I am writing a Firefox add-on that displays web pages from my server as control and info panels. These panels were written and work in regular URLs, but when I try to access them through a custom protocol (so it's like about:, just myplugin:settings) every XMLHttpRequest returns blank as if I was doing XSS stuff. I know the data's getting through - the requests are valid, accepted by the server, and tcpdump says they're making it to my machine. Clearly, it has something to do with the custom protocol implementation, so here is the relevant part of that:
    newURI: function(spec, charset, baseURI)
    {
        // The "@" belongs inside the contract-ID string (the original had it outside the quotes).
        var uri = Components.classes["@mozilla.org/network/simple-uri;1"]
                            .createInstance(Components.interfaces.nsIURI);
        if (baseURI) {
            spec = "myplugin:" + spec;
        }
        uri.spec = spec;
        return uri;
    },

    newChannel: function(aURI)
    {
        var incomingURI = aURI.spec;
        // Everything after "myplugin:" is the requested panel or API path.
        var purpose = incomingURI.substring(incomingURI.indexOf(":") + 1);
        var my_spec;
        var my_uri;
        var proto;
        var api_scheme = "http";
        var api_host = "myapi.myserver.com";
        var api_token = "temp";

        purpose = encodeURI(purpose);
        if (purpose.match(/^\//)) {        // begins with "/" (relative URL)
            if (purpose.match(/\?/)) {     // already contains a query string
                my_spec = api_scheme + "://" + api_host + purpose + "&api_token=" + api_token;
            } else {
                my_spec = api_scheme + "://" + api_host + purpose + "?api_token=" + api_token;
            }
        } else {
            my_spec = api_scheme + "://" + api_host + "/frontend/" + purpose + "?api_token=" + api_token;
        }

        my_uri = Components.classes["@mozilla.org/network/simple-uri;1"]
                           .createInstance(Components.interfaces.nsIURI);
        my_uri.spec = my_spec;
        // Hand the rewritten URI to the real http protocol handler, which builds the channel.
        proto = Components.classes["@mozilla.org/network/protocol;1?name=" + api_scheme]
                          .getService(Components.interfaces.nsIProtocolHandler);
        return proto.newChannel(my_uri);
    }
};
In the eyes of the spec you ARE doing XSS.
While the implementations differ slightly across platforms, the general rule of thumb is same protocol, same domain, same port.