
Signing your JavaScript code lets it gain extra privileges, such as reading the URLs of windows that belong to other sites. You can find out all about it at http://www.mozilla.org/projects/security/components/signed-scripts.html

Signed JavaScript is only available in Netscape Navigator 4 or higher and Mozilla. Internet Explorer probably has some nasty ActiveX method for doing similar things.

First thing to do is copy this HTML into a file named frame.html

<html>
<head>
  <title>JavaScript test</title>
</head>
<frameset rows="10%,*">
  <frame src="snoop.html">
  <frame src="http://slashdot.org/">
</frameset>
</html>

And this HTML into snoop.html

<html>
<head>
  <title>snoop</title>
  <script type="text/javascript">
  <!--
  function init() {
    window.setTimeout('snoop()', 100);
  }
  function snoop() {
    try {
      // Ask the user for permission to read documents from other sites
      netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
      var url = top.frames[1].location.toString();
      document.getElementById('text').innerHTML = url;
      // Poll again in a second so the display follows navigation
      window.setTimeout('snoop()', 1000);
    } catch (e) {
      // Privilege refused (or not available): show the error and stop polling
      document.getElementById('text').innerHTML = 'Exception: ' + e;
    }
  }
  // -->
  </script>
</head>
<body onLoad="init();">
  <tt id="text">loading...</tt>
</body>
</html>

Then load frame.html in Mozilla [1] with a local URL (e.g. one starting with file://). You'll get a message asking if you want to grant the script enhanced privileges. Click No and you'll see an exception message in the upper frame. Reload, tick the remember box (or you'll get asked once a second) and click Yes. Now you'll see the URL of the lower frame in the upper frame. It'll follow as you click around.

Now copy the two files to your webserver and try loading frame.html from there. It doesn't work, as the script isn't signed. Go to http://ftp.mozilla.org/pub/security/nss/releases/ and download a copy of the latest version of NSS for your operating system, and to http://ftp.mozilla.org/pub/nspr/releases/ to download a copy of the latest NSPR. Unpack them and do whatever it is you need to do to put the files in the bin directory in your path and the files in the lib directory in your library path.

Set your Master Password in Mozilla to something easy and insecure, as you'll have to put it on the command line. Then execute
signtool -d /.mozilla -l
and you'll see you have no signing certificates, so quit Mozilla (or else you'll break it) and generate a signing certificate with this
signtool -d /.mozilla -p password -G certname
(You can load Mozilla again now.) Do this again to see that the certificate was generated correctly
signtool -d /.mozilla -l
Make a new directory, put snoop.html in it and sign it with this command
signtool -d /.mozilla -p password -k certname -Z snoop.jar scriptdir
Test that it was signed correctly with
signtool -d /.mozilla -v snoop.jar
Now copy snoop.jar to the same place as snoop.html and change this line in frame.html
<frame src="snoop.html">

to

<frame src="jar:http://localhost/path-to-files/snoop.jar!/snoop.html">

Load up http://localhost/path-to-files/frame.html and all should be well.

That's all I know about signing JavaScript. The next step would be to get a real signing certificate so you could distribute your code. It doesn't seem to be possible to export the certificate you made with signtool, but if anyone figures it out, please edit this page!

For information about creating root CAs and other certificates, see SSLNotes.


[1] Netscape Navigator 4 doesn't support the JavaScript try/catch statements, so it won't work with the given code. If you take them out it should work. The netscape.security object doesn't exist for non-signed scripts, so you can use that to detect if you can access the permissions.
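
The check described in the footnote, combined with the Yes/No outcomes from the frame.html walkthrough, as an added example that is not part of the original page. The names readFrameUrl and mockWindow and the window-like mock objects are assumptions constructed for illustration, so the logic can be run outside a browser:

```javascript
// Probe for the legacy privilege manager before using it, and fail closed.
// `win` is a window-like object; in a page you would pass `window`.
function readFrameUrl(win, frameIndex) {
  // Per the footnote: unsigned scripts have no netscape.security object.
  var sec = win.netscape && win.netscape.security;
  if (!sec || !sec.PrivilegeManager) {
    return { status: 'unavailable', url: null };
  }
  try {
    // The same privilege snoop.html requests; the user may refuse it.
    sec.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
    var url = win.top.frames[frameIndex].location.toString();
    return { status: 'granted', url: url };
  } catch (e) {
    // User clicked No or the signature is not trusted: report, read nothing.
    return { status: 'denied', url: null, error: String(e) };
  }
}

// Constructed stand-ins for the three situations the page describes.
function mockWindow(kind) {
  var win = {
    top: { frames: [{ location: 'http://localhost/path-to-files/snoop.html' },
                    { location: 'http://slashdot.org/' }] }
  };
  if (kind === 'unsigned') {
    return win; // no netscape object at all
  }
  win.netscape = { security: { PrivilegeManager: {
    enablePrivilege: function (name) {
      if (kind === 'denied') {
        throw new Error('enablePrivilege(' + name + ') refused');
      }
    }
  } } };
  return win;
}

['unsigned', 'denied', 'granted'].forEach(function (kind) {
  var result = readFrameUrl(mockWindow(kind), 1);
  console.log(kind + ': ' + result.status + ' ' + (result.url || ''));
});
```
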
