Bug 1892289 Comment 8 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)
> I can't recall exactly who was in those conversations. My point was more that we explicitly added a variable named `aLoadFromExternal` and also the comment we added, see https://bugzilla.mozilla.org/attachment.cgi?id=8888269&action=diff. I suppose we can't easily distinguish between loads coming from the command line and loads coming from Thunderbird. I remember we wanted to block the loads from Thunderbird. However, if we can easily distinguish those loads, then I am OK with opening up the blocking mechanism and allowing loads from the commandline.

Unless I'm mistaken, I doubt we register Firefox as a handler for the `data` protocol in the OS, so I don't think TB would hand us those URLs unless it had specific code to (manually) look up and/or then invoke Firefox with custom arguments. It wouldn't happen through "normal" external protocol handling via the OS. So if this is about the vector of "you receive a malicious email with a `data:` link, we shouldn't execute it in Firefox when clicked", I _think_ that shouldn't work in any browser today, not because we block at the commandline but because the OS would not pass on such a URI.

It'd be worth checking my intuition is correct there before doing anything... but in that case, it sounds like we could open this up?

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)
> I can't recall exactly who was in those conversations. My point was more that we explicitly added a variable named `aLoadFromExternal` and also the comment we added, see https://bugzilla.mozilla.org/attachment.cgi?id=8888269&action=diff. I suppose we can't easily distinguish between loads coming from the command line and loads coming from Thunderbird. I remember we wanted to block the loads from Thunderbird. However, if we can easily distinguish those loads, then I am OK with opening up the blocking mechanism and allowing loads from the commandline.

Unless I'm mistaken, I doubt we register Firefox as a handler for the `data` protocol in the OS, so I don't think TB would hand us those URLs unless it had specific code to (manually) look up and/or then invoke Firefox with custom arguments. It wouldn't happen through "normal" external protocol handling via the OS. So if this is about the vector of "you receive a malicious email with a `data:` link, we shouldn't execute it in Firefox when clicked", I _think_ that shouldn't create a vulnerability in any browser today, not because we block at the commandline but because the OS would not pass on such a URI.

It'd be worth checking my intuition is correct there before doing anything... but in that case, it sounds like we could open this up?
