在 FireFox 中以自定义协议运行时 XMLHttpRequest 中的空白响应文本?
我正在编写一个 FireFox 插件,它将来自我的服务器的网页显示为控制和信息面板。这些面板是在常规 URL 中编写和工作的,但是当我尝试通过自定义协议访问它们时(就像 about:, 只是 myplugin:settings),每个 XMLHttpRequest 返回空白,就好像我正在执行 XSS 操作一样。我知道数据正在通过 - 请求有效,已被服务器接受,并且 tcpdump 表示它们正在将其发送到我的机器。显然,它与自定义协议实现有关,因此以下是相关部分:
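/**
 * Build the nsIURI object for a spec handled by this protocol handler.
 *
 * When a base URI is supplied, the spec is treated as relative and the
 * "myplugin:" scheme is prepended; baseURI is not otherwise used to resolve it.
 *
 * @param {string} spec - URI text to wrap.
 * @param {string} charset - unused by this implementation.
 * @param {nsIURI} baseURI - base URI, or null/undefined when spec is absolute.
 * @returns {nsIURI} a simple-uri instance whose spec is the resulting string.
 */
newURI: function(spec, charset, baseURI)
{
  // A contract ID is an ordinary string that begins with "@", so the "@"
  // belongs inside the quotes; `[@"..."]` is a syntax error.
  // nsIURI is presumably Components.interfaces.nsIURI, bound elsewhere in the file.
  var uri = Components.classes["@mozilla.org/network/simple-uri;1"].createInstance(nsIURI);
  if (baseURI) {
    spec = "myplugin:" + spec;
  }
  uri.spec = spec;
  return uri;
},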
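/**
 * Map a myplugin: URI onto the backing API server and return a channel for it.
 *
 * Everything after the first ":" of aURI.spec is the "purpose". A purpose that
 * starts with "/" is used as an absolute path on the API host; anything else
 * is looked up under /frontend/. The API token is appended as a query
 * parameter in both cases.
 *
 * @param {nsIURI} aURI - the myplugin: URI being loaded.
 * @returns {nsIChannel} channel created by the handler registered for api_scheme.
 */
newChannel: function(aURI)
{
  var incomingURI = aURI.spec;
  var purpose = incomingURI.substring(incomingURI.indexOf(":") + 1);
  var api_scheme = "http";
  var api_host = "myapi.myserver.com";
  // NOTE(review): the token is hard-coded and sent in the query string over
  // plain http, so it is readable on the network path and tends to end up in
  // server and proxy logs. Prefer https and a request header for the token.
  var api_token = "temp";
  var path;
  var separator;
  var my_spec;
  var my_uri;
  var proto;

  // encodeURI leaves "?", "&", "=" and "#" untouched, so a query string that
  // is part of the purpose survives the encoding step.
  purpose = encodeURI(purpose);

  path = purpose.charAt(0) === "/" ? purpose : "/frontend/" + purpose;

  // Choose the separator from the final path. The /frontend/ branch used to
  // append "?api_token=" unconditionally, which produced a second "?" (and so
  // folded the token into the previous parameter's value) whenever the
  // purpose already carried a query string.
  separator = path.indexOf("?") !== -1 ? "&" : "?";
  my_spec = api_scheme + "://" + api_host + path + separator + "api_token=" + api_token;

  // The contract ID must be a quoted string; the unquoted form does not parse.
  my_uri = Components.classes["@mozilla.org/network/simple-uri;1"].createInstance(nsIURI);
  my_uri.spec = my_spec;

  // NOTE(review): the returned channel loads from api_scheme://api_host, not
  // from myplugin:. Which origin the resulting document is given decides
  // whether its XMLHttpRequest calls back to api_host count as same-origin;
  // confirm against the platform's handling of the channel's original URI.
  proto = Components.classes["@mozilla.org/network/protocol;1?name=" + api_scheme].getService(nsIProtocolHandler);
  return proto.newChannel(my_uri);
}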
};
I am writing a FireFox add-on that displays webpages from my server as control and info panels. These panels were written and work in regular URLs, but when I try to access them through a custom protocol (so it's like about:, just myplugin:settings) every XMLHttpRequest returns blank as if I was doing XSS stuff. I know the data's getting through - the requests are valid, accepted by the server, and tcpdump says they're making it to my machine. Clearly, it has something to do with the custom protocol implementation, so here is the relevant part of that:
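/**
 * Build the nsIURI object for a spec handled by this protocol handler.
 *
 * When a base URI is supplied, the spec is treated as relative and the
 * "myplugin:" scheme is prepended; baseURI is not otherwise used to resolve it.
 *
 * @param {string} spec - URI text to wrap.
 * @param {string} charset - unused by this implementation.
 * @param {nsIURI} baseURI - base URI, or null/undefined when spec is absolute.
 * @returns {nsIURI} a simple-uri instance whose spec is the resulting string.
 */
newURI: function(spec, charset, baseURI)
{
  // A contract ID is an ordinary string that begins with "@", so the "@"
  // belongs inside the quotes; `[@"..."]` is a syntax error.
  // nsIURI is presumably Components.interfaces.nsIURI, bound elsewhere in the file.
  var uri = Components.classes["@mozilla.org/network/simple-uri;1"].createInstance(nsIURI);
  if (baseURI) {
    spec = "myplugin:" + spec;
  }
  uri.spec = spec;
  return uri;
},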
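/**
 * Map a myplugin: URI onto the backing API server and return a channel for it.
 *
 * Everything after the first ":" of aURI.spec is the "purpose". A purpose that
 * starts with "/" is used as an absolute path on the API host; anything else
 * is looked up under /frontend/. The API token is appended as a query
 * parameter in both cases.
 *
 * @param {nsIURI} aURI - the myplugin: URI being loaded.
 * @returns {nsIChannel} channel created by the handler registered for api_scheme.
 */
newChannel: function(aURI)
{
  var incomingURI = aURI.spec;
  var purpose = incomingURI.substring(incomingURI.indexOf(":") + 1);
  var api_scheme = "http";
  var api_host = "myapi.myserver.com";
  // NOTE(review): the token is hard-coded and sent in the query string over
  // plain http, so it is readable on the network path and tends to end up in
  // server and proxy logs. Prefer https and a request header for the token.
  var api_token = "temp";
  var path;
  var separator;
  var my_spec;
  var my_uri;
  var proto;

  // encodeURI leaves "?", "&", "=" and "#" untouched, so a query string that
  // is part of the purpose survives the encoding step.
  purpose = encodeURI(purpose);

  path = purpose.charAt(0) === "/" ? purpose : "/frontend/" + purpose;

  // Choose the separator from the final path. The /frontend/ branch used to
  // append "?api_token=" unconditionally, which produced a second "?" (and so
  // folded the token into the previous parameter's value) whenever the
  // purpose already carried a query string.
  separator = path.indexOf("?") !== -1 ? "&" : "?";
  my_spec = api_scheme + "://" + api_host + path + separator + "api_token=" + api_token;

  // The contract ID must be a quoted string; the unquoted form does not parse.
  my_uri = Components.classes["@mozilla.org/network/simple-uri;1"].createInstance(nsIURI);
  my_uri.spec = my_spec;

  // NOTE(review): the returned channel loads from api_scheme://api_host, not
  // from myplugin:. Which origin the resulting document is given decides
  // whether its XMLHttpRequest calls back to api_host count as same-origin;
  // confirm against the platform's handling of the channel's original URI.
  proto = Components.classes["@mozilla.org/network/protocol;1?name=" + api_scheme].getService(nsIProtocolHandler);
  return proto.newChannel(my_uri);
}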
};
评论(1)
在规范看来,你确实是在做 xss:面板以 myplugin: 协议寻址,而它发出的 XMLHttpRequest 指向 http://myapi.myserver.com,因此该请求属于跨源请求,受同源策略约束。
虽然不同平台的实现略有不同,但一般的经验法则是:相同的协议、相同的域、相同的端口。
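In the eyes of the spec you ARE doing xss: the panel is addressed as myplugin:, while its XMLHttpRequest goes to http://myapi.myserver.com, so the request is cross-origin and falls under the same-origin policy.
While the implementations differ slightly across platforms, the general rule of thumb is same protocol, same domain, same port.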