Closed Bug 301119 Opened 19 years ago Closed 16 years ago

Need to allow chrome favicons for XUL error pages

Categories

(Toolkit :: UI Widgets, defect)

Product:
Toolkit
Component:
UI Widgets
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: whimboo, Assigned: whimboo)

References

Details

Attachments

(2 files, 4 obsolete files)

Ported patch for toolkit [Checkin: Comment 26 (& 27)]
1.31 KB, patch
benjamin
: first-review+
benjamin
: approval1.8b4+
Details | Diff | Splinter Review
Updated patch for SeaMonkey v2 [Checkin: Comment 46]
2.67 KB, patch
whimboo
: review+
Details | Diff | Splinter Review 
Currently checkLoadURI in tabbrowser.xml restricts loading of favicon for
chrome-URIs.

We should allow loading of favicons here because normal images doesn't have this
restriction. I noticed this bug while working on bug 280190.

http://lxr.mozilla.org/seamonkey/source/xpfe/global/resources/content/bindings/tabbrowser.xml#716
http://lxr.mozilla.org/seamonkey/source/content/base/src/nsContentUtils.cpp#1821

Patch upcoming...
Assignee: dveditz → hskupin
Status: NEW → ASSIGNED
Attachment #189619 - Flags: first-review?(bzbarsky)

        Attachment #189620 -
        Flags: first-review?(darin)
Blocks: 280190

    
    

    
  
Nromal images have this restriction because known functionality (eg some remote
XUL) would break with it.  The fact that they don't have this restriction does
NOT make me happy...

Is there an actual use case for chrome favicons?

    
    

    
  
(In reply to comment #3)
> Is there an actual use case for chrome favicons?

As I mentioned before we want to use a favicon on the new netError.xhtml page. 

    
    

    
  
How about only allowing loading of chrome favicons by a chrome page, then?

    
    

    
  
(In reply to comment #5)
> How about only allowing loading of chrome favicons by a chrome page, then?

One possibility, but this wouldn't help us due to netError.xhtml doesn't have
chrome permissions since bug 292624 was fixed. Or how we could handle his? But
setting a restriction for loading chrome favicons by normal webpages is a good
idea. They don't need access.

    
    

    
  
Can't you get the actual URI loaded from the page's docshell and just look at
the scheme?

    
    

    
  
Comment on attachment 189619 [details] [diff] [review]
Enable loading of favicons for xpfe

Per comments

        Attachment #189619 -
        Flags: first-review?(bzbarsky) → first-review-

    
    

    
  
(In reply to comment #7)
> Can't you get the actual URI loaded from the page's docshell and just look at
> the scheme?

Sorry, I don't really understand, what I should do. You are only interested to
know the current scheme of netError? After the checkin of bug 292624 the scheme
was changed to "moz-neterror:page?e=error&u=url&d=desc". 


    
    

    
  
That's the URI that starts to be loaded.  I'm talking about the URI as actually
loaded...  biesi, do we have a way of getting at it in this case?

    
    

    
  
(In reply to comment #10)
> That's the URI that starts to be loaded.  I'm talking about the URI as actually
> loaded...  biesi, do we have a way of getting at it in this case?

Ok, I've used DOMi to get the documentURI. I hope this is that one you wanna
have... 

It looks like that one:
about:neterror?e=dnsNotFound&u=http%3A//www.not.existent/&c=UTF-8&d=www.not.existent%20could%20not%20be%20found.%20Please%20check%20the%20name%20and%20try%20again.

    
    

    
  
hmm, I guess docshell.currentURI really is the channel's originalURI.
document.documentURI maybe?

    
    

    
  
For an about: load, document.documentURI will be the originalURI of the channel.
 The webnavigation's currentURI will generally be the channel's final URI, but
for error pages I believe we might force it to be the URI the user originally
started to load...

In any case, is there a reason to allow chrome favicons for anything but
"about:neterror" (as documentURI here)?
Blocks: 229737

    
    

    
  
(In reply to comment #13)
> For an about: load, document.documentURI will be the originalURI of the channel.
>  The webnavigation's currentURI will generally be the channel's final URI, but
> for error pages I believe we might force it to be the URI the user originally
> started to load...

Ok, I tested the values for the above objects.

document.documentURI:          about:neterror?e=dnsNotFound...
getWebNavigation().currentURI: http://www.not.existent/

> In any case, is there a reason to allow chrome favicons for anything but
> "about:neterror" (as documentURI here)?

At this time I don't think so. Afaik netError.xhtml will be the only page using
a chrome referenced favicon.

    
    

    
  
I'd be in favor of restricting to that, then.

