XUL:Remote XUL bugs: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Fixing intro text, and changing the formatting/list)
(Change list items to headers)
Line 3: Line 3:
The following features should become scriptable objects that we can use in unprivilege scripts:
The following features should become scriptable objects that we can use in unprivilege scripts:


* drag and drop
= Features/Problems =


* datasources
== drag and drop ==
** [[User:BenB|Ben Bucksch]] Currently can't create and populate your own datasource from JS, only the remote-RDF-file-loader works. [http://www.xulplanet.com/tutorials/xultu/templates.html Documented] (wording unclear), but severe restriction when working with trees etc.. I don't see any security reasons, as long as you're not allowed to change (or read or merge with) other internal data sources like bookmarks. If anybody knows a workaround, hints welcome.


* XML-RPC
== Datasources ==
** ([[XUL:Axel Hecht|Axel Hecht]]) This is unclear. If you are referring to same-site restrictions, that is something that is likely to be discussed in the context of [http://wiki.mozilla.org/GeckoDev?SecurityAndPriviledges GeckoDev's SecurityAndPriviledges] and should include the [http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html new soap security model].
* [[User:BenB|Ben Bucksch]] Currently can't create and populate your own datasource from JS, only the remote-RDF-file-loader works. [http://www.xulplanet.com/tutorials/xultu/templates.html Documented] (wording unclear), but severe restriction when working with trees etc.. I don't see any security reasons, as long as you're not allowed to change (or read or merge with) other internal data sources like bookmarks. If anybody knows a workaround, hints welcome.


* changing the height, width and title attributes of the <window> tag
== XML-RPC ==
** (described in [http://bugzilla.mozilla.org/show_bug.cgi?id=248004 bug 248004])
* ([[XUL:Axel Hecht|Axel Hecht]]) This is unclear. If you are referring to same-site restrictions, that is something that is likely to be discussed in the context of [http://wiki.mozilla.org/GeckoDev?SecurityAndPriviledges GeckoDev's SecurityAndPriviledges] and should include the [http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html new soap security model].
** (NeilRashbrook) <window title="foo"> now works for remote XUL in 1.8


* We need more window dialog boxes than only alert(), confirm() and prompt()
== Changing the height, width and title attributes of the <window> ==
** Using privileged nsIPromptService we can use confirmEx() which also lets us customize the buttons that are displayed. It seems that there aren't any security reasons to prevent to use it. Other useful message boxes that comes with nsIPromptService interface are  alertCheck() and confirmCheck(). http://xulplanet.com/references/xpcomref/ifaces/nsIPromptService.html  
* (described in [http://bugzilla.mozilla.org/show_bug.cgi?id=248004 bug 248004])
** (BenjaminSmedberg) While it might be possible to add a few more default dialogs, it would be more generic to add the IE-compatible showModalDialog() DOM method, so apps can pop up whatever they wish.
* (NeilRashbrook) <window title="foo"> now works for remote XUL in 1.8
 
== More window dialog boxes than only alert(), confirm() and prompt() ==
* Using privileged nsIPromptService we can use confirmEx() which also lets us customize the buttons that are displayed. It seems that there aren't any security reasons to prevent to use it. Other useful message boxes that comes with nsIPromptService interface are  alertCheck() and confirmCheck(). http://xulplanet.com/references/xpcomref/ifaces/nsIPromptService.html  
* (BenjaminSmedberg) While it might be possible to add a few more default dialogs, it would be more generic to add the IE-compatible showModalDialog() DOM method, so apps can pop up whatever they wish.
(BenBucksch) Do you think showModalDialog() is a good idea, considering phishing/UI-fakes and popup blockers? Also, predefined dialogs can be more easily made to fit to the platform (if ensuring that the user is aware that it's a dialog from the webpage, not Mozilla or another app).
(BenBucksch) Do you think showModalDialog() is a good idea, considering phishing/UI-fakes and popup blockers? Also, predefined dialogs can be more easily made to fit to the platform (if ensuring that the user is aware that it's a dialog from the webpage, not Mozilla or another app).


