Closed Bug 1329413 Opened 9 years ago Closed 8 years ago

Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page

Categories

(Invalid Bugs :: General, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: Doublek420, Unassigned)

Details

+++ This bug was initially created as a clone of Bug #656433 +++

I'm splitting this off from bug 527530 as a short term solution to the bookmarklet-pasting attacks being seen in the wild on Facebook and similar. The change this bug will make is to disallow loading of javascript: URLs from the URL bar *at all*. This behavior varies slightly from IE 9 which strips the leading "javascript:" from a pasted URL, and Chrome which does something similar. The approach in this bug still enables bookmarklet functionality through bookmarks as well as entering them on the Web Console or Error Console.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Product: Add-on SDK → Invalid Bugs
Resolution: --- → INVALID
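
The two location-bar policies contrasted in the description above (refusing javascript: input outright versus stripping the leading scheme), sketched as an added example that is not part of the original report and is not Firefox, IE or Chrome code. The function names, the policy strings and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper names, not browser source code.
const BLOCKED_SCHEME = "javascript:";

// Mirror what a URL parser does before it reads the scheme: drop leading
// control characters and spaces, and remove tab/newline characters anywhere,
// so "  JavaScript:" and "java\tscript:" are recognised as the same scheme.
function canonicalize(input) {
  return input.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
}

function hasBlockedScheme(input) {
  return canonicalize(input).toLowerCase().startsWith(BLOCKED_SCHEME);
}

// policy "block": refuse to load at all (the change the description proposes).
// policy "strip": remove the leading scheme (the IE 9 behaviour it mentions).
function filterLocationBarInput(input, policy) {
  if (!hasBlockedScheme(input)) {
    return { load: true, value: input };
  }
  if (policy === "block") {
    return { load: false, value: "" };
  }
  // Strip repeatedly so "javascript:javascript:..." cannot survive one pass.
  let value = canonicalize(input);
  while (value.toLowerCase().startsWith(BLOCKED_SCHEME)) {
    value = canonicalize(value.slice(BLOCKED_SCHEME.length));
  }
  return { load: true, value };
}

// Constructed sample inputs, as they might be pasted into a location bar.
const samples = [
  "https://example.com/",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "javascript:javascript:alert(1)",
];
for (const s of samples) {
  console.log(JSON.stringify(s),
    filterLocationBarInput(s, "block"), filterLocationBarInput(s, "strip"));
}
```

A filter that only compares the raw prefix against "javascript:" misses the padded, mixed-case and tab-split forms, which is why the check runs on the canonicalized input.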