Closed Bug 1273936 Opened 4 years ago Closed 4 years ago

Make about:license linkable again

Categories: (Core :: Networking, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla50
Tracking Status: firefox50 --- fixed
People: (Reporter: dveditz, Assigned: jduell.mcbugs)
Details: (Whiteboard: [necko-active])
Attachments: (1 file)

Bug 1253673 allowed us to make a distinction between linkable and unlinkable "safe" about: pages, and proceeded to make most of them unlinkable. This was an improvement for the parameterized pages where people could cause mischief, but we may have gone too far and hidden some about:s used by support or other community web pages.

We should restore (MAKE_LINKABLE):
  about:credits
  about:license
  about:rights

and probably
  about:buildconfig

I disagree with this. Why do these pages need to be linkable from unprivileged webpages?
Flags: needinfo?(dveditz)
FWIW, as a random example, the SUMO pages about troubleshooting information like about:support do not link to the page - they only offer instructions on how to open it through the menu.
This also won't affect the noscript bustage.
No longer depends on: 1272139
(In reply to :Gijs Kruitbosch from comment #1)
> I disagree with this. Why do these pages need to be linkable from
> unprivileged webpages?

I think they are used, they aren't harmful (strictly static content, no params), and they have been historically.
No longer depends on: CVE-2016-5268, 1269238
Flags: needinfo?(dveditz)
Version: 38 Branch → unspecified
I would certainly occasionally appreciate the ability to send people a link to about:license.

about:credits in a sense already has its own link, which is https://www.mozilla.org/credits/ - because that's where about:credits takes you.

It seems to me that allowing SUMO to provide direct links to about:buildconfig and about:support would be most useful.

Gerv
(In reply to Gervase Markham [:gerv] from comment #5)
> It seems to me that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.

about:support is privileged so it's not ever linkable, however we have a special hack to let SUMO trigger it anyway:

https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions#22

I suppose if it can launch the real about:support we don't need direct links to about:buildconfig since you can get there from about:support.
Narrowing focus of bug to about:license given the above.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
(In reply to Daniel Veditz [:dveditz] from comment #4)
> (In reply to :Gijs Kruitbosch from comment #1)
> > I disagree with this. Why do these pages need to be linkable from
> > unprivileged webpages?
> 
> I think they are used, they aren't harmful (strictly static content, no
> params) and they have been historically.

I think my worry is that just like the data/blob/view-source debacle, they could be (ab)used if web-accessible, and the gain in linking to them doesn't seem such that that's necessary.

(In reply to Gervase Markham [:gerv] from comment #5)
> I would certainly occasionally appreciate the ability to send people a link
> to about:license.

If it's worth doing I'm sure we could tidy up and publicize https://mxr.mozilla.org/mozilla-central/source/toolkit/content/license.html somehow. The links won't work in any other browser anyway, so I'm not sure to what degree sending people a link like that through some other medium (email? chat?) would be very useful right now.

> It seems to me that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.

SUMO has magical (UITour) ways of doing all kinds of stuff, including invoking Fx Refresh. If they very much wanted links to about:buildconfig (I think you overestimate the degree of technical skill we assume for most of its readers!) or about:support, then we can expose something specifically for them, which would be fine by me.
Summary: Make about:license linkable again → Make support-ish about: pages linkable again
Oops.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
Jason, any idea who should work on this?
Assignee: nobody → jduell.mcbugs
Whiteboard: [necko-active]
Fixing this is trivial. The question is whether we want to.
I don't know enough about the security issues here to make a call on whether to land the patch here.

Dan, Gijs, who should make the call here?
Flags: needinfo?(dveditz)
Flags: needinfo?(gijskruitbosch+bugs)
I'm biased, I'll let Dan take care of this. :-)
Flags: needinfo?(gijskruitbosch+bugs)
I don't feel that strongly either way. It's been broken on Beta for a month or so and we haven't heard terrible screams about it being gone. The content itself is still discoverable through the About dialog.
Flags: needinfo?(dveditz)
:gijs: looks like it's your call.

Gerv
Flags: needinfo?(gijskruitbosch+bugs)
I guess a priori there is no reason this would be any more dangerous than any of the other non-about-blank about: pages that are still accessible (though that's a shrinking list). We can come back to this if/when we make more meaningful strides in making about:blank the only linkable thing, but at least for now it seems hard to see any avenues for this really being exploited - harder than some of the other pages, anyway.
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: checkin-needed
Attachment #8754493 - Flags: review+
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/553ce3faa35f
make about:license content-linkable again, r=gijs
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/553ce3faa35f
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50