Closed Bug 476505 Opened 15 years ago Closed 12 years ago

Add preference to turn javascript: bookmarks off/on

Categories

(Firefox :: Security, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: bsterne, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [sg:want?])

If a javascript: or data: URL is pasted on top of a privileged chrome document it is processed with chrome privileges.  As such, a person could inadvertently run malicious JavaScript with chrome privileges if they click a malicious bookmarklet, etc.

Perhaps javascript: and data: for bookmarks should be turned off by default and users who want to use JavaScript bookmarks can opt-in to use them.  Since the threat only applies to a javascript: URL being pasted on top of an active privileged tab, the restriction need only apply to bookmarks, etc., and these URLs could be safely allowed for normal hyperlinks, images, etc.
Whiteboard: [sg:investigate]
See also bug 371923 and bug 305692.  This is mostly an XSS hazard, since most users don't load chrome documents often (right?).
Whiteboard: [sg:investigate] → [sg:want?]
The summary just wants a pref and does not say what the default is, on or off. Comment 0 suggests off, but allowing in-page references to load. Comment 1 says the threat is not chrome: privs (mostly).

What's the threat and how does a pref help? If the threat is real, why give a pref even to enable the attack (default off), instead of providing a defense so we can avoid yet another pref?

/be
For data: URLs, fixing bug 656823 would be better.
Summary: Add preference to turn javascript: and data: bookmarks off/on → Add preference to turn javascript: bookmarks off/on
Is this WONTFIX now?

/be
Yes. I don't think a pref is the answer here.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
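
Since the pref was not added, one way to see how exposed a profile is to the case described in comment 0 is to audit an exported bookmarks file for javascript: and data: entries. The script below is an added example, not code from this bug or from Firefox; it assumes a bookmarks.html export in the Netscape bookmark format, and the names `url_scheme`, `BookmarkAudit` and `audit_bookmarks` are hypothetical.

```python
from html.parser import HTMLParser

RISKY_SCHEMES = {"javascript", "data"}  # the two schemes named in comment 0

# Constructed sample of a bookmarks.html export (not taken from the bug).
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://example.org/">Docs</A>
<DT><A HREF="javascript:void(document.title)">Show title</A>
<DT><A HREF="  JaVa&#9;Script:void(0)">Padded</A>
<DT><A HREF="data:text/html,hello">Inline page</A>
<DT><A HREF="https://example.org/?q=javascript:1">Search</A>
</DL><p>
"""

def url_scheme(url):
    """Lowercase scheme as a browser URL parser reads it, or None."""
    # Browsers trim leading/trailing C0 controls and spaces and drop
    # tab/CR/LF anywhere in the URL before reading the scheme.
    cleaned = url.strip("".join(map(chr, range(0x21))))
    cleaned = cleaned.translate({9: None, 10: None, 13: None})
    head, sep, _ = cleaned.partition(":")
    ok = sep and head.isascii() and head[:1].isalpha() and all(
        c.isalnum() or c in "+-." for c in head)
    return head.lower() if ok else None

class BookmarkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._title = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._title = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            scheme = url_scheme(self._href)
            if scheme in RISKY_SCHEMES:
                title = "".join(self._title).strip()
                self.findings.append((scheme, title, self._href))
            self._href = None

def audit_bookmarks(html_text):
    """Return a list of (scheme, title, href) for risky bookmarks."""
    parser = BookmarkAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings
```

The scheme is normalized before comparison so that mixed case, leading spaces and an embedded tab do not hide a javascript: bookmark, while a URL that merely contains "javascript:" in its query string is not flagged.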