How To Set An Xul Key Dynamically And Securely?
Solution 1:
The statement about <key> elements requiring either a command or an oncommand attribute is correct. Looking at the code triggering key handlers, it has an optimization that will ignore any <key> element that is either disabled or has neither a command nor an oncommand attribute - so the command event won't even fire for these elements. I solve this by adding a dummy oncommand attribute containing a JavaScript comment:
key.setAttribute("oncommand", "//");
But void(0); is fine as an attribute value as well, of course.
There won't be any issues getting this reviewed. The potential security issue you heard about is generating the oncommand value dynamically, e.g.:
key.setAttribute("oncommand", "foo('" + bar + "')");
Depending on the value of bar (and particularly when bar comes from a website) this can be very dangerous. However, you don't generate the attribute value dynamically, it's always void(0); in your case - so no issue there.
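Added example, not part of the original answer: the concatenated oncommand string next to the constant placeholder plus a command listener, so the difference in how bar is treated is visible. FakeKey, bindKey, unsafeOncommand, otherCall and the sample value are hypothetical names made up for this sketch; FakeKey only models the key-handler behaviour the answer describes so the code runs outside Firefox.

```javascript
// Stand-in for a XUL <key> element, constructed for this example so it runs
// outside Firefox; in an extension use document.createElement("key").
class FakeKey {
  constructor() {
    this.attrs = new Map();
    this.listeners = [];
  }
  setAttribute(name, value) { this.attrs.set(name, String(value)); }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  addEventListener(type, fn) { if (type === "command") this.listeners.push(fn); }
  // Models the optimization described in the answer: a key that is disabled
  // or has neither command nor oncommand never gets a command event.
  fireCommand() {
    const usable = this.attrs.has("command") || this.attrs.has("oncommand");
    if (this.getAttribute("disabled") === "true" || !usable) return false;
    this.listeners.forEach((fn) => fn({ type: "command", target: this }));
    return true;
  }
}

// Risky pattern: bar is spliced into script source, so a quote in bar ends
// the string literal and the rest of bar is parsed as code.
function unsafeOncommand(bar) {
  return "foo('" + bar + "')";
}

// Safer pattern: oncommand is a constant placeholder that only keeps the key
// active; bar travels through a closure and is never parsed as script.
function bindKey(key, bar, foo) {
  key.setAttribute("oncommand", "void(0);");
  key.addEventListener("command", () => foo(bar));
  return key;
}

// Constructed sample value standing in for text taken from a web page.
const SAMPLE_BAR = "x'); otherCall('";

function demo() {
  const received = [];
  const key = bindKey(new FakeKey(), SAMPLE_BAR, (v) => received.push(v));
  const fired = key.fireCommand();
  return {
    unsafeAttr: unsafeOncommand(SAMPLE_BAR),
    safeAttr: key.getAttribute("oncommand"),
    fired,
    received,
  };
}
```

With the listener approach the attribute value stays the same for every key, which is the property the answer relies on when it says the constant void(0); raises no review concern.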