* Load external DTD
== Load external DTD ==
** This is really important for XUL remote application. For the time being the only way to load a DTD is using chrome. We need the ability to load DTD with a relative path. Otherwise remote xul developer can't localize their remote applications. Localizing remote XUL applications is a real improvement comparing to traditional web application. Actually, I don't know if this is a bug or a security restriction: http://bugzilla.mozilla.org/show_bug.cgi?id=22942  [Benjamin Smedberg] This is a bug, but it requires a decent amount of work to fix in the XML parser. The latest version of expat (1.95.8), which supports suspend/resume of the outer XML parsing to allow for non-blocking loads of the external DTD. This will probably make the mozilla 1.9 milestone, and is a top priority.
* This is really important for XUL remote application. For the time being the only way to load a DTD is using chrome. We need the ability to load DTD with a relative path. Otherwise remote xul developer can't localize their remote applications. Localizing remote XUL applications is a real improvement comparing to traditional web application. Actually, I don't know if this is a bug or a security restriction: http://bugzilla.mozilla.org/show_bug.cgi?id=22942  [Benjamin Smedberg] This is a bug, but it requires a decent amount of work to fix in the XML parser. The latest version of expat (1.95.8), which supports suspend/resume of the outer XML parsing to allow for non-blocking loads of the external DTD. This will probably make the mozilla 1.9 milestone, and is a top priority.
** ([[XUL:Axel Hecht]]) copied this issue over to [http://wiki.mozilla.org/GeckoDev?WishList GeckoDev:WishList], plus comment from myself, gonna remove the item here sometime soonish
** ([[XUL:Axel Hecht]]) copied this issue over to [http://wiki.mozilla.org/GeckoDev?WishList GeckoDev:WishList], plus comment from myself, gonna remove the item here sometime soonish


* Expose in the Options window the ability to change the value for signed.applets.codebase_principal_support. Currently we have to ask to the users to change the value from false to true using about:config and this is not a viable solution. I don't see any real security issue because, in any case, every time we ask for privileges a confirm box appear and the user have to accept it.
== Prefs UI for signed.applets.codebase_principal_support ==
** (NeilDeakin) you should never be telling any user to change this preference.
Expose in the Options window the ability to change the value for signed.applets.codebase_principal_support. Currently we have to ask to the users to change the value from false to true using about:config and this is not a viable solution. I don't see any real security issue because, in any case, every time we ask for privileges a confirm box appear and the user have to accept it.
** Why not? My remote applications are mainly for intranet.
* (NeilDeakin) you should never be telling any user to change this preference.
** (JesseRuderman) if the enablePrivilege dialog didn't suck so much, it would make sense for signed.applets.codebase_principal_support to be true by default.  We allow XPIs, after all.
* Why not? My remote applications are mainly for intranet.
** (BenBucksch) IMHO signed.applets.codebase_principal_support should be false by default and not be exposed in the UI. It's terribly insecure over the net and exposing it more will only lead people (developers and consequently users) to do the wrong thing. Either you are trusted and can be installed as extension with chrome rights or you shouldn't be running with these priviledges. In intranets where chrome is too expensive to distribute, you can set the default in your Mozilla distro or sign the app (good luck with signtool :( ). But ideally, intranet apps wouldn't need UniversalXPConnect or similar sledge hammers, only permission to open windows etc., that's what this page is about.
* (JesseRuderman) if the enablePrivilege dialog didn't suck so much, it would make sense for signed.applets.codebase_principal_support to be true by default.  We allow XPIs, after all.
* (BenBucksch) IMHO signed.applets.codebase_principal_support should be false by default and not be exposed in the UI. It's terribly insecure over the net and exposing it more will only lead people (developers and consequently users) to do the wrong thing. Either you are trusted and can be installed as extension with chrome rights or you shouldn't be running with these priviledges. In intranets where chrome is too expensive to distribute, you can set the default in your Mozilla distro or sign the app (good luck with signtool :( ). But ideally, intranet apps wouldn't need UniversalXPConnect or similar sledge hammers, only permission to open windows etc., that's what this page is about.


* Copy and paste
== Copy and paste ==
** Enable to use the three XPCOM objects needed for copy and paste (nsISupportsString, nsITransferable, nsIClipboard)
* Enable to use the three XPCOM objects needed for copy and paste (nsISupportsString, nsITransferable, nsIClipboard)
** (BenBucksch) Clipboard not possible, would be a security bug. People have passwords in their clipboard.
* (BenBucksch) Clipboard not possible, would be a security bug. People have passwords in their clipboard.
** (BrianEcker) Why not write-only perms to clipboard?
* (BrianEcker) Why not write-only perms to clipboard?


* Edit remote HTML
== Edit remote HTML ==
** not talking about saving changes back here, but the ability to use the editor tag on remote sources
* not talking about saving changes back here, but the ability to use the editor tag on remote sources
** (NeilRashbrook) Doesn't Midas satisfy that requirement?
* (NeilRashbrook) Doesn't Midas satisfy that requirement?


* RDF loading
== RDF loading ==
** (ConorDowling) Remote XUL pages often need to know when an RDF file has loaded. They  can't listen to progress events and so can't neatly know when RDF loading ends. RDF should load asynchronously too - right now it seems to block the browser.
* (ConorDowling) Remote XUL pages often need to know when an RDF file has loaded. They  can't listen to progress events and so can't neatly know when RDF loading ends. RDF should load asynchronously too - right now it seems to block the browser.


