How to sign script or webpage requiring UniversalXPConnect privilege - javascript

I have a website which uses some functionality implemented in the Firefox extension, which I developed. JavaScript script on one of my webpages requires UniversalXPConnect privilege for communicating with XPCOM component implemented in my Firefox extension.
By default, when my script tries to enable this privilege for accessing XPCOM component:
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
... the following error occurs:
Error: A script from "http://example.com" was denied UniversalXPConnect privileges.
To enable this privilege currently users need to manually edit "signed.applets.codebase_principal_support" setting in "about:config" Firefox page.
From this page: http://www.mozilla.org/projects/security/components/signed-scripts.html I learned that it is possible to explicitly sign my webpage containing script which requires this privilege. After I sign my script users will not need to manually edit above mentioned setting.
Website is hosted on Linux platform under Drupal CMS.
I would very much appreciate if you could give me detailed step-by-step instructions on how do I sign my script (what tools should I download, how to create certificate, etc.), such that after following your instructions editing about:config setting will not be necessary.

As of Firefox 16 signing the script will not likely work since support for universalXPconnect seems to have been removed and you should now use an add-on for added privileges although I don't know how. https://bugzilla.mozilla.org/show_bug.cgi?id=546848

EnablePrivilege is disabled in Firefox 15 and will be removed in Firefox 17.
check out this:
https://developer.mozilla.org/en-US/docs/Bypassing_Security_Restrictions_and_Signing_Code

Related

Why do I have a message about "mxpnl.net" always in my Google Chrome console?

VM2335:34152 POST https://cr-input.mxpnl.net/data?_channel_id=&_partner_id=39571&_sub_id=0000&_app_version=1.0.23&_app=cs-dca net::ERR_INTERNET_DISCONNECTED
From what I can find, it appears to be a behaviour and analytic tracking script most likely related to mixpanel.com. I've recently run into the same thing, and followed it back to the content.js file inside the Tampermonkey chrome extension. I'm sure there are other chrome extensions that do the same thing, but uninstalling this chrome extension made the https://cr-input.mxpnl.net request stop.
I've also heard others have solved this problem by uninstalling Hide my adBlocker, but I can't confirm this myself.
This could mean you have a malicious Chrome extension installed. I googled "cr-input mxpnl" and came across this Google Forums post. If your internet is disconnected, the extension is probably failing to connect to the website where it wants to send your data.
To be clear, this is a guess. It may be a totally legit extension. However it would definitely be worth checking what extensions are installed, removing any that you don't recognise and doing a virus scan.
Since you are using some Adblocker extension that's the reason for getting
ERR_INTERNET_DISCONNECTED from the console. In the preferences of your Adblocker, you have blocked the access to Site Analytics Tracker
Turning off or Disabling the Web Statistic Tracker options from the preferences of the installed extension came from the Tampermonkey chrome extension. That alone stops accessing analytic tracking script most likely related to mixpanel.com.
There are other options from the preferences from the extension that might not be needed
Cheap Flights Advisor
PromoBar
Aliradar
So try to disable these options and always try to block all unencrypted requests by using HTTPS Everywhere extensions so that your information might not be stolen to any third party agents.

Firefox addon inline installation from website

I am trying to work out how to best implement direct firefox-addon installation from my website. Besides simply prompting the user to install the addon, I would also want to get the result of the user action (accepts installation or cancels it).
Research on google generally points to the use of InstallTrigger.install(), which works fine except that there is no functional callback that I can use to know the result of the user's action.
Though InstallTrigger.install() does accept a callback, the callback is not fired unless the current viewing page is a whitelisted domain (e.g. AMO):
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/XPInstall/Reference/InstallTrigger_Object/Methods/install
So I am wondering:
Is there any alternative way to get the result of the addon installation, and
Does mozilla have anyway to accept a domain into their default addon installation whitelist.
Thanks a lot!
Just to get this question off the Unanswered list.
The XPInstall whitelist only contains Mozilla's sites, so Mozilla doesn't seem to have a way to accept a domain into their default addon installation whitelist.
The browser itself will not notify the untrusted web page about the results of the add-on installation. If your extension is restartless, it can notify the page it has been installed via postMessage.

Chrome Extension installation

I have chrome extension which get installed with using installer which install some process and browser extensions. As per chrome security changes stand alone installation will be blocked.Google to block local Chrome extensions
If we host extension on chrome store what are the ways we can redirect chrome from installer to install extension.
According to the Chromium Blog:
If your extensions are currently hosted outside the Chrome Web Store you should migrate them as soon as possible. There will be no impact to your users, who will still be able to use your extension as if nothing changed. You could keep the extensions hidden from the Web Store listings if you like. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature.
So, basically, what you need to do is:
Host your extension on the Chrome Web Store (optionaly keeping it hidden from the listings).
Have your installer open a Chrome browser window pointing to a webpage on your site.
On that page have all necessary info and data for the user to initiate the extention's installation process. (The key concept here is that the user has to initiate the installation process, e.g. by clicking a button.
How does inline installation work:
The HTML page on your site from which you want inline installation to occur must contain one or more tags in the section referencing the items that the user can install. Each tag must have the following format:
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/itemID">
To actually begin inline installation, the chrome.webstore.install(url, successCallback, failureCallback) function must be called. This function can only be called in response to a user gesture, for example within a click event handler; an exception will be thrown if it is not.
(emphasis mine)
More info on the inline installs feature.

Unable to allow IE10 to run scripts

My IE10 has stopped execution of JavaScript for pages stored locally, infact it does not asks for permission to allow their execution.
I have Windows 8 x64 with IE 10 installed. A few days back whenever I used to open a file which used JavaScript IE10 used to display a message "IE restricted this webpage from running scripts or activex controls" with a button to allow blocked content.
Now, this dialog doesn't appear at all and I'm unable to test JavaScript programs in my local machine using IE. (On websites like gmail etc JS simply works).
I have tried changing security setting inside internet options to lowest but no use.
P.S.: On repeatedly clicking reload on realized that permission to allow blocked context dialog appears for fraction of a second and disappears.
I solved the issue by installing a cumulative security update for IE10 Windows 8 x64 from
this link
Don't know why this is related with the issue, but my friend suggested me try to update IE, and on googling I found this update.
I posted it here because when I searched internet for the solution, I was not able to find any case of this type.

UniversalXPConnect permission error in firefox 17

I have a small web JS, that copy and inserts some form data to and from the iframe.
But it doesn't work in Firefox 17. I'm using this code:
"netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");"
What could be wrong? Is there any workaround?
It was removed from running on the web with Firefox 17
https://developer.mozilla.org/en-US/docs/Bypassing_Security_Restrictions_and_Signing_Code
Early versions of Firefox allowed web sites to segregate principals
using signed scripts, and request extra permissions for scopes within
signed scripts using a function called enablePrivelege. These feature
was not used much (aside from abuse), and its complexity made
performance improvements difficult. Signed script segregation was
removed in bug 726125, the enablePrivilege prompt was removed in bug
750859, and enablePrivilege itself was nerfed in bug 757046.
EnablePrivilege is disabled in Firefox 15 and will be removed in
Firefox 17.
Sites that require additional permissions should now ask Firefox users
to install an extension, which can interact with non-privileged pages
if needed.
And a discussion on making an extension: http://support.mozilla.org/en-US/questions/936845

Categories