Closed
Bug 168136
Opened 22 years ago
Closed 22 years ago
for pref controlled schemes, allow access if source scheme is chrome or res
Categories
(Core :: Security: CAPS, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: sspitzer, Assigned: sspitzer)
References
Details
Attachments
(1 file)
1.08 KB,
patch
|
security-bugs
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
for pref controlled schemes, allow accecs if source scheme is chrome or res
here comes a patch.
please review (somewhat scary).
Assignee | ||
Comment 1•22 years ago
|
||
Assignee | ||
Comment 2•22 years ago
|
||
see #167891 for some xul / js that requires this.
it's a xul window, with a browser element, and the src of the element is set to
a file:// url (to a html file on disk)
Summary: for pref controlled schemes, allow accecs if source scheme is chrome or res → for pref controlled schemes, allow access if source scheme is chrome or res
Comment 3•22 years ago
|
||
Personally I think we should change file: to AllowAccess -- we're breaking a lot
of people on intranets and I don't see the security gain. Or default the pref to
true and let paranoids turn it off if we find a problem. But chrome should
definitely be able to access file: so I'll sr= this if Mitch gives the r=
Comment 4•22 years ago
|
||
Comment on attachment 98856 [details] [diff] [review]
patch, please review carefully, I'm not a caps or security expert.
sr=dveditz if mstoltz gives the r=/moa=
Attachment #98856 -
Flags: superreview+
Comment 5•22 years ago
|
||
Comment on attachment 98856 [details] [diff] [review]
patch, please review carefully, I'm not a caps or security expert.
Dan - yes, I think we should eventually make file: be an AllowProtocol,
although I want to add a lower-level check to prevent accessing /dev/* files
and the like. But that will require a lot of caution, so let's do this for now.
r=mstoltz.
Attachment #98856 -
Flags: review+
Assignee | ||
Comment 6•22 years ago
|
||
fixed.
thanks all.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•