[Jsprintsetup] Security Idea

Guillaume Crico guillaume.crico at gmail.com
Sat Feb 12 15:59:49 PST 2011


Hi Dimitar,

I am honored by your enthusiasm for my suggestion!
I did not have the time to test and read the "last version" of the 
extension you sent. Sorry.

 > 1. I don't know how permission manager treat local uri-s?
I think (needs verification) that it's all domain based (eg. "uri.host").
So you pointed an issue!
https://bugzilla.mozilla.org/show_bug.cgi?id=204285

 > 2. Is it possible for manage permissions from FF permissions manager. Tools|Page Info|Permissions.
I did not think about it... It's a "must have"! (I hope it's easy)
Did you notice that local uri-s do not have any "permissions tab" in 
"page info"?

 > 3. Are there any other tool to view and manage permissions to use for debugging.
Permissions are stored in "permissions.sqlite", in the user profile 
directory.
You can use your favorite sqlite GUI [*], or even a sqlite cli executable.
[*] https://addons.mozilla.org/fr/firefox/addon/sqlite-manager/


Regards,
Guillaume Crico

On 12/02/2011 13:55, Dimitar Angelov wrote:
 > Hi Guillaume,
 >
 > I want to add some thoughts to discuss after reading about nsIPermissionManager.
 >
 > From brief documentation and after looking at source code I have some conclusions (Please correct me if is wrong).
 > 1. Permission manager is global (for FF) storage for permissions for all components in FF.
 > 2. Permissions are on host level basis and permission type.
 > If different components in FF have different type of permissions over host they must use different "type" to distinguish.
 > For example popup manager uses
 > PermissionManager.add('http://host.tld/some/path/script.php', 'Open Popup Windows', ALLOW_ACTION, EXPIRE_SESSION);
 > to allow popups from site host.tld for the session.
 > If jsPrintSetup want to use permission manager to add permission will be
 > PermissionManager.add('http://host.tld/some/path/script.php', 'jsPrintSetupAccess', ALLOW_ACTION, EXPIRE_NEVER);
 > which means that for host.tld is allowed access to jsPrintSetup for this session.
 > 3. Checking of permission is made by calling testPermission or testExactPermission for URI/permission type.
 > 4. If jsPrintSetup want to get list of current permissions (permission types specific for jsPrintSetup) there must be enumerated all permissions from permission manager and filter these for jsPrintSetup.
 > This must be used in jsPrintSetup options dialog.
 > 5. For removing host/permission type from permission manager must be used method remove(host, permission type). Where permission types are only permission types for jsPrintSetup.
 > removeAll is not applicable from this context.
 >
 > If we assume to use only one permission type for jsPrintSetup, for example "jsPrintSetup Print Management" the solution will be simple.
 >
 > I missed following to the moment:
 > 1. I don't know how permission manager treat local uri-s?
 > 2. Is it possible for manage permissions from FF permissions manager. Tools|Page Info|Permissions.
 > 3. Are there any other tool to view and manage permissions to use for debugging.
 >
 > If my concerns are correct I can implement this.
 >
 > Regards,
 >
 > Dimitar Angelov
 > _______________________________________________
 > Jsprintsetup mailing list
 > Jsprintsetup at mozdev.org
 > https://www.mozdev.org/mailman/listinfo/jsprintsetup
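
An added example (not from the thread and not jsPrintSetup code) of the inspection described in the reply to question 3, combined with the per-type filtering from point 4 of the quoted message: it opens a `permissions.sqlite` read-only and lists the entries of one permission type. The `moz_hosts` table layout, the sample rows and all helper names are assumptions; `jsPrintSetupAccess` is the type string proposed in the quoted message.

```python
import sqlite3
from pathlib import Path

# Numeric values of the nsIPermissionManager action and expiry constants.
ACTIONS = {0: "UNKNOWN_ACTION", 1: "ALLOW_ACTION", 2: "DENY_ACTION"}
EXPIRES = {0: "EXPIRE_NEVER", 1: "EXPIRE_SESSION", 2: "EXPIRE_TIME"}

# Assumed table layout; check a real profile with ".schema" before relying on it.
SCHEMA = ("CREATE TABLE moz_hosts (id INTEGER PRIMARY KEY, host TEXT, type TEXT, "
          "permission INTEGER, expireType INTEGER, expireTime INTEGER)")

def open_profile_db(path):
    """Open a real permissions.sqlite read-only so the audit cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def build_sample_db():
    """Constructed rows standing in for a profile's permissions.sqlite."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO moz_hosts (host, type, permission, expireType, expireTime) "
        "VALUES (?, ?, ?, ?, ?)",
        [("host.tld", "popup", 1, 0, 0),
         ("host.tld", "jsPrintSetupAccess", 1, 0, 0),
         ("intranet.example", "jsPrintSetupAccess", 2, 0, 0),
         ("printer.example", "jsPrintSetupAccess", 1, 2, 1300000000000)])
    return db

def list_permissions(db, perm_type):
    """Return only the entries of one permission type, decoded for reading."""
    rows = db.execute(
        "SELECT host, permission, expireType, expireTime FROM moz_hosts "
        "WHERE type = ? ORDER BY host", (perm_type,))
    return [{"host": h, "action": ACTIONS.get(p, str(p)),
             "expires": EXPIRES.get(et, str(et)), "expireTime": t}
            for h, p, et, t in rows]

def standing_grants(entries):
    """Hosts holding a persistent ALLOW, the grants most worth reviewing."""
    return [e["host"] for e in entries
            if e["action"] == "ALLOW_ACTION" and e["expires"] == "EXPIRE_NEVER"]

if __name__ == "__main__":
    entries = list_permissions(build_sample_db(), "jsPrintSetupAccess")
    for entry in entries:
        print(entry)
    print("standing grants:", standing_grants(entries))
```

To audit a real profile, pass the result of `open_profile_db()` (with the path to a copy of the profile's `permissions.sqlite`) to `list_permissions()` in place of the sample database.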


