Roktaal

Untitled

Jan 15th, 2012
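  // Bridges XMLHttpRequest calls made by user scripts in the content security
  // scope to an XMLHttpRequest created from the chrome window.
  //
  // unsafeContentWin: the content window. It is stored as-is and only used
  //   through an XPCNativeWrapper in setupRequestEvent.
  // chromeWindow: the chrome window that supplies setTimeout and
  //   XMLHttpRequest for the privileged side of the request.
  function erepublikeasymessage_xmlhttpRequester(unsafeContentWin, chromeWindow) {
    this.unsafeContentWin = unsafeContentWin;
    this.chromeWindow = chromeWindow;
  }

  // this function gets called by user scripts in content security scope to
  // start a cross-domain xmlhttp request.
  //
  // details should look like:
  // {method,url,onload,onerror,onreadystatechange,headers,data}
  // headers should be in the form {name:value,name:value,etc}
  // can't support mimetype because i think it's only used for forcing
  // text/xml and we can't support that
  //
  // Throws Error when details.url is not a string primitive or when its scheme
  // is not http, https or ftp. On success nothing is returned; the request is
  // started later from a chromeWindow.setTimeout(..., 0) callback.
  erepublikeasymessage_xmlhttpRequester.prototype.contentStartRequest = function(details) {
    // important to store this locally so that content cannot trick us up with
    // a fancy getter that checks the number of times it has been accessed,
    // returning a dangerous URL the time that we actually use it.
    var url = details.url;

    // make sure that we have an actual string so that we can't be fooled with
    // tricky toString() implementations.
    if (typeof url !== "string") {
      throw new Error("Invalid url: url must be of type string");
    }

    var ioService = Components.classes["@mozilla.org/network/io-service;1"]
        .getService(Components.interfaces.nsIIOService);
    var scheme = ioService.extractScheme(url);

    // This is important - without it, GM_xmlhttpRequest can be used to get
    // access to things like files and chrome. Careful.
    // The list is an allow-list: anything not named here is rejected.
    // NOTE(review): ftp is accepted next to http/https - confirm it is still
    // needed.
    switch (scheme) {
      case "http":
      case "https":
      case "ftp":
        // Pass the validated local copy of the URL, never details.url again.
        // hitch presumably binds `this` and the two arguments for the deferred
        // call - verify against erepublikeasymessage_gmCompiler.
        this.chromeWindow.setTimeout(
            erepublikeasymessage_gmCompiler.hitch(this, "chromeStartRequest", url, details), 0);
        break;
      default:
        throw new Error("Invalid url: " + url);
    }
  };

  // this function is intended to be called in chrome's security context, so
  // that it can access other domains without security warning
  //
  // safeUrl: the URL string already validated by contentStartRequest.
  // details: the content-supplied request description. Each of method,
  //   headers and data is read from it exactly once here, for the same reason
  //   contentStartRequest copies details.url: a getter on the content object
  //   must not be able to hand back a different value on a later access.
  erepublikeasymessage_xmlhttpRequester.prototype.chromeStartRequest = function(safeUrl, details) {
    var req = new this.chromeWindow.XMLHttpRequest();

    this.setupRequestEvent(this.unsafeContentWin, req, "onload", details);
    this.setupRequestEvent(this.unsafeContentWin, req, "onerror", details);
    this.setupRequestEvent(this.unsafeContentWin, req, "onreadystatechange", details);

    // NOTE(review): unlike url, the method, header values and data are passed
    // on without a typeof check, so any string conversion of content-supplied
    // objects would happen on this side - confirm whether they should be
    // restricted to primitives.
    var method = details.method;
    req.open(method, safeUrl);

    // Single read of details.headers; the check, the enumeration and the value
    // lookups below all use this one snapshot.
    var headers = details.headers;
    if (headers) {
      // for-in also visits enumerable properties inherited through the
      // prototype chain, not only the object's own ones.
      for (var prop in headers) {
        req.setRequestHeader(prop, headers[prop]);
      }
    }

    req.send(details.data);
  };

  // arranges for the specified 'event' on xmlhttprequest 'req' to call the
  // method by the same name which is a property of 'details' in the content
  // window's security context.
  //
  // Nothing is installed when details[event] is falsy. The handler receives a
  // plain object holding copies of responseText, readyState, responseHeaders,
  // status and statusText; the last three are filled in only at readyState 4
  // and are ''/0/'' before that.
  erepublikeasymessage_xmlhttpRequester.prototype.setupRequestEvent =
      function(unsafeContentWin, req, event, details) {
    if (details[event]) {
      req[event] = function() {
        var isDone = req.readyState === 4;
        var responseState = {
          // can't support responseXML because security won't
          // let the browser call properties on it
          responseText: req.responseText,
          readyState: req.readyState,
          responseHeaders: (isDone ? req.getAllResponseHeaders() : ''),
          status: (isDone ? req.status : 0),
          statusText: (isDone ? req.statusText : '')
        };

        // Pop back onto browser thread and call event handler.
        // Have to use nested function here instead of GM_hitch because
        // otherwise details[event].apply can point to window.setTimeout, which
        // can be abused to get increased privileges.
        // details[event] is looked up again when the timer fires, and only the
        // copied responseState object is handed to it, never req itself.
        new XPCNativeWrapper(unsafeContentWin, "setTimeout()")
            .setTimeout(function() { details[event](responseState); }, 0);
      };
    }
  };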