    
    

    
  
*** Bug 302797 has been marked as a duplicate of this bug. ***
Assignee: hskupin → dveditz
Status: ASSIGNED → NEW

    
    

    
  
Comment on attachment 189620 [details] [diff] [review]
Enable loading of favicons for toolkit

equivalent to the one bz rejected

        Attachment #189620 -
        Flags: first-review?(darin) → first-review-

    
    

    
  
As summarized this is WFM: chrome pages *can* load chrome favicons and
checkLoadURI works fine.

Rather than a general bug I think this is specific to the about:neterror? page.
This should get fixed in tabbrowser rather than caps.
Assignee: dveditz → nobody
Component: Security → XUL Widgets
QA Contact: toolkit → xul.widgets
Summary: checkLoadURI should allow loading of favicons for chrome-URIs → Need to allow chrome favicons for XUL error pages

    
    

    
  
(In reply to comment #18)
> As summarized this is WFM: chrome pages *can* load chrome favicons and
> checkLoadURI works fine.

Indeed a bad summary. Thanks for adjusting to the real issue.

> Rather than a general bug I think this is specific to the about:neterror? page.
> This should get fixed in tabbrowser rather than caps.

Yes, it seems only to be used for netError.xhtml. Personaly I havn't an idea
where to start now. 

    
    

    
  


  
maybe something like this, but this is completely untested

(the reason for the chrome check is that I feared XSS attacks on the error page
leading to insertion of another <link rel="icon">, which I suspect does load
the favicon. I haven't verified that, but I thought better to be on the safe
side...)

    
    

    
  
(I don't intend to do anything with this patch, someone else will have to take
care of it)

    
    

    
  
Christian's patch is what I was suggesting (good call on checking that the
favicon is indeed chrome). If we think this is at all useful we could let all
about: URIs set a chrome favicon, but this is a conservative change to fix the
narrowly stated problem.

the Toolkit tabbrowser would need the same patch.

    
    

    
  
Comment on attachment 191143 [details] [diff] [review]
allow favicons for error pages only

r=dveditz
I have no idea how important neterror favicons are to 1.8b4. This is not marked
blocking (or even nominated). We need bsmedberg's (or mconnor's) r= on this.

        Attachment #191143 -
        Flags: second-review+

        Attachment #191143 -
        Flags: first-review?(benjamin)

    
  

        Attachment #191143 -
        Flags: first-review?(benjamin) → first-review+

    
    

    
  


  
Assignee: nobody → hskupin

        Attachment #189619 -
        Attachment is obsolete: true

        Attachment #189620 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

        Attachment #191267 -
        Flags: first-review?(benjamin)

        Attachment #191143 -
        Flags: approval1.8b4?

    
    

    
  
Comment on attachment 191143 [details] [diff] [review]
allow favicons for error pages only

Such a favicon will get pushed all the way up the UI to the URLbar and the
bookmarks. Pages without their own icon will not get reset when the page loads
succesfully. Maybe it's possible to fake a favicon like we do for image
documents.

    
  

        Attachment #191267 -
        Flags: first-review?(benjamin)

        Attachment #191267 -
        Flags: first-review+

        Attachment #191267 -
        Flags: approval1.8b4+

    
  

        Attachment #191143 -
        Flags: approval1.8b4? → approval1.8b4+
Whiteboard: [checkin needed]

    
    

    
  
Checking in toolkit/content/widgets/tabbrowser.xml;
/cvsroot/mozilla/toolkit/content/widgets/tabbrowser.xml,v  <--  tabbrowser.xml
new revision: 1.102; previous revision: 1.101
done
Checking in xpfe/global/resources/content/bindings/tabbrowser.xml;
/cvsroot/mozilla/xpfe/global/resources/content/bindings/tabbrowser.xml,v  <-- 
tabbrowser.xml
new revision: 1.125; previous revision: 1.124
done

Whiteboard: [checkin needed]

    
    

    
  
I backed out the xpfe patch because of comment 25, which may make this patch not
needed at least for xpfe.

    
    

    
  
(In reply to comment #25)
> (From update of attachment 191143 [details] [diff] [review] [edit])
> Such a favicon will get pushed all the way up the UI to the URLbar and the
> bookmarks. Pages without their own icon will not get reset when the page loads
> succesfully. Maybe it's possible to fake a favicon like we do for image
> documents.

I can't recognize this problem with my current cvs build of Firefox. Domains
without a favicon aren't updated with the netError warning icon. Also the
bookmark isn't updated. It still shows me the blank favicon after a complete reload.

