Closed
Bug 166166
Opened 22 years ago
Closed 15 years ago
Composer should not open new documents using about:blank
Categories
(SeaMonkey :: Composer, defect)
Tracking
(Not tracked)
RESOLVED
EXPIRED
People
(Reporter: glazou, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: topembed+, Whiteboard: EDITORBASE+, edt_b3, edt_x3)
For the time being, Composer creates new documents "opening" about:blank. This
should be changed because for security reasons (see bug 69070 for instance),
about:blank cannot load a local stylesheet, cannot embed local applets, ... It can
**for the moment** embed images but fix for bug 69070 is going to change that.
I think we need either a new static private url like "composer:blank" or create
a local temporary file with an empty document inside.
heehee :-)
x-composer:
(about: is grandfathered, but unless you want to propose to ietf a composer
protocol...)
Reporter | ||
Comment 2•22 years ago
|
||
==> Editor:Composer
Assignee: kin → syd
Component: Editor: Core → Editor: Composer
Comment 3•22 years ago
|
||
nominating since it's likely that much core functionality will be broken if we
don't address this issue
Keywords: nsbeta1
Whiteboard: EDITORBASE
Comment 4•22 years ago
|
||
dupe of bug 134996?
Comment 5•22 years ago
|
||
nsbeta1+, EDITORBASE+
Reporter | ||
Comment 6•22 years ago
|
||
*** Bug 134996 has been marked as a duplicate of this bug. ***
Comment 8•22 years ago
|
||
See bug 69070 comment 41
Could someone tell me whether Midas also uses about:blank? I would have thought
that it would use the URI of the <iframe> the editing is happening in....
Comment 9•22 years ago
|
||
Midas uses whatever the url is that is specified in the iframe. The editing
session grabs the url from the document here:
http://lxr.mozilla.org/seamonkey/source/editor/composer/src/nsEditingSession.cpp#313
We do have security checks in place that require the iframe be on the same host
etc as the parent document but we make an exception for "about:blank" so that
page authors can start with an "empty page."
Comment 10•22 years ago
|
||
Hmm.... So what happens if you have a page in an iframe that links to an image
on the local drive (and that load is blocked) then you say you want to edit it;
does the link suddenly get unblocked? (I'm just not sure how Midas works in
practice, so I'm trying to figure out what possibilities we have to account
for). Or is a Midas docshell/document defined as special at creation time somehow?
Comment 11•22 years ago
|
||
OK. Looks like CheckLoadURI uses the protocol and does not care about script
priveleges and will just deny any load attempts from an about: URI... so just
setting up about:composer in the redirector does not work. :(
Updated•22 years ago
|
QA Contact: sujay → sairuh
Updated•22 years ago
|
Whiteboard: EDITORBASE+ → EDITORBASE+, edt_b3, edt_x3
Comment 13•22 years ago
|
||
How about resource://res/blank.html - that has file: privileges, right?
Comment 14•21 years ago
|
||
This bug generates other problems, so I guess we've to have this sorted out in
order to get Composer correctly working (esepcially w/emails).
Flags: blocking1.6a?
Flags: blocking1.4.2?
Updated•21 years ago
|
Flags: blocking1.4.2? → blocking1.4.2-
Updated•20 years ago
|
Product: Browser → Seamonkey
Updated•16 years ago
|
Assignee: daniel → nobody
QA Contact: bugzilla → composer
Comment 15•16 years ago
|
||
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.
If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.
Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
Comment 16•15 years ago
|
||
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but still has no comment since the inception of the SeaMonkey project 5 years ago.
Because of this, we're resolving the bug as EXPIRED.
If you still can reproduce the bug on SeaMonkey 2 or otherwise think it's still valid, please REOPEN it and if it is a platform or toolkit issue, move it to the according component.
Query tag for this change: EXPIRED-20100420
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → EXPIRED
You need to log in
before you can comment on or make changes to this bug.
Description
•