window.openDialog return value

Gijs Kruitbosch gijskruitbosch at gmail.com
Mon Oct 29 08:58:47 UTC 2018 

Hi,


(CC'ing the list back in)


On 26/10/2018 17:15, sfcheng at gmail.com wrote:
> Thank you for your answer. I am working on a custom build of firefox. 
> The window.openDialog is called from browser.js and the url is under 
> the path chrome://browser/content/  such as 
> chrome://browser/content/test.xul. In test.xul, before closing the 
> dialog, I use "document.arguments[0].value=****" to set the return 
> value. This will work just fine. But if I put the xul file under the 
> local file system, I will get this error: Permission denied to access 
> property


Yes. See 
https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security , 
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Xray_vision and 
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.waiveXrays 
.


> The reason for doing this is to save development time. If I bundle the 
> xul file into the executable, I will have to rebuild the project every 
> time I make a change.


If you're on a Linux or mac system, this shouldn't be the case. You get 
a symlink in the build output directory which will automatically pick up 
changes. You might need to run Firefox with the -purgecaches flag to 
clear any fastload-cached copies of your file, but you shouldn't need to 
rebuild the project.


Even if you're rebuilding, you should be able to do so with `./mach 
build faster`, which should take a few seconds on a modern machine.


> If I can do the same thing by loading XUL file from the file system 
> directly, I can make live changes and just reload. I was thinking of 
> adding an exception rule into the security wrapper to grant such 
> privilege to a particular folder sitting in parallel with the exe 
> file. But I am pretty new to the code here and don't know where to 
> locate the part of code responsible for this.


Hopefully the MDN links help.


~ Gijs


>
>
> ------------------------------------------------------------------------
> Rest Regards,
> Shanfeng Cheng
> sfcheng at gmail.com
>
>     *From:* Gijs Kruitbosch <mailto:gijskruitbosch at gmail.com>
>     *Date:* 2018-10-26 10:54
>     *To:* sfcheng at gmail.com <mailto:sfcheng at gmail.com>; firefox-dev
>     <mailto:firefox-dev at mozilla.org>
>     *Subject:* Re: window.openDialog return value
>
>     "It's complicated."
>
>     What are you actually trying to do? What does "use an internal
>     chrome:// url top open a dialog" mean - are you passing a chrome:
>     URL as the thing/target to open, or are you calling openDialog
>     from a chrome/system-privileged context (and if so, what's the
>     target URL, and what other params are you passing)? Or both? From
>     what "internal chrome:// url" are you doing this (not all chrome:
>     pages are equal)? What does "Writing ... doesn't work" mean? Does
>     it throw an exception? Does reading the value on the other end
>     throw an exception? Something else?
>
>     And what's the wider context here? Are you writing a patch for
>     Firefox itself, or something else?
>
>     At a guess, it sounds like you might be running into security
>     wrappers that prevent privileged code from touching unprivileged
>     non-simple JS things without jumping through hoops, because doing
>     so is likely to be a security risk (ie you could end up running
>     arbitrary unprivileged code in a privileged context and that would
>     be Bad) which is why it's normally prevented. But that's a guess,
>     and without more details about what you're doing it's hard to give
>     a more definitive answer to your question.
>
>     ~ Gijs
>
>     On 26/10/2018 04:31, sfcheng at gmail.com wrote:
>>     I found that if I use an internal chrome:// url to open a dialog
>>     using window.openDialog, I can pass back return value using
>>     window.arguments[n].value="*****" just fine. However, if I use a
>>     file from the local file system, I wasn't able pass back return
>>     value. Writing to window.arguments[n].value doesn't work. I
>>     believe there is some security restriction here. Does anyway know
>>     which part of the C++ code is responsible for defining the
>>     security rules for different url sources?
>>
>>     Thank you.
>>
>>     ------------------------------------------------------------------------
>>     Rest Regards,
>>     Shanfeng Cheng
>>     sfcheng at gmail.com
>>
>>
>>
>>     _______________________________________________
>>     firefox-dev mailing list
>>     firefox-dev at mozilla.org
>>     https://mail.mozilla.org/listinfo/firefox-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/firefox-dev/attachments/20181029/3f92b54d/attachment.html>

More information about the firefox-dev mailing list