Avoiding making the user grant UniversalXPConnect privileges to everything in file:


Xavier Verges

Mar 27, 2006, 7:57:52 PM
to TiddlyWikiDev
When you save a local TiddlyWiki in Firefox, you get asked a few times
if you want to grant the requested privileges and if you want to
remember the decision. Most users are not aware that they are granting
the privilege for everything loaded from file:, not for the TiddlyWiki
that they are working with.

See http://www.mozilla.org/projects/security/components/per-file.html

One way to help users to make the correct choice would be to do
something like
var file =
catch (e)
display a tiddler telling users how they should update their user.js
(see the previous link)

If you have granted by accident privileges to anything from the file:
"host", you probably have something like this in prefs.js
user_pref("capability.principal.codebase.p0.id", "file:///");

It is a good idea to close the browser and remove these lines from

Related to privileges in Firefox, it would also be nice that when
privileges are requested, they were later reverted, by calling
PrivilegeManager.revertPrivilege. Probably there is nothing wrong with
not reverting them, but TiddlyWiki is such a nice piece of code that it
is a good thing if it teaches its readers the good practice of
minimizing its trusted code base.

I wish I were knowledgeable enough about the TiddlyWiki code to write a
patch or a plugin for this... but, unfortunately, I'm not.

-Xavier (xavier_verges at es.ibm.com)
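
Added example, not part of the original post or of TiddlyWiki's code: a Node.js check that reads prefs.js text and reports codebase principals whose id is the whole file: scheme rather than one file, which is the over-broad grant described above. The companion `.granted` pref, the function names and the sample text are assumptions (the post shows only the `.id` line).

```javascript
// Added example: audit a Firefox prefs.js for codebase principals granted to all of file:.
// The .granted pref name and the sample text below are assumptions, not taken from the thread.
const PREF_RE = /^\s*user_pref\(\s*"capability\.principal\.codebase\.([^."]+)\.(\w+)"\s*,\s*"([^"]*)"\s*\)\s*;/;

// Collect the per-slot fields (id, granted, ...) of every codebase principal.
function parsePrincipals(prefsText) {
  const principals = new Map();
  for (const line of prefsText.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    const [, slot, field, value] = m;
    if (!principals.has(slot)) principals.set(slot, {});
    principals.get(slot)[field] = value;
  }
  return principals;
}

// A grant is too broad when its id is only the scheme root, with no file path.
function isWholeScheme(url) {
  return /^file:\/*$/i.test(url);
}

// Return one finding per principal slot that grants privileges to all of file:.
function findBroadGrants(prefsText) {
  const findings = [];
  for (const [slot, p] of parsePrincipals(prefsText)) {
    if (!p.id || !p.granted) continue;
    // The id may list several URLs separated by blanks; one broad entry is enough.
    const broad = p.id.split(/\s+/).filter(isWholeScheme);
    if (broad.length > 0) {
      findings.push({ slot, id: p.id, granted: p.granted.split(/\s+/) });
    }
  }
  return findings;
}

// Constructed sample prefs.js content: p0 is the accidental grant, p1 is per-file.
const SAMPLE = [
  '# Mozilla User Preferences',
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("capability.principal.codebase.p0.granted", "UniversalXPConnect");',
  'user_pref("capability.principal.codebase.p0.id", "file:///");',
  'user_pref("capability.principal.codebase.p1.granted", "UniversalXPConnect");',
  'user_pref("capability.principal.codebase.p1.id", "file:///home/user/wiki/notes.html");',
].join('\n');

for (const f of findBroadGrants(SAMPLE)) {
  console.log(`${f.slot}: ${f.granted.join(',')} granted to ${f.id}`);
}
```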

Jeremy Ruston

Mar 29, 2006, 5:42:19 AM
to Tiddly...@googlegroups.com
Xavier, that's great, and fills in a bunch of gaps in my Mozilla knowledge.

I'm worried that the user experience of editing the user.js file is
pretty grim, though; it's going to be quite an obstacle for
inexperienced users. Overall, this problem feels like a shortcoming in
Mozilla's privilege mechanism; perhaps we should be lobbying Mozilla
to refine their implementation to track privileges per file:// item.

I'm very keen that TiddlyWiki should be a good citizen, though, and
would welcome any further investigation of how we can accomplish the
same goal with a better UI.

Best wishes,


Jeremy Ruston

Xavier Verges

Mar 29, 2006, 5:51:37 PM
to TiddlyWikiDev
>Related to privileges in Firefox, it would also be nice that when
>privileges are requested, they were later reverted, by calling

Please, ignore that part. Ignoring my own
minimize-the-trusted-code-base advice, I've just tried to change the
tiddlywiki code so that only a security popup per session would appear,
by just calling once
netscape.security.PrivilegeManager.enablePrivilege. Unfortunately, I
learned that the privilege is only granted until the function where
this call is made returns. So the only possibility would be to call
that from the main script, but at that point you still don't know if
you'll need to request the privileges.

Maybe there are no reasonable alternatives for this security model, but
this looks like a case of security getting so intrusive that it almost
forces the end user to make the wrong choice (and click on the "remember
this" choice).

-Xavier (xavier_verges at es.ibm.com)

Xavier Verges

Mar 29, 2006, 6:44:57 PM
to TiddlyWikiDev
Jeremy, yes, editing user.js is not for the average user. It helps to
use the chromeEdit extension
but is still far from friendly.

Additionally, I believe that it does not work as documented, and that
multiple URLs separated by blanks are ignored. This makes everything
more annoying, since you need to copy/type two lines per local

I've searched in bugzilla and it looked like the bug that we'd like to
be fixed is this one:

-Xavier (xavier_verges at es.ibm.com)
