Diff: SignedJavaScript

Differences between current version and predecessor to the previous major change of SignedJavaScript.


Newer page: version 3 Last edited on Wednesday, November 19, 2003 4:12:53 pm by AristotlePagaltzis
Older page: version 2 Last edited on Sunday, June 22, 2003 1:53:29 am by PerryLorier
@@ -1,75 +1 @@
-Signing your JavaScript code lets it gain extra privledges, such as accessing the urls of windows from other sites. You can find out all about it at http://www.mozilla.org/projects/security/components/signed-scripts.html  
-  
-  
-! SignedJavaScript is only available in NetscapeNavigator 4 or higher and [Mozilla]. InternetExplorer probably has some nasty [ActiveX] method for doing similar things.  
-  
-  
-First thing to do is copy this [HTML] into a file named ''frame.html'':  
-  
- <html>  
- <head>  
- <title>!JavaScript test</title>  
- </head>  
- <frameset rows="10%,*">  
- <frame src="snoop.html">  
- <frame src="http://slashdot.org/">  
- </frameset>  
- </html>  
-  
-And this [HTML] into ''snoop.html'':  
- <html>  
- <head>  
- <title>snoop</title>  
- <script type="text/javascript">  
- <!--  
- function init() {  
- window.setTimeout('snoop()', 100);  
- }  
- function snoop() {  
- try {  
- netscape.security.!PrivilegeManager.enablePrivilege('!UniversalBrowserRead');  
- var url = top.frames[[1].location.toString();  
- document.getElementById('text').innerHTML = url;  
- window.setTimeout('snoop()', 1000);  
- } catch (e) {  
- document.getElementById('text').innerHTML = 'Exception: ' + e;  
- }  
- }  
- // -->  
- </script>  
- </head>  
- <body onLoad="init();">  
- <tt id="text">loading...</tt>  
- </body>  
- </html>  
-  
-Then load ''frame.html'' in [Mozilla][1] with a local url (e.g. one starting with ''file://''). You'll get a message asking if you want to grant the script enhanced privileges. Click __No__ and you'll see an exception message in the upper frame. Reload, tick the remember box (or you'll get asked once a second) and click __Yes__. Now you'll see the url of the lower frame in the upper frame. It'll follow as you click around.  
-  
-Now copy the two files to your webserver and try loading ''frame.html'' from there. It doesn't work as the script isn't signed. Go to http://ftp.mozilla.org/pub/security/nss/releases/ and download a copy of the latest version of __NSS__ for your operating system and to http://ftp.mozilla.org/pub/nspr/releases/ to download a copy of the latest __NSPR__. Unpack them and do whatever it is you need to do put the files in the ''bin'' directory in your path and the files in the ''lib'' directory in your library path.  
-  
-Set your ''Master Password'' in Mozilla to something easy insecure as you'll have to put it on the command line. Then execute:  
- signtool -d ~/.mozilla -l  
-and you'll see you have no signing certificates, so quit [Mozilla] (or else you'll break it) and generate a signing certificate with this:  
- signtool -d ~/.mozilla -p ''password'' -G ''certname''  
-(You can load Mozilla again now.) Do this again to see that the certificate was generated correctly:  
- signtool -d ~/.mozilla -l  
-Make a new directory, put ''snoop.html'' in it and sign it with this command:  
- signtool -d ~/.mozilla -p ''passsword'' -k ''certname'' -Z snoop.jar ''scriptdir''  
-Test that it was signed correctly with:  
- signtool -d ~/.mozilla -v snoop.jar  
-  
-Now copy ''snoop.jar'' to the same place as ''snoop.html'' and change this line in ''frame.jar'':  
- <frame src="snoop.html">  
-  
-to  
- <frame src="jar:http://localhost/path-to-files/snoop.jar!/snoop.html">  
-  
-  
-Load up ''http://localhost/path-to-files/frame.html'' and all should be well.  
-  
-That's all i know about signing JavaScript. The next step would be to get a real signing certificate so you could distribute your code. It doesn't seem to be possible to export the certificate you made with ''signtool'', but if anyone figures it out, please edit this page!  
-  
-Information about creating Root CA's and other certificates see [SSLNotes]  
-  
-----  
-[1 ] NetscapeNavigator 4 doesn't support the JavaScript try/catch statements, so it worn't work with the given code. If you take them out it should work. The ''netscape.security'' object doesn't exist for non-signed scripts, so you can use that to detect if you can access the permissions
+Describe [ SignedJavaScript] here
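
Review bot: the only added line, `+Describe [ SignedJavaScript] here`, is an empty-page placeholder, so this revision drops all 75 lines of the walkthrough (the ''frame.html''/''snoop.html'' test case and the `signtool` signing steps) with nothing in its place and no pointer to where the material went. If the content was moved, replace the placeholder with a link to the new page; if it was not, restore version 2. If the text comes back, three things in the removed lines are worth fixing in the same edit: "change this line in ''frame.jar''" refers to a `<frame src="snoop.html">` line that is in ''frame.html''; the signing command spells its placeholder ''passsword'' while the key-generation command uses ''password''; and the step that sets the Master Password to something insecure because it is passed with `-p` on the command line should say to do this only in a throwaway test profile, since the password then protects everything else stored in `~/.mozilla`.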