MozillaZine

Javascript File i/o

Thursday May 25th, 2000

Pete Collins from Alphanumerica and Mozilla developers have created a Javascript interface for doing file i/o in Mozilla, which will allow new Mozilla components like Alphanumerica's Crash Recovery system to function properly.

Patterned after the PHP filesystem functions, simple functions such as file read/write and directory create are supported. The code has not yet made it into the nightly build, but they expect it will get in soon.

Note from AN: There seems to be a misconception about Javascript File I/O being a security risk. It is important to clarify that this project is not opening any security holes in Mozilla. There is a difference between Javascript on the Internet and Javascript inside the application. Javascript is used inside Mozilla to create the functionality for the application. This is in contrast to any Javascript downloaded from the Internet that is used for functionality only inside a Web page. This project does not grant any access to Javascript found on the Internet. For more information about how Javascript is used inside Mozilla read more about XPCOM and XPConnect.


#21 Re: Let me clarify my position

by svn <svn@xmlterm.org>

Thursday May 25th, 2000 3:49 PM

You are replying to this message

What you are requesting is fine-grained security control. Advanced users may find it useful, and the NS4.x (and Mozilla presumably) security model provides such control for signed scripts applets. However, scripts in the chrome area can do anything the browser program itself can do (I think it is called UniversalBrowserAccess in the fine-grained security model.) Presumably the scary dialog will state this as being High Risk and also say that files could be modified etc.

Unfortunately, at the moment, there is no fine fine-grained security model for XPConnect. There may never be one, because XPConnect is so broad and easily extensible. All access to XPConnect is considered as high risk, i.e., UniversalBrowserAccess. There is no low risk access to XPConnect or XUL, which is why the term "skins", <em>as used in the mozilla codebase</em>, does not allow for customizable button functionality. You can change the color of a button using skins, but not its function.

In short, if you don't want to install high risk stuff, you will never be able to customize button functionality using Mozilla, and there is no easy way around it.