Security changes

Chrome access

In prior versions of Firefox, any web page could load scripts or images from chrome using the chrome:// protocol. Among other things, this made it possible for sites to detect the presence of add-ons -- which could be used to breach a user's security by bypassing add-ons that add security features to the browser.

Firefox 3 only allows web content to access items in the chrome://browser/ and chrome://toolkit/ spaces. These files are intended to be accessible by web content. All other chrome content is now blocked from access by the web.

There is, however, a way for extensions to make their content web-accessible. They can specify a special flag in their chrome.manifest file, like this:

content mypackage location/ contentaccessible=yes

This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed. Note that it's possible that Firefox may alert the user that your extension uses the contentaccessible flag in this way, as it does constitute a potential security risk.

Note: Because Firefox 2 doesn't understand the contentaccessible flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:

content mypackage location/
content mypackage location/ contentaccessible=yes

So, I use the following two lines in the chrome.manifest file.

content firefoxtoolbar jar:chrome/firefoxtoolbar.jar!/content/ 
content firefoxtoolbar jar:chrome/firefoxtoolbar.jar!/content/ contentaccessible=yes

Then, it works fine.
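
Because contentaccessible=yes exposes a package's chrome content to every web page, it helps to audit a manifest for which packages carry the flag and whether each also has the flag-free line Firefox 2 needs. The script below is an added example, not part of the original post or of Firefox; the sample manifest is constructed, and the package names examplepkg and internalpkg are hypothetical.

```python
# Added example: audit chrome.manifest "content" lines for web exposure.
# SAMPLE_MANIFEST is constructed; "examplepkg" and "internalpkg" are hypothetical.
SAMPLE_MANIFEST = """\
# constructed sample manifest
content firefoxtoolbar jar:chrome/firefoxtoolbar.jar!/content/
content firefoxtoolbar jar:chrome/firefoxtoolbar.jar!/content/ contentaccessible=yes
content examplepkg jar:chrome/examplepkg.jar!/content/ contentaccessible=yes
content internalpkg jar:chrome/internalpkg.jar!/content/
locale firefoxtoolbar en-US jar:chrome/firefoxtoolbar.jar!/locale/en-US/
"""

def parse_content_lines(text):
    """Yield (package, location, flags) for each 'content' registration."""
    for raw in text.splitlines():
        parts = raw.split()
        # Skip blanks, comments, and other instruction types (locale, skin, ...).
        if len(parts) < 3 or parts[0] != "content":
            continue
        yield parts[1], parts[2], parts[3:]

def audit(text):
    """Return {package: {"web_accessible": bool, "firefox2_fallback": bool}}."""
    report = {}
    for package, _location, flags in parse_content_lines(text):
        entry = report.setdefault(
            package, {"web_accessible": False, "firefox2_fallback": False})
        if "contentaccessible=yes" in flags:
            # Firefox 3 lets web pages load this package's chrome content.
            entry["web_accessible"] = True
        elif not any(f.startswith("contentaccessible") for f in flags):
            # Per the note above, Firefox 2 only reads lines without the flag.
            entry["firefox2_fallback"] = True
    return report

def findings(text):
    """Review notes, one or two per package that is exposed to web content."""
    notes = []
    for package, entry in sorted(audit(text).items()):
        if not entry["web_accessible"]:
            continue
        notes.append(f"{package}: exposed to web content via contentaccessible=yes")
        if not entry["firefox2_fallback"]:
            notes.append(f"{package}: no flag-free line, Firefox 2 ignores the package")
    return notes

if __name__ == "__main__":
    for note in findings(SAMPLE_MANIFEST):
        print(note)
```

Each package reported as exposed is one whose presence a web page can detect, so the list doubles as a review checklist for whether the flag is really needed.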