What I have done:
- Put a bookmark without favicon to the PTB 
- Load this page
- Shut down the network
- Reload the page after clearing the cache
- Tab and location bar show the warning icon but not the bookmark
- Click bookmark to refresh it - still blank icon
- Reconnect network
- Reload page - tab and location bar shows blank favicon

    
    

    
  
(In reply to comment #28)
>(In reply to comment #25)
>>Such a favicon will get pushed to the URLbar and bookmarks.
>I can't recognize this problem with my current cvs build of Firefox.
No, it turns out that Firefox only update the bookmarks icon when a page loads
(error pages don't load, they just show). So as long as you don't patch xpfe's
tabbrowser.xml then we'll be fine.                                             
                                                             

    
    

    
  
note that the xpfe part of bug 229737 is now checked in, so seamonkey shouldn't
change any favicons when error pages are loaded.

    
    

    
  
(In reply to comment #30)
> note that the xpfe part of bug 229737 is now checked in, so seamonkey shouldn't
> change any favicons when error pages are loaded.

So we want to fix this bug or are favicons for xul error pages out of scope for now?

    
  
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to comment #31)
>So we want to fix this bug
The patch still applies, so I guess biesi can check it in (it's his patch)...

    
  
Depends on: 430433

    
    

    
  
can someone else take care of checking this in for me, if it's still needed?
Keywords: checkin-needed

    
    

    
  
(In reply to comment #33)
> can someone else take care of checking this in for me, if it's still needed?

You mean backing it out, as per bug 430433?

    
    

    
  
> You mean backing it out, as per bug 430433?
No Biesi means that the patch needs to be landed.

    
    

    
  
>> You mean backing it out, as per bug 430433?
>No Biesi means that the patch needs to be landed.
But in /suite/ and not in /xpfe/

    
    

    
  
The patch needs to updated to apply to the suite tabbrowser, and should probably included about:blocked like the current Firefox code in browser.js does. It should probably also be tested and maybe even reviewed again after someone's done that.
Keywords: checkin-needed

    
    

    
  
So which patches have to be updated? Both or only the one for suite?

Reopening bug until the remaining work is done and an updated patch is checked in.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
The suite patch needs to be updated for the tabbrowser.xml living in suite/ - this is probably the cause of bug 431955.
Blocks: 431955

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Updated patch for SeaMonkey (obsolete)
        — Splinter Review
      

    


  
This patch updates the suite tabbrowser.xml in the same way how Firefox handles it.

        Attachment #191143 -
        Attachment is obsolete: true

        Attachment #319128 -
        Flags: review?

        Attachment #319128 -
        Flags: review? → review?(kairo)
Version: unspecified → Trunk
Status: REOPENED → ASSIGNED

    
    

    
  
Comment on attachment 319128 [details] [diff] [review]
Updated patch for SeaMonkey

I don't really understand tabbrowser code, over to Neil who should actually know it.

        Attachment #319128 -
        Flags: review?(kairo) → review?(neil)

    
    

    
  
Comment on attachment 319128 [details] [diff] [review]
Updated patch for SeaMonkey

>+              const aboutBlocked = /^about:blocked\?/;
We don't (yet?) have about:blocked, so I don't think we should test for it, it will only confuse people. r=me with that fixed.

>+                const secMan =
>+                Components.classes["@mozilla.org/scriptsecuritymanager;1"]
>+                          .getService(nsIScriptSecurityManager);
Nit: need to reindent all three lines, not just the first ;-)

        Attachment #319128 -
        Flags: review?(neil) → review+

    
    

    
  


  
Fixed comments and taken over r+.

Robert, do we need sr for this module?

        Attachment #319128 -
        Attachment is obsolete: true

        Attachment #322405 -
        Flags: review+

    
    

    
  
Given that Neil as our "UI tsar" has done the review, I guess it's ok to go in this way.

    
    

    
  
Ok, so I need someone to check this in. Thanks.
Keywords: checkin-needed

    
    

    
  
Checking in suite/browser/tabbrowser.xml;
/cvsroot/mozilla/suite/browser/tabbrowser.xml,v  <--  tabbrowser.xml
new revision: 1.196; previous revision: 1.195
done

Is this fixed now? If so, leaving to Henrik to mark it as such :)
Keywords: checkin-needed

    
    

    
  
Comment on attachment 322405 [details] [diff] [review]
Updated patch for SeaMonkey v2
[Checkin: Comment 46]

>+              if (!(aboutNeterr.test(targetDoc.documentURI) ||
>+                  !uri.schemeIs("chrome")) {

Grrr, the first of those lines has a ( too much, killed the one after the ! as a bustage fix, thanks to ajschult for pointing this out.

    
    

    
  
Sorry for the bustage. But with the follow-up fix this bug should be resolved now. Marking accordingly.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago16 years ago
Resolution: --- → FIXED

        Attachment #322405 -
        Attachment description: Updated patch for SeaMonkey v2 → Updated patch for SeaMonkey v2
[Checkin: Comment 46]

        Attachment #191267 -
        Attachment description: Ported patch for toolkit → Ported patch for toolkit
[Checkin: Comment 26 (& 27)]
Blocks: 430433
No longer depends on: 430433

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: