I assume that you are in the XULRunner application and are trying to download the chrome URL from a non-chrome source in the browser (e.g. HTTP or local file). Although including UniversalXPConnect and UniversalBrowserWrite can be useful, they also pose a security risk (since any arbitrary scripts on the Internet can use them), so they are usually disabled in browsers (for example, running this line in Firebug will give you an exception):
>>> netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect UniversalBrowserWrite"); Error: A script from "http://stackoverflow.com" was denied UniversalXPConnect UniversalBrowserWrite privileges.
How about how you try to use security principles for codebase and do you see it that matters? (Http://www.mozilla.org/projects/security/components/signed-scripts.html#codebase). For me in Firebug, this allows me to get additional permissions after I'm OK with a large, nasty dialog box), but still does not allow me to open the Chrome URL using window.open. The next step is probably an attempt to modify the conf file to use contentaccessible so that the accessible portion of your content is available (see https://developer.mozilla.org/en/Chrome_Registration#contentaccessible ).
To avoid unpleasant messages when increasing permissions, you can try to automatically set permissions for the correct files, as described in http://forums.mozillazine.org/viewtopic.php?f=38&t=1769555 .
Also, make sure you check your browser type (https://developer.mozilla.org/en/XUL/Attribute/browser.type). If the browser type is not chrome plated, then it might be worth a try to make it chrome and see if it matters.
If any of my assumptions is wrong, come back to me and I will try something else.