Why does user_pref("capability.policy.default.Location.href", "allAccess"); no longer work in FireFox 4? How can I re-enable this feature?
On upgrading to FireFox 4 from 3.6.15, I noticed that my capability.policy.default items in the prefs.js file were no longer working (the custom site that I run locally needs access to this attribute, amongst others) - how can I go about returning this feature back on?
Example CAPS entry: user_pref("capability.policy.default.Location.href", "allAccess");
I've had to downgrade again to 3.6.15 until I can get this to work.
Tested on Windows XP (SP3), and using existing/new profiles in FF 4.0 and using prefs.js and user.js - nothing can get the Javascript code to read the location.href and getting an error generated in the error console. Also tested on Mac OS X 10.6.7 with FF 4.0 - still no luck getting capability.policies to work.
Please help...
Modified by damager
All Replies (4)
Anyone, really? This would be a bug if you ask me and it doesn't work on two different operating systems. Does anyone have a way of disabling the Same Origin Policy, temporarily, for FF4 whilst this gets looked at/fixed?
On Google Chrome, --disable-web-security would be the equivalent.
New information: On FireFox 3.6 if I remove the following line from prefs.js: user_pref("capability.policy.default.Location.href", "allAccess");
I get the following error:
Error: Permission denied for <http://<Redacted>> to get property Location.href Source File: http://<Redacted>/ Line: 1769 </p>
I get a slightly different error under FF4.0 - is there a different syntax now, as it is no longer showing "Location.href", but just "href" (and yes, I've tried removing Location. from the user_pref)...
Error: Permission denied to access property 'href' Source File: http://<Redacted</ Line: 1769 </p>
Modified by damager
New information:
Also happens on Windows Vista (upgrading from FF 3.5 directly to 4.0) and Windows 7 (from FF 3.6 to 4.0).
I've been beating my head against this problem for a few hours, and I finally solved it. I'd been trying to set a capability policy using the "magic" default policy, and nothing would work - I could disable properties and functions of the Window object, but not the Location object.
It turns out that if I set a custom policy name, and named the specific sites I wanted the policy to apply to, it works! The only hitch is that you'll have to build a whitelist of sites that are allowed to have this kind of access, instead of allowing any site to access it by default. I think this is prudent security policy, in order to prevent XSS attacks.
So, for your case, instead of this: user_pref("capability.policy.default.Location.href", "allAccess");
use this instead: user_pref("capability.policy.policynames", "hrefaccess"); user_pref("capability.policy.hrefaccess.sites", "http://example.com http://www.example.com"); user_pref("capability.policy.hrefaccess.Location.href", "allAccess");
I haven't tested this code, but a similar implementation for my problem did the trick. I hope this helps!