Open
Bug 201903
Opened 22 years ago
Updated 3 years ago
Security denies document.load("data: protocol")
Categories
(Core :: Security, defect)
Tracking
()
NEW
People
(Reporter: rbs, Assigned: dveditz)
References
()
Details
Spin-off from bug 109825. It is not clear why the security manager denies
the data: protocol in document.load().
The test URL
javascript:document.implementation.createDocument("", "", null)
.load("data:text/xml,<doc>Hello World!</doc>");
is generating the exception
Error: uncaught exception: [Exception... "Component returned failure code:
0x80004005 (NS_ERROR_FAILURE) [nsIDOMXMLDocument.load]" nsresult: "0x80004005
(NS_ERROR_FAILURE)" location: "JS frame ::
javascript:document.implementation.createDocument("", "",
null).load("data:text/xml,<doc>Hello World!</doc>");
It just occured to me that the possible strongest argument is that users can
already enter any data: protocol in the URL bar. Hence there doesn't seem to be
any apparent reason why it should be denied in document.load().
Ops... my argument is twisted. Users can do file: too, yet that is no reason to
load file: from scripts. Need som thougths here.
|
||
Comment 3•22 years ago
|
||
Well, data: is host-less, so it shouldn't be allowed to access http documents
(otherwise you could do cross-domain hosting exploits). However, I see no reason
why http documents shouldn't be able to access data ones, since they can already
see everything about the data document from its URI, which is in their document.
|
Assignee | |
Updated•19 years ago
|
Assignee: security-bugs → dveditz
QA Contact: carosendahl → toolkit
|
||
Comment 4•18 years ago
|
||
Probably because this is doing a same-origin check, like bug 270748
Depends on: 270748
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•