* A file open dialogThis dialog would not only prompt the user for a file to read in, but would also read in the file and present it in a javascript string or array or input stream or something.  I am not talking about direct access to the file objects, since remote scripts should not be able to read and write any file they want.  What I want is a dialog (or just a tag, doesn't have to be a dialog) that prompts the user to select a file and then loads that file and returns it.  It might also be nice to have a XMLFileOpen dialog, which would allow a DTD to be attached and would also return the data as a DOM tree.  An example implementation is [[XUL:File_Input]].
== File open and save dialog ==
** '''Rationale:''' This is already possible with a html input type="file" inside the XUL.  That is, create a HTML input type=file, which would then post the file to the remote server.  The file could then be retrieved from the server by using xmlhttprequest.  This doesn't scale well, and the end result is the same.  Using something like [http://www.quirksmode.org/dom/inputfile.html this] and some more CSS could probably even get the input to look exactly like it was just another XUL element.  I also don't think it is a really big security issue, since the only file the remote script would be able to read would be the one the user selected.
This dialog would not only prompt the user for a file to read in, but would also read in the file and present it in a javascript string or array or input stream or something.  I am not talking about direct access to the file objects, since remote scripts should not be able to read and write any file they want.  What I want is a dialog (or just a tag, doesn't have to be a dialog) that prompts the user to select a file and then loads that file and returns it.  It might also be nice to have a XMLFileOpen dialog, which would allow a DTD to be attached and would also return the data as a DOM tree.  An example implementation is [[XUL:File_Input]].
* '''Rationale:''' This is already possible with a html input type="file" inside the XUL.  That is, create a HTML input type=file, which would then post the file to the remote server.  The file could then be retrieved from the server by using xmlhttprequest.  This doesn't scale well, and the end result is the same.  Using something like [http://www.quirksmode.org/dom/inputfile.html this] and some more CSS could probably even get the input to look exactly like it was just another XUL element.  I also don't think it is a really big security issue, since the only file the remote script would be able to read would be the one the user selected.


* A file save dialog.  This would be similar to the above, allowing a remote script to present a javascript string to be saved or an output stream or something.  I am not as sure about this, since it might be possible to load the data into a hidden iframe and then call the document.execCommand('SaveAs',null,filename) command.  Again, this seems possible already.  
A file save dialog would be similar to the above, allowing a remote script to present a javascript string to be saved or an output stream or something.  I am not as sure about this, since it might be possible to load the data into a hidden iframe and then call the document.execCommand('SaveAs',null,filename) command.  Again, this seems possible already.  


= General comments =
= General comments =

Revision as of 22:51, 14 December 2006

This page is a list of features that currently require system/chrome privileges to run, without an inherent reason or security problem, and that we need in web applications. I.e. bugs in remote XUL that don't exist in chrome XUL.

The following features should become scriptable objects that we can use in unprivilege scripts:

Features/Problems

drag and drop

Datasources

  • Ben Bucksch Currently can't create and populate your own datasource from JS, only the remote-RDF-file-loader works. Documented (wording unclear), but severe restriction when working with trees etc.. I don't see any security reasons, as long as you're not allowed to change (or read or merge with) other internal data sources like bookmarks. If anybody knows a workaround, hints welcome.

XML-RPC

Changing the height, width and title attributes of the <window>

  • (described in bug 248004)
  • (NeilRashbrook) <window title="foo"> now works for remote XUL in 1.8

More window dialog boxes than only alert(), confirm() and prompt()

  • Using privileged nsIPromptService we can use confirmEx() which also lets us customize the buttons that are displayed. It seems that there aren't any security reasons to prevent to use it. Other useful message boxes that comes with nsIPromptService interface are alertCheck() and confirmCheck(). http://xulplanet.com/references/xpcomref/ifaces/nsIPromptService.html
  • (BenjaminSmedberg) While it might be possible to add a few more default dialogs, it would be more generic to add the IE-compatible showModalDialog() DOM method, so apps can pop up whatever they wish.

(BenBucksch) Do you think showModalDialog() is a good idea, considering phishing/UI-fakes and popup blockers? Also, predefined dialogs can be more easily made to fit to the platform (if ensuring that the user is aware that it's a dialog from the webpage, not Mozilla or another app).

Load external DTD

  • This is really important for XUL remote application. For the time being the only way to load a DTD is using chrome. We need the ability to load DTD with a relative path. Otherwise remote xul developer can't localize their remote applications. Localizing remote XUL applications is a real improvement comparing to traditional web application. Actually, I don't know if this is a bug or a security restriction: http://bugzilla.mozilla.org/show_bug.cgi?id=22942 [Benjamin Smedberg] This is a bug, but it requires a decent amount of work to fix in the XML parser. The latest version of expat (1.95.8), which supports suspend/resume of the outer XML parsing to allow for non-blocking loads of the external DTD. This will probably make the mozilla 1.9 milestone, and is a top priority.

