Closed Bug 1436128 Opened 6 years ago Closed 5 years ago
security.fileuri.strict_origin_policy seems to break quotamanager
Jeff (CC'd) had security.fileuri.strict_origin_policy set to false (it seems there is some internet advice around this) and at startup got errors related to quotamanager not liking file+++UNIVERSAL_FILE_URI_ORIGIN. Is this a quotamanager issue or a CAPS issue?
baku, seems you may have had something to do with this in bug 1347817.
I think QM probably needs to handle this.
Component: Security: CAPS → DOM: Quota Manager
Moving the NI to janv.
Flags: needinfo?(amarchesini) → needinfo?(jvarga)
I have a patch for this: https://bugzilla.mozilla.org/attachment.cgi?id=8946613&action=edit
security.fileuri.strict_origin_policy set to false means your entire disk is the same origin, as it was originally. This was an escape valve added when we tightened the policy to "same and sub directories" in case we broke some people's workflows, but it's not a safe setting. If you open a local file with malicious scripts, it can now read any sensitive data on your drive. [In comparison, Chrome and Safari one-upped us and make every file: URI a unique origin, which solves some additional security risks our version still has.]
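The three file: origin policies contrasted in the comment above, as an added example that is not Gecko code and not part of the bug thread. It is a simplified model: the policy names, `canRead`, `reachable` and the sample paths are constructed for illustration, and the unique-origin policy is modelled as a document being able to read only itself.

```javascript
// Simplified model of file: same-origin decisions (hypothetical names, not Gecko code).
//   "universal" : strict_origin_policy = false, the whole disk is one origin
//   "directory" : the tightened policy, "same and sub directories" of the source file
//   "unique"    : every file: URI is its own origin

// Parse and require a file: URL. The URL parser resolves "." and ".." segments,
// so a path like Downloads/../.ssh is compared in its normalised form.
function parseFileUrl(s) {
  const u = new URL(s);
  if (u.protocol !== "file:") throw new TypeError("not a file: URL: " + s);
  return u;
}

// Directory of the source file, with the trailing "/" kept so that
// "/home/u/Downloads/" does not prefix-match "/home/u/Downloads-private/".
function dirOf(u) {
  return u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

function canRead(policy, sourceUrl, targetUrl) {
  const src = parseFileUrl(sourceUrl);
  const dst = parseFileUrl(targetUrl);
  switch (policy) {
    case "universal": return true;
    case "directory": return dst.pathname.startsWith(dirOf(src));
    case "unique":    return dst.href === src.href;
    default: throw new RangeError("unknown policy: " + policy);
  }
}

// Which of the targets a script in `sourceUrl` could read under `policy`.
function reachable(policy, sourceUrl, targets) {
  return targets.filter((t) => canRead(policy, sourceUrl, t));
}

// Constructed sample: a downloaded HTML page and some files around it.
const PAGE = "file:///home/u/Downloads/page.html";
const TARGETS = [
  "file:///home/u/Downloads/data.json",
  "file:///home/u/Downloads/assets/app.js",
  "file:///home/u/Downloads/../.ssh/id_rsa",
  "file:///home/u/Downloads-private/notes.txt",
];

for (const p of ["universal", "directory", "unique"]) {
  console.log(p, reachable(p, PAGE, TARGETS));
}
```

Under "universal" every target is readable, including the key file reached through `..`; under "directory" only the two files in or below `Downloads/` are.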
This will be fixed in bug 1286798.
Fixed by bug 1286798.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED