Closed
Bug 177237
Opened 22 years ago
Closed 22 years ago
[FIXr]checking the base uri for security checks is bogus...
Categories
(Core :: Security, defect, P1)
RESOLVED
FIXED
mozilla1.3alpha
People
(Reporter: bzbarsky, Assigned: bzbarsky)
Attachments
(1 file, 1 obsolete file)
4.50 KB, patch | security-bugs: review+ | blizzard: approval+
nsHTMLFormElement and nsScriptLoader have these bogus security checks....
Comment 1•22 years ago (Assignee)
Updated•22 years ago (Assignee)
Severity: normal → critical
Priority: -- → P1
Summary: checking the base uri for security checks is bogus... → [FIX]checking the base uri for security checks is bogus...
Target Milestone: --- → mozilla1.3alpha
Comment 2•22 years ago (Assignee)
hmm.... as bbaetz just pointed out, you can't set the base url to something you could not link to anyway... so perhaps this is a non-issue.... (if it _is_ an issue, we should fix the CSSLoader as well).
Comment 3•22 years ago (Assignee)
We need to decide on what the right thing is so I can fix the remaining (correctness) problem in bug 171924
Blocks: 171924
Comment 4•22 years ago
Comment on attachment 104455: fix
This seems right to me. No matter what you set the base to (even if you're allowed to set it to whatever URI you're setting it to), the security checks should IMO use the document URI since that's who's really loading the data, or whatever. sr=jst, Mitch, you ok with this?
Attachment #104455 - Flags: superreview+
Comment 5•22 years ago (Assignee)
This just adds the last chunk for CSSloader...
Attachment #104455 - Attachment is obsolete: true
Comment 6•22 years ago
Comment on attachment 104908: add CSSLoader to the list of victims
Yes, this looks more correct. r=mstoltz.
Attachment #104908 - Flags: review+
Updated•22 years ago (Assignee)
Summary: [FIX]checking the base uri for security checks is bogus... → [FIXr]checking the base uri for security checks is bogus...
Comment 7•22 years ago
Comment on attachment 104908: add CSSLoader to the list of victims
a=blizzard on behalf of drivers for 1.2final. Make sure you get this in by the tree closure on Nov 5th, 2002. If you don't, it's going to have to wait until the branch is finished being cut.
Attachment #104908 - Flags: approval+
Comment 8•22 years ago (Assignee)
checked in
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED