Closed Bug 251368 Opened 20 years ago Closed 20 years ago

documentURI for about: urls should list the about: urls

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

()

Details

Attachments

(1 file)

chrome and resoruce are special cased by ns(XUL)Document.
about should be too.
Attachment #153145 - Flags: superreview?(bzbarsky)
Attachment #153145 - Flags: review?(bzbarsky)
Comment on attachment 153145 [details] [diff] [review]
sorta consistently skip resolving about ala chrome and resource

r+sr=bzbarsky.	Looks reasonable.
Attachment #153145 - Flags: superreview?(bzbarsky)
Attachment #153145 - Flags: superreview+
Attachment #153145 - Flags: review?(bzbarsky)
Attachment #153145 - Flags: review+
Attachment #153145 - Flags: approval1.7.2?
is this already on the trunk?
Checked in last night, yes.
Comment on attachment 153145 [details] [diff] [review]
sorta consistently skip resolving about ala chrome and resource

a=mkaply
Attachment #153145 - Flags: approval1.7.2? → approval1.7.2+
mozilla/content/base/src/nsDocument.cpp 	3.510
mozilla/content/xul/document/src/nsXULDocument.cpp 	1.628
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Does this influence any security things?  What about the about: documents (e.g.,
about:credits) loaded from remote hosts over insecure connections?  It's not
clear to me what the rationale for this was.
The only change is that now about:credits can link to other about: URIs.... 
Given that about: is marked as "ChromeProtocol", that could indeed be a problem.

timeless, what was the reason for this again?  I recall that it was a decent
reason, but I can't recall it exactly...
about: urls already have credentials based on what their specific url is
<http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/netwerk/protocol/about/src/nsAboutRedirector.cpp&rev=1.19&mark=50,54-58,61#47>
if you're actually concerned, then the fact that the url changes to resource:
instead of keeping about: should be more worrisome.

note that using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040728

and loading about:credits, using ctrl-shift-i (inspect document) and changing
the mailto at the bottom to link to about:config, and then clicking it, i get:
Error: uncaught exception: Load of about:config denied.

This is because the about: url has already dropped its privs and is *not*
priv'd. Anyone adding a redirector is of course obligated to undergo a security
review. unless of course that someone is a member of aviary, in which case they
seem to be allowed to make arbitrary commits to locked files whenever they
please. "<ben> timeless: bite me."
This checkin broke linking to licenses in chrome (bug 256945). That's really
quite bad.

I can't immediately see how to make this work again, apart from writing an
about:license, which I'd rather avoid (if only because of holy wars about the
spelling of licence). Is there an easy way to restore this function?

Gerv
So it looks like the chrome protocol thing actually _prevents_ linking _to_
about: URIs.

The question is whether about: is trustworthy.  If it is, we should mark it so.
 If it's not, it should not be able to link to arbitrary chrome documents.
There isn't currently an about: which is obviously untrustworthy. about:cache
doesn't display data from the cache, just links to the original page. But it
might be dangerous to assume this will always be the case.

Is about:licen[cs]e the only solution, then? Or can we use res: or resource: or
something?

Gerv
note that about:config has chrome privileges
resource: and chrome: are identical for our purposes here.

about: runs javascript, in general, so making it chrome should be scrutinized
very carefully...

about:license is probably the best solution in any case.
This needs to be backed out of the 1.7 and aviary branch for 1.7.5. Timeless,
can you do that for us? 
asa: i *need* this for my product which will be moving to 1.7.5. <period>
Then you'll have to put it in separately.

1.7.5 needs to match Firefox 1.0, and this causes it not to.

I was wrong to approve this.

Either way, this broke something we need (licenses in chrome) so it needs to be
backed out.
Comment on attachment 153145 [details] [diff] [review]
sorta consistently skip resolving about ala chrome and resource

Backed out of 1.7.5.
Attachment #153145 - Flags: approval1.7.5+ → approval1.7.5-
Note that this also broke about: when JS is disabled, since the document no
longer had a chrome: URI in the security manager.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: