Saturday, December 29, 2007

Hosting XBL files (2)

This is an attempt to answer the following (and/or related) questions:

  1. Is it possible to substitute userscripts (think Greasemonkey) with XBL bindings?

  2. If yes, is it possible to host the XBL locally? Possible schemes are:

    1. file:///
    2. http://localhost
    3. chrome:
    4. resource:
    5. data:

  3. What are the security considerations in this situation? Specifically:
    In what context do the XBL bindings execute?

    • the hosting page?
    • their own context?
    • other?

    Note: Starting with version 1.1.8.5, NoScript includes the preference noscript.forbidXBL, which can be set from about:config:

    0 - allow all XBL
    1 - allow trusted and data: (Fx 3) XBL on any site
    2 - allow trusted and data: (Fx 3) XBL on trusted sites
    3 - allow only trusted XBL on trusted sites
    4 - allow only trusted XBL from the same site or chrome (default)
    5 - allow only chrome XBL

  4. What differences exist between Firefox 2 and Firefox 3 regarding handling of XBL?

  5. What differences exist between XBL 1.0, XBL 2.0 and/or other versions? What is implemented in each version of Firefox (this is especially relevant in regard to security principals)?

  6. At what level must JavaScript be enabled? This is relevant for use in conjunction with NoScript.

  7. Any other question related to this.

1 comment:

esquifit said...

Regarding the question of XBL flavors, it is interesting to see what the Mozilla developers say at MDC [1]:

* XBL 1.0 is specified in XBL 1.0 Reference. Unfortunately, the actual implementation in Mozilla is different from the specification[...]
XBL 1.0 is a Mozilla-specific technology, and not a W3C standard. However, at least two standards are being worked on: sXBL and XBL 2.0.

* W3C sXBL (currently a working draft, 2005) stands for SVG's XML Binding Language. It is supposed to include a subset of XBL 2.0 features needed for SVG.

* XBL 2.0 (W3C Candidate Recommendation) is being developed to address problems found in XBL 1.0 [...]. Mozilla plans to implement XBL2 in future versions of Gecko.


[1] http://developer.mozilla.org/en/docs/XBL