Closed
Bug 148465
Opened 22 years ago
Closed 17 years ago
add wyciwyg:// protocol to CheckLoadURI
Categories
(Core :: Security: CAPS, defect)
Core
Security: CAPS
Tracking
()
RESOLVED
FIXED
People
(Reporter: security-bugs, Assigned: dveditz)
References
(Blocks 1 open bug)
Details
We need to add the wyciwyg: protocol to the CheckLoadURI function's protocol list. It should be treated as local data, like file:.
|
||
Comment 1•22 years ago
|
||
A wyciwyg url should be treated by the security manager as being the same as its source. For example, wyciwyg://2/http://localhost/foo/ came from http://localhost/foo/. This seems to work already: in the JS console, I see "Content at http://localhost/foo/ may not load or link to file:///c%7C/" even though foo/index.html has rewritten itself using document.write. See also bug 123293, we send bogus referrers from wyciwyg URLs.
|
||
Comment 2•21 years ago
|
||
Note that this bug breaks Replicon's (http://www.replicon.com/) Web TimeSheet program when it's run from a secure server (program functions, but gives security warnings/broken (red) lock icon).
|
Reporter | |
Comment 3•21 years ago
|
||
This bug may be causing the warnings, but it's not causing the red lock icon.
|
Assignee | |
Updated•18 years ago
|
Assignee: security-bugs → dveditz
QA Contact: bsharma → caps
|
||
Comment 4•17 years ago
|
||
This is now fixed, as a result of the checkins for bug 387333 (1.8 branch) and bug 120373 (trunk).
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•