Created attachment 542694 [details] [diff] [review] Warn when enablePrivilege is used.
6 years ago
Can we get this into aurora?
It would need a totally different patch, because the WarnOnceAbout infrastructure is not there. So we would be warning on every use, most likely. If that's ok, I can probably write an aurora patch for this....
Could you explain to a non programmer (or rephrase in other words) what "runs with the system principal" mean?
It means "privileged code", essentially, or "runs with the same privileges as Firefox". I agree that it's somewhat confusing to mention that in the warning, "use an extension" is really the useful advice.
I'm happy for someone else to wordsmith as desired here... But yes, the upshot is "use an extension or get your code checked into the browser UI".
Thanks. So something like "Please use code that runs with the same priviliges of the application (e.g. an extension) instead." can be considered a fitting equivalent?
"Please use code that runs with the same privileges as the application itself (e.g. an extension) instead", yeah.
But if I don't use enablePrivilege, then I get an error saying that permission is denied? What is the correct way of calling script that uses UniversalXPConnect???
The entire old Java-like privilege system is deprecated. The correct way to do a script that needs privileges like that is to do an extension.
Is there someone other way that I can access UniversalXPConnect without writing an extension? The issue is that I have a website that reads/writes into a log that uses different technologies for each browser (IE, Chrome, Firefox). But removing this functionality, my website won't be able to support Firefox.
> Is there someone other way that I can access UniversalXPConnect without writing > an extension? No. How, exactly, are you making this work in Chrome in a way that doesn't work in Gecko?
Seems like we should implement filesystem API or equivalent (which is in the plans anyway as I understand) before dropping enablePrivilege support and that would handle your usecase, right?
And to be clear, all this bug changed was add a warning. There was no behavior change so far.
Why do you need a physical on-disk file? We have no plans to implement the filesystem API as is. If you just need to store large amounts of data offline, we're working on that.
Yes, I have the same question. Do you need to access data from the users "private" files, like files from the desktop/Documents/Music/Picutes folders? Or are you just storing data that you've generated or downloaded from somewhere so that you can retrieve it later?
Jonas, that is correct. But the issue here is that I want to right to a simple log file (text file) that can be read/written to using any browser. If I use the IndexedDB, it won't be a cross browser solution. There has to be a better way!
Verfied on: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 When running a script that uses enablePrivilege I receive the following warning: "A script from "file://" is requesting enhanced abilities that are UNSAFE and could be used to compromise your machine or data: Read program settings Allow these abilities only if you trust this source to be free of viruses or malicious programs." Then, even if I click on the "Allow" button, the permission those privileges were supposed to grant me is denied. Is this the correct behavior? If not, please let me know what warning I should get. Thank you
You should get a warning in the Web Console and Error Console. The popup window you see has nothing to do with this bug.
Verfied fixed on: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 Steps: 1. Open the Web Console. 2. Open the test case attached in the previous comment. 3. Tap on the "Home Page?" button. The "Use of enablePrivilege is deprecated. Please use code that runs with the system principal (e.g. an extension) instead." warning is displayed both in the Web console and in the Error console.