I have a xulrunner application that uses browser component to display HTML content. For security reasons I would like to restrict that browser to be able to only access a certain url mask.
I would like to restrict any networking to intranet only, something like "*.company.com". But not only page navigation, XHR, CSS, script and all the netwoking.
Does any body know how to implement this? Any XPCOM components that I could use for it?
The easiest way to do this would be through a proxy auto-configuration file (assuming that your application doesn't actually need to use a proxy). So you would set network.proxy.type preference to 2 (use PAC file) and network.proxy.autoconfig_url to chrome://.../proxy.js. With proxy.js being something along the lines of:
function FindProxyForURL(url, host)
{
if (shExpMatch(host, "*.company.com"))
{
return "DIRECT";
}
return "SOCKS localhost:19191";
}
So any requests to *.company.com won't use a proxy whereas requests to other hosts will be directed to a localhost port which is hopefully closed - so these requests will not succeed. This is a hack of course but one that is simple enough and works well in most scenarios.
The proper (but more complicated) way of doing this would be using content policies. You need to implement nsIContentPolicy in an XPCOM component and register that component in the content-policy category. This will make sure that the shouldLoad() method of your component will be called for each URL to be loaded - you can return Ci.nsIContentPolicy.REJECT_REQUEST to block the load.