Bug 143420 - View Image loads javascript: url as chrome
Status: VERIFIED FIXED
[ADT2 RTM]
Product: Core
Classification: Components
Component: Security: CAPS
Version: Trunk
Platform: x86 Windows 98
Importance: -- normal
Assigned To: Daniel Veditz [:dveditz]
QA Contact: bsharma
: Selena Deckelmann :selenamarie :selena use ni?
Reported: 2002-05-10 02:16 PDT by Jesse Ruderman
Modified: 2002-11-05 23:09 PST

Attachments
testcase for View Image (139 bytes, text/html)
2002-05-10 02:17 PDT, Jesse Ruderman
testcase for Show Only This Frame (125 bytes, text/html)
2002-05-10 02:29 PDT, Jesse Ruderman
use loadURI() for safety in nsContextMenu.js (728 bytes, patch)
2002-05-21 02:55 PDT, Daniel Veditz [:dveditz]
bryner: review+
scc: superreview+
endico: approval+

Description Jesse Ruderman 2002-05-10 02:16:55 PDT
If the src of an img is a javascript: url, the View Image context menu item runs
the javascript: url as chrome.
Comment 1 Jesse Ruderman 2002-05-10 02:17:51 PDT
Created attachment 83015
testcase for View Image
Comment 2 Jesse Ruderman 2002-05-10 02:29:17 PDT
Created attachment 83020
testcase for Show Only This Frame
Comment 3 Jesse Ruderman 2002-05-14 20:49:52 PDT
While I rarely use View Image, I use Show Only This Frame reflexively on pages
with large navigation frames.  The frame with the javascript: URL can contain
anything a normal frame can using the format javascript:"<html>...", so the page
can look like a normal framed page.
Comment 4 Mitchell Stoltz (not reading bugmail) 2002-05-17 18:50:36 PDT
Reassigning to dveditz
Comment 5 Daniel Veditz [:dveditz] 2002-05-21 02:55:41 PDT
Created attachment 84419
use loadURI() for safety in nsContextMenu.js


The view image (and background image) bug turns out to be the utilityOverlay.js
bug covered in bug 144704. This patch only fixes the show frame bug.
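
The class of bug reported here, privileged (chrome) UI code loading a URL taken from page content, is commonly guarded by checking the URL's scheme before the load. The following is an added illustration, not the patch attached to this bug and not Mozilla code; `schemeOf`, `isSafeForPrivilegedLoad`, `viewImage`, the `loader` callback and the allowlist are all hypothetical.

```javascript
// Added illustration (not Mozilla code): decide whether a URL taken from page
// content (an <img src>, a frame's location) may be loaded by privileged UI code.
// The allowlist below is an assumption made for this example.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp"]);

// Return the lower-cased scheme of `url`, or null if it has none.
// URL parsers drop leading/trailing whitespace and control characters and strip
// tab/CR/LF anywhere in the string, so "  JavaScript:" and "java\tscript:" are
// both javascript: URLs. Normalise the same way before looking at the scheme.
function schemeOf(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist, not denylist: javascript:, data:, chrome:, unknown schemes and
// scheme-less (unresolved relative) strings are all refused.
function isSafeForPrivilegedLoad(url) {
  const scheme = schemeOf(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Hypothetical menu handler: `loader` stands in for whatever performs the load.
function viewImage(src, loader) {
  if (!isSafeForPrivilegedLoad(src)) {
    throw new Error("refusing to load " + JSON.stringify(schemeOf(src)) + " URL from content");
  }
  return loader(src);
}

// Constructed sample inputs.
const samples = [
  "http://example.org/logo.png",
  "javascript:void 0",
  "  JavaScript:void 0",
  "java\tscript:void 0",
  "data:image/png;base64,AAAA",
  "logo.png",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeForPrivilegedLoad(s) ? "load" : "refuse");
}
```

A caller would resolve relative URLs against the document base before this check, since a scheme-less string is refused here.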
Comment 6 Scott Collins 2002-05-21 15:08:33 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

sr=scc
Comment 7 Brian Ryner (not reading) 2002-05-21 16:27:33 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

r=bryner
Comment 8 Dawn Endico 2002-05-21 17:11:15 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

a=brendan,chofmann,scc

please check in to mozilla 1.0 branch by midnight tonight
Comment 9 scottputterman 2002-05-21 17:16:50 PDT
adding adt1.0.0+ for 1.0 branch checkin.
Comment 10 Daniel Veditz [:dveditz] 2002-05-21 22:14:50 PDT
checked into trunk and branch
Comment 11 bsharma 2002-10-14 10:50:59 PDT
Verified on 2002-10-11-branch build on Win 2000.

Both of the attached test cases give an exception.
Comment 12 Daniel Veditz [:dveditz] 2002-11-05 23:09:36 PST
fixing verified keyword so queries of which bug was fixed when come out right:
this was fixed for mozilla 1.0
