Come up with a better way to disable JS and data urls in history




16 years ago
6 months ago


(Reporter: nisheeth_mozilla, Unassigned)


Windows XP

Firefox Tracking Flags

(Not tracked)




16 years ago
With the fix for bug 161546, when a user tries to load JS and data urls in the
history sidebar or window, an alert dialog pops up saying that such urls cannot
be loaded.

We want to come up with a better way to do this that avoids alerts.  Some
suggestions are to:

1) Gray out js and data urls.
2) Don't display js and data urls in the history sidebar or window at all.

Comments are welcome!
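An added example, not part of the original report and not Mozilla's code: a sketch of how a history view could apply the alert, gray-out and hide options to `javascript:` and `data:` entries. All function names, field names and sample entries are hypothetical, and the scheme check assumes the WHATWG `URL` parser, which also goes beyond the report by showing how unparseable or oddly spelled entries are handled.

```javascript
// Added illustration; all names here are hypothetical, not Mozilla code.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:"]);

// Normalized scheme of a stored history URL, or null if it does not parse.
// The WHATWG URL parser lowercases the scheme, trims surrounding spaces and
// control characters, and drops embedded tabs/newlines, so a naive
// startsWith("javascript:") test would miss "  JaVa\tScript:...".
function historyScheme(rawUrl) {
  try {
    return new URL(rawUrl).protocol;
  } catch (e) {
    return null;
  }
}

// How a history view presents one entry under a given policy:
//   "alert" - shown; activating it is refused with a message (current fix)
//   "gray"  - shown disabled, with the reason available to the UI
//   "hide"  - left out of the view
// Entries that do not parse fail closed and are treated as blocked.
function presentEntry(rawUrl, policy) {
  const scheme = historyScheme(rawUrl);
  const blocked = scheme === null || BLOCKED_SCHEMES.has(scheme);
  if (!blocked) {
    return { visible: true, loadable: true, reason: null };
  }
  const reason = scheme === null
    ? "not a valid absolute URL"
    : `${scheme} URLs cannot be loaded from history`;
  return { visible: policy !== "hide", loadable: false, reason };
}

// Constructed sample history entries.
const SAMPLE_HISTORY = [
  "https://www.mozilla.org/",
  "javascript:alert(document.title)",
  "  JaVa\tScript:void(0)",
  "data:text/html,<b>hi</b>",
  "not a url",
];

function renderHistory(entries, policy) {
  return entries
    .map((url) => ({ url, ...presentEntry(url, policy) }))
    .filter((entry) => entry.visible);
}
```

Carrying `reason` on each entry lets the view explain a disabled row without an alert dialog.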

Comment 1

16 years ago
We should NOT just grey them out. Think what a terrible user experience that
would be - you see the URL in the history window, but you can't actually click
on it. Why not? Who knows, it's just greyed out! There's no feedback to the user.

My suggestion is that instead of fixing this bug, we come up with a way to
actually run the URLs in their own context, much like we do with bookmarks and
the URL bar. They aren't security risks, right? So why are we treating history
as some special thing?

My suggestion is to WONTFIX this.

Comment 2

16 years ago
Not sure bug 161546 should remain fixed... now that only typed javascript: urls
show up in history there really doesn't seem to be a security problem with
people hacking themselves if it ran in the context of the current page, and in
fact it could be useful. Oh well, autocomplete works, and they can always be
bookmarked and still work.

I wouldn't want them to be totally gone, though. I agree w/alecf that disabled
without an explanation sucks, but if they're present in the list at least the
user can right-click to get the context menu and then save complex urls as
bookmarks, or copy them. Really, I'm OK with the security dialog -- clicking on
these things would be pretty rare.

Comment 3

16 years ago
nisheeth, can you set the target milestone on this one?  thx

Comment 4

16 years ago
Setting target milestone to 1.5 alpha...
Target Milestone: --- → mozilla1.5alpha


16 years ago
QA Contact: kasumi → petersen


16 years ago
Target Milestone: mozilla1.5alpha → mozilla1.5beta

Comment 5

14 years ago
This bug doesn't need to be hidden anymore because the security hole it refers
to was fixed a long time ago.
Assignee: nisheeth_mozilla → nobody
Group: security
QA Contact: chrispetersen →
Component: History: Global → Bookmarks & History
Product: Core → Firefox
Target Milestone: mozilla1.5beta → ---
Priority: -- → P5