Closed
Bug 296231
Opened 20 years ago
Closed 20 years ago
Allow file:// xforms to submit anywhere
Categories
(Core Graveyard :: XForms, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: doronr, Assigned: doronr)
Details
Attachments
(1 file, 1 obsolete file)
1.14 KB,
patch
|
darin.moz
:
review+
aaronr
:
review+
|
Details | Diff | Splinter Review |
Like js, xforms on file:// should have unrestricted access to any domain.
Assignee | ||
Comment 1•20 years ago
|
||
asking r from darin, who has authority in this matter
Attachment #185027 -
Flags: review?(darin)
no. they should not. not all file hosts are local and many are amazingly
untrustworthy.
Assignee | ||
Comment 3•20 years ago
|
||
we allow local JS to call anywhere - so how does one do the same without
allowing all file:// urls?
Comment 4•20 years ago
|
||
> we allow local JS to call anywhere
We have bugs on fixing that, since it opens up security holes...
Assignee | ||
Comment 5•20 years ago
|
||
If we are changing behavior, then we can invalidate this.
Comment 6•20 years ago
|
||
Comment on attachment 185027 [details] [diff] [review]
patch
This patch doesn't handle HTTP redirects. See OnChannelRedirect.
It also seems to give file:// URLs the ability to read from any domain as well
(replace="instance"). Is that what you intended?
Why didn't you add this file:// checking inside
nsXFormsSubmissionElement::CheckSameOrigin?
Comment 7•20 years ago
|
||
Comment on attachment 185027 [details] [diff] [review]
patch
minusing based on previous comments.
Attachment #185027 -
Flags: review?(darin) → review-
Assignee | ||
Comment 8•20 years ago
|
||
Attachment #185027 -
Attachment is obsolete: true
Assignee | ||
Updated•20 years ago
|
Attachment #185166 -
Flags: review?(darin)
Comment 9•20 years ago
|
||
Comment on attachment 185166 [details] [diff] [review]
with darin's comments addressed
Looks good.
Attachment #185166 -
Flags: review?(darin) → review+
Assignee | ||
Comment 10•20 years ago
|
||
(In reply to comment #4)
> > we allow local JS to call anywhere
>
> We have bugs on fixing that, since it opens up security holes...
>
Do we have a master bug about removing the file:// behavior?
Assignee | ||
Updated•20 years ago
|
Attachment #185166 -
Flags: review?(aaronr)
Comment 11•20 years ago
|
||
Comment on attachment 185166 [details] [diff] [review]
with darin's comments addressed
I think that there should be a way to still do 'replace instance' from a local
file via pref. Especially if we don't have a solution for disconnected forms
when we ship, then companies are going to roll their own solutions and they'll
need that capability.
Attachment #185166 -
Flags: review?(aaronr) → review+
Assignee | ||
Updated•20 years ago
|
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 12•19 years ago
|
||
(In reply to comment #11)
> (From update of attachment 185166 [details] [diff] [review] [edit])
> I think that there should be a way to still do 'replace instance' from a local
> file via pref. Especially if we don't have a solution for disconnected forms
> when we ship, then companies are going to roll their own solutions and they'll
> need that capability.
And then nothing happened, or? I agree with Aaron here. It might not be advisable, but if people want it, we should support it.
Comment 13•19 years ago
|
||
Should this work on 0.4? I am having trouble with an XForms document reading and writing from/to only local files, see http://isscvs.cern.ch/cgi-bin/viewcvs-all.cgi/install/XForms/jobs.xhtml?cvsroot=moi&only_with_tag=mozilla_plugin. Reading files works, but no writing happens, and there are no JavaScript errors.
Comment 14•19 years ago
|
||
(In reply to comment #13)
> Should this work on 0.4? I am having trouble with an XForms document reading
> and writing from/to only local files, see
> http://isscvs.cern.ch/cgi-bin/viewcvs-all.cgi/install/XForms/jobs.xhtml?cvsroot=moi&only_with_tag=mozilla_plugin.
> Reading files works, but no writing happens, and there are no JavaScript
> errors.
>
the form you have listed won't work as it stands. There are issues with it like that some paths are hardcoded where they should be relative. But the issue you are going to run into trying to use this form to save to a local file is that the action elements under the triggers (and even a couple under xf:inputs) aren't listening for any events. So the actions contained inside these action elements will never run.
For the triggers you need this:
<xf:action ev:event="DOMActivate">
....
</xf:action>
I don't know what event you need to listen for with the inputs. I didn't really get a good understanding of what the form did in my brief glimpse.
Once I fixed up the action elements for the triggers doing the submissions, I saw that the local files were getting written.
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•