Closed
Bug 197305
Opened 21 years ago
Closed 18 years ago
setting designMode on data: URLs throws security exception
Categories
(Core :: DOM: Editor, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: martijn.martijn)
References
Details
(Keywords: fixed1.8.1, testcase, Whiteboard: midas)
Attachments
(2 files)
518 bytes,
text/html
|
Details | |
1.83 KB,
patch
|
bzbarsky
:
review+
dveditz
:
superreview+
sicking
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
Trying to set designMode on a data: URL gives the following error: Error: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "..."] In terms of security, data: URLs are generally considered to have the same source as the page that linked to or loaded them.
Reporter | ||
Comment 1•21 years ago
|
||
Updated•21 years ago
|
Whiteboard: midas
Assignee | ||
Comment 2•18 years ago
|
||
This makes it work for me.
Attachment #216989 -
Flags: review?(dveditz)
Comment 3•18 years ago
|
||
Comment on attachment 216989 [details] [diff] [review] patch I'm not a peer in content, but sr=dveditz fwiw
Attachment #216989 -
Flags: superreview+
Attachment #216989 -
Flags: review?(dveditz)
Attachment #216989 -
Flags: review?(bzbarsky)
Comment 4•18 years ago
|
||
Should the result of GetSecurityManager be checked for OOM cases? Some code in the tree does check, others don't.
Comment 5•18 years ago
|
||
Comment on attachment 216989 [details] [diff] [review] patch GetSecurityManager() is only null during shutdown, so as long as you can guarantee that this code is not running after layout module shutdown you're ok. And you can guarantee that once bsmedberg's document thing lands. This looks great. r=bzbarsky
Attachment #216989 -
Flags: review?(bzbarsky) → review+
Updated•18 years ago
|
Assignee: brade → martijn.martijn
Assignee | ||
Comment 6•18 years ago
|
||
Checking in content/html/document/src/nsHTMLDocument.cpp; /cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v <-- nsHTMLDocu ment.cpp new revision: 3.665; previous revision: 3.664 done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
This patch was clearly only tested with a MIDAS demo and the test case above and not with a single document with chrome JS setting designMode... Sorry, but this is _severely_ broken, designMode does not work at all any more in that case, and works ONLY in the case of a page embedding an iframe itself containing the edited document. If you launch FF and move from about:blank to a page HAVING ITSELF designMode="on", editing is not turned on because CheckSameOriginPrincipal() refuses it. I am therefore reopening the bug. This bug is a complete blocker for the contenteditable feature.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•18 years ago
|
Blocks: contenteditable
Assignee | ||
Comment 8•18 years ago
|
||
Maybe the patch in bug 333922 would fix that issue (I didn't know I broke this, sorry)?
This bug is likely to break all xul-based apps using designMode as a cheap editing solution... If this bug is to remain unsolved for FF2.0, and because I have this feeling the original reported bug above is an hyper-minor edge case, I *STRONGLY* recommend to back out the patch and revert to the original code.
Assignee | ||
Comment 10•18 years ago
|
||
Afaik, the patch wasn't checked in the 1.8.1 branch. The patch in bug 333922 should fix the issue mentioned in comment 7.
Comment 11•18 years ago
|
||
This bug is fixed. IF there are regressions, please file bugs on them blocking this one. And yes, this bug was checked in trunk-only. I'd need to see great incentive to touch the fragile midas/editor mess on branches.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
Comment 12•18 years ago
|
||
Comment on attachment 216989 [details] [diff] [review] patch Nominating, incentive may be forthcoming from my old pal scotti. /be
Attachment #216989 -
Flags: approval-branch-1.8.1?
Assignee | ||
Comment 13•18 years ago
|
||
Comment on attachment 216989 [details] [diff] [review] patch Brendan forgot to put an email in the approval text input. More or less asking a random person here. If this is approved, then the patch for bug 197305 also has to be approved.
Attachment #216989 -
Flags: approval-branch-1.8.1? → approval-branch-1.8.1?(bugmail)
Assignee | ||
Comment 14•18 years ago
|
||
Er, I meant the patch for bug 333922.
Requesting 1.8.1 blocking -- starting to hurt major web apps (like Windows Live stuff), and will only become more problematic.
Flags: blocking1.8.1?
Attachment #216989 -
Flags: approval-branch-1.8.1?(bugmail) → approval-branch-1.8.1+
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
Assignee | ||
Comment 16•18 years ago
|
||
Fixed on 1.8.1 branch by check-in of combined 1.8.1 patch in bug 333922.
Keywords: fixed1.8.1,
testcase
You need to log in
before you can comment on or make changes to this bug.
Description
•