Closed
Bug 1277697
Opened 8 years ago
Closed 8 years ago
We don't resolve feed: URIs to http ones when opened via form submit
Categories
(Firefox Graveyard :: RSS Discovery and Preview, defect)
Firefox Graveyard
RSS Discovery and Preview
Tracking
(firefox49 affected)
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | affected |
People
(Reporter: Gijs, Unassigned)
References
Details
(Keywords: sec-other)
+++ This bug was initially created as a clone of Bug #1277583 +++
STR:
1. open a page with:
<form action="feed:http://www.mozilla.org/" method="post" target="feedWin">
<input type="submit">
</form>
2. click submit button
ER:
we redirect from feed: to non-feed.
AR:
we do not.
This works for the trivial <a href> case. I don't know why form submit is different, but it worries me.
|
||
Comment 1•8 years ago
|
||
I don't understand why we'd redirect here at all....
|
|
||
Comment 2•8 years ago
|
||
Is there a redirect if you use method="GET"?
|
||
Comment 3•8 years ago
|
||
There's one if you just type it in the addressbar.
I don't remember where it happens, but I remember that as being the intentional behavior of the feed preview page: "someone passed us something claiming it was a feed we could preview, but it's totally not a feed, so we should just show them the inner URL and let them figure out what it actually was."
|
Reporter | |
Comment 4•8 years ago
|
||
I mean, from a security perspective, not fussy about what /exactly/ we do in this case as it's clearly not an intended usecase, so I'd be fine with any of:
1) show network error for all feed: URIs that don't point to a feed
2) always redirect so "feed:" disappears off the front of the URI, as long as we do this in a way that doesn't have script executed at the feed: URI.
3) fix feed URIs to always have JS completely disabled at a docshell / jsengine level (in fact, that'd probably boil down to wanting to have a list of protocols for which script is allowed, and disallowing it for everything not in the list)
4) stop supporting feed: entirely (see also bug 1277698)
|
||
Comment 5•8 years ago
|
||
There's no reason to allow anything other than GET for the feed: protocol. It was made for fetching feeds, by people who ought to have used mime types but were hosting on providers where they didn't have that kind of control. If we don't kill or at least hide feed: from the web (better options) we shouldn't waste time trying to make it POST-able.
Keywords: sec-other
|
|
Reporter | |
Comment 6•8 years ago
|
||
Marking this WFM now that feed: is dangerous to load.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•7 years ago
|
Group: firefox-core-security
|
||
Updated•6 years ago
|
Product: Firefox → Firefox Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•