Prefs UI for signed.applets.codebase_principal_support

Expose in the Options window the ability to change the value for signed.applets.codebase_principal_support. Currently we have to ask to the users to change the value from false to true using about:config and this is not a viable solution. I don't see any real security issue because, in any case, every time we ask for privileges a confirm box appear and the user have to accept it.

  • (NeilDeakin) you should never be telling any user to change this preference.
  • Why not? My remote applications are mainly for intranet.
  • (JesseRuderman) if the enablePrivilege dialog didn't suck so much, it would make sense for signed.applets.codebase_principal_support to be true by default. We allow XPIs, after all.
  • (BenBucksch) IMHO signed.applets.codebase_principal_support should be false by default and not be exposed in the UI. It's terribly insecure over the net and exposing it more will only lead people (developers and consequently users) to do the wrong thing. Either you are trusted and can be installed as extension with chrome rights or you shouldn't be running with these priviledges. In intranets where chrome is too expensive to distribute, you can set the default in your Mozilla distro or sign the app (good luck with signtool :( ). But ideally, intranet apps wouldn't need UniversalXPConnect or similar sledge hammers, only permission to open windows etc., that's what this page is about.

Copy and paste

  • Enable to use the three XPCOM objects needed for copy and paste (nsISupportsString, nsITransferable, nsIClipboard)
  • (BenBucksch) Clipboard not possible, would be a security bug. People have passwords in their clipboard.
  • (BrianEcker) Why not write-only perms to clipboard?

Edit remote HTML

  • not talking about saving changes back here, but the ability to use the editor tag on remote sources
  • (NeilRashbrook) Doesn't Midas satisfy that requirement?

RDF loading

  • (ConorDowling) Remote XUL pages often need to know when an RDF file has loaded. They can't listen to progress events and so can't neatly know when RDF loading ends. RDF should load asynchronously too - right now it seems to block the browser.

File open and save dialog

This dialog would not only prompt the user for a file to read in, but would also read in the file and present it in a javascript string or array or input stream or something. I am not talking about direct access to the file objects, since remote scripts should not be able to read and write any file they want. What I want is a dialog (or just a tag, doesn't have to be a dialog) that prompts the user to select a file and then loads that file and returns it. It might also be nice to have a XMLFileOpen dialog, which would allow a DTD to be attached and would also return the data as a DOM tree. An example implementation is XUL:File_Input.

  • Rationale: This is already possible with a html input type="file" inside the XUL. That is, create a HTML input type=file, which would then post the file to the remote server. The file could then be retrieved from the server by using xmlhttprequest. This doesn't scale well, and the end result is the same. Using something like this and some more CSS could probably even get the input to look exactly like it was just another XUL element. I also don't think it is a really big security issue, since the only file the remote script would be able to read would be the one the user selected.

A file save dialog would be similar to the above, allowing a remote script to present a javascript string to be saved or an output stream or something. I am not as sure about this, since it might be possible to load the data into a hidden iframe and then call the document.execCommand('SaveAs',null,filename) command. Again, this seems possible already.

General comments

(Jocelyn Raymond) Remove Privilege or Remote Privilege? I am not sure, but perhaps the title has a typo. I came from [1] where it says for anyone to discuss "Remote" XUL application to come here. Anyway, I would like to add some discussion on remote XUL here (feel free to re-direct this if necessary). (Please, excuse my English , I am French).

First, I have been looking at XUL for about a year and build actual XUL application for the past 6 months. All future XUL applications that I must build have to be remote (like the first one I builded). Moreover, all XUL applications that I will be building are for our intranet (or in-house applications). Thus the problem of "privileged" tasks/resources is important to me. I will get right to the point and please do correct/expend this if you can.

What I would like to see for remote XUL application is the ability to add in the preference "signed.applets.codebase_principal_support" (or perhaps a specific privilege such as XPConnect) a domain[/path] (where [/path] means is optional).

Thus, if I could add this preference, it would essentially mean "Any XUL application coming from www.mydomain.com/path/to/my/app is granted XPConnect". Of course, this is not useful for anyone that wish to develop for an unknown audience (such as the internet), but only for secure controlled intranet.

Would something like this be feasible? Would it be secure enough?

Of course, I think the best is to sign our remote XUL application which I did without success (i.e. the signed code was treated as if it was invalid so I must have done something wrong along the way). There is much more I would like to say but not sure this is the appropriate place.

(Hans Harder) Signing remote XUL applications sounds nice, but how about dynamic remote XUL application, in other words how do I sign XUL applications which are dynamicly generated by remote perl scripts ?

Retrieved from "https://wiki.allizom.org/index.php?title=XUL:Remote_XUL_bugs&oldid=44611"