Closed Bug 291656 Opened 20 years ago Closed 18 years ago

there is no way to insert the protocol "javascript:" in Configurable Security Policies

Categories

(Core :: Security: CAPS, defect)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED WORKSFORME

People

(Reporter: intendentedelleacque, Assigned: dveditz)


User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

I've searched in the documentation, but it seems that there is no way to insert the protocol "javascript:" in Configurable Security Policies. This is a problem because, for example, if I deny access to javascript to all sites except one that has <a href="javascript:function">, this pseudo-link will not work and so it will be useless to insert it as an exception.

I'll give an example, because my English is bad: I set a policy like this one

user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "http://goodsite.com");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");

If http://goodsite.com has links <a href='javascript:alert("yes");'>, the alert will not be displayed and so the capability policies become useless.

Reproducible: Always

Steps to Reproduce:
1. Set a capability policy like this:

user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "http://goodsite.com");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");

2. Write in the URL bar javascript:alert("yes"); or try to click in http://goodsite.com a link that has code <a href='javascript:alert("yes")'>
3.

Actual Results:
The alert will not be displayed in both cases, because the user_pref("capability.policy.default.javascript.enabled", "noAccess"); prevents the use of "javascript:" protocol and there is no way to insert this protocol in user_pref("capability.policy.jsok.sites")

Expected Results:
There should be a way to insert the "javascript:" protocol in Configurable Security Policies
Status: UNCONFIRMED → NEW
Ever confirmed: true
Sicking, what's the bug# for that "keep principals with the URI" bug? This should depend on it...
WFM, likely a side effect of the 1.0.3->1.0.4 security fixes.
Yeah, this is worksforme.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
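
A simplified model of the policy lookup discussed in this bug, as an added example that is not part of the bug report and not Gecko's CAPS code. It parses the reporter's four prefs and shows why a `javascript:` URI, which has no host of its own, lands on the default policy unless the lookup is keyed on the page that contains it. The matching rules and the names `siteOf`, `lookup`, `jsEnabledFor` and `inheritFromPage` are assumptions made for illustration.

```javascript
// Simplified model of a CAPS-style policy lookup; NOT Gecko's implementation.
// PREFS holds the four pref lines from the report.
const PREFS = `
user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "http://goodsite.com");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
`;

// Parse user_pref("name", "value"); lines into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /user_pref\("([^"]+)",\s*"([^"]*)"\);/g;
  for (const m of text.matchAll(re)) prefs.set(m[1], m[2]);
  return prefs;
}

// Return scheme://host for hierarchical URIs, or null for URIs such as
// javascript: that carry no host of their own.
function siteOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)/i.exec(String(uri || ""));
  return m ? `${m[1].toLowerCase()}://${m[2].toLowerCase()}` : null;
}

// First named policy whose .sites list contains the site wins;
// anything unmatched (including a null site) gets the default policy.
function lookup(prefs, site, property) {
  const list = (key) => (prefs.get(key) || "").split(/[\s,]+/).filter(Boolean);
  for (const name of list("capability.policy.policynames")) {
    if (site && list(`capability.policy.${name}.sites`).includes(site)) {
      const v = prefs.get(`capability.policy.${name}.${property}`);
      if (v !== undefined) return v;
    }
  }
  return prefs.get(`capability.policy.default.${property}`);
}

// Hypothetical helper. inheritFromPage=false keys the lookup on the URI
// itself (assumed model of the reported behaviour); inheritFromPage=true
// keys a host-less URI on the page it was loaded from.
function jsEnabledFor(prefs, uri, pageUri, inheritFromPage) {
  let site = siteOf(uri);
  if (site === null && inheritFromPage) site = siteOf(pageUri);
  return lookup(prefs, site, "javascript.enabled");
}
```

In this model a `javascript:` URI typed into the URL bar has no containing page, so it resolves to the default policy in both modes.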