[Jslib] Remote XUL, JSlib, and Security Annoyances....

Micah Quinn mquinn at quinnteam.com
Fri Mar 5 12:13:18 EST 2004


Hi Pete,

Thanks for the tips.  I started building the thin local XUL app as you suggested and it's opened the doors again.  It will take me a while to get everything converted to local XUL, 
but I wanted to give you a quick thank you.

I'll keep everyone up to date as I progress.

Thanks again!

Pete Collins wrote:
> Micah Quinn wrote:
> 
>> Ughhh,
>>
>> For 6 months now I've been working on an application that I had hoped 
>> would prove XUL/Mozilla was a good platform to develop a new CRM 
>> (Customer Relationship Management) system.  But alas, I'm running into 
>> issue, after issue, after issue. (I know this is the jslib mailing 
>> list, but one of my major hang-ups happens to be loading JSlib from a 
>> remote XUL application.)
> 
> 
> We feel your pain.
> 
>>
>> First let me start by explaining what I had intended to do.  Perhaps 
>> there is a fundemental error in my planning.  I have a set of PHP 
>> scripts that run on a remote web server.  These scripts generate, most 
>> nicely, the XUL code that displays a wonderful UI for my CRM.
>>
>> The scritps also generate RDF (from a PostgreSQL DB) that is sent to 
>> Mozilla for use in tree displays, menus, etc.  For example, one screen 
>> displays in a fairly efficient manner over 2500 contacts.  Double 
>> clicking on contacts brings up their details, right mouse clicking 
>> allows me to e-mail them, make a new oppurtunity, record a meeting, 
>> etc.  Getting this simple interaction to work using remote XUL 
>> requires that I, by hand, modify my prefs.js in my profile and add the 
>> following line:
>>
>>    user_pref("signed.applets.codebase_principal_support", true);
>>
>> OK, we've already hit a snag that is almost unacceptable for a web 
>> deployed application.  That aside, I also have to request elevated 
>> security access within the application:
>>
>> // Request privilege
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalDialogModality"); 
>>
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite"); 
>>
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); 
>>
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess"); 
>>
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
>> netscape.security.PrivilegeManager.enablePrivilege("UniversalTopLevelWindow"); 
>>
>>
>> Somewhere between 1.5 and 1.6 of Mozilla this got even worse.  Now for 
>> each call of elevated security level,every time, on every item in a 
>> tree I get a new request to elevate the security level.  The "remember 
>> this decision" is much more grainular now. (Yes folks, that means 6 
>> clicks of "Yes it's ok to allow access..." every time I double click 
>> on the contact details.)
> 
> 
> 
> These prefs can and should be set by a thin client install layer for 
> your app.
> 
>>
>> And now my latest issue appears to be that jslib will load only if the 
>> requesting XUL file is locally installed.  In other words, if my php 
>> script makes reference to the following:
>>
>> <DEFANGED_script type="application/x-javascript" 
>> src="chrome://content/jslib/jslib.js" />
>>
>> It does not appear to load.  I'm assuming this because my attemp to 
>> call "include(jslib_file);" fails with "include is not defined".
>>
>> JSlib is installed and works fine when called locally.  I've in fact 
>> been able to call the example programs without issue.
>>
>> --------------------------------
>> So, Here are the questions.  Any answers (partial credit given) would 
>> be MOST appreciated:
>>
>> 1.  How do I properly write a remote XUL application using PHP that 
>> has access to all the wonderful, tempting things elluded to in the 
>> XPConnect framework?  Things like in memory RDF.  (Please don't tell 
>> me to sign my application unless you know how to sign a PHP script.  
>> Short answer: you don't sign dynamic PHP/CGI scripts.  Not that I know 
>> of at least.)
> 
> 
> 
> I remember hearing way back when that if you use https/SSL it may help 
> in this case.  I wrote one of the first remote xul apps about 4 years 
> ago. Since then, I haven't played much w/ remote xul apps so I am a bit 
> out of touch w/ the specific magic required to get you going.
> 
>>
>> 2.  How do I get jslib to load properly and be available for use with 
>> a remote XUL application?  Remember that I've loaded JSlib locally, 
>> tested it, but Mozilla will not allow me to use it.
> 
> 
> Do these prefs still work?
> 
> user_pref("capability.principal.codebase.package_name.id", 
> "http://www.mysite.com");
> user_pref("capability.principal.codebase.package_name.granted", 
> "UniversalXPConnect");
> 
> eg:
> 
> If I wanted to run my remote app [foo] from foo.mozdev.org
> 
> user_pref("capability.principal.codebase.foo.id", "http://foo.mozdev.org");
> user_pref("capability.principal.codebase.foo.granted", 
> "UniversalXPConnect");
> 
> Take a look at mozcalc (warning: old stuff):
> 
>  http://mozcalc.mozdev.org/NS6.1/online/
> 
>>
>> 3.  Does anyone know of a document (in clear plain english) that shows 
>> how the Mozilla security system works and how to use it?  I need to be 
>> able to answer question like "I need to build in memory RDF 
>> structures.  How to I request that security from the user?".  Is there 
>> a way to ask for carte blanche, all encompassing, god mode?
> 
> 
> The above pref (if still valid these days) may give you god mode.
> 
>>
>> Let me also say thanks to the developers of jslib.  It's nice to know 
>> that I won't, if I continue with XUL, have to write so many pieces 
>> from scratch.
>>
>>
> We try. Glad that you are using jslib.
> 
> Please let us know how you make out. Also, if you are successful, 
> perhaps you can document it for us and save some pain for others.  :)
> 
> Regards
> 
> --pete
> 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Quinn Team Incorporated
   Micah T. Quinn - President
     (Voice) 281.465.4311
     (Fax)   281.465.4434
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


More information about the Jslib mailing list