Closed Bug 143420 Opened 21 years ago Closed 21 years ago

View Image loads javascript: url as chrome

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: dveditz)

Details

(Whiteboard: [ADT2 RTM])

Attachments

(3 files)

testcase for View Image
139 bytes, text/html
Details
testcase for Show Only This Frame
125 bytes, text/html
Details
use loadURI() for safety in nsContextMenu.js
728 bytes, patch
bryner
: review+
scc
: superreview+
endico
: approval+
Details | Diff | Splinter Review 
If the src of an img is a javascript: url, the View Image context menu item runs
the javascript: url as chrome.

    
    

    
  


  

    
  

        Attachment #83015 -
        Attachment description: testcase → testcase for View Image

    
    

    
  
While I rarely use View Image, I use Show Only This Frame reflexively on pages
with large navigation frames.  The frame with the javascript: URL can contain
anything a normal frame can using the format javascript:"<html>...", so the page
can look like a normal framed page.
Keywords: nsbeta1+
Whiteboard: [ADT2 RTM]

    
    

    
  
Reassigning to dveditz
Assignee: mstoltz → dveditz

    
    

    
  


  
The view image (and background image) bug turns out to be the utilityOverlay.js
bug covered in bug 144704. This patch only fixes the show frame bug.

    
    

    
  
Comment on attachment 84419 [details] [diff] [review]
use loadURI() for safety in nsContextMenu.js

sr=scc

        Attachment #84419 -
        Flags: superreview+

    
    

    
  
Comment on attachment 84419 [details] [diff] [review]
use loadURI() for safety in nsContextMenu.js

r=bryner

        Attachment #84419 -
        Flags: review+

    
    

    
  
Comment on attachment 84419 [details] [diff] [review]
use loadURI() for safety in nsContextMenu.js

a=brendan,chofmann,scc

please check in to mozilla 1.0 branch by midnight tonight

        Attachment #84419 -
        Flags: approval+

    
    

    
  
adding adt1.0.0+ for 1.0 branch checkin.
Keywords: adt1.0.0+

    
    

    
  
checked into trunk and branch
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
Group: security?

    
    

    
  
Verified on 2002-10-11-branch build on Win 2000.

Both of the attached test cases gives an exxception.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.0verified1.0.2

    
    

    
  
fixing verified keyword so queries of which bug was fixed when come out right:
this was fixed for mozilla 1.0
Keywords: verified1.0.2verified1.0.0

          You need to log in
          before you can comment on or make changes to this bug.