Closed
Bug 193558
Opened 22 years ago
Closed 22 years ago
unable to include a href to file:// in web page. security error content at http://localhost/x.html may not link to file:///c:/temp/ in javascript console
Categories
(Core :: Security: CAPS, defect)
CLOSED
DUPLICATE
of bug 122022
People
(Reporter: mdaskalo, Assigned: security-bugs)
Attachments
(1 file)
288 bytes,
text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203

If you have a web page such as

<html>
<head>
<script language="Javascript">
function doit() {
  window.open('file:///C:/temp/');
}
</script>
</head>
<body>
<input type="button" onclick="doit()" value="Open with button!">
<br>
<a href="file:///C:/temp/" target="_blank">Open with URL</a>
<br>
</body>
</html>

If the user tries to open a window using the button then nothing happens because of a security error in JavaScript Console:

Security error: Content at http://localhost/x.html may not link to file:///c:/temp/

This is normal and good, because the JavaScript could do bad things with the opened window. However, trying to open the page with the <a href> the same error is produced and nothing is opened. I think this is a bug. Opening via <a href target="_blank"> should be allowed by default. I don't see any security threats from this.

Reproducible: Always

Steps to Reproduce:
1. create a web page with the above content and put it on a web server
2. open the page with mozilla
3. Click the button - security exception (this is OK)
4. Click the URL - results in security exception (this is WRONG in my opinion)

Expected Results:
Be able to open file URLs with Mozilla from within a web page. It would allow intranet developers to link to large files on a fileserver, instead of serving them via webserver. Another reason to allow linking to local files - this is the way IE behaves (it also permits window.open('C:\temp') but this is a problem of IE).
Reporter
Comment 1•22 years ago
Here is a testcase. Possible duplicate of bug 81297 which mentions that CheckLoadURI should be used instead of CheckLoadURIFromScript.
Comment 2•22 years ago
see the release notes. ALL links from http:// to file:// are not allowed

*** This bug has been marked as a duplicate of 122022 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Comment 3•22 years ago
See also bug 84128 for a few more ideas how this could be solved without opening this security hole again.
Reporter
Comment 4•22 years ago
Sorry for spam! I should have looked better for duplicates :-(
Status: RESOLVED → VERIFIED
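Added example, not part of the bug report and not Gecko's CheckLoadURI code: a simplified model of the rule stated in comment 2, usable to audit an intranet page for links that will be refused. The function names, the regex-based scan, the relative link in the sample page and treating https like http are assumptions of this sketch.

```javascript
// Added example: simplified model of "links from http:// to file:// are not allowed".
// It is not the browser's implementation; names here are hypothetical.

// Collect href="..." values and window.open('...') string literals.
// This is a regex scan for auditing, not a full HTML or JavaScript parser.
function extractLinkTargets(html) {
  const targets = [];
  const patterns = [
    /\bhref\s*=\s*(["'])(.*?)\1/gi,
    /\bwindow\.open\(\s*(["'])(.*?)\1/gi,
  ];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) targets.push(m[2]);
  }
  return targets;
}

// Return one console-style message per target that resolves to a file: URL
// when the page itself is served over http (https handled the same: assumption).
function findBlockedFileLinks(pageUrl, html) {
  const source = new URL(pageUrl);
  if (source.protocol !== 'http:' && source.protocol !== 'https:') return [];
  const blocked = [];
  for (const raw of extractLinkTargets(html)) {
    let resolved;
    try {
      resolved = new URL(raw, source.href); // relative links resolve against the page
    } catch {
      continue; // unparsable target, nothing to report
    }
    if (resolved.protocol === 'file:') {
      blocked.push(`Content at ${source.href} may not link to ${resolved.href}`);
    }
  }
  return blocked;
}

// Constructed sample input, based on the reporter's test page plus one relative link.
const samplePage = `
<script>function doit() { window.open('file:///C:/temp/'); }</script>
<a href="file:///C:/temp/" target="_blank">Open with URL</a>
<a href="docs/readme.html">Relative link, stays on http</a>`;

console.log(findBlockedFileLinks('http://localhost/x.html', samplePage));
```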