Closed Bug 656823 Opened 13 years ago Closed 6 years ago

Loading data: URLs from bookmarks shouldn't inherit principal

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1324406

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, testcase, Whiteboard: [sg:want]) 

1. In the address bar, enter 
  data:text/html,<script>alert(document.cookie)</script>

Result: shows Bugzilla cookie

Expected: show empty alert

(Figuring out what to do for *javascript:* URLs is controversial and covered in other bugs.)

(Changing the behavior of data: *links in web pages* is controversial and covered in other bugs.)
Gavin has a fix for the url bar case.
Gavin's patch in bug 656433 fixes the address bar case.
Depends on: 656433
(In reply to comment #0)
> Result: shows Bugzilla cookie
> 
> Expected: show empty alert

Note that the patch in bug 656433 has slightly different expected results: no alert appears, because window.alert is undefined (there is no window object).
That sounds quite strange. How does the data: document end up without a window object?
Gavin: that sounds odd.  for javascript:, maybe, but data: should do the right thing.
Yes, sorry, I was confusing data: and javascript:. data: URIs show the alert, javascript: URIs don't.
Summary: Loading data: URLs from bookmarks or address bar shouldn't inherit principal → Loading data: URLs from bookmarks shouldn't inherit principal
Christoph, this is fixed now, right? Can you mark this as a dep on the bug that fixed this?
Flags: needinfo?(ckerschb)
(In reply to :Gijs from comment #8)
> Christoph, this is fixed now, right? Can you mark this as a dep on the bug
> that fixed this?

Let's mark it as a duplicate.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(ckerschb)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.