Closed Bug 309579 Opened 18 years ago Closed 14 years ago

chrome protocol: access from http:// without security error

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
2.0 Branch
Platform:
x86
Windows Server 2003
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: mash, Unassigned)

Details

Attachments

(2 files)

svg.svg
352 bytes, image/svg+xml
Details
"Security Chrome SVG" extenssion
3.68 KB, application/x-xpinstall
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a1) Gecko/20050917 Firefox/1.6a1

The <embed/> and <object/> can get context from chrome://{extenssion}/../file.ext

Reproducible: Always

Steps to Reproduce:
1. Create file "svg.svg" (attached... or other SVG file) in any
{extenssion}/content folder.
2. Create and open HTML file:
<embed src="chrome://{extenssion}/content/svg.svg"/>
<object data="chrome://{extenssion}/content/svg.svg"></object>
<img src=""/>
3. Open JavaScript Console, you'll see error "Security Error: Content at
http://localhost/security.html may not load or link to
chrome://{extenssion}/content/svg.svg."
4. Install AdBlock (was tested with version 0.5.9.20050831) or ImgLikeOpera (was
tested with version 0.6.4).
5. Open HTML file again (_only_ from "http://"): no errors, "svg.svg" loaded
successfuly.

Another steps to reproduce:
1. Install "Security Chrome SVG" extenssion (attached, was created only for
Fx1.4+, sorry).
2. Extract "testpage.html" from securitychromesvg.xpi and open it ("file://" or
"http://", nomatter).
3. Push button.

Actual Results:  
Object from html page load chrome://../file.ext

Expected Results:  
Object from html page may not load chrome://../file.ext
Attached image svg.svg 

    
    

    
  


  

    
    

    
  
I don't know "why?", but look at line 30 in
securitychromesvg.xpi/components/nsISecurityChromeSVG.js

    
    

    
  
extenssion --> extension...

    
    

    
  
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 2.0 Branch

    
  
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.