Closed Bug 168136 Opened 22 years ago Closed 22 years ago

for pref controlled schemes, allow access if source scheme is chrome or res

Categories

(Core :: Security: CAPS, defect)

x86
All
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: sspitzer, Assigned: sspitzer)

References

Details

Attachments

(1 file)

for pref controlled schemes, allow accecs if source scheme is chrome or res

here comes a patch.

please review (somewhat scary).
Blocks: 167891
Status: NEW → ASSIGNED
see #167891 for some xul / js that requires this.

it's a xul window, with a browser element, and the src of the element is set to 
a file:// url (to a html file on disk)
Summary: for pref controlled schemes, allow accecs if source scheme is chrome or res → for pref controlled schemes, allow access if source scheme is chrome or res
Personally I think we should change file: to AllowAccess -- we're breaking a lot
of people on intranets and I don't see the security gain. Or default the pref to
true and let paranoids turn it off if we find a problem.  But chrome should
definitely be able to access file: so I'll sr= this if Mitch gives the r=
Comment on attachment 98856 [details] [diff] [review]
patch, please review carefully, I'm not a caps or security expert.

sr=dveditz if mstoltz gives the r=/moa=
Attachment #98856 - Flags: superreview+
Comment on attachment 98856 [details] [diff] [review]
patch, please review carefully, I'm not a caps or security expert.

Dan - yes, I think we should eventually make file: be an AllowProtocol,
although I want to add a lower-level check to prevent accessing /dev/* files
and the like. But that will require a lot of caution, so let's do this for now.

r=mstoltz.
Attachment #98856 - Flags: review+
fixed.

thanks all.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.