
Security Error Content At May Not Load Data From Iframe

Thanks for pointing it out, I also updated the reply on SO. Comment 4 Gabor Krizsanits [:krizsa :gabor] 2012-10-01 02:55:17 PDT (In reply to toberndo from comment #3) > Is this really related to bug 786681? This has the downside that a page like "data/web/example.html" loaded into an iframe in web content cannot use a relative url like to load the resource at "data/example.jpg", which

Maybe we want to allow making individual URLs or patterns web accessible, like Chrome does. Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License.

telega 2007-10-23 11:21:22 UTC

Post by Adam Nielsen
----------------------
var strXMLHeader = '' + '';
var strXMLData = '';
document.getElementById('idIFrame').setAttribute('src', 'data:text/xml,' + strXMLHeader + strXMLData);
----------------------
Not sure, but seems that non-chrome pages cannot

http://stackoverflow.com/questions/21947483/security-error-when-trying-to-load-content-from-resource-in-a-firefox-addon-sdk

Comment 77 Richard Z. 2016-07-28 02:44:59 PDT Don't inject iframes into arbitrary webpages, it is broken and unsafe by design. So all files referenced will need to be in an outward facing > location. > > Scott Amazing! Citation, please? I would answer Gabor’s question this way: Yes, it’s important for the iframe `src` page to be web-accessible using a new scheme such as `resource:` so that web page authors can

Thanks a lot for all the info. The sandbox attribute of the iframe element gives us just what we need to tighten the restrictions on framed content. Attackers will need to find several holes in different pieces of the system in order to do any damage, which hugely reduces the risk of successful pwnage. Without > > > this resolved, we will not be able to provide robust support for Firefox. > > > > I think we have something at least something like this

So all files referenced will need to be in an outward facing location. people are hacking their extensions with 350 lines of code in order to work around something that can be done in one line in other browsers (Chrome, Safari). Once found, I place an overlay on top of the encrypted content and > insert an iframe that will show a UI and finally the decrypted message. https://bugzilla.mozilla.org/show_bug.cgi?id=792479 Comment 23 Jesper Kristensen 2014-04-09 10:02:12 PDT Created attachment 8404094 test-addon.zip an add-on and a web page to test it Comment 24 Tomislav Jovanovic :zombie 2014-04-09 11:23:23 PDT hey Dave,

Using Services.jsm is super fast not even blink fast. answered Feb 28 '14 at 16:44 Matthew Gertner Yes. My solution was to create a custom resource handler for the iframes. I could only find JavaScript files within the SDK tests.

Comment 7 Gabor Krizsanits [:krizsa :gabor] 2013-06-11 02:38:21 PDT (In reply to Matteo Ferretti [:matteo] [:zer0] from comment #6) > Gabor, any news from your side? http://forums.mozillazine.org/viewtopic.php?f=19&t=785115 also gBrowser to getMostRecentBrowserWindow will fail if the url load is slow and in that time the user switches to another tab or window I also changed to use Services.jsm as Applying the sandbox attribute to iframes you include allows you to grant certain privileges to the content they display, only those privileges which are necessary for the content to function correctly. The store page that is in the iframe has to save the cart locally, then call a function in the parent window to load the cart and run the checkout

However, you can use `data:` URL instead, and set directly the HTML you want to. That is basically the approach I took in a patch I started working on. Without > > > > > this resolved, we will not be able to provide robust support for Firefox. > > > > > > > > I think we have This means that we have to add allow-forms to the frame’s sandbox, even though the form only exists in the window that the frame pops up.

Finally, we post the result back to the parent window. monk3manth31st commented Jul 19, 2012 I found a way to make this work. Validate your output!

Someday… but for now sandboxing is another layer of protection to strengthen your defenses; it’s not a complete defense upon which you can solely rely. Not sure if it's good enough, it was just an idea. This technique is very common in native code: Chrome, for example, breaks itself into a high-privilege browser process that has access to the local hard-drive and can make network connections, and

The solution that did work was your solution of

    var gBrowser = utils.getMostRecentBrowserWindow().gBrowser;
    var domWin = httpChannel.notificationCallbacks.getInterface(Ci.nsIDOMWindow);
    var browser = gBrowser.getBrowserForDocument(domWin.document);
    //redirect
    browser.loadURI(self.data.url('pages/test.html'));

however I changed this to use loadContext instead

sorry... Moreover, sandboxing is a powerful technique for reducing the risk that a clever attacker will be able to exploit holes in your own code. I don't have anything better to offer right now. But if you just do contentWindow.location you > should be able to trigger the load over Xrays.

Citation, please? If it throws a security error then you definitely need a chrome.manifest file and that will without question fix it up. firefox-addon firefox-addon-sdk asked Feb 21 '14 at 23:48 im_nullable actually man Note, however, that you need to be very careful when dealing with framed content that comes from the same origin as the parent.

Therefore I'm in the context of the webpage and the webpage then tries to load the content for the iframe from the resource:// URI. This means communication would need to use postMessage to a content > > script to then get relayed back to main.js, introducing complexity to the > > implementation. > > Comment I agree - if we want to add new machinery here, we should create a different protocol handler, probably called firefox-extension://. Safely sandboxing eval() With sandboxing and the postMessage API, the success of this model is fairly straightforward to apply to the web.

Thank you man!! :) I learned a lot from helping you too! :) Make sure you watch out for resources that load into top window or something with the same URL Does anyone know how I could get an XSLT-translated XML document to appear in an