Re: disable security
hocus <news <at> dronet.gliwice.pl>
2002-09-04 10:58:35 GMT
At the beginning - thank you for reply, that is what I was looking for.
What I exactly need is to grant full privileges to one domain - my domain
with my scripts which I guarantee to my customers will not do anything more
than they are supposed to. I know, that solution is still far from secure in
case someone would spoof somehow my domain, but for my purpose I think it is
acceptable danger ;)
Anyway, I was thinking if this pref("...") stuff wouldn't do what I need,
unfortunately when I add the last of the lines (*.granted), the browser does
not start properly (tested on two recent source snapshots).
So I went back to modifying source code. In CheckPropertyAccessImpl
function - is there an easy way to extract the base url of the script
requesting access to properties? So I could just explicitly compare it with
my domain name.
It is probably not to hard to find it out, but as I didn't have much time
recently to delve into source, if you just know exactly how to do that I'd
be very obliged
> The simplest and most drastic change would be to open up
> mozilla/caps/src/nsScriptSecurityManager, and make the
> CheckPropertyAccessImpl function a no-op that always returns true. That
> will essentially disable all security and create a browser that's
> totally unsafe to be used on the public Internet.
> Or, you could make a more specific change. Try adding these lines to
> pref("signed.applets.codebase_principal_support", true);
> pref("capability.principal.codebase.foo.id", "http://foo.com
> pref("capability.principal.codebase.foo.granted", "UniversalBrowserRead
> Replace "http://foo.com http://bar.com" with a space-separated list of
> the hosts to which your Mozilla-based tool needs to connect.