Comments on: Extension Developers - Breaking News, Part 2

By: Boris

Boris — Sun, 23 Mar 2008 01:55:40 +0000

To answer Nils’ question, yes, the _calling_ code can already do anything it wants to. But the _called_ code can as well. Before this change, unless the called code was extremely careful (much more careful than extension code usually has to be), it was exploitable. Furthermore, if the calling code loaded something it didn’t expect (by accident, error, whatever), things were really bad.

By: Mark Finkle’s Weblog » Extension Developers - Unbreaking News, Part 2

Mark Finkle’s Weblog » Extension Developers - Unbreaking News, Part 2 — Sat, 22 Mar 2008 05:32:28 +0000

[…] love reporting “unbreaking news” and I have some report. I posted about a security change (bug 418356) to mozIJSSubScriptLoader that broke loading scripts from any […]

By: Nils Maier

Nils Maier — Fri, 21 Mar 2008 20:09:36 +0000

This appears to be a rather strange and pointless change as this affects only code that is trusted anyway and can do whatever it wants in the user context (untrusted code doesn’t have access to C.classes).
So at the moment it appears that this breaks a lot of extensions/applications and nothing more. Is there any *public* information on why these changes are indeed necessary?

By: Shinya Kasatani

Shinya Kasatani — Fri, 21 Mar 2008 09:10:25 +0000

Selenium IDE also uses jssubscript-loader to load user-defined extensions from file:// URLs.

By: DigDug

DigDug — Thu, 20 Mar 2008 18:30:22 +0000

This broke APNGEdit. I don’t think its possible for it to load external scripts from “resource” directories either.

By: Massimiliano Mirra

Massimiliano Mirra — Thu, 20 Mar 2008 15:03:52 +0000

Correction: this doesn’t just break loading files in MozRepl, it breaks it completely, as code typed at the prompt is sent via data: URI (and couldn’t alternatively be eval’ed, since eval() no longer support evaluation in a given context).

By: Massimiliano Mirra

Massimiliano Mirra — Thu, 20 Mar 2008 14:56:25 +0000

I develop MozRepl, MozUnit, and SamePlace, and this breaks loading JavaScript files in MozRepl, loading testcases in MozUnit, and loading scriptlets in SamePlace. But hey, could be worse — could be raining.

By: Justin Wood (Callek)

Justin Wood (Callek) — Thu, 20 Mar 2008 07:06:54 +0000

Chatzilla is said to be broken because of this (the chatzilla “plugins” feature anyway)

By: Samuel Sieb

Samuel Sieb — Thu, 20 Mar 2008 06:48:09 +0000

This breaks the ability to use plugins in ChatZilla. I guess we could work around it by setting up a resource url location and forcing users to put the plugins in there, but that’s unpleasant. Also, are resource: urls cached?

By: Mark Finkle

Mark Finkle — Thu, 20 Mar 2008 00:42:44 +0000

@mkaply and @dennis: Extensions can now register their own resource: aliases. See these MDC articles:
http://developer.mozilla.org/en/docs/Chrome_Registration#resource
http://developer.mozilla.org/en/docs/Using_JavaScript_code_modules