Closed
Bug 476505
Opened 15 years ago
Closed 12 years ago
Add preference to turn javascript: bookmarks off/on
Categories: Firefox :: Security, defect
Status: RESOLVED WONTFIX
People: Reporter: bsterne, Unassigned
References: Blocks 1 open bug
Details: Keywords: sec-want, Whiteboard: [sg:want?]
If a javascript: or data: URL is pasted on top of a privileged chrome document it is processed with chrome privileges. As such, a person could inadvertently run malicious JavaScript with chrome privileges if they click a malicious bookmarklet, etc. Perhaps javascript: and data: for bookmarks should be turned off by default and users who want to use JavaScript bookmarks can opt-in to use them. Since the threat only applies to a javascript: URL being pasted on top of an active privileged tab, the restriction need only apply to bookmarks, etc., and these URLs could be safely allowed for normal hyperlinks, images, etc.
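The bookmark-only restriction the description proposes, as an added example in plain JavaScript that is not Firefox code: `mayLoad` refuses javascript: and data: URLs only when they come from a bookmark, honours a hypothetical opt-in pref, and leaves ordinary hyperlinks alone; `auditBookmarks` lists which entries of a constructed bookmark list the policy would refuse. The pref name, the context labels and the sample bookmarks are assumptions.

```javascript
// Added example (not Firefox code): the bookmark-only restriction proposed
// in comment 0, modelled as a plain policy function. The pref name and the
// context labels are hypothetical.

// Schemes the proposal wants blocked when launched from a bookmark.
const BLOCKED_BOOKMARK_SCHEMES = new Set(["javascript", "data"]);

// Hypothetical preference: off by default, users opt in to bookmarklets.
const prefs = { "bookmarks.allowScriptURLs": false };

// Canonical scheme of a URL, or null when it has none. Browsers strip
// leading C0 controls and spaces and compare schemes case-insensitively,
// so a naive startsWith("javascript:") would miss " JavaScript:...".
function canonicalScheme(url) {
  const stripped = url.replace(/^[\x00-\x20]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Policy decision for one navigation.
//   context: "bookmark" (bookmark or bookmarklet activation) or "link"
//            (hyperlink, image, etc., which the proposal leaves untouched)
function mayLoad(url, context) {
  if (context !== "bookmark") return true; // restriction is bookmark-only
  const scheme = canonicalScheme(url);
  if (scheme !== null && BLOCKED_BOOKMARK_SCHEMES.has(scheme)) {
    return prefs["bookmarks.allowScriptURLs"] === true; // opt-in only
  }
  return true;
}

// Constructed sample bookmark list (not real data).
const SAMPLE_BOOKMARKS = [
  { title: "Mozilla", url: "https://www.mozilla.org/" },
  { title: "Bookmarklet", url: " JavaScript:void(document.title)" },
  { title: "Inline page", url: "data:text/html,<p>hi</p>" },
];

// Titles of the bookmarks the policy would refuse under the current pref.
function auditBookmarks(bookmarks) {
  return bookmarks
    .filter(b => !mayLoad(b.url, "bookmark"))
    .map(b => b.title);
}
```

Note that comment 3 later narrows the bug to javascript: only; drop "data" from the set to model that revised scope.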
Updated•15 years ago
Whiteboard: [sg:investigate]
Comment 1•15 years ago
See also bug 371923 and bug 305692. This is mostly an XSS hazard, since most users don't load chrome documents often (right?).
Updated•14 years ago
Whiteboard: [sg:investigate] → [sg:want?]
Comment 2•13 years ago
The summary just wants a pref and does not say what the default is, on or off. Comment 0 suggests off, but allowing in-page references to load. Comment 1 says the threat is not chrome: privs (mostly). What's the threat and how does a pref help? If the threat is real, why give a pref even to enable the attack (default off), instead of providing a defense so we can avoid yet another pref? /be
Comment 3•13 years ago
For data: URLs, fixing bug 656823 would be better.
Summary: Add preference to turn javascript: and data: bookmarks off/on → Add preference to turn javascript: bookmarks off/on
Updated•13 years ago
Blocks: bookmarklet-xss
Comment 4•13 years ago
Is this WONTFIX now? /be
Comment 5•12 years ago
Yes. I don't think a pref is the answer here.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX