Lj�s�lfr wrote:
I'm no XUL-meister, but as I understand things, XUL installs as part of the Browser, and has basically the same OS access as any other part of the browser.
That's a common misconception. There is XUL, which is a language used to describe UI. It has no inherent security priveleges -- XUL served over http:// has the same permissions as any web page.
Some particular XUL files are tagged as part of the browser and have expanded permissions. The same is true of some HTML files.
"Note that you can't bind the XBL to an arbitrary element like you can with XBL in XUL. You must bind it to a regular HTML element like a SPAN or a DIV.
I'm unaware of any such restrictions in XBL; in fact one can easily bind XBL to things like images...
"You should also be able to insert XUL directly into XHTML files, but a bug in Mozilla currently prevents this from working. See the bug report for the details."
This is only an issue if you want to embed XUL in a generic XML file. This is indeed broken. If you have a XUL file served with the XUL mimetype, it will work (modulo some issues with overlays).
Many-four-letter-words-typically-spoken-by-Axel-Rose-all-in-a-row! It's the mimetype that was killing me! Thank you for pointing that out.
Alias /shared/ "/web-site/shared/"
<Directory /web-site/shared>
AllowOverride All
Options Indexes -FollowSymLinks
deny from all
Allow from all
AddType application/vnd.mozilla.xul+xml .xul
</Directory>Well, the following is pretty much OBE, but it may be of interest to others.
bash$ ls $WEB_SITE/shared/xul/ js session.xul
bash$ cat $WEB_SITE/shared/xul/session.xul
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<?xml-stylesheet href="chrome://navigator/skin/" type="text/css"?>
<window
onload="initSession(this);"
title="User Session"xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"; id="session-window"> <script type="application/x-javascript" src="js/session.js" /> </window>
bash$ ls $WEB_SITE/shared/xul/js session.js
bash$ cat $WEB_SITE/shared/xul/js/session.js
function initSession(w){
var owner = w.documentElement;
alert("Hello World");
}bash$ mozilla -P developer -chrome $WEB_SITE/shared/xul/session.xul
# An alert box with "Hello World" is displayed.
bash$ mozilla -P developer -chrome http://localhost/shared/xul/session.xul
# The prompt never returns, and nothing is displayed.
bash$ mozilla -P developer -chrome http://localhost/shared/xul/
# A directory listing is displayed. This demonstrates the browser is # willing to display content from that URL.
bash$ mozilla -P developer http://localhost/shared/xul/session.xul
# The browser starts with an empty content frame and JavaScript Console # shows a message "Error: initSession is not defined".
bash$ cat $WEB_SITE/shared/xul/session.html
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<title>Session XHTML</title>
<script type="application/x-javascript" src="js/session.js" />
</head> <body onload="initSession(this);">
<h1>Session XHTML</h1></body> </html>
bash$ mozilla -P developer http://localhost/shared/xul/session.html
# The browser starts with an alert containing "Hello World". This # demonstrates that a virtually identical XHTML page will run JavaScript # that will not run from the corresponding XUL file.
bash$ grep signed ~/.mozilla/developer/y99nsirk.slt/prefs.js
user_pref("signed.applets.codebase_principal_support", true);# Adding the above to my prefs.js has absolutely no influence on the # outcome.
