Closed
Bug 365526
Opened 18 years ago
Closed 15 years ago
Security Error: Content at about: may not load or link to {xxx}.
Categories
(Core :: Security: CAPS, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: glandium, Assigned: glandium)
Details
(Keywords: fixed1.8.1.21)
Attachments
(1 file)
1.08 KB,
patch
|
dveditz
:
review+
mrbkap
:
superreview+
dveditz
:
approval1.8.1.next+
dveditz
:
approval1.8.0.next?
|
Details | Diff | Splinter Review |
Trying to modify the about page to make it more useful for debian, I got these security errors when trying to link to file:///, resource:/// and chrome:/// urls from about:. I understand how loading data may be a security risk, but I fail to see how allowing *links* to file:/// from about: would be a security risk. Note that links to http:// from about: are allowed, and would be a much greater security risk... Is there a real rationale behind this or is this just a side effect of something else ?
Comment 1•18 years ago
|
||
File:/// links are not allowed for security reasons, see <http://kb.mozillazine.org/Links_to_local_pages_don't_work>. But maybe they should be allowed originating from about: pages, since they can't come from the outside.
Assignee | ||
Comment 2•18 years ago
|
||
Note that if I go to chrome://global/content/about.xhtml and click on the link to a file:/// url, it works. I guess adding a test on sourceScheme.EqualsLiteral("about") to http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1352 and http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1378 would be okay.
Assignee | ||
Comment 3•18 years ago
|
||
The code is pretty different on the trunk, and I'm only interested on 1.8 right now. Does it look okay to you ?
Attachment #250174 -
Flags: review?(jo.hermans)
Comment 4•18 years ago
|
||
I'm sorry, but I'm not the person to ask for review. Daniel (dveditz@cruzio.com) is the module owner.
Assignee | ||
Updated•18 years ago
|
Attachment #250174 -
Flags: review?(jo.hermans) → review?(dveditz)
Comment 5•18 years ago
|
||
A non-safe about: URI should already be able to link to these. See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/caps/src/nsScriptSecurityManager.cpp&rev=1.266.2.14&mark=1260-1262#1245 So I guess this only applies to plain "about:" itself, which GetBaseURIScheme thinks is non-safe but isn't actually privileged, and that should make this a safe enough change. Boris, any thoughts before I OK this?
Comment 6•18 years ago
|
||
The proposed patch would allow all about: URIs that are not whitelisted as "safe" to link to file:, chrome:, and resource: URIs, right? I guess that's ok as long as we're absolutely sure that all about: implementations are either privileged or on this whitelist... the problem is that people can drop in about: implementations. If what we care is about: itself, why not just compare the URI to about:? I'd feel much happier with that. As for trunk, we should do this before the betas of 1.9, I think. We might need API changes to the new APIs to do it. All that said, why exactly isn't about: just privileged? This keeps coming up as an issue, as I recall -- people want to run XPConnectified script in it too...
Comment 7•17 years ago
|
||
Mike, is this still a problem on the trunk? If it is, could you supply a new patch based on the trunk?
Assignee: dveditz → mh+mozilla
Assignee | ||
Comment 8•17 years ago
|
||
I have no idea if it still is a problem. I'll give this a try in a little while.
Comment 9•16 years ago
|
||
(In reply to comment #8) > I have no idea if it still is a problem. I'll give this a try in a little > while. Any update on this?
Updated•16 years ago
|
Attachment #250174 -
Flags: superreview?(mrbkap)
Updated•16 years ago
|
Attachment #250174 -
Flags: review?(dveditz) → review+
Comment 10•16 years ago
|
||
Comment on attachment 250174 [details] [diff] [review] Proposed patch for 1.8 branch r=dveditz This is not great but OK, if you still need it. It's not going to work on the trunk in the current form. If you really want to land this please replace the tabs with spaces.
Updated•16 years ago
|
Attachment #250174 -
Flags: superreview?(mrbkap) → superreview+
Updated•16 years ago
|
Attachment #250174 -
Flags: approval1.8.1.19?
Updated•16 years ago
|
Attachment #250174 -
Flags: approval1.8.1.next?
Updated•16 years ago
|
Attachment #250174 -
Flags: approval1.8.1.19?
Updated•16 years ago
|
Attachment #250174 -
Flags: approval1.8.1.next?
Attachment #250174 -
Flags: approval1.8.1.next+
Attachment #250174 -
Flags: approval1.8.0.next?
Comment 11•16 years ago
|
||
Comment on attachment 250174 [details] [diff] [review] Proposed patch for 1.8 branch Approved for 1.8.1.21, a=dveditz for release-drivers.
Comment 12•15 years ago
|
||
Reed: Can you please make sure this gets landed on the 1.8 branch.
Keywords: checkin-needed
Whiteboard: [needs checkin on 1.8 branch]
Comment 13•15 years ago
|
||
MOZILLA_1_8_BRANCH: Checking in caps/src/nsScriptSecurityManager.cpp; /cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v <-- nsScriptSecurityManager.cpp new revision: 1.266.2.28; previous revision: 1.266.2.27 done
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed → fixed1.8.1.21
OS: Linux → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [needs checkin on 1.8 branch]
You need to log in
before you can comment on or make changes to this bug.
Description
•