tree view issue in FF 1.5.0.4

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

tree view issue in FF 1.5.0.4

Laurent Jouanneau
Hello

I just discovered the fix of  a security issue with custom tree views in
a remote xul page. ( https://bugzilla.mozilla.org/show_bug.cgi?id=326501 
and
http://lxr.mozilla.org/mozilla1.8.0/source/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp#193 
).

I don't know exactly what is this security issue, but this fix causes an
other  *big* issue : it will break *many* web application !

So, are you working on a *real* solution on this ? a *real* solution
means, a solution which permit us to use a custom tree view in a remote
app.

thanks

Laurent
_______________________________________________
dev-tech-layout mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-layout
Reply | Threaded
Open this post in threaded view
|

Re: tree view issue in FF 1.5.0.4

Boris Zbarsky
Laurent Jouanneau wrote:
> I don't know exactly what is this security issue, but this fix causes an
> other  *big* issue : it will break *many* web application !

Yes, we know.  This was deemed the lesser of two evils....

> So, are you working on a *real* solution on this ? a *real* solution
> means, a solution which permit us to use a custom tree view in a remote
> app.

There is some discussion in bug 326501 about a way to do this; see comment 11
for the summary.  I'm not sure whether anyone is working on this, offhand... :(
  It's worth filing a bug to track work on it and request blocking of Gecko
1.8.1 and 1.9a2 or something.

Note that if your app has the UniversalBrowserWrite capability, we will allow
you to set a custom view right now. That might be ok as a workaround in some
cases....

-Boris
_______________________________________________
dev-tech-layout mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-layout
Reply | Threaded
Open this post in threaded view
|

Re: tree view issue in FF 1.5.0.4

Laurent Jouanneau-3
Boris Zbarsky wrote:

> Laurent Jouanneau wrote:
>> I don't know exactly what is this security issue, but this fix causes
>> an other  *big* issue : it will break *many* web application !
>
> Yes, we know.  This was deemed the lesser of two evils....
>
>> So, are you working on a *real* solution on this ? a *real* solution
>> means, a solution which permit us to use a custom tree view in a
>> remote app.
>
> There is some discussion in bug 326501 about a way to do this; see
> comment 11 for the summary.  I'm not sure whether anyone is working on
> this, offhand... :(  It's worth filing a bug to track work on it and
> request blocking of Gecko 1.8.1 and 1.9a2 or something.

Ok

(sorry, i cannot read the comment, i'm not allowed to access to the bug
;-) )

>
> Note that if your app has the UniversalBrowserWrite capability, we will
> allow you to set a custom view right now. That might be ok as a
> workaround in some cases....

Yes,i know. But you cannot ask to the user to change the pref
signed.applets.codebase_principal_support in his config ("type
about:config, search "signed.." bla bla), and then ask him his agreement
for the "UniversalBrowserWrite" capability etc.. It's too complex and
too restricting for a "normal" user...


Thanks

Laurent.
_______________________________________________
dev-tech-layout mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-layout
Reply | Threaded
Open this post in threaded view
|

Re: tree view issue in FF 1.5.0.4

Boris Zbarsky
Laurent Jouanneau wrote:
> (sorry, i cannot read the comment, i'm not allowed to access to the bug
> ;-) )

Shouldn't stop you from filing a bug, though, right?

> Yes,i know. But you cannot ask to the user to change the pref
> signed.applets.codebase_principal_support in his config

You don't have to if your code is in a signed jar, do you?

-Boris
_______________________________________________
dev-tech-layout mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-layout