787086 - Lower Editor iframe privileges

Status: NEW

(DevTools :: Source Editor, defect, P3)

Description

[Mihai Sucan [:msucan]]

Once bug 759351 lands we might be able to lower the privileges we give to the Orion iframe. We need to check if this is possible.

Comment 1

[Jan Honza Odvarko [:Honza] (always need-info? me)]

Any progress on this one?
It's blocking Firebug to adopt Orion editor.

Honza

Comment 2

[Dave Camp (:dcamp)]

Mihai, when you get a chance can you explain the specific problems with the current orion codebase that prevent this change now?

Comment 3

[Mihai Sucan [:msucan]]

Good question.

IIRC, Orion currently does create an empty iframe that it tries to document.write() into, and it uses XHR to load the stylesheet from a chrome:// URL (in our codebase). Orion's approach forced us into giving the parent iframe chrome privileges. With content-only privileges Orion failed to initialize.

That was valid when we first integrated Orion, but I can try and see if simply lowering privileges works with the current Orion we use - maybe I missed some changes that would allow us to do the change right now.

Comment 4

[Mihai Sucan [:msucan]]

Just tested: Orion fails to initialize if I add iframe.setAttribute("type", "content"). Unfortunately, it's not trivial to fix Orion to work in this case.

Comment 5

[simon.kaegi]

I'm curious what version of the Orion Editor you guys are using?

The current release and the one previous haven't been using IFrames, document.write, or xhr to load stylesheets (although of course you can if you like). I'm trying to understand if this is a genuine problem in the Orion Editor or just a problem with the current snapshot being used.

If there is a problem preventing you from upgrading to the current release let me know.

Comment 6

[Girish Sharma [:Optimizer]]

Orion version: git clone from 2012-01-26
               commit hash 1d1150131dacecc9f4d9eb3cdda9103ea1819045

  + patch for Eclipse Bug 370584 - [Firefox] Edit menu items in context menus
    http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=137d5a8e9bbc0fa204caae74ebd25a7d9d4729bd
    see https://bugs.eclipse.org/bugs/show_bug.cgi?id=370584

  + patches for Eclipse Bug 370606 - Problems with UndoStack and deletions at
                                     the beginning of the document
    http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=cec71bddaf32251c34d3728df5da13c130d14f33
    http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=3ce24b94f1d8103b16b9cf16f2f50a6302d43b18
    http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=27177e9a3dc70c20b4877e3eab3adfff1d56e342
    see https://bugs.eclipse.org/bugs/show_bug.cgi?id=370606

  + patch for Mozilla Bug 730532 - remove CSS2Properties aliases for MozOpacity
                                   and MozOutline*
    see https://bugzilla.mozilla.org/show_bug.cgi?id=730532#c3


// content from the README file in Orion folder

Comment 7

[Mihai Sucan [:msucan]]

(In reply to simon.kaegi from comment #5)
> I'm curious what version of the Orion Editor you guys are using?
> 
> The current release and the one previous haven't been using IFrames,
> document.write, or xhr to load stylesheets (although of course you can if
> you like). I'm trying to understand if this is a genuine problem in the
> Orion Editor or just a problem with the current snapshot being used.
> 
> If there is a problem preventing you from upgrading to the current release
> let me know.

Thank you Simon! We just need to get around to update Orion to the latest version. We will do this soon.

Comment 8

[Anton Kovalyov (:anton)]

I'm wondering if this is also an issue with CodeMirror?

Comment 9

[Jason Barnabe (np)]

I'm updating Stylish to open its editor in a tab. I get "SecurityError: The operation is insecure." if I do this with Orion, but no problems with CodeMirror. So I'd say no, not an issue any more.