The ResponseSerializer url field is a URLField which rejects about:config and urls like that. It shouldn't. That's naughty. This bug covers making that stop.
Hi Will, can you also test for chrome:// urls as well?
I'm on PTO Monday through Wednesday, but I'll get to this when I get back.
Assignee: nobody → willkg
To sum up, we need to add support for:
1. about: urls
2. chrome:// urls
It looks like we've got some JS that restricts URLs to http/https/ftp urls in fjord/feedback/static/js/generic_feedback.js. I think we should fix this across the board so that we accept the following url schemes:
1. protocol-less. e.g. example.com
2. http/https: e.g. http://example.com
3. ftp: e.g. ftp://example.com
4. about: e.g. about:mozilla
5. chrome: e.g. chrome://foo
That covers the following places:
1. generic feedback form (client-side field validation, server-side field validation)
2. Input API (server-side field validation)
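An added example, not fjord's code and not part of the original comment: a server-side allowlist check for the five URL forms listed above. The names `accepted_scheme`, `HIERARCHICAL` and `OPAQUE` are hypothetical, and requiring a dot in a protocol-less host is an assumption made here.

```python
import re

# Schemes the comment above proposes to accept; anything else is rejected.
HIERARCHICAL = {"http", "https", "ftp", "chrome"}  # must be scheme://something
OPAQUE = {"about"}                                 # must be scheme:name

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(r"^%s(?:\.%s)+$" % (LABEL, LABEL))  # assumption: needs a dot


def accepted_scheme(value):
    """Return the scheme ('' for protocol-less) if accepted, else None."""
    value = value.strip()
    # Embedded whitespace or control characters never belong in a URL field.
    if not value or any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F
                        for c in value):
        return None
    match = SCHEME_RE.match(value)
    if match:
        scheme, rest = match.group(1).lower(), match.group(2)
        if scheme in HIERARCHICAL:
            return scheme if rest.startswith("//") and len(rest) > 2 else None
        if scheme in OPAQUE:
            return scheme if rest and not rest.startswith("/") else None
        # "example.com:8080/x" parses like a scheme; only a numeric port
        # after the colon lets it continue as a protocol-less URL.
        if not re.split(r"[/?#]", rest, maxsplit=1)[0].isdigit():
            return None
    authority = re.split(r"[/?#]", value, maxsplit=1)[0]
    host, _, port = authority.partition(":")
    if port and not port.isdigit():
        return None
    return "" if HOST_RE.match(host) else None


# Constructed sample inputs, not taken from the bug.
SAMPLES = ["example.com", "example.com:8080/path", "http://example.com",
           "ftp://example.com", "about:mozilla", "chrome://foo",
           "javascript:alert(1)", "data:text/html,hi", "http:example.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-24s -> %r" % (sample, accepted_scheme(sample)))
```

Because the check is an allowlist, schemes such as `javascript:` and `data:` are rejected without being named anywhere in the code.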
Most of it is in a PR: https://github.com/mozilla/fjord/pull/338 The outstanding part is redoing the client-side field validation for the generic feedback form to also support about: and chrome:// urls. That's mostly a "for consistency's sake" issue. We could push that work off since it doesn't affect the Input API at all.
Everything except the outstanding stuff landed in master in: https://github.com/mozilla/fjord/commit/0892546f8b32bfa36606bb20660538cac819d876
Pushed this to prod just now. Outstanding things: 1. rewrite the client-side url field validation for the generic feedback form
Whiteboard: u=user c=api p= s=input.2013q3 → u=user c=api p=2 s=input.2013q3
Oops--this got put in the wrong sprint so I missed it last quarter. Tossing it in this quarter's sprint.
Whiteboard: u=user c=api p=2 s=input.2013q3 → u=user c=api p=2 s=input.2014q4
On second thought, I'm switching this back to last quarter and spinning off a new bug for the outstanding work since this bug is really API-specific. Marking as FIXED.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Whiteboard: u=user c=api p=2 s=input.2014q4 → u=user c=api p=2 s=input.2014q3