Closed Bug 296231 Opened 19 years ago Closed 19 years ago

Allow file:// xforms to submit anywhere

Categories

(Core Graveyard :: XForms, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: doronr, Assigned: doronr)

Details

Attachments

(1 file, 1 obsolete file)

Like js, xforms on file:// should have unrestricted access to any domain.
Attached patch patch (obsolete) — Splinter Review
asking r from darin, who has authority in this matter
Attachment #185027 - Flags: review?(darin)
no. they should not. not all file hosts are local and many are amazingly
untrustworthy.
we allow local JS to call anywhere - so how does one do the same without
allowing all file:// urls?
> we allow local JS to call anywhere

We have bugs on fixing that, since it opens up security holes...
If we are changing behavior, then we can invalidate this.
Comment on attachment 185027 [details] [diff] [review]
patch

This patch doesn't handle HTTP redirects.  See OnChannelRedirect.

It also seems to give file:// URLs the ability to read from any domain as well
(replace="instance").  Is that what you intended?

Why didn't you add this file:// checking inside
nsXFormsSubmissionElement::CheckSameOrigin?
Comment on attachment 185027 [details] [diff] [review]
patch

minusing based on previous comments.
Attachment #185027 - Flags: review?(darin) → review-
Attachment #185027 - Attachment is obsolete: true
Attachment #185166 - Flags: review?(darin)
Comment on attachment 185166 [details] [diff] [review]
with darin's comments addressed

Looks good.
Attachment #185166 - Flags: review?(darin) → review+
(In reply to comment #4)
> > we allow local JS to call anywhere
> 
> We have bugs on fixing that, since it opens up security holes...
> 

Do we have a master bug about removing the file:// behavior?
Attachment #185166 - Flags: review?(aaronr)
Comment on attachment 185166 [details] [diff] [review]
with darin's comments addressed

I think that there should be a way to still do 'replace instance' from a local
file via pref.	Especially if we don't have a solution for disconnected forms
when we ship, then companies are going to roll their own solutions and they'll
need that capability.
Attachment #185166 - Flags: review?(aaronr) → review+
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
(In reply to comment #11)
> (From update of attachment 185166 [details] [diff] [review] [edit])
> I think that there should be a way to still do 'replace instance' from a local
> file via pref. Especially if we don't have a solution for disconnected forms
> when we ship, then companies are going to roll their own solutions and they'll
> need that capability.

And then nothing happened, or? I agree with Aaron here. It might not be advisable, but if people want it, we should support it.
Should this work on 0.4? I am having trouble with an XForms document reading and writing from/to only local files, see http://isscvs.cern.ch/cgi-bin/viewcvs-all.cgi/install/XForms/jobs.xhtml?cvsroot=moi&only_with_tag=mozilla_plugin. Reading files works, but no writing happens, and there are no JavaScript errors.
(In reply to comment #13)
> Should this work on 0.4? I am having trouble with an XForms document reading
> and writing from/to only local files, see
> http://isscvs.cern.ch/cgi-bin/viewcvs-all.cgi/install/XForms/jobs.xhtml?cvsroot=moi&only_with_tag=mozilla_plugin.
> Reading files works, but no writing happens, and there are no JavaScript
> errors.
> 

the form you have listed won't work as it stands.  There are issues with it like that some paths are hardcoded where they should be relative.  But the issue you are going to run into trying to use this form to save to a local file is that the action elements under the triggers (and even a couple under xf:inputs) aren't listening for any events.  So the actions contained inside these action elements will never run.

For the triggers you need this:

<xf:action ev:event="DOMActivate">
....
</xf:action>

I don't know what event you need to listen for with the inputs.  I didn't really get a good understanding of what the form did in my brief glimpse.

Once I fixed up the action elements for the triggers doing the submissions, I saw that the local files were getting written.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: