chrome protocol: access from http:// without security error

Status: RESOLVED WORKSFORME (defect)
Opened 14 years ago; updated 9 years ago
Reporter: mash; Assignee: Unassigned
Version: 2.0 Branch; Platform: x86, Windows Server 2003
Attachments: 2

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1

The <embed/> and <object/> can get context from chrome://{extenssion}/../file.ext

Reproducible: Always

Steps to Reproduce:
1. Create file "svg.svg" (attached... or other SVG file) in any
{extenssion}/content folder.
2. Create and open HTML file:
<embed src="chrome://{extenssion}/content/svg.svg"/>
<object data="chrome://{extenssion}/content/svg.svg"></object>
<img src=""/>
3. Open JavaScript Console, you'll see error "Security Error: Content at
http://localhost/security.html may not load or link to
chrome://{extenssion}/content/svg.svg."
4. Install AdBlock (was tested with version 0.5.9.20050831) or ImgLikeOpera (was
tested with version 0.6.4).
5. Open HTML file again (_only_ from "http://"): no errors, "svg.svg" loaded
successfully.

Other steps to reproduce:
1. Install "Security Chrome SVG" extension (attached, was created only for
Fx1.4+, sorry).
2. Extract "testpage.html" from securitychromesvg.xpi and open it ("file://" or
"http://", no matter).
3. Push button.

Actual Results:
Object from HTML page loads chrome://../file.ext

Expected Results:
Object from HTML page may not load chrome://../file.ext
(Reporter)

Comment 1

14 years ago
Posted image svg.svg
(Reporter)

Comment 2

14 years ago
(Reporter)

Comment 3

14 years ago
I don't know "why?", but look at line 30 in
securitychromesvg.xpi/components/nsISecurityChromeSVG.js
(Reporter)

Comment 4

14 years ago
extenssion --> extension...
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 2.0 Branch
(Reporter)

Updated

9 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME