Warn when enablePrivilege is used

VERIFIED FIXED in mozilla7

Status

()

Core
DOM
P1
normal
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: bz, Assigned: bz)

Tracking

Trunk
mozilla7
x86
Mac OS X
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

Created attachment 542694 [details] [diff] [review]
Warn when enablePrivilege is used.
Attachment #542694 - Flags: review?(jonas)
Priority: -- → P1
Whiteboard: [need review]
Attachment #542694 - Flags: review?(jonas) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/2cb11a5daaf5
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla7
http://hg.mozilla.org/mozilla-central/rev/2cb11a5daaf5
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 4

6 years ago
Can we get this into aurora?
It would need a totally different patch, because the WarnOnceAbout infrastructure is not there.  So we would be warning on every use, most likely.  If that's ok, I can probably write an aurora patch for this....
Could you explain to a non programmer (or rephrase in other words) what "runs with the system principal" mean?
It means "privileged code", essentially, or "runs with the same privileges as Firefox". I agree that it's somewhat confusing to mention that in the warning, "use an extension" is really the useful advice.
I'm happy for someone else to wordsmith as desired here...

But yes, the upshot is "use an extension or get your code checked into the browser UI".
Thanks. So something like "Please use code that runs with the same priviliges of the application (e.g. an extension) instead." can be considered a fitting equivalent?
"Please use code that runs with the same privileges as the application itself (e.g. an extension) instead", yeah.

Comment 11

6 years ago
But if I don't use enablePrivilege, then I get an error saying that permission is denied?  What is the correct way of calling script that uses UniversalXPConnect???
The entire old Java-like privilege system is deprecated.  The correct way to do a script that needs privileges like that is to do an extension.

Comment 13

6 years ago
Is there someone other way that I can access UniversalXPConnect without writing an extension?  The issue is that I have a website that reads/writes into a log that uses different technologies for each browser (IE, Chrome, Firefox).  But removing this functionality, my website won't be able to support Firefox.
> Is there someone other way that I can access UniversalXPConnect without writing
> an extension? 

No.

How, exactly, are you making this work in Chrome in a way that doesn't work in Gecko?

Comment 15

6 years ago
For Chrome, I use window.requestFileSystem (see: http://www.html5rocks.com/en/tutorials/file/filesystem/)

For IE, I use Scripting.FileSystemObject (see: http://css.dzone.com/tips/javascript-how-read-and-write)

and for FF, I use nsIFile and nsILocalFile (see: https://developer.mozilla.org/en/Code_snippets/File_I%2F%2FO)
Seems like we should implement filesystem API or equivalent (which is in the plans anyway as I understand) before dropping enablePrivilege support and that would handle your usecase, right?
And to be clear, all this bug changed was add a warning.  There was no behavior change so far.
Why do you need a physical on-disk file?  We have no plans to implement the filesystem API as is.

If you just need to store large amounts of data offline, we're working on that.
Yes, I have the same question. Do you need to access data from the users "private" files, like files from the desktop/Documents/Music/Picutes folders?

Or are you just storing data that you've generated or downloaded from somewhere so that you can retrieve it later?

Comment 20

6 years ago
I am storing log information that is in a format that is generated from my server which generates the client side javascript dynamically depending on the cleint's browers.  The data could get large over time (100 MB or more).

The location is in the users' home or documents folder.
Ok, so you are getting the data on your own server and downloading it using javascript (and XHR?). Then you are currently using nsILocalFile to store that data on the users computer and load it back in when needed?

If that is correct, you should soon be able to use IndexedDB to store Blob objects and retrive them as needed. This will work without requiring any extended privileges and simply using web standards!

Comment 22

6 years ago
Jonas, that is correct.

But the issue here is that I want to right to a simple log file (text file) that can be read/written to using any browser.  If I use the IndexedDB, it won't be a cross browser solution.

There has to be a better way!

Comment 23

6 years ago
Verfied on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0

When running a script that uses enablePrivilege I receive the following warning:
"A script from "file://" is requesting enhanced abilities that are UNSAFE and could be used to compromise your machine or data:

Read program settings

Allow these abilities only if you trust this source to be free of viruses or malicious programs."

Then, even if I click on the "Allow" button, the permission those privileges were supposed to grant me is denied.

Is this the correct behavior? If not, please let me know what warning I should get.

Thank you
You should get a warning in the Web Console and Error Console.

The popup window you see has nothing to do with this bug.

Comment 25

6 years ago
Created attachment 558279 [details]
test case

Comment 26

6 years ago
Verfied fixed on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0

Steps:
 1. Open the Web Console.
 2. Open the test case attached in the previous comment.
 3. Tap on the "Home Page?" button.

The "Use of enablePrivilege is deprecated.  Please use code that runs with the system principal (e.g. an extension) instead." warning is displayed both in the Web console and in the Error console.
Status: RESOLVED → VERIFIED

Comment 27

6 years ago
Created attachment 558282 [details]
The enablePrivilege warning in the Web and Error consoles
You need to log in before you can comment on or make changes to this bug.