Potentially allow navigations to data:application/json

RESOLVED FIXED in Firefox 58

Status

enhancement
P1
normal
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: ckerschb, Assigned: ckerschb)

Tracking

unspecified
mozilla58

Firefox Tracking Flags

(firefox58 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments)

No description provided.
Issue raised within Bug 1403641:
(In reply to zdnex from comment #7)
> Another issue is for example using data: uri for json which is sometimes
> used by REST API services to quickly show JSON result and when we have
> inbuilt JSON viewer it is even better, but this breaks it also.
> 
> <html><body><a href='data:application/json,{"my_json_key":"value"}'
> target='_blank'>show json value</a></body></html>
Assignee: nobody → ckerschb
Blocks: 1380959
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Once we have fixed Bug 1403814, we can whitelist application/json since such a data: URI would open in the browser.
Depends on: 1403814
Olli, data/json is opened in the browser, hence we should whitelist it (similar to what we did for PDF within Bug 1398692). Agreed?
Attachment #8924691 - Flags: review?(bugs)
Here is an automated test for that behavior.
Attachment #8924692 - Flags: review?(bugs)
Attachment #8924691 - Flags: review?(bugs) → review+
Attachment #8924692 - Flags: review?(bugs) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4acac146285e
Allow toplevel data URI navigation data:application/json. r=smaug
https://hg.mozilla.org/integration/mozilla-inbound/rev/b66649cd261a
Test toplevel data URI navigation to application/json is allowed. r=smaug
https://hg.mozilla.org/mozilla-central/rev/4acac146285e
https://hg.mozilla.org/mozilla-central/rev/b66649cd261a
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
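
The allowlist decision discussed in this bug, sketched as an added example; it is not code from the bug thread or from Firefox. The function names are hypothetical, and `ALLOWED_TYPES` is an assumption that holds only the two types the thread names as whitelisted (JSON and PDF).

```javascript
// Added example: allowlist check for top-level data: URI navigations.
// ALLOWED_TYPES is an assumption for illustration (the two types named in
// this bug thread), not Firefox's actual list or implementation.
const ALLOWED_TYPES = new Set(["application/json", "application/pdf"]);

// Extract the media type (without parameters) from a data: URI per RFC 2397.
// Returns null if the string is not a well-formed data: URI.
function dataUriMediaType(uri) {
  const trimmed = uri.trim();
  if (!/^data:/i.test(trimmed)) return null;
  const comma = trimmed.indexOf(",");
  if (comma === -1) return null;            // no payload separator: malformed
  const header = trimmed.slice(5, comma);   // text between "data:" and ","
  // Parameters such as ;charset= or ;base64 do not change the media type.
  const type = header.split(";")[0].trim().toLowerCase();
  // RFC 2397: an omitted media type defaults to text/plain.
  if (type === "") return "text/plain";
  // Require a type/subtype token pair; reject anything else.
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type) ? type : null;
}

// Decide whether a top-level navigation to `uri` passes the allowlist.
function allowTopLevelDataNavigation(uri) {
  const type = dataUriMediaType(uri);
  return type !== null && ALLOWED_TYPES.has(type);
}

// Sample inputs: the first is the link from the quoted comment,
// the rest are constructed.
const samples = [
  'data:application/json,{"my_json_key":"value"}',
  "data:APPLICATION/JSON;charset=utf-8;base64,e30=",
  "data:text/html,<h1>hi</h1>",
  "data:,plain text with no media type",
  "data:application/json",                  // missing comma
];
for (const s of samples) {
  console.log(allowTopLevelDataNavigation(s) ? "allow" : "block", s);
}
```

The check matches on the parsed media type rather than a string prefix, so parameters and letter case cannot be used to slip a non-allowlisted type past it.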