Open Bug 142155 Opened 23 years ago Updated 3 years ago

CSS from a file: url, linked by HTML from a chrome: url is blocked

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
All
Type:
defect

Tracking

()

People

(Reporter: rginda, Assigned: dveditz)

Details

1. Save http://www.hacksrus.com/~ginda/chatzilla/motifs/output-dark.css somewhere on your local disk. 2. Start chatzilla 3. type /css file:/path/tp/output-dark.css You should see chatzilla's text change to (or remain as) light text on a dark background. Instead, what I'm getting is... The link to file:///home/rginda/src/cvs/mozilla/extensions/irc/xul/skin/output-dark.css was blocked by the security manager. Remote content may not link to local content.
I get the same error on the JavaScript console, Win 98 Build 2002051208 (switches to standard serif text, white background black text, etc). Fixing this may require wrangling with some people discussing Bug 84128 (how to handle failure of CheckLoadURI), because I guess you don't want to go around the security system, and you don't want to require that the chrome: protocol be used. It is also interesting to note that the same mechanism handles requests to load URLs when a user clicks on them in Chatzilla's channel/network/chatzilla view: requests to open file: URLs will also fail there. Still seems to me that that all of this could be solved by creating a preference setting for allowing access to file protocol (or various protocols). (Good argument in Bug 84128 Comment 30). Also, we might ask why there is no error handed back by the security manager for Chatzilla to report? (right?)
Assignee: security-bugs → dveditz
QA Contact: bsharma
QA Contact: toolkit
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.