I have a page in my extension loaded from my own protocol handler. This page 
loads script both from the local disk (using the same protocol handler) and 
remote script loaded via HTTPS. When I try to access properties on objects 
instantiated in the remote script from my local script, I get "permission 
denied" errors.

I assume that I need either to subsume the principal of the remote site in my 
principal or relax the content security policy (similar to what can be done 
with the HTTP Content-Security-Policy header). Is there some way to do either 
of these programmatically with my own protocol handler? Something like 
nsIExpandedPrincipal looks perfect but it doesn't seem to be usable from 
JavaScript.

I thought I could maybe set the nsIChannelPolicy on my channel a la 
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPService.cpp#302
but it doesn't seem to be using my CSP at all when I do that (no debug calls 
to shouldLoad() and company). And I'm not sure the CSP is what controls access 
to object properties in cross-origin scripts anyway (certainly the script is 
successfully loading so shouldLoad() is presumably not the culprit).

So my questions are:
1) Is the CSP what determines whether a script can access properties in another 
script from a different origin?
2) If so, is there some way to set the CSP for a channel in a way that will be 
actually picked up and used?
3) If not, do I need a special principal for my channel?
4) If so, is there some way to do this in JS? I see a lot of [noscript] methods.

Matt
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
