I feel wary about a solution that allows pages to access a xpcom component.
As soon as you do that anybody writting such a xpcom component must be competent enough to be certain there's now way it can be misused. To exploit Firefox you suddenly don't need anymore to get someone to install your evil extension, but just to find someone who has already installed an insecure one.

(From Alex: This is a legitimate concern, and also the reason I opened my article saying most components shouldn't do this. Some, however, are designed for use by the public, including the two I talk about.)

Thank you so much! I was working on how to expose a component to javascript and I couldn't make it work!!