Closed Bug 1403870 Opened 7 years ago Closed 7 years ago

Potentially allow navigations to data:application/json

Categories

(Core :: DOM: Security, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

No description provided.
Issue raised within Bug 1403641:

(In reply to zdnex from comment #7)
> Another issue is for example using data: uri for json which is sometimes
> used by REST API services to quickly show JSON result and when we have
> inbuilt JSON viewer it is even better, but this breaks it also.
>
> <html><body><a href='data:application/json,{"my_json_key":"value"}'
> target='_blank'>show json value</a></body></html>
Assignee: nobody → ckerschb
Blocks: 1380959
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Once we have fixed Bug 1403814, we can whitelist application/json since such a data: URI would open in the browser.
Depends on: 1403814
Olli, data/json is opened in the browser, hence we should whitelist it (similar to what we did for PDF within Bug 1398692). Agreed?
Attachment #8924691 - Flags: review?(bugs)
Here is an automated test for that behavior.
Attachment #8924692 - Flags: review?(bugs)
Attachment #8924691 - Flags: review?(bugs) → review+
Attachment #8924692 - Flags: review?(bugs) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4acac146285e
Allow toplevel data URI navigation data:application/json. r=smaug
https://hg.mozilla.org/integration/mozilla-inbound/rev/b66649cd261a
Test toplevel data URI navigation to application/json is allowed. r=smaug
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
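
The whitelist decision discussed in this bug, sketched as an added example; it is not Firefox's code and not part of the original bug. The function names and the allowlist set are hypothetical, the set holds only the two types this bug names, and treating every other type as blocked is an assumption of the model.

```javascript
// Simplified model for illustration; not Firefox source code.
// Assumption: the allowlist holds only the two types named in this bug,
// application/json and application/pdf (Bug 1398692).
const ALLOWED_TOPLEVEL_DATA_TYPES = new Set([
  "application/json",
  "application/pdf",
]);

// Return the lowercased media type of a data: URI (RFC 2397), or null when
// the string is not a data: URI with a "," separating header and payload.
function dataUriMediaType(uri) {
  const match = /^data:([^,]*),/i.exec(String(uri).trim());
  if (match === null) return null;
  // Header form: "type/subtype;param=value;base64". Only the first field
  // is the media type; parameters must not influence the decision.
  const type = match[1].split(";")[0].trim().toLowerCase();
  // RFC 2397: an omitted media type defaults to text/plain.
  return type === "" ? "text/plain" : type;
}

// Decide whether a top-level navigation to this data: URI is allowed.
// Exact match on the parsed type, so "application/jsonx" or a type that
// merely contains "json" in a parameter does not pass.
function allowTopLevelDataNavigation(uri) {
  const type = dataUriMediaType(uri);
  return type !== null && ALLOWED_TOPLEVEL_DATA_TYPES.has(type);
}

// Constructed sample inputs; the first is the link target from this bug.
function sampleDecisions() {
  const samples = [
    'data:application/json,{"my_json_key":"value"}',
    "DATA:Application/JSON;charset=utf-8,%7B%7D",
    "data:application/pdf;base64,JVBERi0=",
    "data:text/html;x=application/json,<p>hi</p>",
    "data:application/jsonx,{}",
    "data:,no media type given",
  ];
  return samples.map((uri) => [dataUriMediaType(uri), allowTopLevelDataNavigation(uri)]);
}

console.log(sampleDecisions());
```

Matching on the parsed type rather than on a substring of the URI keeps a parameter or payload that mentions `application/json` from widening the allowlist.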