Closed Bug 193558 Opened 22 years ago Closed 22 years ago

unable to include a href to file:// in web page. security error content at http://localhost/x.html may not link to file:///c:/temp/ in javascript console

Categories

(Core :: Security: CAPS, defect)

x86
Windows 2000
defect
Not set
major

Tracking

()

CLOSED DUPLICATE of bug 122022

People

(Reporter: mdaskalo, Assigned: security-bugs)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030203

If you have a web page such as

    <html>
    <head>
    <script language="Javascript">
    function doit() {
      window.open('file:///C:/temp/');
    }
    </script>
    </head>
    <body>
    <input type="button" onclick="doit()" value="Open with button!">
    <br>
    <a href="file:///C:/temp/" target="_blank">Open with URL</a>
    <br>
    </body>
    </html>

If the user tries to open a window using the button then nothing happens because of a security error in JavaScript Console:

    Security error: Content at http://localhost/x.html may not link to file:///c:/temp/

This is normal and good, because the JavaScript could do bad things with the opened window. However, trying to open the page with the <a href> the same error is produced and nothing is opened. I think this is a bug. Opening via <a href target="_blank"> should be allowed by default. I don't see any security threats from this.

Reproducible: Always

Steps to Reproduce:
1. Create a web page with the above content and put it on a web server
2. Open the page with Mozilla
3. Click the button - security exception (this is OK)
4. Click the URL - results in security exception (this is WRONG in my opinion)

Expected Results:
Be able to open file URLs with Mozilla from within a web page. It would allow intranet developers to link to large files on a fileserver, instead of serving them via webserver. Another reason to allow linking to local files - this is the way IE behaves (it also permits window.open('C:\temp') but this is a problem of IE).
Attached file testcase
Here is a testcase. Possible duplicate of bug 81297 which mentions that CheckLoadURI should be used instead of CheckLoadURIFromScript.
See the release notes. ALL links from http:// to file:// are not allowed.

*** This bug has been marked as a duplicate of 122022 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
See also bug 84128 for a few more ideas how this could be solved without opening this security hole again.
sorry for spam! I should have looked better for duplicates :-(
Status: RESOLVED → VERIFIED
closed.count++
Status: VERIFIED → CLOSED
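The rule stated in this thread (content served over http:// may not link to file://, whether the load comes from window.open or from a plain <a href>) as a simplified model. This is an added example, not Mozilla's CheckLoadURI code; the function names `mayLink` and `auditPage`, the regex-based extraction and the relative link in the sample page are assumptions made for illustration.

```javascript
// Simplified model of the policy quoted in this bug. Hypothetical names,
// not Mozilla's implementation.
const LOCAL_SCHEMES = new Set(["file:"]);

// Returns null when the load is allowed, otherwise a console-style error.
function mayLink(sourceUrl, targetUrl) {
  let source, target;
  try {
    source = new URL(sourceUrl);
    target = new URL(targetUrl, sourceUrl); // resolve relative links first
  } catch (e) {
    // Fail closed: a target that cannot be parsed is treated as denied.
    return `Security error: Content at ${sourceUrl} may not link to ${targetUrl}`;
  }
  // Only content that is itself local may load local (file:) URLs.
  if (LOCAL_SCHEMES.has(target.protocol) && !LOCAL_SCHEMES.has(source.protocol)) {
    return `Security error: Content at ${sourceUrl} may not link to ${target.href}`;
  }
  return null;
}

// Lists every <a href> and window.open target in a page and the verdict
// the page would get for it when served from pageUrl.
function auditPage(pageUrl, html) {
  const patterns = [
    ["a href", /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi],
    ["window.open", /window\.open\(\s*["']([^"']+)["']/g],
  ];
  const findings = [];
  for (const [via, re] of patterns) {
    for (const m of html.matchAll(re)) {
      findings.push({ via, target: m[1], error: mayLink(pageUrl, m[1]) });
    }
  }
  return findings;
}

// The reporter's testcase, plus one constructed relative link for contrast.
const TESTCASE = `<html><head><script language="Javascript">
function doit() { window.open('file:///C:/temp/'); }
</script></head><body>
<input type="button" onclick="doit()" value="Open with button!">
<a href="file:///C:/temp/" target="_blank">Open with URL</a>
<a href="docs/readme.html">relative link (constructed)</a>
</body></html>`;

for (const f of auditPage("http://localhost/x.html", TESTCASE)) {
  console.log(`${f.via} -> ${f.target}: ${f.error || "allowed"}`);
}
```

Both the button path and the anchor path are denied when the page comes from http://localhost, and both are allowed when the same page is opened from a file:// URL.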