Open Bug 199225 Opened 21 years ago Updated 2 years ago

Come up with a better way to disable JS and data urls in history

Categories

(Firefox :: Bookmarks & History, defect, P5)

x86
Windows XP
defect

People

(Reporter: nisheeth_mozilla, Unassigned)

Details

With the fix for bug 161546, when a user tries to load JS and data urls in the
history sidebar or window, an alert dialog pops up saying that such urls cannot
be loaded.

We want to come up with a better way to do this that avoids alerts.  Some
suggestions are to:

1) Gray out js and data urls.
2) Don't display js and data urls in the history sidebar or window at all.

Comments are welcome!

We should NOT just grey them out. Think what a terrible user experience that
would be - you see the URL in the history window, but you can't actually click
on it. Why not? Who knows, it's just greyed out! There's no feedback to the user.

My suggestion is that instead of fixing this bug, we come up with a way to
actually run the urls in their own context, much like we do with bookmarks and
the url bar. They aren't security risks, right? So why are we treating history
as some special thing?

My suggestion is to WONTFIX this.

Not sure bug 161546 should remain fixed... now that only typed javascript: urls
show up in history there really doesn't seem to be a security problem with
people hacking themselves if it ran in the context of the current page, and in
fact it could be useful. Oh well, autocomplete works, and they can always be
bookmarked and still work.

I wouldn't want them to be totally gone, though. I agree w/alecf that disabled
without an explanation sucks, but if they're present in the list at least the
user can right-click to get the context menu and then save complex urls as
bookmarks, or copy them. Really, I'm OK with the security dialog -- clicking on
these things would be pretty rare.

nisheeth, can you set the target milestone on this one?  thx

Setting target milestone to 1.5 alpha...
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.5alpha
QA Contact: kasumi → petersen
Target Milestone: mozilla1.5alpha → mozilla1.5beta

This bug doesn't need to be hidden anymore because the security hole it refers
to was fixed a long time ago.

Assignee: nisheeth_mozilla → nobody
Group: security
Status: ASSIGNED → NEW
QA Contact: chrispetersen → history.global
Component: History: Global → Bookmarks & History
Product: Core → Firefox
Target Milestone: mozilla1.5beta → ---
Priority: -- → P5
Severity: normal → S3