Closed
Bug 53124
Opened 24 years ago
Closed 21 years ago
[FIXr]location.host fails for pages loaded from jar
Categories: Core :: DOM: Core & HTML, defect, P2
Status: RESOLVED FIXED
Target Milestone: mozilla1.7final
People: Reporter: security-bugs, Assigned: bzbarsky
Keywords: dom0, fixed1.7
Attachments (1 file): patch, 4.34 KB (darin.moz: review+, jst: superreview+, asa: approval1.7+)
If a page was loaded from the jar protocol, accessing document.location.host
fails and stops the script. This is because nsJARURI::GetHost always returns
failure. Since Warren insists this is the correct behavior, the alternative is
to special-case JAR URLs in nsLocation.
This feature is important for security. In order to prevent a signed script from
being copied to another site, a script must check document.location.host to see
what host the script is being run from.
Comment 1 • 24 years ago (Reporter)
Warren, jband and I talked this over. I think the consensus was for a
special-case solution in DOM rather than changing the behavior of nsJARURI.
However, we can live without this for now. Marking Future.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Comment 2 • 23 years ago (Reporter)
performance, footprint, feature work, and re-architecture bugs will be addressed
in 0.9.8
Target Milestone: Future → mozilla0.9.8
Comment 4 • 21 years ago (Assignee)
Comment 5 • 21 years ago (Assignee)
Comment on attachment 146733: Possible patch
So assuming we still want to do this, I think this is the way to do it... I
just changed host, hostname, and port. The rest should come from the jar URI
itself.
Attachment #146733 - Flags: superreview?(jst)
Attachment #146733 - Flags: review?(darin)
Comment 6 • 21 years ago
Comment on attachment 146733: Possible patch
sr=jst
Attachment #146733 - Flags: superreview?(jst) → superreview+
Comment 7 • 21 years ago
Comment on attachment 146733: Possible patch
r=darin, but...
what about a jar file contained in a jar file loaded from a http site? what
should happen in that case? should you loop? also, what about wyciwyg? i
also thought it would be nice if we had a nsILayeredURI or something like that
that could be used to generalize the concept of a URI containing an inner URI.
Attachment #146733 - Flags: review?(darin) → review+
Comment 8 • 21 years ago (Assignee)
> what about a jar file contained in a jar file loaded from a http site?
> what should happen in that case? should you loop?
At the moment, I loop. Given the original intent of this bug, that seemed like
the most reasonable thing to do.
> also, what about wyciwyg?
What about it? At the moment, CreateExposableURI makes it happy. If we have
wyciwyg://x/jar:whatever, we run into trouble, I guess....
> it would be nice if we had a nsILayeredURI or something like that
That may in fact be a good idea... Want to file a bug on that?
Assignee: security-bugs → bzbarsky
Status: ASSIGNED → NEW
Priority: P3 → P2
Summary: location.host fails for pages loaded from jar → [FIXr]location.host fails for pages loaded from jar
Target Milestone: Future → mozilla1.8alpha
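The behaviour discussed in comments 5 and 8 (host, hostname and port taken from the URI inside the jar: wrapper, looping over nested jars), as an added example that is not part of this bug or the checked-in patch. The function names are hypothetical, the sample URLs are constructed, and splitting each layer at the last "!/" is an assumption.

```javascript
// Added illustration, not Mozilla source. unwrapJar, locationParts and
// runsOnExpectedHost are hypothetical names.

// A jar: URI has the form jar:<inner-uri>!/<entry>. Peel layers until a
// non-jar URI remains, so nested jars resolve to the URI they were loaded
// from. Assumption: each layer's entry starts at the last "!/".
function unwrapJar(spec, maxDepth = 8) {
  let current = spec;
  for (let depth = 0; /^jar:/i.test(current); depth++) {
    if (depth >= maxDepth) throw new Error('jar: nesting too deep');
    const sep = current.lastIndexOf('!/');
    if (sep === -1) throw new Error('malformed jar: URI, no "!/" separator');
    current = current.slice(4, sep);
  }
  return current;
}

// host, hostname and port come from the innermost URI, as in comment 5.
function locationParts(spec) {
  const inner = new URL(unwrapJar(spec));
  return { host: inner.host, hostname: inner.hostname, port: inner.port };
}

// The check from the bug description: is the script running from the host
// it was signed for? Any parse failure is treated as a mismatch.
function runsOnExpectedHost(spec, expectedHost) {
  try {
    return locationParts(spec).host === expectedHost;
  } catch (err) {
    return false;
  }
}

// Constructed sample URLs.
const samples = [
  'jar:http://example.com/app.jar!/index.html',
  'jar:jar:http://example.com:8080/outer.jar!/inner.jar!/page.html',
  'jar:http://copy.example.net/app.jar!/index.html',
];
for (const s of samples) {
  console.log(s, locationParts(s), runsOnExpectedHost(s, 'example.com'));
}
```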
Comment 9 • 21 years ago (Assignee)
Checked in. jst, is this something we want on the 1.7 branch?
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 10 • 21 years ago
Comment on attachment 146733: Possible patch
I'd say we do want this on the next stable branch, otherwise it doesn't help
the implementors who need this all that much.
Looks safe, is there a reason NOT to take it in 1.7?
Attachment #146733 - Flags: approval1.7?
Comment 11 • 21 years ago (Assignee)
Not that I know of.
Comment 12 • 21 years ago
Comment on attachment 146733: Possible patch
a=asa (on behalf of drivers) for checkin to 1.7
Attachment #146733 - Flags: approval1.7? → approval1.7+
Comment 13 • 21 years ago (Assignee)
Checked in on the 1.7 branch.
Keywords: fixed1.7
Target Milestone: mozilla1.8alpha → mozilla1.7final