111:8400> for request to method BoxObject.QueryInterface
Strange behaviour: if I first load my signed JAR:XUL URL: jar:http://www.softlab.it/WE/xxx.jar!/xxx.xul which loads my page correctly, and next I load my HTML template with the iframed JAR:XUL URL, all works fine! After closing my browser, if I first load my HTML template with the iframed JAR:XUL URL I get the usual error here and also next when I load my signed JAR:XUL URL. Perhaps this is some cached permission setting, but I have no idea! Hope this helps you to solve it!
So can you please give me exact steps to reproduce and the exact jar file (with the change from comment 5) to reproduce with?
Modified XUL script:

    <?xml version="1.0" encoding="utf-8"?>
    <?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
    <window id="XXX"
            xmlns:html="http://www.w3.org/1999/xhtml"
            xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
      <script type="application/x-javascript">
      <![CDATA[
        var browser_1;
        window.addEventListener("load", init, false);
        function init() {
          try {
            netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
            browser_1=document.getElementById("browser_1");
            browser_1.loadURI("http://www.mozilla.org", null, null);
          } catch(e) {
            alert(e);
          }
        }
      ]]>
      </script>
      <browser id="browser_1" flex="1"/>
    </window>
I can modify the script myself, sure. But then the signature on the jar is invalid, so the whole thing doesn't work. Hence my request for the exact signed jar that contains the modified XUL file that you are testing with.
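Added illustration, not part of the bug thread or of Mozilla's code: why editing xxx.xul after signing breaks verification, as the comment above says. It checks only the first link of a signed JAR's chain (per-file digests in the manifest against the packed files), not the *.SF or *.RSA files; the SHA1-Digest manifest layout, the function names and the sample JAR contents are assumptions constructed for the example.

```python
import base64, hashlib, io, zipfile

def manifest_digests(manifest_text):
    """Map entry name -> base64 SHA1-Digest from JAR manifest text."""
    # Long manifest lines wrap onto continuation lines starting with a space.
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def check_jar(jar_bytes):
    """Return {entry: digest_matches} for every file the manifest lists."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # Match the manifest file name case-insensitively.
        mf = next(n for n in jar.namelist() if n.lower() == "meta-inf/manifest.mf")
        results = {}
        for name, expected in manifest_digests(jar.read(mf).decode("utf-8")).items():
            actual = base64.b64encode(hashlib.sha1(jar.read(name)).digest()).decode()
            results[name] = actual == expected
        return results

def build_jar(packed, digested):
    """Constructed sample JAR: packs `packed` as xxx.xul, but the manifest
    records the digest of `digested` (what was present at signing time)."""
    digest = base64.b64encode(hashlib.sha1(digested).digest()).decode()
    manifest = "Manifest-Version: 1.0\n\nName: xxx.xul\nSHA1-Digest: %s\n\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("xxx.xul", packed)
    return buf.getvalue()

# Constructed stand-ins for the signed file and a post-signing edit of it.
ORIGINAL = b'<window id="XXX" onload="init()"/>'
MODIFIED = b'<window id="XXX"/><!-- addEventListener variant -->'

if __name__ == "__main__":
    print("untouched:", check_jar(build_jar(ORIGINAL, ORIGINAL)))
    print("edited after signing:", check_jar(build_jar(MODIFIED, ORIGINAL)))
```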
OK, and using that jar file what are the steps to reproduce the problem?
I have deployed the file to reproduce on my site www.softlab.it; this must be inserted in the domain white list of the Remote XUL Manager plugin.
Now navigate to this URL:
jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul
Accepting the XUL permission issue, this works correctly for me and loads the www.mozilla.org site in the XUL browser element.
Now close Firefox and navigate to this URL, which is the iframed JAR:XUL script:
http://www.softlab.it/SoftLab/index_xxx.html
(I don't post the HTML template realized, but you can obviously view the source of the HTML page online with the menu View->Page Source.)
Accept the XUL permission issue and now this error should appear:
Error: Permission denied to <http://www.softlab.it> for request to method BoxObject.QueryInterface
OK, with those steps I can reproduce. Blake, are we putting the signed script from the jar into the same compartment as the containing page and then using the compartment for the security check?
Status: UNCONFIRMED → NEW
Component: XUL → XPConnect
Ever confirmed: true
QA Contact: xptoolkit.widgets → xpconnect
This is not only a question relating to the iframe: the error also appears if I try to navigate to the JAR URL (jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul) with a JavaScript window.location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul" function.

Example redirector.html:

    <html>
    <head>
      <title>REDIRECTOR</title>
      <meta http-equiv="cache-control" content="no-cache"/>
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <style type="text/css">html {width: 100%; height: 100%;} body {width: 100%; height: 100%; margin: 0; padding: 0; overflow: hidden;}</style>
    </head>
    <body>
      <script type="text/javascript">
        location.href="jar:http://www.softlab.it/SoftLab/xxx.jar!/xxx.xul";
      </script>
    </body>
    </html>

Now this is a blocker bug for my application... maybe it is the case to change Importance Priority?
The error also appears when opening the JAR/XUL URL with a window.open function. For now no workaround found!
So, I recently fixed a bug dealing with signed jars being stuck in the wrong compartment. However, when I try the steps to reproduce this bug, the signed jar doesn't actually work and I get: Signature Verification Error: the signature on xxx.xul is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF). m.fabbri, can you try a Firefox 6 Aurora build and report back as to whether it fixes your problem?
Blake, you installed the cert from comment 3, right?
I totally missed that... retrying now.
And now I can confirm: fixed by bug 657267.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED