Would it be possible to have a page on Mozilla listing XUL cross domain
security FAQs
I have compiled a list of questions based on bug and newsgroup responses-
but I'm not entirely sure if the answers I've got back are consistant or
correct.
The premise of my FAQ is a XUL file containing two iframe windows, one of
which contains a document from a different domain.
<iframe id="frame1" src="www.abc.com/file1.htm />
<iframe id="frame2" src="about:blank" />
Any clarification/correction welcome.
METHODS
Q1. Using a XUL script, is it always possible to read the content tree of
any document from any domain without restriction?
A1. Yes (?)
Q2. Using a XUL script, should it be possible to use the focus method to
direct keyboard events to a particular iframe e.g.
window.frames[0].setfocus() ?
A2. Currently not because of cross domain security but will be changed see
69028
Q3. Using a XUL script, should it be possible to scroll the contents of a
particular iframe e.g. window.frames[0].scrollBy(0,30) or return the
document X and Y page offsets e. window.frames[0].pageYOffset ? (does XUL
support these methods and properties)
A3. Currently not because of cross domain security but will be reviewed. ?
Q4. Will XUL support the print method e.g window.frames[0].print() ?
A4 Currently not because of cross domain security
Q5. Will XUL eventually support silent printing via javascript of iframe
content ? Presumably a XUL script is trusted enough to do this (unlike an
HTM script) similar to the print button in IE
var contentViewerFile =
window.frames[0].docShell.contentViewer.QueryInterface(Components.interfaces
.nsIContentViewerFile);
contentViewerFile.Print(true, null, null);
A5. Unknown
Q6 If you copy or merge iframe content from one or more cross domain iframe
sources, should all cross domain security be removed from the target iframe?
(is the security domain of iframe2 the same as the XUL file). Currently, the
content of iframe2 seems secured.
var sid = document.getElementById("frame1");
var tid = document.getElementById("frame2");
// copy sid
var copyOfNode = sid.cloneNode(true);
// replace tid with the copy of sid
tid.parentNode.replaceChild( copyOfNode, tid );
A6 Unclear
EVENTS
Q7. Will XUL support the creation of keyboard events such as page down/ page
up? i.e. can the CreateEvent and Event() method can be used to emulate such
keyboard events
A7. Unknown
Q8. If true, then is it correct to assume it should be possible for XUL
script to create any type of event on a document in an iframe irrespective
of its domain (click, mousedown, etc) something like
window.frames[0].document.getElementById('target').click()
A8 Unknown
Q9. Should XUL scripts be able to capture events occuring within a document
within an iframe
Q9 No (?)
Q10. If non of the above are true, is nt there some way of allowing
bi-directional event notification between XUL and an embedded document?
A10. Yes(?)
