Fix origin header for null principal content dialogs (e.g. alert/prompt/confirm from data: URI pages or sandboxed iframes)
Categories
(Toolkit Graveyard :: Notifications and Alerts, defect, P1)
Tracking
(firefox-esr78 unaffected, firefox85 unaffected, firefox86 wontfix, firefox87 fixed)
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox85 | --- | unaffected |
firefox86 | --- | wontfix |
firefox87 | --- | fixed |
People
(Reporter: dholbert, Assigned: mtigley)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, Whiteboard: [proton-modals])
Attachments
(2 files)
STR:
(1) Visit data:text/html,<script>alert("hi");</script>
(2) Look at the alert that appears.
ACTUAL RESULTS:
The alert has this line of header text:
The page at moz-nullprincipal: says:
EXPECTED RESULTS:
We shouldn't be using moz-nullprincipal:
in user-facing strings.
This principal is perhaps something we should be checking for as a special-case (in our JS), and just using a simpler header string like This page says:
Reporter | ||
Comment 1•4 years ago
|
||
I'm using Nightly 87.0a1 (2021-01-27) (64-bit)
Reporter | ||
Comment 2•4 years ago
|
||
Looks like this text was added in bug 1682393.
Micah, mind taking a look? Could we add a special-case for alerts from moz-nullprincipal:
to avoid putting that string in front of users?
Reporter | ||
Comment 3•4 years ago
|
||
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 4•4 years ago
|
||
Yep, I can take a look!
Comment 5•4 years ago
|
||
Set release status flags based on info from the regressing bug 1682393
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 6•4 years ago
|
||
Updated•4 years ago
|
Comment 7•4 years ago
|
||
As noted on phabricator, it's a recent regression (held to nightly + early beta) for toplevel data:
URIs, but the same bug actually pre-dated all our changes here, for the sandboxed iframes. The regressor there was bug 1594781
Updated•4 years ago
|
Comment 8•4 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 9•4 years ago
|
||
The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
Updated•4 years ago
|
Comment 10•4 years ago
|
||
Updated•4 years ago
|
Comment 11•4 years ago
|
||
bugherder |
Comment 12•4 years ago
|
||
The patch landed in nightly and beta is affected.
:mtigley, is this bug important enough to require an uplift?
If not please set status_beta
to wontfix
.
For more information, please visit auto_nag documentation.
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Updated•1 year ago
|
Description
•