Closed Bug 193558 Opened 22 years ago Closed 22 years ago

unable to include a href to file:// in web page. security error content at http://localhost/x.html may not link to file:///c:/temp/ in javascript console

Categories

(Core :: Security: CAPS, defect)

x86
Windows 2000
defect
Not set
major

CLOSED DUPLICATE of bug 122022

People

(Reporter: mdaskalo, Assigned: security-bugs)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203

If you have a web page such as 

<html>
<head>
<script language="Javascript">
function doit() {
window.open('file:///C:/temp/');
}
</script>
</head>
<body>
<input type="button" onclick="doit()" value="Open with button!">
<br>
<a href="file:///C:/temp/" target="_blank">Open with URL</a>
<br>
</body>
</html>

If the user tries to open a window using the button then nothing happens because
of a security error in JavaScript Console:
Security error: Content at http://localhost/x.html may not link to file:///c:/temp/

This is normal and good, because the JavaScript could do bad things with the
opened window.

However, when trying to open the page with the <a href>, the same error is produced and
nothing is opened. I think this is a bug. Opening via <a href target="_blank">
should be allowed by default. I don't see any security threats from this.

Reproducible: Always

Steps to Reproduce:
1. create a web page with the above content and put it on a web server
2. open the page with mozilla
3. Click the button - security exception (this is OK)
4. Click the URL - results in security exception (this is WRONG in my opinion)



Expected Results:  
Be able to open file URLs with Mozilla from within a web page.
It would allow intranet developers to link to large files on a fileserver,
instead of serving them via webserver.
Another reason to allow linking to local files - this is the way IE behaves (it
also permits window.open('C:\temp') but this is a problem of IE).
Attached file testcase
here is a testcase.

Possible duplicate of bug 81297 which mentions that CheckLoadURI should be
used instead of CheckLoadURIFromScript.
see the release notes. ALL links from http:// to file:// are not allowed

*** This bug has been marked as a duplicate of 122022 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
See also bug 84128 for a few more ideas how this could be solved without opening
this security hole again.
sorry for spam!
I should have looked better for duplicates :-(

Status: RESOLVED → VERIFIED
closed.count++
Status: VERIFIED → CLOSED
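
The rule stated in this thread (content served over http:// may not link to file://, whether through window.open or a plain <a href>) can be modelled as a scheme check run over the reporter's testcase. This is an added example, not Mozilla's CheckLoadURI implementation; mayLink, extractTargets and auditPage are hypothetical names, and allowing file:-to-file: links is an assumption.

```javascript
// Added illustration: a simplified model, NOT Mozilla's CheckLoadURI code.
// TESTCASE is a constructed copy of the reporter's page, plus one relative
// link that is not in the original testcase.
const TESTCASE = `<html><head><script language="Javascript">
function doit() { window.open('file:///C:/temp/'); }
</script></head><body>
<input type="button" onclick="doit()" value="Open with button!">
<a href="file:///C:/temp/" target="_blank">Open with URL</a>
<a href="y.html">Relative link (constructed)</a>
</body></html>`;

// Decide whether a page at sourceUrl may link to targetUrl.
function mayLink(sourceUrl, targetUrl) {
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl, source); // resolves relative hrefs
  // Assumption: only a page that is itself loaded from file: may reach file:.
  if (target.protocol === 'file:' && source.protocol !== 'file:') {
    return {
      allowed: false,
      message: `Security error: Content at ${source.href} may not link to ${target.href}`,
    };
  }
  return { allowed: true, message: null };
}

// Collect link targets from <a href> attributes and window.open() calls.
function extractTargets(html) {
  const targets = [];
  const hrefRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  const openRe = /window\.open\(\s*["']([^"']+)["']/g;
  for (const m of html.matchAll(hrefRe)) targets.push({ via: 'a href', url: m[1] });
  for (const m of html.matchAll(openRe)) targets.push({ via: 'window.open', url: m[1] });
  return targets;
}

// Apply the same check to every target, regardless of how it is triggered.
function auditPage(pageUrl, html) {
  return extractTargets(html).map((t) => ({ ...t, ...mayLink(pageUrl, t.url) }));
}

for (const r of auditPage('http://localhost/x.html', TESTCASE)) {
  console.log(`${r.via} -> ${r.url}: ${r.allowed ? 'allowed' : r.message}`);
}
```

Both the script-driven and the anchor-driven file:// targets are refused with the same message, which is the behaviour the reporter observed; only the relative link, which stays on the http:// origin, passes.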