Closed
Bug 220711
Opened 21 years ago
Closed 8 years ago
Need to rework checking of URI so that it is not called multiple times
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: iannbugzilla, Assigned: iannbugzilla)
References
(Blocks 2 open bugs)
Details
Attachments
(4 obsolete files)
Currently, for certain clicks on links, urlSecurityCheck is called more than once, this should not be necessary.
This initial patch removes the call to urlSecurityCheck from the beginning of handleLinkClick function and adds new calls futher within the function where urlSecurityCheck would have no longer been called because of the removal. I'm not sure that we do actually need a call to urlSecurityCheck for the right click (event.button=2) but I have it in there for the moment.
This patch removes the first call to urlSecurityCheck in handleLinkClick and adds new calls where a call to an |openNew| function returns false, an |openNew| function is not called and wrt saveModifier where handleLinkClick is called with linkNode not being null.
Attachment #132514 -
Attachment is obsolete: true
Attachment #133087 -
Flags: review?(bzbarsky)
Comment 4•21 years ago
|
||
Comment on attachment 133087 [details] [diff] [review] Patch v0.4e - removes duplicate calls to urlSecurityCheck This really needs review from caillon.... Why the "if (linkNode)" check, by the way?
Attachment #133087 -
Flags: review?(bzbarsky) → review?(caillon)
Well I'm pretty sure that I don't need the check when the linkNode is null but I'm presuming that extensions could call this with linkNode not being null otherwise why do we still take the linkNode argument in handleLinkClick? Mozilla itself only calls it with a null for that argument.
Comment 6•21 years ago
|
||
My question is, why does it matter whether linkNode is null? The URL you are testing is not associated with linkNode at this point.... And yes, linkNode used to be used and then someone tweaked something, I guess.
Comment 7•21 years ago
|
||
Eek, why was I not cc'd?
Comment 8•21 years ago
|
||
Comment on attachment 133087 [details] [diff] [review] Patch v0.4e - removes duplicate calls to urlSecurityCheck There's just something about this patch that I don't like. Maybe it's the fact that now there are so many seemingly random security checks. Some callers have them, others don't, etc. Would it make more sense to require the callers of anything that loads a URL to do the check before calling the handleLinkClick/doOpenNewFoo methods? Also note that the security check is relatively cheap, so it doesn't really hurt anything here. The performance impact of doing perhaps an extra security check is negligible, and this bug may not be worth fixing. It's better to do too many checks than too few....
Patch reworks contentAreaClick function by inling handleLinkClick function and moving call to urlSecurityCheck into openNewTabOrWindow function where it hasn't previously been called from openNew* functions. Need to fix this so that bug 84128 can be fixed as multiple calls to urlSecurityCheck would cause multiple user alerts.
Attachment #133087 -
Attachment is obsolete: true
Assignee | ||
Comment 10•21 years ago
|
||
Comment on attachment 133087 [details] [diff] [review] Patch v0.4e - removes duplicate calls to urlSecurityCheck Cancelling previous request
Attachment #133087 -
Flags: review?(caillon)
Attachment #133892 -
Flags: review?(caillon)
Attachment #133892 -
Flags: review?(caillon)
Assignee | ||
Comment 11•20 years ago
|
||
This patch: * Fixes the duplicate calls to urlSecurityCheck in handleLinkClick - instead of checking at start of function only checks if openNewWindowWith or openNewTabWith have not been called. * Fixes the fact that urlSecurityCheck is not called before trying to load the url in middleMousePaste function if ctrl key is not being pressed
Attachment #133892 -
Attachment is obsolete: true
Attachment #163169 -
Flags: review?(caillon)
Assignee | ||
Comment 12•20 years ago
|
||
I guess firefox might need a similar middleMousePaste fix.
Updated•15 years ago
|
QA Contact: carosendahl → toolkit
Comment 13•8 years ago
|
||
Comment on attachment 163169 [details] [diff] [review] Patch v0.5 - makes sure urlSecurityCheck is called This is no longer anything like the current code.
Attachment #163169 -
Attachment is obsolete: true
Attachment #163169 -
Flags: review?(caillon)
Comment 14•8 years ago
|
||
This seems to have effectively been fixed when this function was rewritten at some point.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•