Closed Bug 309579 Opened 19 years ago Closed 15 years ago

chrome protocol: access from http:// without security error

Categories

(Firefox :: Security, defect)

2.0 Branch
x86
Windows Server 2003
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: mash, Unassigned)

Details

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1

The <embed/> and <object/> can get context from chrome://{extenssion}/../file.ext

Reproducible: Always

Steps to Reproduce:
1. Create file "svg.svg" (attached... or other SVG file) in any {extenssion}/content folder.
2. Create and open HTML file:
   <embed src="chrome://{extenssion}/content/svg.svg"/>
   <object data="chrome://{extenssion}/content/svg.svg"></object>
   <img src=""/>
3. Open JavaScript Console, you'll see error "Security Error: Content at http://localhost/security.html may not load or link to chrome://{extenssion}/content/svg.svg."
4. Install AdBlock (was tested with version 0.5.9.20050831) or ImgLikeOpera (was tested with version 0.6.4).
5. Open HTML file again (_only_ from "http://"): no errors, "svg.svg" loaded successfully.

Other steps to reproduce:
1. Install "Security Chrome SVG" extenssion (attached, was created only for Fx1.4+, sorry).
2. Extract "testpage.html" from securitychromesvg.xpi and open it ("file://" or "http://", no matter).
3. Push button.

Actual Results:
Object from HTML page loads chrome://../file.ext

Expected Results:
Object from HTML page may not load chrome://../file.ext
Attached image svg.svg
I don't know "why?", but look at line 30 in securitychromesvg.xpi/components/nsISecurityChromeSVG.js
extenssion --> extension...
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME

http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 2.0 Branch
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME