Open windows/dialogs with remote urls and without chrome privileges

My add-on was rejected by the Firefox add-ons gallery reviewer because I used the window utils API to open a modal dialog with a remote URL.
Ref URL : https://developer.mozilla.org/en-US/Add-ons/SDK/Low-Level_APIs/window_utils

Is there any alternative to the code below?
Or which API should I use to implement this functionality so that it will not get rejected by the Firefox add-ons gallery?

```javascript
// Feature string for the dialog: chrome, modal, centered, with explicit size and position.
var features = "chrome=yes,dialog=yes,modal=yes,centerscreen=yes,directories=no,width=" + width + ",height=" + height + ",left=" + left + ",top=" + top;
var popupDialogWindow = window.openDialog(url, "_blank", features);
```

Thanks in Advance

Would window.open() work for you?

I am using the function below, so will you please verify this and let me know your suggestions.

```javascript
var { Cc, Ci } = require("chrome");
var { viewFor } = require("sdk/view/core");
var windows = require("sdk/windows").browserWindows;
// Window mediator service, used to look up the most recent browser window.
var windowMediator = Cc["@mozilla.org/appshell/window-mediator;1"]
    .getService(Ci.nsIWindowMediator);

windows.open({
  url: url,
  chrome: true,
  dialog: true,
  modal: true,
  centerscreen: true,
  directories: false,
  onOpen: function(browserWindow) {
    popupDialogWindow = viewFor(browserWindow);
    popupDialogWindow.focus();
    var mostRecentWin = windowMediator.getMostRecentWindow("navigator:browser");
    var winDocument = mostRecentWin.document;
    // Hide the browser toolbars in the new window.
    winDocument.getElementById("menubar-items").style.display = "none";
    winDocument.getElementById("tabbrowser-tabs").style.display = "none";
    winDocument.getElementById("nav-bar").style.display = "none";
    winDocument.getElementById("PersonalToolbar").style.display = "none";
    winDocument.getElementById("addon-bar").style.display = "none";

    popupDialogWindow.outerWidth = width;
    popupDialogWindow.outerHeight = height;
    popupDialogWindow.moveTo(left, top);
  }
});
```

The security issue is not with what toolbars, etc. are included on the window, but the simple fact that it will have full privileges to do anything, such as deleting the entire file system or reading your passwords. The remote url might include anything, or could even be intercepted and give an attacker control of your machine.

What are you loading in this window? HTML? XUL? If it is html then load it in a browser window and no security problems. If it is XUL, essentially a remote dialog, then at a minimum it will need to be accessed from a secure URL. I imagine the reviewers would also want some indication on what that XUL might look like, since it effectively forms part of the addon.

I am loading a simple remote HTML page in a new window.
I have referred to the Add-on API for the same.
Please help me, I am stuck there and have not been able to add my add-on to the gallery for the last 2 months.

Please let me know suggestions?

I really don’t understand why there is a problem with this code.

```javascript
var features = "chrome=yes,dialog=yes,modal=yes,centerscreen=yes,directories=no,width=" + width + ",height=" + height + ",left=" + left + ",top=" + top;
var popupDialogWindow = window.openDialog(url, "_blank", features);
```

Why is this included in the API then?
https://developer.mozilla.org/en-US/Add-ons/SDK/Low-Level_APIs/window_utils.
If this is not included in the API then I have tried to find the alternatives for the same?
And that is not possible right now because I am running out of time.

Which API got rejected? You mention two different APIs for opening a window. They might look much alike but are actually very different.

The high level API “sdk/windows” is for opening browser windows. It should be safe to pass any URL to this and I’d have thought it should pass review. That is the point of the API, to open browser windows with web pages in them.

The low level API “sdk/window/utils” also has an open function. It is not safe for remote URLs. It is for opening local content such as a preferences dialog. It would normally be passed an XUL file from a chrome:// address, probably a file bundled in the addon. I don’t use the SDK, but I didn’t think it was even possible to load an http:// address this way. openDialog() is the same thing, but allows some different options to control the behaviour of the window. Definitely wouldn’t pass review if a remote URL was passed.

Incidentally, it is possible to open a window this way and load a web page into it, but you would do that in two steps: open the window and then call a function such as loadURI() to load the web page safely as content. The url which is loaded into such windows is “chrome://browser/content/browser.xul”, and this is a default value so if you pass a blank string you get a browser window. You should also be able to pass in certain special addresses such as “about:blank” to control how the browser window starts out.

So possibly your only problem first time around was using the low level API instead of the high level API, if I’m reading your timeline correctly?
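The routing rule this answer describes, as an added example that is not part of the thread and not SDK code: bundled add-on URLs may go to a privileged opener, anything else is loaded as content in a browser window. The `openers` callbacks, the `myaddon` package name and the sample URLs are assumptions; the script runs in plain Node.js.

```javascript
// Added example: runs in plain Node.js, no SDK needed.
// Schemes whose documents ship with the add-on or with Firefox itself.
const LOCAL_SCHEMES = new Set(["chrome:", "resource:"]);

// "local"  : bundled content, acceptable in a privileged window
// "remote" : everything else (http, https, data, ...), content only
// "invalid": relative or malformed, refused rather than guessed at
function classifyUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return "invalid";
  }
  if (parsed.href === "about:blank") return "local";
  return LOCAL_SCHEMES.has(parsed.protocol) ? "local" : "remote";
}

// `openers` is a hypothetical pair of callbacks supplied by the add-on:
//   privileged(url, features): would wrap window.openDialog
//   content(url): would wrap require("sdk/windows").browserWindows.open
function openWindowFor(url, features, openers) {
  const kind = classifyUrl(url);
  if (kind === "invalid") {
    throw new Error("refusing to open unparseable URL: " + url);
  }
  if (kind === "local") {
    return { via: "privileged", result: openers.privileged(url, features) };
  }
  // The feature string is deliberately ignored here: per the thread, the
  // chrome feature does not change the privileges of the new window.
  return { via: "content", result: openers.content(url) };
}

// Constructed sample URLs and stand-in openers that only record the route.
const SAMPLES = [
  "chrome://myaddon/content/options.xul",
  "about:blank",
  "https://example.com/login.html",
  "data:text/html,<h1>hi</h1>",
];
const fakeOpeners = {
  privileged: (url, features) => "dialog:" + url,
  content: (url) => "browser-window:" + url,
};
function runSamples() {
  return SAMPLES.map((u) => openWindowFor(u, "chrome=no,modal=yes", fakeOpeners).via);
}
console.log(runSamples());
```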

Thanks for your valuable feedback
So what if I use openDialog() to load a local URL (a local HTML page present within the extension)?
The local HTML page may have an iframe.
And then call a function such as loadURI() to load the remote web page in the newly opened window.
So I am going to use the local HTML page’s iframe element to load the remote URL by using the openDialog() function.

Please let me know if this is correct way to get the review passed?

Let me put in my two cents: maybe in this case it will be enough to just use “chrome: false” to satisfy all safety requirements?

Although setting the chrome feature requires full privileges, it does not affect the privileges of the new window. What it does control is whether all the features you would normally expect on a browser window are present. These include context menus, keyboard shortcuts, toolbars, etc., although it will have scrollbars (even if scrollbars=no!). The old old preferences dialog window is an example of a chrome window. It has full privileges, but none of the features you’d expect in a browser window.

Another problem is window.opener() although I would expect the same-origin-policy to kick in.

@TheOne please let me know which API I should use to open the remote URLs?

OR

What if I use the sample code below?
I am using the function below, so will you please verify this and let me know your suggestions.

```javascript
var { Cc, Ci } = require("chrome");
var { viewFor } = require("sdk/view/core");
var windows = require("sdk/windows").browserWindows;
// Window mediator service, used to look up the most recent browser window.
var windowMediator = Cc["@mozilla.org/appshell/window-mediator;1"]
    .getService(Ci.nsIWindowMediator);

windows.open({
  url: url,
  chrome: true,
  dialog: true,
  modal: true,
  centerscreen: true,
  directories: false,
  onOpen: function(browserWindow) {
    popupDialogWindow = viewFor(browserWindow);
    popupDialogWindow.focus();
    var mostRecentWin = windowMediator.getMostRecentWindow("navigator:browser");
    var winDocument = mostRecentWin.document;
    // Hide the browser toolbars in the new window.
    winDocument.getElementById("menubar-items").style.display = "none";
    winDocument.getElementById("tabbrowser-tabs").style.display = "none";
    winDocument.getElementById("nav-bar").style.display = "none";
    winDocument.getElementById("PersonalToolbar").style.display = "none";
    winDocument.getElementById("addon-bar").style.display = "none";

    popupDialogWindow.outerWidth = width;
    popupDialogWindow.outerHeight = height;
    popupDialogWindow.moveTo(left, top);
  }
});
```

OR

What if I use openDialog() to load a local URL (a local HTML page present within the extension)?
The local HTML page may have an iframe.
And then call a function such as loadURI() to load the remote web page in the newly opened window.
So I am going to use the local HTML page’s iframe element to load the remote URL by using the openDialog() function.

Please let me know if this is correct way to get the review passed?

Please help me ASAP.

I think using the high level “sdk/windows” code should be fine. Do you really want to remove all the toolbars, or is that just trying to satisfy the reviewers? Have you tested it? Does it really meet your requirements? Seems like you’re looking for some kind of modal dialog, but I don’t think that’s what you’ll get.

Your second solution seems like a no-no. Opening HTML raw in a dialog window isn’t generally a good idea. I’m not sure it will work at all from the SDK. Have you tried it?

Yes, you’re right, I am looking for some kind of modal dialog.
I really want to remove all the toolbars.
Yes, I have tested it and it’s working fine except there is an issue with the dialog size.

Is it possible to create the modal dialog using the Add-on SDK?

Thanks for your valuable time…

Should I go with the high level “sdk/windows” API and hide all the toolbars?
Please let me know if this is the correct way to get the review passed or not?