Security Error Content At May Not Load Data From Iframe


Take a look at the code for yourself: Evalbox Demo index.html frame.html You can do the same for your own code by breaking monolithic applications into single-purpose components. Wow, right? Also, I limit acceptable urls to ones in the public folder, so you will probably want to remove that check. Now I would like to know what kind of pitfalls the resource protocol might have that we have to keep in mind when designing such an API, and in general how

Evalbox is an exciting application that takes a string, and evaluates it as JavaScript. That bug is about the user-perceived behavior. edited Feb 28 '14 at 7:22 answered Feb 27 '14 at 6:12 Noitidart I went down this approach as well. If it throws a security error then you definitely need a chrome.manifest file and that will without question fix it up.

Indeed, a new protocol handler seems to be the way to go. But in that case it wouldn't be able to directly pass messages to the parent, which comment 0 indicates is desirable. * Do we actually need content to be able to Comment 59 Dave Townsend [:mossop] 2015-02-09 08:45:13 PST Unfortunately we have no resources to work on this right now. Comment 25 Dave Townsend [:mossop] 2014-04-11 08:13:03 PDT Comment on attachment 8404091 web-resource-protocol.patch Gabor, can you review this?

Comment 18 Dave Townsend [:mossop] 2014-03-21 13:37:40 PDT (In reply to Jesper Kristensen from comment #17) > Hi. > > I am trying to understand how to fix this. > > I'd have to experiment to see. loadContext is easiest tho –Noitidart Feb 28 '14 at 5:15 1 You are right.

The high-privilege parent window can act as a controller and dispatcher, sending messages into specific modules that each have the fewest privileges possible to do their jobs, listening for results, and Sorry for the vague question. allow-popups allows popups (, showModalDialog(), target=”_blank”, etc.). That’s a much more difficult task, especially since the controller can be greatly reduced in scope.

I’d turn that question around: if your code doesn’t need plugins, why give it access to plugins? This technique is very common in native code: Chrome, for example, breaks itself into a high-privilege browser process that has access to the local hard-drive and can make network connections, and Bill, is this ready for people to use? we need to implement a new protocol handler for this.

Comment 33 Jeff Griffiths (:canuckistani) (:⚡︎) 2014-04-17 14:12:14 PDT (In reply to Irakli Gozalishvili [:irakli] [:gozala] [@gozala] from comment #31) ... > I would prefer if there was no default folder also gBrowser to getMostRecentBrowserWindow will fail if the url load is slow and in that time the user switches to another tab or window I also changed to use Services.jsm as Message passing seems like the best solution for these kind of cross origin, or even cross protocol issues imo.

noitidart (Noitidart) 2015-07-04 08:13:02 UTC #2 You can't load privileged stuff into unprivileged. But in the problem described above I'm adding an iframe to a webpage. Is it correct that the reason why the load does not work is because of this definition for resource:// URLs? My solution was to create a custom resource handler for the iframes.

contentWindow.location worked as intended. Comment 55 Alexandre Barreira 2014-12-10 06:40:08 PST (In reply to Jared Jacobs from comment #29) > (In reply to Gabor Krizsanits [:krizsa :gabor] from comment #27) > > One question though: I ran into the same problem. may not load or link to jar:file:///C:/Documents%20and%20Settings/SONY%20VAIO/Application%20Data/Mozilla/Firefox/Profiles/vr10qb8s.default/extensions/[email protected]!/resources/kaboom/data/pages/test.html.

And I didn't want to rely on experimentation since resource protocol might be tricky...

Isn't it too early to ditch the Addon-SDK?

Or is there a work around with XPCOM? monk3manth31st commented Jul 19, 2012 I found a way to make this work. Comment 9 Matteo Ferretti [:zer0] [:matteo] 2014-01-15 00:54:02 PST Any updates about this bug?

Also, I limit acceptable urls to ones in the public folder, so you will probably want to remove that check. If you have My patch uses the same structure as used by the existing code for chrome:// and file:// URLs. Presumably a real application would do something less annoying: window.addEventListener('message', function (e) { // Sandboxed iframes which lack the 'allow-same-origin' // header have "null" rather than a valid origin. Load an iframe into a page (using page-mod) from the extension data Add-ons Development bmenant_lmem (Benjamin Menant) 2015-07-03 23:37:18 UTC #1 Relative to: 792479 – can't load iframe

This call has been wrapped up in a try block, as banned operations inside a sandboxed iframe will frequently generate DOM exceptions; we’ll catch those and report a friendly error message Embed it please, Browser, but don’t let it break my site.” Least Privilege In essence, we’re looking for a mechanism that will allow us to grant content we embed only the If you wish, I can attach the code for the little test add-on I have to reproduce the problem.

We'd much prefer to have one of the patches in this thread applied to FF, or for lack of that, settle for a sensible work around. The patch is adding some mechanism to let content load them I was suggesting to put that mechanism on nsEP instead of regular principals... Further Reading “Privilege Separation in HTML5 Applications” is an interesting paper that works through the design of a small framework, and its application to three existing HTML5 apps. This works, but is of course not an optimal solution.

If it's the latter, you can accomplish this right now. That way it is explicitly opt-in and avoids exposing things that add-ons didn't intended to expose. Twitter’s “Tweet” button is a great example of functionality that can be more safely embedded on your site via a sandbox. One important consideration pertaining to this question, which I haven’t seen mentioned yet in this issue’s comments, is the role of a host page’s Content Security Policy.

My solution was to create a custom resource handler for the iframes. It offers defense in depth, and unless you have control over your users’ clients, you can’t yet rely on browser support for all your users (if you do control your users