Glad you asked... Chris Shen wrote:
> 1. a back-channel notification from javascript to the customised browser
> app which implements some kind of the callback (notification) service
> interface.

I'm sure this is possible with XPConnect; don't know the details though.

>
> 2. no privilege popup dialog occurs. -- this may be done by pref conf.
>
> 3. the javascript only has certain permittable scripting
> into the customised xpcom callback service without requiring signing the
> scripts rather than access
>
> a range of xpcom services with signing.

These are both currently possible, and without the need for any additional plugins or other security mechanisms. You can set prefs to make any XPCOM class accessible from unsigned JS with no confirmation dialog. The only requirement is that the class you want to give access to must implement nsIClassInfo. See http://lxr.mozilla.org/seamonkey/source/xpcom/doc/nsIClassInfo-overview.html for info on ClassInfo and http://www.mozilla.org/projects/security/components/configPolicy.html for how to configure the prefs.

Please email me if you have any questions.

-Mitch
