Hi,
I'm working on http://bugzilla.mozilla.org/show_bug.cgi?id=122846 and I
need to add a security check to nsIRDFResource::GetDelegate.
Not doing so would expose stuff like filters and other settings of the
user to web content, once RDFResource is fully accessible.
What would be the right security check?
I was about to add a check to allow chrome and as a bonus
http://www.mozilla.org/projects/security/components/ConfigPolicy.html
for something like
user_pref("capability.policy.rdfsite.RDFResource.GetDelegate", "allAccess");
with a default of noAccess.
Two questions, does the security check like this sound reasonable, and
how do I do the second check. I tried to find sample code, with little
luck. GlobalWindowImpl seems to do stuff that is just a pref, and I
didn't see anybody calling into checkFunctionAccess, if that'd be the
right entrypoint. hrm.
Thanx for feedback
Axel
- Re: RDFResource::GetDelegate security check Axel Hecht
- Re: RDFResource::GetDelegate security check Mitchell Stoltz
