Closed
Bug 1403870
Opened 7 years ago
Closed 7 years ago
Potentially allow navigations to data:application/json
Categories
(Core :: DOM: Security, enhancement, P1)
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox58 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(2 files)
1.46 KB, patch | smaug: review+
2.45 KB, patch | smaug: review+
No description provided.
Assignee
Comment 1•7 years ago
Issue raised within Bug 1403641:
(In reply to zdnex from comment #7)
> Another issue is for example using data: uri for json which is sometimes
> used by REST API services to quickly show JSON result and when we have
> inbuilt JSON viewer it is even better, but this breaks it also.
>
> <html><body><a href='data:application/json,{"my_json_key":"value"}'
> target='_blank'>show json value</a></body></html>
Assignee
Updated•7 years ago
Assignee: nobody → ckerschb
Blocks: 1380959
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Assignee
Comment 2•7 years ago
Once we have fixed Bug 1403814, we can whitelist application/json since such a data: URI would open in the browser.
Depends on: 1403814
Assignee
Comment 3•7 years ago
Olli, data/json is opened in the browser, hence we should whitelist it (similar to what we did for PDF within Bug 1398692). Agreed?
Attachment #8924691 -
Flags: review?(bugs)
Assignee
Comment 4•7 years ago
Here is an automated test for that behavior.
Attachment #8924692 -
Flags: review?(bugs)
Updated•7 years ago
Attachment #8924691 -
Flags: review?(bugs) → review+
Updated•7 years ago
Attachment #8924692 -
Flags: review?(bugs) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4acac146285e
Allow toplevel data URI navigation data:application/json. r=smaug
https://hg.mozilla.org/integration/mozilla-inbound/rev/b66649cd261a
Test toplevel data URI navigation to application/json is allowed. r=smaug
Comment 6•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4acac146285e
https://hg.mozilla.org/mozilla-central/rev/b66649cd261a
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox58:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
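A simplified model of the allowlist decision discussed in comments 2 and 3, added here as an illustration; it is not the attached patch or Firefox's own code. The `ALLOWED_TYPES` set (holding only the two types named in this thread) and both function names are assumptions.

```javascript
// Simplified model of a MIME allowlist for top-level data: URI navigation.
// ALLOWED_TYPES contains only the two types named in this bug thread; it is
// an assumption for illustration, not the browser's actual list.
const ALLOWED_TYPES = new Set(["application/json", "application/pdf"]);

// Extract the media type (without parameters) from a data: URI.
// Returns null when the input is not a data: URI with a comma separator.
function dataUriMediaType(uri) {
  const m = /^data:([^,]*),/i.exec(String(uri).trim());
  if (m === null) return null;
  // The header looks like "type/subtype;param=value;base64".
  // Only the first ';'-separated field is the media type.
  const type = m[1].split(";")[0].trim().toLowerCase();
  // RFC 2397: an omitted media type defaults to text/plain.
  return type === "" ? "text/plain" : type;
}

// Decide whether a top-level navigation to `uri` passes the allowlist.
// The comparison is an exact match on the parsed type: prefix or substring
// matching would let "application/jsonx" or a type smuggled into a
// parameter ("text/html;application/json") slip through.
function allowTopLevelDataNavigation(uri) {
  const type = dataUriMediaType(uri);
  return type !== null && ALLOWED_TYPES.has(type);
}

// Constructed sample inputs; the first is the link target from comment 1.
const samples = [
  'data:application/json,{"my_json_key":"value"}',
  "DATA:Application/JSON;charset=utf-8,{}",
  "data:application/pdf;base64,JVBERi0=",
  "data:text/html,<h1>hi</h1>",
  "data:text/html;application/json,<h1>hi</h1>",
  "data:application/jsonx,{}",
  "data:,no explicit type",
];
for (const s of samples) {
  console.log(allowTopLevelDataNavigation(s) ? "allow" : "block", s);
}
```
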