Closed Bug 251894 Opened 20 years ago Closed 20 years ago

Saved HTML pages should include location meta-data per XP SP2

Categories

(Core Graveyard :: File Handling, enhancement)

Product:
Core Graveyard
Component:
File Handling
Platform:
x86
Windows XP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 125729

People

(Reporter: nrlz, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

Windows XP SP2 includes a security feature that forces a locally saved HTML page
to be restricted to the untrusted Internet Zone if it includes a special comment.
Ref: "Changes to Local Machine Zone for Windows XP Service Pack 2" (scroll down)
http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp

The comment looks like this and is added after the DOCTYPE tag:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<!-- saved from url=(0032)http://geocities.yahoo.com/home/ -->
<HTML><HEAD>...

I suggest having Firefox/Mozilla also add this tag to saved HTML pages to
harness the improved security model on XP machines.

The advantage is that local HTML pages can be downloaded and viewed from the
local computer but is still restricted to the internet zone and therefore cannot
request pages outside its domain (via frames, XMLHttpRequest, etc.) and cannot
execute local applications (via redirection through "file://", Directory
Traversal, etc.).

Reproducible: Always
Steps to Reproduce:



Expected Results:  
<!-- saved from url=(0032)http://geocities.yahoo.com/home/ -->
what happens if no doctype tag is present?

what's the meaning of the (0032)?
dup of bug 125729?
ah right

*** This bug has been marked as a duplicate of 125729 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
This one isn't exactly a DUP as this enhancement serves the purpose of 
harnessing Windows XP SP2's security model, which the other thread doesn't 
consider. To harness XP SP2's security model, the URL MUST follow the comment 
style stipulated in the MSDN documentation.

I think this thread should be merged with the other.
that's true, although this is a bit pointless because only msie supports that
"security" feature.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.