Re: Dwr in remote Xul web applications

by S.Pérès-Labourdette

Hi.

This is the point. I'm doing remote XUL, not a chrome-like kind of Firefox extension.

Thanks to Mozilla's design there is no need to wonder about your concerns.

I'm not an XPCOM expert, but when I was first concerned with security when designing my first remote XUL app, the first thing I learned is that "chrome" vs "remote xul" is just like god vs evil.

Enabling security in a remote XUL app relies on Firefox profile settings you can't tweak remotely, such as:
 - signed.applets.codebase_principal_support
 - security.xpconnect.plugin.unrestricted
 ......

Also, most XPCOM component access is just forbidden in a "remote xul" app.

As far as I'm concerned, Direct Web "Remoting" is useful for "remote" apps and "remote" XUL is definitely not chrome.

What is your point?


Joe Walker-3 wrote:
Thanks for the submission.
I'm nervous about adding this to engine.js for 2 reasons:
- I want to keep it as small as possible - ideally much smaller than it is
now.
- I'm concerned about the security implications of what you're doing. Is it
safe to download remote scripts for execution in a chrome context?

Joe.

On Thu, Sep 11, 2008 at 11:48 AM, S.Pérès-Labourdette <sperlab@gmail.com> wrote:

>
> I've just packaged a new release of my portal web app including the latest
> 2.0.5 release of Dwr.
> It just runs perfectly and very fast with jawr integration.
>
> I would like to point out the engine.js changes I've done to make dwr work
> in a Mozilla remote Xul context, so maybe someone could include them in
> future releases, because I think this would be great.
>
> The only 'blocking' issue I found is in the dwr.engine._getJSessionId
> member, which I rewrote like that
>
> ......
> /** @private What is our session id? */
> dwr.engine._getJSessionId = function() {
>        if (typeof document.cookie == 'undefined') { // not in a classic html context so guessing xul
>                netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
>                var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
>                        .getService(Components.interfaces.nsICookieManager2);
>                var iter = cookieManager.enumerator;
>                while (iter.hasMoreElements()) {
>                        var cookie = iter.getNext();
>                        if (cookie instanceof Components.interfaces.nsICookie) {
>                                if (cookie.name == dwr.engine._sessionCookieName)
>                                        return cookie.value;
>                        }
>                }
>        }
>        else {
>                var cookies = document.cookie.split(';');
>                for (var i = 0; i < cookies.length; i++) {
>                        var cookie = cookies[i];
>                        while (cookie.charAt(0) == ' ')
>                                cookie = cookie.substring(1, cookie.length);
>                        if (cookie.indexOf(dwr.engine._sessionCookieName + "=") == 0) {
>                                return cookie.substring(dwr.engine._sessionCookieName.length + 1, cookie.length);
>                        }
>                }
>        }
>        return "";
> }
> .........
>
>
> Regards,
> S.PERES-LABOURDETTE
>
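
Added example (not part of the original thread, and not DWR code): nsICookieManager's enumerator walks every cookie in the profile, so the name-only match in the posted _getJSessionId can return a session id that was set by a different host. The sketch below scopes the lookup to the request host and path; its records mimic nsICookie's name, value, host and path fields, and hostMatches, pathMatches, firstByNameOnly, pickSessionCookie and SAMPLE_COOKIES are hypothetical names with constructed data.

```javascript
// Added example: records mimic nsICookie fields (name, value, host, path).
// All function names and SAMPLE_COOKIES are hypothetical; the data is constructed.

// Domain match (RFC 6265): a host-only cookie must equal the request host;
// a domain cookie (leading dot) matches that domain and its subdomains.
function hostMatches(cookieHost, requestHost) {
  var c = cookieHost.toLowerCase(), r = requestHost.toLowerCase();
  if (c.charAt(0) !== '.') return c === r;
  return r === c.substring(1) || r.slice(-c.length) === c;
}

// Path match (RFC 6265): the cookie path must be a prefix of the request
// path that ends on a '/' boundary, so "/app" does not match "/application".
function pathMatches(cookiePath, requestPath) {
  if (requestPath.indexOf(cookiePath) !== 0) return false;
  return cookiePath.length === requestPath.length ||
         cookiePath.charAt(cookiePath.length - 1) === '/' ||
         requestPath.charAt(cookiePath.length) === '/';
}

// Mirrors the posted XUL branch: first cookie with the right name, any host.
function firstByNameOnly(cookies, name) {
  for (var i = 0; i < cookies.length; i++)
    if (cookies[i].name === name) return cookies[i].value;
  return "";
}

// Scoped lookup: name, host and path must all match; the longest matching
// path wins, which is the cookie a browser would list first for the request.
function pickSessionCookie(cookies, name, requestHost, requestPath) {
  var best = null;
  for (var i = 0; i < cookies.length; i++) {
    var c = cookies[i];
    if (c.name !== name || !hostMatches(c.host, requestHost) ||
        !pathMatches(c.path, requestPath)) continue;
    if (best === null || c.path.length > best.path.length) best = c;
  }
  return best ? best.value : "";
}

// Constructed profile-wide cookie list, in the order an enumerator might yield it.
var SAMPLE_COOKIES = [
  { name: "JSESSIONID", value: "other-site",  host: "intranet.example.net",   path: "/" },
  { name: "JSESSIONID", value: "suffix-trap", host: ".notportal.example.org", path: "/" },
  { name: "JSESSIONID", value: "portal-root", host: "portal.example.org",     path: "/" },
  { name: "JSESSIONID", value: "portal-app",  host: "portal.example.org",     path: "/app" }
];
```

In the XUL branch the same filter would be applied to each nsICookie inside the enumerator loop, using the host and path the DWR calls are sent to.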
