Last Comment Bug 144704 - javascript: url loaded from bookmark sidebar or manager runs as chrome
: javascript: url loaded from bookmark sidebar or manager runs as chrome
Status: VERIFIED FIXED
:
Product: Core
Classification: Components
Component: Security: CAPS (show other bugs)
: Trunk
: x86 Windows 98
: -- normal (vote)
: ---
Assigned To: Daniel Veditz [:dveditz]
: bsharma
Mentors:
javascript:try{x=String(Components.cl...
: 88143 (view as bug list)
Depends on:
Blocks: 143200
  Show dependency treegraph
 
Reported: 2002-05-15 02:33 PDT by Jesse Ruderman
Modified: 2002-11-05 23:10 PST (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Load javascript URIs safely (598 bytes, patch)
2002-05-21 02:07 PDT, Daniel Veditz [:dveditz]
bryner: review+
brendan: superreview+
endico: approval+
Details | Diff | Splinter Review

Description Jesse Ruderman 2002-05-15 02:33:07 PDT
A javascript: URL loaded from any of the following places runs as chrome:

* bookmarks sidebar
* bookmark manager
* global history window
* global history sidebar

Example: javascript:try{x=String(Components.classes);}catch(er){x=er};x

The weird thing is that bookmarks loaded from these places run as chrome /and/
run in the context of the page in the content area.  How can they be both chrome
and part of the page?

Expected:
* javascript: urls loaded from bookmarks should run as part of the page
* javascript: urls loaded from global history should run as nothing

Bookmarklets run from the bookmarks menu and from the personal toolbar work as
expected.
Comment 1 Mitchell Stoltz (not reading bugmail) 2002-05-17 18:48:59 PDT
Dan Veditz has offered to take this one.
Comment 2 Brendan Eich [:brendan] 2002-05-20 14:11:23 PDT
Any news?  Today is the last day for 1.0rc3, which probably means for 1.0.

/be
Comment 3 Daniel Veditz [:dveditz] 2002-05-20 17:30:57 PDT
I'm just learning my way on the security stuff. I plan on fixing it this week,
but if you want something immediate someone who knows what to look for already
should take it.
Comment 4 Daniel Veditz [:dveditz] 2002-05-21 02:07:36 PDT
Created attachment 84409 [details] [diff] [review]
Load javascript URIs safely
Comment 5 Daniel Veditz [:dveditz] 2002-05-21 02:53:22 PDT
This bug is in the utility function openTopWin() which is called lots of places.
Many of them probably suffered from this bug. In addition to the bookmarks and
history problems in this bug, the view image (and background image) problem from
bug 143420 turns out to have the same cause. abCardViewOverlay.js is another one
to look into.

It doesn't look like any places would get broken by this change, but it'd be
good to get a second opinion or some trunk testing before landing this on the
branch.
Comment 6 Brendan Eich [:brendan] 2002-05-21 11:11:19 PDT
Adding to the rc3-not-suck list, thanks dveditz.  Does walletOverlay.js need a
similar fix?  I see other foo._content.location{,.href} = ... patterns under
xpfe/components.

/be
Comment 7 Brian Ryner (not reading) 2002-05-21 16:59:52 PDT
Comment on attachment 84409 [details] [diff] [review]
Load javascript URIs safely

r=bryner
Comment 8 Brendan Eich [:brendan] 2002-05-21 17:04:57 PDT
Comment on attachment 84409 [details] [diff] [review]
Load javascript URIs safely

sr=brendan@mozilla.org

I believe this will be approved today for 1.0 branch checkin.  Please get it
into the trunk ASAP.

/be
Comment 9 Dawn Endico 2002-05-21 17:13:04 PDT
Comment on attachment 84409 [details] [diff] [review]
Load javascript URIs safely

a=chofmann,scc

please check this in to the  mozilla 1.0 branch by midnight.
Comment 10 scottputterman 2002-05-21 17:15:37 PDT
adding adt1.0.0+ for checkin to the 1.0 branch.
Comment 11 Daniel Veditz [:dveditz] 2002-05-21 18:14:53 PDT
*** Bug 88143 has been marked as a duplicate of this bug. ***
Comment 12 Daniel Veditz [:dveditz] 2002-05-21 22:15:18 PDT
Checked into trunk and branch
Comment 13 bsharma 2002-10-14 10:53:13 PDT
Verified on 2002-10-11-branch build on Win2000.

Attached URL throws an exception.
Comment 14 Daniel Veditz [:dveditz] 2002-11-05 23:10:34 PST
Fixing verified keyword so queries of which bugs were fixed in what release come
out right: this was fixed for Mozilla 1.0

Note You need to log in before you can comment on or make changes to this bug.