Good day -

Some time ago I mailed this list about the AntiXSS solution we came up with Novell to get around some of the problems we were having with the nph-proxy funnel for driven mode.

Recently I've been using a solution which is far, far simpler and which seems to address all the problems on both sides. It is essentially to disable the cross-site scripting checks for HTML and JavaScript coming from the local filesystem (the file:// protocol). We use Mozilla's Configurable Security Policies [1] along with some related user preferences to formulate a user.js that can be put in a dedicated user profile, and which disables the CSS checks as described. The user.js we have so far is attached.

When a Firefox session is run in that profile, SeleneseRunner.html or similar can be loaded directly using file:// and can do pretty much anything it wants with pages from other sources.

If anyone else finds this useful and/or has anything to add or fix, great. Send it our way! Hopefully something like this can also go into Selenium upstream if it seems useful for others. This appears to be similar in effect to using an .hta suffix with Internet Explorer.

The obvious disadvantage to this approach is that security is lessened when using that Firefox profile; if it were used to browse a malicious site, and that site knew where to find some certain JavaScript files on your filesystem, and it were allowed to load the JavaScript files from your filesystem (is it?) I guess there's a possibility that site could take advantage of the security loophole to do nefarious things.

[1] http://www.mozilla.org/projects/security/components/ConfigPolicy.html

--
paul
Attachment: user.js (JavaScript source)
_______________________________________________
Selenium-devel mailing list
Selenium-devel@lists.public.thoughtworks.org
http://lists.public.thoughtworks.org/mailman/listinfo/selenium-devel
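
An added example, not part of the original post and not the attached user.js: a small Node.js audit that reads a profile's user.js and reports Configurable Security Policies entries set to allAccess, so a relaxed test profile like the one described can be recognised before it is used for ordinary browsing. The policy name, the object/property names and the sample prefs are constructed, and flagging signed.applets.codebase_principal_support is an assumption about which related preferences matter.

```javascript
// Audit a Firefox profile's user.js for prefs that relax cross-site checks.
// CAPS pref scheme: capability.policy.<policy>.sites lists the origins, and
// capability.policy.<policy>.<Object>.<property> is set to "allAccess",
// "sameOrigin" or "noAccess". The "default" policy applies to every site.
const PREF_RE =
  /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line); // commented-out lines do not match
    if (m) prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

function auditProfile(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  const named = String(prefs.get("capability.policy.policynames") || "")
    .split(/[\s,]+/).filter((n) => n && n !== "default");
  for (const policy of ["default", ...named]) {
    const prefix = `capability.policy.${policy}.`;
    const grants = [...prefs]
      .filter(([k, v]) => k.startsWith(prefix) && v === "allAccess")
      .map(([k]) => k.slice(prefix.length));
    if (grants.length === 0) continue;
    const sites = policy === "default" ? "*" : String(prefs.get(prefix + "sites") || "");
    const scope = policy === "default" ? "all-sites"
      : /(^|\s)file:/.test(sites) ? "local-files" : "listed-sites";
    findings.push({ policy, sites, scope, grants });
  }
  // Assumption: this pref is also worth flagging in a test profile.
  if (prefs.get("signed.applets.codebase_principal_support") === true)
    findings.push({ policy: null, sites: "*", scope: "all-sites",
      grants: ["signed.applets.codebase_principal_support"] });
  return findings;
}

// Constructed sample, not the user.js attached to the post.
const SAMPLE_USER_JS = [
  'user_pref("capability.policy.policynames", "localtests");',
  'user_pref("capability.policy.localtests.sites", "file://");',
  'user_pref("capability.policy.localtests.Window.document", "allAccess");',
  'user_pref("capability.policy.localtests.checkloaduri.enabled", "allAccess");',
  '// user_pref("capability.policy.default.Window.open", "allAccess");',
  'user_pref("signed.applets.codebase_principal_support", true);',
].join("\n");

console.log(JSON.stringify(auditProfile(SAMPLE_USER_JS), null, 2));
```

A finding with scope "all-sites" means the relaxation is not limited to file:// pages, which is the case the post's closing paragraph worries about.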