XUL:Remote XUL bugs
This page is a list of features that currently require system/chrome privileges to run, without an inherent reason or security problem, and that we need in web applications. I.e. bugs in remote XUL that don't exist in chrome XUL.
Contents
Needless restrictions
See also Tracking bug 133695 and Remote XUL on dev.m.o.
Drag & Drop
This is a chrome: script currently. Unprivileged drag and drop support will be added by bug 356295.
Load external DTD
This is really important for XUL remote application. For the time being the only way to load a DTD is using chrome. We need the ability to load DTD with a relative path. Otherwise remote xul developer can't localize their remote applications. Localizing remote XUL applications is a real improvement comparing to traditional web application. Actually, I don't know if this is a bug or a security restriction: http://bugzilla.mozilla.org/show_bug.cgi?id=22942 [Benjamin Smedberg] This is a bug, but it requires a decent amount of work to fix in the XML parser. The latest version of expat (1.95.8), which supports suspend/resume of the outer XML parsing to allow for non-blocking loads of the external DTD. This will probably make the mozilla 1.9 milestone, and is a top priority.
(XUL:Axel Hecht) copied this issue over to GeckoDev:WishList, plus comment from myself, gonna remove the item here sometime soonish
XUL stringbundles also don't work, see bug 133698.
Custom RDF datasources
(Ben Bucksch) Currently you can't create and populate your own datasource from JS, only the remote-RDF-file-loader works. This is documented (wording unclear), but represents a severe restriction when working with trees etc.. I don't see any security reasons, as long as you're not allowed to change (or read or merge with) other internal data sources like bookmarks. If anybody knows a workaround, hints welcome.
RDF file async loading
(ConorDowling) Remote XUL pages often need to know when an RDF file has loaded. They can't listen to progress events and so can't neatly know when RDF loading ends. RDF should load asynchronously too - right now it seems to block the browser.
No overlays
XUL widget problems
Custom tree views (content supply by JS) don't work
- Custom RDF datasources also don't work, see above.
- RDF file datasources (also via http) do work, but without load notification (see above).
- You can also populate the tree via the DOM.
Cannot add properties to rows
<window> height and width ignored
Described in bug 248004
(NeilRashbrook) <window title="foo"> now works for remote XUL in 1.8
no document.cookie
document.cookie doesn't work, see bug 144795
More dialog boxes than only alert(), confirm() and prompt()
Using privileged nsIPromptService we can use confirmEx() which also lets us customize the buttons that are displayed. It seems that there aren't any security reasons to prevent to use it. Other useful message boxes that comes with nsIPromptService interface are alertCheck() and confirmCheck(). http://xulplanet.com/references/xpcomref/ifaces/nsIPromptService.html
- (BenjaminSmedberg) While it might be possible to add a few more default dialogs, it would be more generic to add the IE-compatible showModalDialog() DOM method, so apps can pop up whatever they wish.
- (BenBucksch) Do you think showModalDialog() is a good idea, considering phishing/UI-fakes and popup blockers? Also, predefined dialogs can be more easily made to fit to the platform (if ensuring that the user is aware that it's a dialog from the webpage, not Mozilla or another app).
File open and save dialog
This dialog would not only prompt the user for a file to read in, but would also read in the file and present it in a javascript string or array or input stream or something. I am not talking about direct access to the file objects, since remote scripts should not be able to read and write any file they want. What I want is a dialog (or just a tag, doesn't have to be a dialog) that prompts the user to select a file and then loads that file and returns it. It might also be nice to have a XMLFileOpen dialog, which would allow a DTD to be attached and would also return the data as a DOM tree. An example implementation is XUL:File_Input.
Rationale: This is already possible with a html input type="file" inside the XUL. That is, create a HTML input type=file, which would then post the file to the remote server. The file could then be retrieved from the server by using xmlhttprequest. This doesn't scale well, and the end result is the same. Using something like this and some more CSS could probably even get the input to look exactly like it was just another XUL element. I also don't think it is a really big security issue, since the only file the remote script would be able to read would be the one the user selected.
A file save dialog would be similar to the above, allowing a remote script to present a javascript string to be saved or an output stream or something. I am not as sure about this, since it might be possible to load the data into a hidden iframe and then call the document.execCommand('SaveAs',null,filename) command. Again, this seems possible already.
(Ben Bucksch) I agree that this would be secure, if implemented correctly and the dialog makes the user aware whom they are giving the file content to. Compare my security proposal for JNode. However, this is an RFE (not a Mozilla bug) and probably quite some work in security testing.
Not a bug
This page was meant to be about pointless restrictions, but the following are not. The following requests are either invalid, because it actually works, or there actually are good (e.g. security) and inherent reasons why Mozilla denies that. See also Remote XUL restrictions.
Copy and paste
Enable to use the three XPCOM objects needed for copy and paste (nsISupportsString, nsITransferable, nsIClipboard)
(BenBucksch) Note that XUL textfields do make use of user-triggered copy/paste just like HTML textfields do (XXX verify - at least they should)
- (BenBucksch) Scriptable clipboard access is not possible, that would be a security bug. People have passwords in their clipboard.
- (BrianEcker) Why not write-only perms to clipboard?
- (BenBucksch) What would you gain by being able to copy, but not paste?
- (Calin) If you use a <textbox> object in remote XUL, you get a right-click context menu with copy and paste on it. These fail (firefox 2.0.0.3 and earlier). I understand that gaining scriptable access to these functions would be a security problem, but it seems that there should be some way for installed objects (like textbox) to still work properly when used on a remote page.
Edit remote HTML
Not talking about saving changes back here, but the ability to use the editor tag on remote sources
(NeilRashbrook) Doesn't Midas satisfy that requirement?
XML-RPC
?
- (Axel Hecht) This is unclear. If you are referring to same-site restrictions, that is something that is likely to be discussed in the context of GeckoDev's SecurityAndPriviledges and should include the new soap security model.
Prefs UI for signed.applets.codebase_principal_support
Expose in the Options window the ability to change the value for signed.applets.codebase_principal_support. Currently we have to ask to the users to change the value from false to true using about:config and this is not a viable solution. I don't see any real security issue because, in any case, every time we ask for privileges a confirm box appear and the user have to accept it.
- (NeilDeakin) you should never be telling any user to change this preference.
- Why not? My remote applications are mainly for intranet.
- (JesseRuderman) if the enablePrivilege dialog didn't suck so much, it would make sense for signed.applets.codebase_principal_support to be true by default. We allow XPIs, after all.
- (BenBucksch) IMHO signed.applets.codebase_principal_support should be false by default and not be exposed in the UI. It's terribly insecure over the net and exposing it more will only lead people (developers and consequently users) to do the wrong thing. Either you are trusted and can be installed as extension with chrome rights or you shouldn't be running with these priviledges. In intranets where chrome is too expensive to distribute, you can set the default in your Mozilla distro or sign the app (good luck with signtool :( ). But ideally, intranet apps wouldn't need UniversalXPConnect or similar sledge hammers, only permission to open windows etc., that's what this page is about.
Comments
See Discussion/Talk.