info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
nsIWebBrowserPersist.saveURI privacy context
80 views
Skip to first unread message
Michael Palimaka
May 22, 2013, 10:06:08 AM5/22/13
to
Hi,
I am working with an XUL application that uses
nsIWebBrowserPersist.saveURI to save a file. The operation silently
fails unless aPrivacyContext = null is passed.
According to the docs[1]: "If you think that you should be passing null
here, you are almost certainly wrong. null should be passed only when no
plausible privacy context exists for the URI to be saved, which is an
exceedingly rare corner case."
Is it safe to do so in this case?
Best regards,
Michael
[1]:
https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebBrowserPersist#saveURI%28%29
I am working with an XUL application that uses
nsIWebBrowserPersist.saveURI to save a file. The operation silently
fails unless aPrivacyContext = null is passed.
According to the docs[1]: "If you think that you should be passing null
here, you are almost certainly wrong. null should be passed only when no
plausible privacy context exists for the URI to be saved, which is an
exceedingly rare corner case."
Is it safe to do so in this case?
Best regards,
Michael
[1]:
https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebBrowserPersist#saveURI%28%29
Josh Matthews
May 22, 2013, 1:31:25 PM5/22/13
to
You haven't given any details that are required to determine whether a
null context is safe or not. Here's a good way to think about it: can
this saveURI call be invoked on a URL that is related to content that
the user is viewing? If so, can that happen for content in a private
window? If so, null is definitely unsafe - it will cause the URI that is
saved to be stored in the persistent cache, exposing the user's private
behaviour and bypassing the protection of private browsing.
If you can obtain a Window object related to the URI being saved (such
as the owning window of a link element, for example), you can obtain a
privacy context with PrivateBrowsingUtils.privacyContextFromWindow(win)
(http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/PrivateBrowsingUtils.jsm#23).
If you describe the source of your URI in more detail, I can provide
better information.
Cheers,
Josh
null context is safe or not. Here's a good way to think about it: can
this saveURI call be invoked on a URL that is related to content that
the user is viewing? If so, can that happen for content in a private
window? If so, null is definitely unsafe - it will cause the URI that is
saved to be stored in the persistent cache, exposing the user's private
behaviour and bypassing the protection of private browsing.
If you can obtain a Window object related to the URI being saved (such
as the owning window of a link element, for example), you can obtain a
privacy context with PrivateBrowsingUtils.privacyContextFromWindow(win)
(http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/PrivateBrowsingUtils.jsm#23).
If you describe the source of your URI in more detail, I can provide
better information.
Cheers,
Josh
Michael Palimaka
Jun 12, 2013, 3:04:49 PM6/12/13
to
On 23/05/2013 03:31, Josh Matthews wrote:
> You haven't given any details that are required to determine whether a
> null context is safe or not. Here's a good way to think about it: can
> this saveURI call be invoked on a URL that is related to content that
> the user is viewing? If so, can that happen for content in a private
> window? If so, null is definitely unsafe - it will cause the URI that is
> saved to be stored in the persistent cache, exposing the user's private
> behaviour and bypassing the protection of private browsing.
>
> If you can obtain a Window object related to the URI being saved (such
> as the owning window of a link element, for example), you can obtain a
> privacy context with PrivateBrowsingUtils.privacyContextFromWindow(win)
> (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/PrivateBrowsingUtils.jsm#23).
> If you describe the source of your URI in more detail, I can provide
> better information.
>
> Cheers,
> Josh
Hi,
> You haven't given any details that are required to determine whether a
> null context is safe or not. Here's a good way to think about it: can
> this saveURI call be invoked on a URL that is related to content that
> the user is viewing? If so, can that happen for content in a private
> window? If so, null is definitely unsafe - it will cause the URI that is
> saved to be stored in the persistent cache, exposing the user's private
> behaviour and bypassing the protection of private browsing.
>
> If you can obtain a Window object related to the URI being saved (such
> as the owning window of a link element, for example), you can obtain a
> privacy context with PrivateBrowsingUtils.privacyContextFromWindow(win)
> (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/PrivateBrowsingUtils.jsm#23).
> If you describe the source of your URI in more detail, I can provide
> better information.
>
> Cheers,
> Josh
Thanks for the fast reply, and apologies for my late one (I had a
problem with my news client and did not see it).
I don't think it would be possible for saveURI in this case to interfere
with privacy browsing. It is being used to save a rasterized SVG that
the user created with the application.
As a standalone application[1], the user is not interacting with
webpages or the browser interface at all.
Best regards,
Michael
[1]: http://pencil.evolus.vn/
Josh Matthews
Jun 12, 2013, 3:08:34 PM6/12/13
to
That does sound like a null privacy context should be fine to me as
well. Carry on :)
Cheers,
Josh
well. Carry on :)
Cheers,
Josh
0 new messages