Closed Bug 1227625 Opened 10 years ago Closed 7 years ago

Reader view internal handler should reject non-http(s) URLs

Categories

(Firefox for iOS :: Reader View, defect)

Other
iOS
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
fxios 1.3+ ---

People

(Reporter: st3fan, Assigned: st3fan)

Details

(Keywords: sec-moderate)

The reader view internal link (localhost/reader-mode/page?url=) should not accept links other than http or https. To test: what happens with a http link that redirects to javascript? Can we intercept that? Does the WKWebView allow that at all?
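A sketch of the scheme check described above, as an added example that is not Firefox for iOS code. The function names and sample requests are hypothetical; only the `/reader-mode/page` path and the `url` parameter come from the report. The same predicate can be reapplied to every redirect target before it is followed.

```swift
import Foundation

// Hypothetical names; added example, not the project's implementation.
let allowedSchemes: Set<String> = ["http", "https"]

/// True only for absolute http(s) URLs that carry a non-empty host.
/// URL schemes are case-insensitive, so compare in lowercase.
func isAllowedReaderTarget(_ url: URL) -> Bool {
    guard let scheme = url.scheme?.lowercased(),
          allowedSchemes.contains(scheme),
          let host = url.host, !host.isEmpty else {
        return false
    }
    return true
}

/// Extracts and validates the `url` parameter of a reader-mode request.
/// Returns nil when the path is wrong, or the parameter is missing,
/// repeated, unparseable, or not http(s).
func readerModeTarget(fromRequest request: URL) -> URL? {
    guard let components = URLComponents(url: request, resolvingAgainstBaseURL: false),
          components.path == "/reader-mode/page" else {
        return nil
    }
    // queryItems are already percent-decoded; a repeated parameter is ambiguous, so reject it.
    let values = (components.queryItems ?? [])
        .filter { $0.name == "url" }
        .compactMap { $0.value }
    guard values.count == 1, let target = URL(string: values[0]) else {
        return nil
    }
    return isAllowedReaderTarget(target) ? target : nil
}

// Constructed sample requests (not taken from the bug report).
let samples = [
    "http://localhost/reader-mode/page?url=https%3A%2F%2Fexample.com%2Farticle",
    "http://localhost/reader-mode/page?url=HTTP%3A%2F%2Fexample.com%2F",
    "http://localhost/reader-mode/page?url=javascript%3Avoid(0)",
    "http://localhost/reader-mode/page?url=file%3A%2F%2F%2Ftmp%2Fnote.txt",
    "http://localhost/reader-mode/page?url=%2F%2Fexample.com%2Fno-scheme",
    "http://localhost/reader-mode/page"
]
for sample in samples {
    let target = URL(string: sample).flatMap(readerModeTarget(fromRequest:))
    print(sample, "->", target?.absoluteString ?? "rejected")
}
```

Only the first two samples are accepted; the rest are rejected for a disallowed scheme, a missing scheme, or a missing parameter.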
This is no longer a URL because we cannot manually enter a reader-mode URL scheme in our address bar anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release