Script signing

Hi,

I need to use the UniversalBrowserRead Privilege in a script. For this,
the script has to be signed, right? Can anyone help me with getting a
free certificate (I don't want to spend a lot of money for something I
do just for fun) and using it to sign a script in an external file
(loaded with the SRC attribute)? I'm working on a Linux machine, so I'd
prefer a solution for Linux. But I can move to Windows, if necessary.

I want the script to read the contents (or at least search for some
keywords) of another HTML-page, that comes from a different server. If
there is a simpler way to do this than using UniversalBrowserRead to
bypass the same origin policy and then use XMLHttpRequest to read the
file, I'd appreciate some hints.

Thanks in advance!

Jul 20 '05 #1


Christian Schmitt wrote:
> I need to use the UniversalBrowserRead Privilege in a script. For this,
> the script has to be signed, right? Can anyone help me with getting a

You can request the privilege with an unsigned script loaded from the
local file system.

> free certificate (I don't want to spend a lot of money for something I
> do just for fun) and using it to sign a script in an external file
> (loaded with the SRC attribute)? I'm working on a Linux machine, so I'd
> prefer a solution for Linux. But I can move to Windows, if necessary.
>
> I want the script to read the contents (or at least search for some
> keywords) of another HTML-page, that comes from a different server. If
> there is a simpler way to do this than using UniversalBrowserRead to
> bypass the same origin policy and then use XMLHttpRequest to read the
> file, I'd appreciate some hints.

Can't you enable codebase principals?
http://www.mozilla.org/projects/secu....html#codebase
If not you need to get the signTool, I think it allows you to generate a
dummy certificate:
http://www.mozilla.org/projects/secu...s.html#signing

--

Martin Honnen
http://JavaScript.FAQTs.com/

Jul 20 '05 #2
Martin Honnen wrote:

> You can request the privilege with an unsigned script loaded from the
> local file system.

Right, but this script will be loaded from a web server. I was fooled by
this at first, because it worked when I tested locally. But after
uploading to the server...

> Can't you enable codebase principals?
> http://www.mozilla.org/projects/secu....html#codebase

I fear that enabling codebase principals would be too great a challenge
to most people who will visit my site, since you have to manually modify
your prefs.js file.

> If not you need to get the signTool, I think it allows you to generate a
> dummy certificate:
> http://www.mozilla.org/projects/secu...s.html#signing

This page states in the "After Signing" section:

"For testing, use SignTool to create a test certificate (see
documentation). However, end users will not be able to use the test
certificate, so remember to obtain a certificate from a certificate
authority in order to serve a signed script on the web."

So, no luck there, too. Also:

"New in Mozilla is the syntax needed to access signed scripts within JAR
files. The syntax is as follows:

jar:http://www.domain.com/secure-scripts/secure.jar!/thepage.html

Scripts will only be treated as signed if the HTML page that contains
them is using a URL of this form."

Can someone explain this to me???

I almost fear that this might be too much trouble for something I do
just because I like programming!

Christian

Jul 20 '05 #3


Christian Schmitt wrote:
> Martin Honnen wrote:
>> Can't you enable codebase principals?
>> http://www.mozilla.org/projects/secu....html#codebase
>
> I fear that enabling codebase principals would be too great a challenge
> to most people who will visit my site, since you have to manually modify
> your prefs.js file.

Yes, I misunderstood your intentions, I thought you want to write a page
you use yourself, but below you state that you indeed expect to get a
certificate that browsers of other users accept. I don't think there is
any way but finding an accepted certificate authority that sells you a
certificate.

>> If not you need to get the signTool, I think it allows you to generate
>> a dummy certificate:
>
> "For testing, use SignTool to create a test certificate (see
> documentation). However, end users will not be able to use the test
> certificate, so remember to obtain a certificate from a certificate
> authority in order to serve a signed script on the web."
>
> So, no luck there, too. Also:
>
> "New in Mozilla is the syntax needed to access signed scripts within JAR
> files. The syntax is as follows:
>
> jar:http://www.domain.com/secure-scripts/secure.jar!/thepage.html
>
> Scripts will only be treated as signed if the HTML page that contains
> them is using a URL of this form."
>
> Can someone explain this to me???

I think Sun invented this
jar:url!/file
URI scheme, basically you need to pack and sign your page and script
into a .jar file and then load it that way.

> I almost fear that this might be too much trouble for something I do
> just because I like programming!

Yes, I am sure if you want your script to load files from other servers
it is easier and cheaper to host your page on a server where you have
server side scripting with PHP or ASP and then simply connect back to
your server passing the URL you want to fetch and let the server side
script do the work.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Jul 20 '05 #4
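
The server-side approach suggested in the last reply, sketched as an added example that is not part of the original thread. It is written in server-side JavaScript (Node.js 18 or later) rather than PHP or ASP, and it only fetches hosts on a fixed allowlist, since a script that fetches whatever URL the page passes it will also fetch addresses that only the server can reach. ALLOWED_HOSTS, the function names and the query parameter names are hypothetical.

```javascript
// Added example: the "let the server fetch it" helper, with a host allowlist.
// ALLOWED_HOSTS and every name below are hypothetical, not from the thread.
const ALLOWED_HOSTS = new Set(["www.example.org", "news.example.net"]);

// Decide whether the server may fetch this URL on the browser's behalf.
function validateTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // Compare the parsed hostname, never a substring of the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, url };
}

// Case-insensitive keyword search over the fetched markup.
function findKeywords(html, keywords) {
  const haystack = html.toLowerCase();
  return keywords.filter((k) => haystack.includes(k.toLowerCase()));
}

// What the server-side script does for a request like /search?url=...&kw=a,b.
// fetchImpl is injectable so the logic can be exercised without a network.
async function handleSearch(query, fetchImpl = globalThis.fetch) {
  const params = new URLSearchParams(query);
  const check = validateTarget(params.get("url") ?? "");
  if (!check.ok) return { status: 400, body: { error: check.reason } };
  // redirect: "manual" so an allowed host cannot bounce the fetch elsewhere.
  const res = await fetchImpl(check.url.href, { redirect: "manual" });
  if (res.status !== 200) {
    return { status: 502, body: { error: "upstream " + res.status } };
  }
  const keywords = (params.get("kw") ?? "").split(",").filter(Boolean);
  return { status: 200, body: { found: findKeywords(await res.text(), keywords) } };
}
```

The page then calls its own server with XMLHttpRequest, which stays within the same origin policy, and receives only the list of matched keywords.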
