I am writing a Firefox add-on that displays webpages from my server as control and info panels. These panels were written and work in regular URLs, but when I try to access them through a custom protocol (so it's like about:, just myplugin:settings) every XMLHttpRequest returns blank as if I were doing XSS stuff. I know the data's getting through - the requests are valid, accepted by the server, and tcpdump says they're making it to my machine. Clearly, it has something to do with the custom protocol implementation, so here is the relevant part of that:

    newURI: function(spec, charset, baseURI)
    {
        // The contract ID must be a quoted string: "@mozilla.org/..."
        var uri = Components.classes["@mozilla.org/network/simple-uri;1"]
                      .createInstance(Components.interfaces.nsIURI);

        if (baseURI) {
            // Relative spec: prefix it with the custom scheme
            spec = "myplugin:" + spec;
        }

        uri.spec = spec;

        return uri;
    },

    newChannel: function(aURI)
    {
        var incomingURI = aURI.spec;
        // Everything after "myplugin:" is the requested panel or path
        var purpose = incomingURI.substring(incomingURI.indexOf(":") + 1);
        var my_spec;
        var my_uri;
        var proto;

        var api_scheme = "http";
        var api_host = "myapi.myserver.com";
        var api_token = "temp"; // hard-coded placeholder token

        purpose = encodeURI(purpose);

        if (purpose.match(/^\//)) {          // Begins with "/" (relative URL)
            if (purpose.match(/\?/)) {       // Already contains a query string
                my_spec = api_scheme + "://" + api_host + purpose + "&api_token=" + api_token;
            } else {
                my_spec = api_scheme + "://" + api_host + purpose + "?api_token=" + api_token;
            }
        } else {
            my_spec = api_scheme + "://" + api_host + "/frontend/" + purpose + "?api_token=" + api_token;
        }

        // Same fix as above: the contract ID needs quotes
        my_uri = Components.classes["@mozilla.org/network/simple-uri;1"]
                     .createInstance(Components.interfaces.nsIURI);
        my_uri.spec = my_spec;

        // Delegate channel creation to the real http handler; the channel
        // it returns carries an http:// URI, not the myplugin: one
        proto = Components.classes["@mozilla.org/network/protocol;1?name=" + api_scheme]
                    .getService(Components.interfaces.nsIProtocolHandler);

        return proto.newChannel(my_uri);
    }
};
+1  A: 

In the eyes of the spec you ARE doing XSS.

While the implementations differ slightly across platforms, the general rule of thumb is same protocol, same domain, same port.

Sky Sanders