Closed
Bug 13253
Opened 25 years ago
Closed 25 years ago
Unable to use window.open with chrome: URLs
Categories
(Core :: Security, defect, P1)
Core
Security
Tracking
()
VERIFIED
FIXED
M11
People
(Reporter: law, Assigned: norrisboyd)
References
Details
"Security Manager" code (nsIScriptSecurityManager::CheckURI, specifically) doesn't seem to handle chrome: URLs. As a result, attempts to open windows or dialogs using JS of the form window.open[Dialog]( "chrome:...", ... ); fail. This prevents navigator.js from opening the bookmarks window, for example (and lots more). I.e., choosing "Bookmarks->Manage Bookmarks..." doesn't work in today's build (Sept 06). The security manager calls seem to have been added by Norris on 9/6 in r1.143 of the file http://lxr.mozilla.org/seamonkey/source/dom/src/base/nsGlobalWindow.cpp#2100.
Assignee | ||
Updated•25 years ago
|
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 1•25 years ago
|
||
Just checked in a fix. Check out latest changes in mozilla/caps.
I have your 3:30 updates from caps, and can now get past window.open("http://www.mozilla.org"), say. However, others are still failing the security check: the window behind window.prompt, for instance.
Assignee | ||
Updated•25 years ago
|
Resolution: FIXED → ---
Assignee | ||
Updated•25 years ago
|
Status: REOPENED → ASSIGNED
Target Milestone: M11
Severity: major → blocker
OS: Windows NT → All
Priority: P3 → P1
Summary: Unable to use window.open with chrome: URLs → [BLOCKER] Unable to use window.open with chrome: URLs
Norris, I've upgraded this to a blocker. If you don't fix this soon I'm gonna have to ask you to back out your security changes because you've disabled way too much of the UI.
Assignee | ||
Comment 4•25 years ago
|
||
I don't have a build environment available tonight. If a fix tomorrow is too late, feel free to comment out the check.
Assignee | ||
Updated•25 years ago
|
Severity: blocker → normal
Summary: [BLOCKER] Unable to use window.open with chrome: URLs → Unable to use window.open with chrome: URLs
Assignee | ||
Comment 5•25 years ago
|
||
Downgrading from blocker since don disabled the check.
Responding to some confusion about the mystical "window behind window.prompt" I mentioned earlier. I was merely thinking of the prompt window itself. So <html><body> <form> <input type=button value="punch me" onclick="prompt('Hi there')"> </form> </body></html> does nothing when you punch the form button unless the security check is disabled. Then it works. I'll bet this is blocking someone. Me, for instance, if I think about it too much.
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago → 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•25 years ago
|
||
Fixed by disabling security check. Will get don's approval before reenabling.
WinNT 1999112208 comm "Bookmarks-->Manage Bookmarks" window opens (working) "punch me" form prompt (working) "view source" window opens (working) (I will follow up on whether checkuri is still commented out. The security checks will have to go back in, when it can be done without killing acceptable window opens)
Assignee | ||
Comment 10•25 years ago
|
||
The security checks have been enabled and cause no known regressions.
Comment 11•25 years ago
|
||
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in
before you can comment on or make changes to this bug.
Description
•