Comments (13)
I don't think the JavaScript version of mail.google.com will load even though a patch landed for this. I'm not sure why.
from chromeless.
I think the suggestion is that a recent fix to issue 68 (6d8791d) is a potential solution for this.
If I add "enableSystemPrivileges":true to my app manifest it does make a difference for some sites (e.g. Twitter seems to work).
However, a lot of Google apps behave oddly. For example GMail now gets as far as a loading screen but doesn't get any further. Google Calendar loads but somehow manages to take over the whole screen!
Also, I don't fully understand what adding this parameter to the app manifest means, does it introduce security issues?
from chromeless.
thanks @hippygeek
gmail does not work but "enableSystemPrivileges":true does make a difference, no idea why.
from chromeless.
Regarding why chrome level page works, check this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=593387. I think we need to get input from Gecko platform engineers to help us out here. The bit I heard is that the nature of the iframe docshell is created in a different way. The docshell of the iframe in XUL, for example, offers additional attributes. I believe we need to be stronger in making a list of all our browser cases, apps, to show clearly
from chromeless.
I wonder if stripping out the "X-Frame-Options" header from the response with nsIObserverService's http-on-examine-response (https://developer.mozilla.org/en/Observer_Notifications#HTTP_requests) for top-level iframes would fix this.
Kinda off-topic: I still have NO idea how Google Calendar can take over the window without any user interaction (though the patch Lloyd landed a couple minutes ago does fix this). Has anyone been able to figure out how they did this?
from chromeless.
Probably. We have to annotate again that this is a hack override, so the discussion is alive and see what is the impact of the workaround -- vs security mindset.
from chromeless.
I think @davidmurdoch's suggestion looks really promising. I see no real downside. The only hard part is determining what load requests are targeted at top level iframes, but we already solve this problem in other places.
To @taboca's point, sure it's a hack: We're still patching gecko from the outside. But in this case it seems like a robust hack that would fix a problem lots of people care about :)
from chromeless.
++ to that too. Just keeping track of things. As soon as this is out I would love to make a video of a functional browser and strongly point out what we are doing.
from chromeless.
This sounds promising, even if it's really a bit of a hack until a better solution can be found upstream.
Was the patch you're talking about on the master branch? I'd like to try it out with Shell to see if it makes a difference.
Thanks
from chromeless.
@hippygeek yeah, update to master to get the fix that should prevent content from taking over your app in all circumstances (that I can think of)
from chromeless.
Whereabouts in the Chromeless source code would you intercept the "X-Frame-Options" header for top level iFrames using the nsIObserverService? And can you point me towards another point in the source code where HTTP requests are identified as being from a top level iFrame?
from chromeless.
Aha, I'm guessing the answer to both of my questions may be https://github.com/mozilla/chromeless/blob/master/modules/internal/chromeless-sandbox-window.js
from chromeless.
Well, I had a stab at this (https://github.com/hippygeek/chromeless/commit/8937cafa1fafb040fb3a0281aa3c9bc3b6fd0433) but I didn't get very far. I'm hoping it's just that my JavaScript foo isn't strong enough and that someone can help.
The two main problems I had are:
- The `nsIHttpChannel` interface has a `getResponseHeader()` and a `setResponseHeader()` method, but no `removeResponseHeader()` method, so the best I could think to do was (re)set the X-Frame-Options header to null or an empty string, but this doesn't seem to fix the problem.
- I'm not sure how you'd detect whether the HTTP response was headed for a top level iFrame because the "subject" of the http-on-examine-response notification is of the interface `nsIHttpChannel`, not `nsIDOMWindow`.
from chromeless.
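The scoping question raised in this thread (ignore X-Frame-Options only for top-level iframes), as an added example that is not Chromeless or Gecko code and not from any commenter: a self-contained model showing that the exemption lets a page load in a frame embedded directly in the application window while a nested frame is still subject to the header. The frame objects, function names, the `app://shell` and `other.example` origins, and the header values are constructed for illustration.

```javascript
// Constructed model, not Chromeless or Gecko code.
// The application window (the app's own HTML UI) is the only frame with parent === null.
function makeFrame(origin, parent = null) {
  return { origin, parent };
}

// A top-level content frame is an iframe embedded directly in the application window.
function isTopLevelContentFrame(frame) {
  return frame.parent !== null && frame.parent.parent === null;
}

// Decide whether a response carrying X-Frame-Options may render in `frame`.
// exemptTopLevel models the workaround: the header is ignored only for
// top-level content frames, and the application window is treated as browser chrome.
function mayRender(headerValue, frame, exemptTopLevel) {
  if (frame.parent === null) return true;               // not framed at all
  if (exemptTopLevel && isTopLevelContentFrame(frame)) return true;
  const value = (headerValue || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value !== "SAMEORIGIN") return true;              // absent or unrecognised
  for (let a = frame.parent; a !== null; a = a.parent) {
    if (exemptTopLevel && a.parent === null) break;     // stop at the app window
    if (a.origin !== frame.origin) return false;
  }
  return true;
}

// Constructed sample frame tree.
const app = makeFrame("app://shell");
const mailTab = makeFrame("https://mail.google.com", app);
const otherTab = makeFrame("https://other.example", app);
const mailInsideOther = makeFrame("https://mail.google.com", otherTab);

function demo() {
  return {
    tabWithoutWorkaround: mayRender("SAMEORIGIN", mailTab, false),
    tabWithWorkaround: mayRender("SAMEORIGIN", mailTab, true),
    nestedWithWorkaround: mayRender("SAMEORIGIN", mailInsideOther, true),
  };
}
console.log(demo());
```

Removing the header from every response would instead make the nested case render as well, which is why the thread singles out top-level iframes.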