Closed Bug 1277697 Opened 4 years ago Closed 4 years ago

We don't resolve feed: URIs to http ones when opened via form submit

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect)

Tracking

(firefox49 affected)

RESOLVED WORKSFORME

People

(Reporter: Gijs, Unassigned)

Details

(Keywords: sec-other)

+++ This bug was initially created as a clone of Bug #1277583 +++

STR:

1. open a page with:

<form action="feed:http://www.mozilla.org/" method="post" target="feedWin">
  <input type="submit">
</form>

2. click submit button

ER:
we redirect from feed: to non-feed.

AR:
we do not.


This works for the trivial <a href> case. I don't know why form submit is different, but it worries me.
No longer blocks: 1277685
Depends on: 1277698
I don't understand why we'd redirect here at all....
Is there a redirect if you use method="GET"?
There's one if you just type it in the address bar.

I don't remember where it happens, but I remember that as being the intentional behavior of the feed preview page: "someone passed us something claiming it was a feed we could preview, but it's totally not a feed, so we should just show them the inner URL and let them figure out what it actually was."
I mean, from a security perspective, not fussy about what /exactly/ we do in this case as it's clearly not an intended use case, so I'd be fine with any of:

1) show network error for all feed: URIs that don't point to a feed
2) always redirect so "feed:" disappears off the front of the URI, as long as we do this in a way that doesn't have script executed at the feed: URI.
3) fix feed URIs to always have JS completely disabled at a docshell / jsengine level (in fact, that'd probably boil down to wanting to have a list of protocols for which script is allowed, and disallowing it for everything not in the list)
4) stop supporting feed: entirely (see also bug 1277698)
There's no reason to allow anything other than GET for the feed: protocol. It was made for fetching feeds, by people who ought to have used mime types but were hosting on providers where they didn't have that kind of control. If we don't kill or at least hide feed: from the web (better options) we shouldn't waste time trying to make it POST-able.
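
The following is an added example, not part of the original bug thread and not Firefox's implementation. It sketches a pre-load policy that combines option 2 above with the GET-only suggestion: refuse any non-GET request to feed:, otherwise strip the prefix and redirect only when the inner URL is http(s). The function name resolveFeedRequest, the returned object shape and the scheme allowlist are hypothetical.

```javascript
// Added illustration: resolveFeedRequest and its policy are hypothetical.
// Inner schemes a feed: URI is allowed to resolve to (assumption: web feeds only).
const ALLOWED_INNER_SCHEMES = new Set(["http:", "https:"]);

function resolveFeedRequest(spec, method = "GET") {
  const m = /^feed:(.*)$/is.exec(String(spec).trim());
  if (!m) {
    return { action: "pass", url: spec };            // not a feed: URI, not our concern
  }
  // feed: exists only to fetch feeds, so a form POST to it is refused outright.
  if (String(method).toUpperCase() !== "GET") {
    return { action: "block", reason: "feed: only supports GET" };
  }
  // "feed://host/path" is shorthand for http; "feed:http(s)://..." names the scheme itself.
  const rest = m[1];
  const inner = rest.startsWith("//") ? "http:" + rest : rest;
  let url;
  try {
    url = new URL(inner);
  } catch (e) {
    return { action: "block", reason: "inner URL does not parse" };
  }
  // Decide before anything loads, so no document ever runs script at a feed: origin.
  if (!ALLOWED_INNER_SCHEMES.has(url.protocol)) {
    return { action: "block", reason: "inner scheme " + url.protocol + " not allowed" };
  }
  return { action: "redirect", url: url.href };
}

// Constructed sample requests; the first mirrors the form in the STR.
const samples = [
  ["feed:http://www.mozilla.org/", "POST"],
  ["feed:http://www.mozilla.org/", "GET"],
  ["feed://example.com/rss.xml", "GET"],
  ["feed:javascript:alert(1)", "GET"],
  ["feed:feed:http://example.com/", "GET"],
];
for (const [spec, method] of samples) {
  const r = resolveFeedRequest(spec, method);
  console.log(method.padEnd(4), spec, "->", r.action, r.url || r.reason);
}
```
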
Keywords: sec-other
Marking this WFM now that feed: is dangerous to load.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Group: firefox-core-security
Product: Firefox → Firefox Graveyard