Closed Bug 13253 Opened 25 years ago Closed 25 years ago

Unable to use window.open with chrome: URLs

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: law, Assigned: norrisboyd)

References

Details

"Security Manager" code (nsIScriptSecurityManager::CheckURI, specifically)
doesn't seem to handle chrome: URLs.  As a result, attempts to open windows
or dialogs using JS of the form
    window.open[Dialog]( "chrome:...", ... );
fail.

This prevents navigator.js from opening the bookmarks window, for example (and
lots more).  I.e., choosing "Bookmarks->Manage Bookmarks..." doesn't work in
today's build (Sept 06).

The security manager calls seem to have been added by Norris on 9/6 in r1.143 of
the file
http://lxr.mozilla.org/seamonkey/source/dom/src/base/nsGlobalWindow.cpp#2100.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Just checked in a fix. Check out latest changes in mozilla/caps.
Status: RESOLVED → REOPENED
I have your 3:30 updates from caps, and can now get past window.open("http://www.mozilla.org"), say.
However, others are still failing the security check: the window behind window.prompt, for instance.
Resolution: FIXED → ---
Status: REOPENED → ASSIGNED
Target Milestone: M11
Severity: major → blocker
OS: Windows NT → All
Priority: P3 → P1
Summary: Unable to use window.open with chrome: URLs → [BLOCKER] Unable to use window.open with chrome: URLs
Norris, I've upgraded this to a blocker.  If you don't fix this soon I'm gonna
have to ask you to back out your security changes because you've disabled way
too much of the UI.
I don't have a build environment available tonight. If a fix tomorrow is too
late, feel free to comment out the check.
Severity: blocker → normal
Summary: [BLOCKER] Unable to use window.open with chrome: URLs → Unable to use window.open with chrome: URLs
Downgrading from blocker since don disabled the check.
Responding to some confusion about the mystical "window behind window.prompt" I mentioned earlier.
I was merely thinking of the prompt window itself.  So

<html><body>
<form>
  <input type=button value="punch me" onclick="prompt('Hi there')">
</form>
</body></html>

does nothing when you punch the form button unless the security check is disabled.  Then it works.
I'll bet this is blocking someone.  Me, for instance, if I think about it too much.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
Fixed by disabling security check. Will get don's approval before reenabling.
*** Bug 13256 has been marked as a duplicate of this bug. ***
Status: RESOLVED → VERIFIED
WinNT 1999112208 comm
"Bookmarks-->Manage Bookmarks" window opens (working)
"punch me" form prompt (working)
"view source" window opens (working)

(I will follow up on whether checkuri is still commented out.  The security
checks will have to go back in, when it can be done without killing acceptable
window opens)
The security checks have been enabled and cause no known regressions.
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.