Bug 143420 - View Image loads javascript: url as chrome
Status: VERIFIED FIXED
[ADT2 RTM]
Product: Core
Classification: Components
Component: Security: CAPS
: Trunk
: x86 Windows 98
: -- normal
Assigned To: Daniel Veditz [:dveditz]
: bsharma
: Selena Deckelmann :selenamarie :selena use ni?
Reported: 2002-05-10 02:16 PDT by Jesse Ruderman
Modified: 2002-11-05 23:09 PST


Attachments
testcase for View Image (139 bytes, text/html)
2002-05-10 02:17 PDT, Jesse Ruderman
testcase for Show Only This Frame (125 bytes, text/html)
2002-05-10 02:29 PDT, Jesse Ruderman
use loadURI() for safety in nsContextMenu.js (728 bytes, patch)
2002-05-21 02:55 PDT, Daniel Veditz [:dveditz]
bryner: review+
scc: superreview+
endico: approval+

Description Jesse Ruderman 2002-05-10 02:16:55 PDT
If the src of an img is a javascript: url, the View Image context menu item runs
the javascript: url as chrome.
Comment 1 Jesse Ruderman 2002-05-10 02:17:51 PDT
Created attachment 83015
testcase for View Image
Comment 2 Jesse Ruderman 2002-05-10 02:29:17 PDT
Created attachment 83020
testcase for Show Only This Frame
Comment 3 Jesse Ruderman 2002-05-14 20:49:52 PDT
While I rarely use View Image, I use Show Only This Frame reflexively on pages
with large navigation frames.  The frame with the javascript: URL can contain
anything a normal frame can using the format javascript:"<html>...", so the page
can look like a normal framed page.
Comment 4 Mitchell Stoltz (not reading bugmail) 2002-05-17 18:50:36 PDT
Reassigning to dveditz
Comment 5 Daniel Veditz [:dveditz] 2002-05-21 02:55:41 PDT
Created attachment 84419
use loadURI() for safety in nsContextMenu.js


The view image (and background image) bug turns out to be the utilityOverlay.js
bug covered in bug 144704. This patch only fixes the show frame bug.
Comment 6 Scott Collins 2002-05-21 15:08:33 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

sr=scc
Comment 7 Brian Ryner (not reading) 2002-05-21 16:27:33 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

r=bryner
Comment 8 Dawn Endico 2002-05-21 17:11:15 PDT
Comment on attachment 84419
use loadURI() for safety in nsContextMenu.js

a=brendan,chofmann,scc

please check in to mozilla 1.0 branch by midnight tonight
Comment 9 scottputterman 2002-05-21 17:16:50 PDT
adding adt1.0.0+ for 1.0 branch checkin.
Comment 10 Daniel Veditz [:dveditz] 2002-05-21 22:14:50 PDT
checked into trunk and branch
Comment 11 bsharma 2002-10-14 10:50:59 PDT
Verified on 2002-10-11-branch build on Win 2000.

Both of the attached test cases give an exception.
Comment 12 Daniel Veditz [:dveditz] 2002-11-05 23:09:36 PST
fixing verified keyword so queries of which bug was fixed when come out right:
this was fixed for mozilla 1.0
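
The bug class reported here, as an added example that is not code from this bug or from Mozilla: a scheme allowlist that privileged UI code can apply to a content-supplied URL (an img src or frame src) before loading it. This is a different technique from the loadURI() change in the attached patch; the function name, the allowlist and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: gate content-supplied URLs before a privileged caller
// (such as a context-menu handler) loads them. All names are hypothetical.

// Assumed policy: only plain network schemes may be opened from the menu.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ftp:']);

// Constructed base URL of the page that supplied the src attribute.
const PAGE = 'http://example.test/frames/index.html';

function checkContentUrl(rawUrl, pageUrl) {
  let parsed;
  try {
    // The WHATWG URL parser trims leading/trailing spaces and control
    // characters, drops embedded tabs/newlines and lowercases the scheme,
    // so obfuscated spellings of "javascript:" normalise to one value.
    parsed = new URL(rawUrl, pageUrl);
  } catch (e) {
    return { allowed: false, scheme: null, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { allowed: false, scheme: parsed.protocol, reason: 'scheme not allowed' };
  }
  return { allowed: true, scheme: parsed.protocol, reason: 'ok', href: parsed.href };
}

// Constructed sample inputs: one benign relative src, several that a
// privileged loader must refuse, and one that does not parse.
const SAMPLES = [
  'images/logo.png',
  'javascript:"<html>..."',
  ' JaVa\tScRiPt:void(0)',
  'data:text/html,<b>x</b>',
  'chrome://browser/content/',
  'http://[',
];

function runSamples() {
  return SAMPLES.map((u) => Object.assign({ input: u }, checkContentUrl(u, PAGE)));
}

for (const r of runSamples()) {
  console.log(JSON.stringify(r.input), '->', r.allowed ? 'load ' + r.href : 'refuse (' + r.reason + ')');
}
```

Comparing the parsed scheme, not a string prefix of the raw attribute value, is what makes the mixed-case and tab-split variants fail the check.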
