I tried to load the XML document from the same "epaedia://host/" URI as the unprivileged script hoping that this would solve this issue. This did not work as I get errors when my epaedia protocol tries to get the "epaedia://packagename/package.xml" itself. I figured that because requests for the "package.xml" file are special, and just return the document without loading "package.xml", that when another file is requested and the XML doc is retrieved within the request that it would be successful.
Is there any way I can make the unprivileged script not need permissions for this XMLDocument? Thanks, James Boris Zbarsky wrote: > James Newell wrote: > > "XML", a property of the package component, contains an XML Document > > returned from an nsIXMLHttpRequest. Unprivileged JS can access this > > object but each of the XML Documents and methods are in-accessible: > > > > Error: uncaught exception: Permission denied to get property > > XMLDocument.textContent > > > > What am I doing wrong? > > You're creating an XMLDocument in security context A and trying to use it from > security context B. This is typically called an "XSS Attack" when used on the > web... And we generally try to not allow it to happen. > > More precisely, the issue is that the XMLDocument returned by XMLHttpRequest > doesn't have a security context of its own, so it uses the security context of > whoever called XMLHttpRequest. > > -Boris _______________________________________________ dev-tech-xpcom mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-xpcom
