Closed Bug 1545967 Opened 6 years ago Closed 6 years ago

Reader mode href treatment

Categories

(Toolkit :: Reader Mode, defect)

Product:
Toolkit
Component:
Reader Mode
Version:
67 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: ajv-939-807-4355, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

I have an RSS reader with an option to view article bodies in reader mode.
It builds an <a> with href of "about:reader?url=...". Clicking on this element does
nothing. Right click and "open in new tab" creates a new tab (_blank is on the
element) but no content. The base URL is on the location bar, and if you click
up there and hit enter, the target URL is now rendered in reader mode.

Actual results:

No action, or blank until click on URL--then get reader mode content. On Fennec
it won't even let you open link in new tab.

Expected results:

I understand the hesitation of Firefox to let web pages reach out to the about:
namespace. OTOH, rendering a page in reader mode is, of itself, a benign action.
I suggest either the about:reader space be granted a distinct security policy, or that
some other URL scheme be adopted to access a reader view of a URL. reader:URL,
for instance.

Component: Untriaged → Reader Mode
Product: Firefox → Toolkit

We have no intention to do this. The security risks simply aren't worth it. Reader mode pages were restricted precisely because people found ways to abuse being able to force one to open (esp. because it contains a full URL as a param).

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.