Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why does user_pref("capability.policy.default.Location.href", "allAccess"); no longer work in FireFox 4? How can I re-enable this feature?

  • 4 replies
  • 15 have this problem
  • 1 view
  • Last reply by Natorator

more options

On upgrading to FireFox 4 from 3.6.15, I noticed that my capability.policy.default items in the prefs.js file were no longer working (the custom site that I run locally needs access to this attribute, amongst others) - how can I go about returning this feature back on?

Example CAPS entry: user_pref("capability.policy.default.Location.href", "allAccess");

I've had to downgrade again to 3.6.15 until I can get this to work.

Tested on Windows XP (SP3), and using existing/new profiles in FF 4.0 and using prefs.js and user.js - nothing can get the Javascript code to read the location.href and getting an error generated in the error console. Also tested on Mac OS X 10.6.7 with FF 4.0 - still no luck getting capability.policies to work.

Please help...

On upgrading to FireFox 4 from 3.6.15, I noticed that my capability.policy.default items in the prefs.js file were no longer working (the custom site that I run locally needs access to this attribute, amongst others) - how can I go about returning this feature back on? Example CAPS entry: user_pref("capability.policy.default.Location.href", "allAccess"); I've had to downgrade again to 3.6.15 until I can get this to work. Tested on Windows XP (SP3), and using existing/new profiles in FF 4.0 and using prefs.js and user.js - nothing can get the Javascript code to read the location.href and getting an error generated in the error console. Also tested on Mac OS X 10.6.7 with FF 4.0 - still no luck getting capability.policies to work. Please help...

Modified by damager

All Replies (4)

more options

Anyone, really? This would be a bug if you ask me and it doesn't work on two different operating systems. Does anyone have a way of disabling the Same Origin Policy, temporarily, for FF4 whilst this gets looked at/fixed?

On Google Chrome, --disable-web-security would be the equivalent.

more options

New information: On FireFox 3.6 if I remove the following line from prefs.js: user_pref("capability.policy.default.Location.href", "allAccess");

I get the following error:

Error: Permission denied for <http://<Redacted>> to get property Location.href Source File: http://<Redacted>/ Line: 1769 </p>

I get a slightly different error under FF4.0 - is there a different syntax now, as it is no longer showing "Location.href", but just "href" (and yes, I've tried removing Location. from the user_pref)...

Error: Permission denied to access property 'href' Source File: http://<Redacted</ Line: 1769 </p>

Modified by damager

more options

New information:

Also happens on Windows Vista (upgrading from FF 3.5 directly to 4.0) and Windows 7 (from FF 3.6 to 4.0).

more options

I've been beating my head against this problem for a few hours, and I finally solved it. I'd been trying to set a capability policy using the "magic" default policy, and nothing would work - I could disable properties and functions of the Window object, but not the Location object.

It turns out that if I set a custom policy name, and named the specific sites I wanted the policy to apply to, it works! The only hitch is that you'll have to build a whitelist of sites that are allowed to have this kind of access, instead of allowing any site to access it by default. I think this is prudent security policy, in order to prevent XSS attacks.

So, for your case, instead of this: user_pref("capability.policy.default.Location.href", "allAccess");

use this instead: user_pref("capability.policy.policynames", "hrefaccess"); user_pref("capability.policy.hrefaccess.sites", "http://example.com http://www.example.com"); user_pref("capability.policy.hrefaccess.Location.href", "allAccess");

I haven't tested this code, but a similar implementation for my problem did the trick. I hope this helps!