Closed
Bug 1273936
Opened 9 years ago
Closed 8 years ago
Make about:license linkable again
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla50
Tracking | Status | |
---|---|---|
firefox50 | --- | fixed |
People
(Reporter: dveditz, Assigned: jduell.mcbugs)
References
Details
(Whiteboard: [necko-active])
Attachments
(1 file)
1.25 KB,
patch
|
Gijs
:
review+
|
Details | Diff | Splinter Review |
bug 1253673 allowed us to make a distinction between linkable and unlinkable "safe" about: pages, and proceeded to make most of them unlinkable. This was an improvement for the parameterized pages where people could cause mischief, but we may have gone too far and hidden some about:s used by support or other community web pages
We should restore (MAKE_LINKABLE):
about:credits
about:license
about:rights
and probably
about:buildconfig
Comment 1•9 years ago
|
||
I disagree with this. Why do these pages need to be linkable from unprivileged webpages?
Flags: needinfo?(dveditz)
Comment 2•9 years ago
|
||
FWIW, as a random example, the SUMO pages about troubleshooting information like about:support do not link to the page - they only offer instructions on how to open it through the menu.
Reporter | ||
Comment 4•9 years ago
|
||
(In reply to :Gijs Kruitbosch from comment #1)
> I disagree with this. Why do these pages need to be linkable from
> unprivileged webpages?
I think they are used, they aren't harmful (strictly static content, no params), and they have been historically.
Blocks: CVE-2016-5268
No longer depends on: CVE-2016-5268, 1269238
Flags: needinfo?(dveditz)
Version: 38 Branch → unspecified
Comment 5•9 years ago
|
||
I would certainly occasionally appreciate the ability to send people a link to about:license.
about:credits in a sense already has its own link, which is https://www.mozilla.org/credits/ - because that's where about:credits takes you.
It seems to be that allowing SUMO to provide direct links to about:buildconfig and about:support would be most useful.
Gerv
Reporter | ||
Comment 6•9 years ago
|
||
(In reply to Gervase Markham [:gerv] from comment #5)
> It seems to be that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.
about:support is privileged so it's not ever linkable, however we have a special hack to let SUMO trigger it anyway:
https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions#22
I suppose if it can launch the real about:support we don't need direct links to about:buildconfig since you can get there from about:support.
Reporter | ||
Comment 7•9 years ago
|
||
narrowing focus of bug to about:license given the above.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
Comment 8•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #4)
> (In reply to :Gijs Kruitbosch from comment #1)
> > I disagree with this. Why do these pages need to be linkable from
> > unprivileged webpages?
>
> I think they are used, they aren't harmful (strictly static content, no
> params) and they have been historically.
I think my worry is that just like the data/blob/view-source debacle, they could be (ab)used if web-accessible, and the gain in linking to them doesn't seem such that that's necessary.
(In reply to Gervase Markham [:gerv] from comment #5)
> I would certainly occasionally appreciate the ability to send people a link
> to about:license.
If it's worth doing I'm sure we could tidy up and publicize https://mxr.mozilla.org/mozilla-central/source/toolkit/content/license.html somehow. The links won't work in any other browser anyway, so I'm not sure to what degree sending people a link like that through some other medium (email? chat?) would be very useful right now.
> It seems to be that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.
SUMO has magical (UITour) ways of doing all kinds of stuff, including invoking Fx Refresh. If they very much wanted links to about:buildconfig (I think you overestimate the degree of technical skill we assume for most of its readers!) or about:support, then we can expose something specifically for them, which would be fine by me.
Summary: Make about:license linkable again → Make support-ish about: pages linkable again
Comment 9•9 years ago
|
||
Oops.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
Updated•9 years ago
|
Whiteboard: [necko-active]
Comment 11•9 years ago
|
||
Fixing this is trivial. The question is whether we want to.
Assignee | ||
Comment 12•8 years ago
|
||
I don't enough about the security issues here to make a call on whether to land the patch here.
Dan, Gijs, who should make the call here?
Flags: needinfo?(dveditz)
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(gijskruitbosch+bugs)
Comment 13•8 years ago
|
||
I'm biased, I'll let Dan take care of this. :-)
Flags: needinfo?(gijskruitbosch+bugs)
Reporter | ||
Comment 14•8 years ago
|
||
I don't feel that strongly either way. It's been broken on Beta for a month or so and we haven't heard terrible screams about it being gone. The content itself is still discoverable through the About dialog.
Flags: needinfo?(dveditz)
Comment 15•8 years ago
|
||
:gijs: looks like it's your call.
Gerv
Flags: needinfo?(gijskruitbosch+bugs)
Comment 16•8 years ago
|
||
I guess a priori there is no reason this would be any more dangerous than any of the other non-about-blank about: pages that are still accessible (though that's a shrinking list). We can come back to this if/when we make more meaningful strides in making about:blank the only linkable thing, but at least for now it seems hard to see any avenues for this really being exploited - harder than some of the other pages, anyway.
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: checkin-needed
Updated•8 years ago
|
Attachment #8754493 -
Flags: review+
Comment 17•8 years ago
|
||
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/553ce3faa35f
make about:license content-linkable again, r=gijs
Keywords: checkin-needed
Comment 18•8 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
You need to log in
before you can comment on or make changes to this bug.
Description
•