> When I try to save [from Firefox], I get this message:
>
> A script from "file://" is requesting enhanced abilities
> that are UNSAFE and could be used to compromise
> your machine or data
> Allow or Deny
>
> But what exactly is it doing? Am I opening up any kind of security
> hole by allowing this? Is there a way I can view the setting in
> Firefox that is being changed?

It is asking for permission to READ the existing TW document file from
your local hard drive, so it can then insert the changed tiddlers from
the currently loaded document into that file content, and then WRITE
that file content back to your hard drive... In other words: it's
saving the changes in your document!!!

So... why does this create a warning? Because, underneath the hood,
TiddlyWiki is still just a web page, and ALL web pages running in your
browser MUST ask for permission before accessing your local hard
drive. That's just basic, common-sense security. You don't want
random web sites that you visit to start reading/writing your locally-
stored files!

However, while TiddlyWiki is a web page, and CAN be opened from a
*remotely-hosted* document (i.e., an "http" URL), it is mostly
designed to be opened and used as a *locally-stored file* (i.e., a "file"
URL), and NEEDS to be granted permission to access the local hard
drive in order for some key TW core functions (such as saving changes)
to work properly.

Unfortunately, even though one could presume that "file://" is, by
definition, a "trusted source" -- after all, it is YOUR drive, and YOU
opened the TW document in the first place -- the browser still asks
for permission to access the local hard drive from that locally-loaded
document.

I suggest that, once you are comfortable with the idea, you simply
"Allow" the file:// access and also [x] "remember this decision", so
you aren't nagged to death with security warnings.

Fortunately, the browser treats "file://" as a separate domain from
all other remote domains, so granting permissions to locally-stored
documents won't create any security holes when accessing remote web
sites.

To find the internal Firefox setting:

1) Look for "prefs.js", a file that is automatically written by
Firefox to store your current browser settings. Under Windows, this
is generally located at:
-----
C:\Documents and Settings\Your Name\Application Data\Mozilla\Firefox\Profiles\abcdef12345.default\prefs.js
-----
2) Open that file with a plain text editor (make sure Firefox is NOT
running at the time!), and find these two lines (or similar):
-----
user_pref("capability.principal.codebase.p0.granted", "UniversalXPConnect UniversalBrowserRead");
user_pref("capability.principal.codebase.p0.id", "file://");
-----
3) Delete those lines to restore Firefox's default "ask for
permission" state for the "file://" domain.

HTH,
-e
Eric Shulman
TiddlyTools / ELS Design Studios
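
Steps 1 to 3 above as a script, added here as an example and not part of the original post: it lists every `capability.principal.codebase` grant found in prefs.js text and returns the text with the grants for one origin removed. The function names, the `p1` entry and the `browser.startup.page` line in the sample are assumptions made for the illustration.

```python
import re

# One prefs.js line holding a string value: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')
# capability.principal.codebase.<slot>.<field>, e.g. slot "p0", field "granted"
CAP_RE = re.compile(r'^capability\.principal\.codebase\.([^.]+)\.(.+)$')

def _cap(line):
    """Return (slot, field, value) if line is a codebase principal pref, else None."""
    m = PREF_RE.match(line)
    cap = CAP_RE.match(m.group(1)) if m else None
    return (cap.group(1), cap.group(2), m.group(2)) if cap else None

def find_grants(prefs_text):
    """Group principal entries by slot: {slot: {field: value}}."""
    grants = {}
    for line in prefs_text.splitlines():
        hit = _cap(line)
        if hit:
            slot, field, value = hit
            grants.setdefault(slot, {})[field] = value
    return grants

def revoke(prefs_text, origin):
    """Drop every line of each slot whose id equals origin; keep all other lines."""
    slots = {s for s, f in find_grants(prefs_text).items() if f.get("id") == origin}
    return "".join(line for line in prefs_text.splitlines(keepends=True)
                   if not (_cap(line) and _cap(line)[0] in slots))

# Constructed sample: the p0 lines are the ones quoted in the post; the p1 entry
# and browser.startup.page are invented here to show what is left untouched.
SAMPLE = '''user_pref("browser.startup.page", 3);
user_pref("capability.principal.codebase.p0.granted", "UniversalXPConnect UniversalBrowserRead");
user_pref("capability.principal.codebase.p0.id", "file://");
user_pref("capability.principal.codebase.p1.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p1.id", "http://intranet.example");
'''

if __name__ == "__main__":
    for slot, fields in sorted(find_grants(SAMPLE).items()):
        print(slot, fields.get("id"), "->", fields.get("granted", "").split())
    print(revoke(SAMPLE, "file://"), end="")
```

Run it against a copy of prefs.js with Firefox closed, as step 2 requires.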