[Jslib] Remote XUL, JSlib, and Security Annoyances....

Pete Collins pete at mozdevgroup.com
Thu Mar 4 17:56:41 EST 2004

Micah Quinn wrote:

> Ughhh,
> For 6 months now I've been working on an application that I had hoped 
> would prove XUL/Mozilla was a good platform to develop a new CRM 
> (Customer Relationship Management) system.  But alas, I'm running into 
> issue, after issue, after issue. (I know this is the jslib mailing 
> list, but one of my major hang-ups happens to be loading JSlib from a 
> remote XUL application.)

We feel your pain.

> First let me start by explaining what I had intended to do.  Perhaps 
> there is a fundamental error in my planning.  I have a set of PHP 
> scripts that run on a remote web server.  These scripts generate, most 
> nicely, the XUL code that displays a wonderful UI for my CRM.
> The scripts also generate RDF (from a PostgreSQL DB) that is sent to 
> Mozilla for use in tree displays, menus, etc.  For example, one screen 
> displays in a fairly efficient manner over 2500 contacts.  Double 
> clicking on contacts brings up their details, right mouse clicking 
> allows me to e-mail them, make a new opportunity, record a meeting, 
> etc.  Getting this simple interaction to work using remote XUL 
> requires that I, by hand, modify my prefs.js in my profile and add the 
> following line:
>    user_pref("signed.applets.codebase_principal_support", true);
> OK, we've already hit a snag that is almost unacceptable for a web 
> deployed application.  That aside, I also have to request elevated 
> security access within the application:
> // Request privilege
> netscape.security.PrivilegeManager.enablePrivilege("UniversalDialogModality"); 
> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite"); 
> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); 
> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess"); 
> netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> netscape.security.PrivilegeManager.enablePrivilege("UniversalTopLevelWindow"); 
> Somewhere between 1.5 and 1.6 of Mozilla this got even worse.  Now for 
> each call of elevated security level, every time, on every item in a 
> tree I get a new request to elevate the security level.  The "remember 
> this decision" is much more granular now. (Yes folks, that means 6 
> clicks of "Yes it's ok to allow access..." every time I double click 
> on the contact details.)

These prefs can and should be set by a thin client install layer for 
your app.

> And now my latest issue appears to be that jslib will load only if the 
> requesting XUL file is locally installed.  In other words, if my php 
> script makes reference to the following:
> <script type="application/x-javascript" 
> src="chrome://content/jslib/jslib.js" />
> It does not appear to load.  I'm assuming this because my attempt to 
> call "include(jslib_file);" fails with "include is not defined".
> JSlib is installed and works fine when called locally.  I've in fact 
> been able to call the example programs without issue.
> --------------------------------
> So, Here are the questions.  Any answers (partial credit given) would 
> be MOST appreciated:
> 1.  How do I properly write a remote XUL application using PHP that 
> has access to all the wonderful, tempting things alluded to in the 
> XPConnect framework?  Things like in memory RDF.  (Please don't tell 
> me to sign my application unless you know how to sign a PHP script.  
> Short answer: you don't sign dynamic PHP/CGI scripts.  Not that I know 
> of at least.)

I remember hearing way back when that if you use https/SSL it may help 
in this case.  I wrote one of the first remote xul apps about 4 years 
ago. Since then, I haven't played much w/ remote xul apps so I am a bit 
out of touch w/ the specific magic required to get you going.

> 2.  How do I get jslib to load properly and be available for use with 
> a remote XUL application?  Remember that I've loaded JSlib locally, 
> tested it, but Mozilla will not allow me to use it.

Do these prefs still work?



If I wanted to run my remote app [foo] from foo.mozdev.org

user_pref("capability.principal.codebase.foo.id", "http://foo.mozdev.org");

Take a look at mozcalc (warning: old stuff):


> 3.  Does anyone know of a document (in clear plain English) that shows 
> how the Mozilla security system works and how to use it?  I need to be 
> able to answer questions like "I need to build in memory RDF 
> structures.  How do I request that security from the user?".  Is there 
> a way to ask for carte blanche, all encompassing, god mode?

The above pref (if still valid these days) may give you god mode.

> Let me also say thanks to the developers of jslib.  It's nice to know 
> that I won't, if I continue with XUL, have to write so many pieces 
> from scratch.

We try. Glad that you are using jslib.

Please let us know how you make out. Also, if you are successful, 
perhaps you can document it for us and save some pain for others.  :)



Pete Collins
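
Added example, not part of the original message or of jslib: a Node.js audit of a profile's prefs.js for the two privilege-related prefs named in this thread, so an administrator can see which remote origins a profile has been configured to trust. The sample prefs text, the `.granted` line, the bar.example and old.example hosts and the severity labels are constructed assumptions.

```javascript
// Added example: audit a Mozilla prefs.js for privilege-granting prefs.
// SAMPLE_PREFS is constructed; only the foo.mozdev.org entry mirrors the message.
const SAMPLE_PREFS = `
# Mozilla User Preferences
// user_pref("capability.principal.codebase.old.id", "http://old.example");
user_pref("browser.startup.homepage", "about:blank");
user_pref("signed.applets.codebase_principal_support", true);
user_pref("capability.principal.codebase.foo.id", "http://foo.mozdev.org");
user_pref("capability.principal.codebase.foo.granted", "UniversalXPConnect");
user_pref("capability.principal.codebase.bar.id", "https://bar.example");
`;

// Parse user_pref("name", value); lines; comment lines never match the pattern.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try { prefs.set(m[1], JSON.parse(m[2])); } catch (e) { /* skip unparsable value */ }
  }
  return prefs;
}

// Return one finding per risky setting: the global switch, then each stored principal.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  const gate = "signed.applets.codebase_principal_support";
  if (prefs.get(gate) === true) {
    findings.push({ severity: "high", pref: gate,
      note: "unsigned remote script can call enablePrivilege()" });
  }
  const principals = new Map();
  for (const [name, value] of prefs) {
    const m = /^capability\.principal\.codebase\.([^.]+)\.([^.]+)$/.exec(name);
    if (!m) continue;
    principals.set(m[1], { ...principals.get(m[1]), [m[2]]: value });
  }
  for (const [label, entry] of principals) {
    const origin = String(entry.id || "(no id)");
    const cleartext = /^http:\/\//i.test(origin);
    findings.push({ severity: cleartext ? "high" : "medium", origin,
      pref: `capability.principal.codebase.${label}`,
      note: cleartext ? "privileged origin served over cleartext HTTP"
                      : "origin has a stored codebase principal" });
  }
  return findings;
}

console.log(auditPrefs(SAMPLE_PREFS));
```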
