MozillaZine

Javascript File i/o

Thursday May 25th, 2000

Pete Collins from Alphanumerica and Mozilla developers have created a Javascript interface for doing file i/o in Mozilla, which will allow new Mozilla components like Alphanumerica's Crash Recovery system to function properly.

Patterned after the PHP filesystem functions, simple functions such as file read/write and directory create are supported. The code has not yet made it into the nightly build, but they expect it will get in soon.

Note from AN: There seems to be a misconception about Javascript File I/O being a security risk. It is important to clarify that this project is not opening any security holes in Mozilla. There is a difference between Javascript on the Internet and Javascript inside the application. Javascript is used inside Mozilla to create the functionality for the application. This is in contrast to any Javascript downloaded from the Internet that is used for functionality only inside a Web page. This project does not grant any access to Javascript found on the Internet. For more information about how Javascript is used inside Mozilla read more about XPCOM and XPConnect.


#26 Skin confusion

by svn <svn@xmlterm.org>

Thursday May 25th, 2000 5:23 PM

You are replying to this message

I think there's endless confusion about the term "skins" in this discussion. Let me list some (conflicting) types of definitions:

Type 1. Colloquial usage: Skin affects the browser appearance, but is otherwise believed to be safe (may affect number, arrangement and function of buttons/menus as well)

Type 2. Mozilla codebase: chrome:/.../skin directory is allowed to contain only *.css and image files. Truly safe, I believe (I don't think you can use XBL in CSS; that would be non-standard)

Type 3. Developer/ChromeZone usage: A bundle of XUL/XBL/JS/CSS files which modifies the browser appearance. Definitely not safe, because XUL/JS in chrome is *all powerful*.

It may be better to use the term "application" to describe type 3 stuff, to be installed with a scary dialog. Safe "skins" of type 1 are what the end-user community wants, but won't get from Mozilla. You can't allow a safe skin to change the function of a button, because it could be changed to something malicious. Only the appearance of buttons can be safely changed, and that leaves only type 2 skins as the safe alternative, and can be installed without a scary dialog, or even no dialog at all.