Closed Bug 335554 Opened 19 years ago Closed 19 years ago

[regression] New security message with Shockwave Flash (which depends on javascript: URL results being ASCII/UTF-8)

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: stevee, Assigned: dbaron)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060426 Minefield/3.0a1
1. New Profile
2. Make sure Flash 8.5 b246 is in your ../firefox/plugins/ dir
3. Go to http://www.fairybluelight.com/
4. Observe strange dialog:
"Adobe Flash Player Security. Adobe Flash Player has stopped a potentially unsafe operation. The following local application on your computer or network: - h is trying to communicate with this Internet-enabled location: - as.casalemedia.com To let this application communicate with the Internet, click Settings. You must restart the application after changing your settings. [OK] [SETTINGS]"
This dialog never used to be displayed, but since the 20060426 builds a few on IRC have noticed this dialog popping up reproducibly. (Additionally, clicking on the "settings" button does not result in any settings being shown; the dialog is just dismissed. Also, I have no idea what the local application called "h" is.)
This msg was not displayed in Firefox versions up to and including:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060425 Minefield/3.0a1 (2006042506)
This msg now appears on:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060426 Minefield/3.0a1 (2006042609)
Regression Range
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=PhoenixTinderbox&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-04-25+05%3A00%3A00&maxdate=2006-04-26+10%3A00%3A00&cvsroot=%2Fcvsroot
Slightly smaller regression range..
Doesn't Occur: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060425 Minefield/3.0a1 ID:2006042508 [cairo]
Occurs: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060426 Minefield/3.0a1 ID:2006042604 [cairo]
http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?treeid=default&module=PhoenixTinderbox&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-04-25+09%3A00%3A00&maxdate=2006-04-26+04%3A00%3A00&cvsroot=%2Fcvsroot
Tested negative in 1.9a1_2006042505 and positive in 1.9a1_2006042510. Could it be that it first blocked that message (the notification bar said: 2 blocked popups) and later on only one blocked popup?
Also please note, exactly the same problem is seen when using "Shockwave Flash 8.0 r22" (the official release, rather than the beta mentioned in comment 0).
Flags: blocking1.9a1?
Summary: [regression] New security message with Shockwave Flash (Beta) 8.5 b246 → [regression] New security message with Shockwave Flash
1. New Profile
2. Install Flash (http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash)
3. Click on .swf attached to bug
Older versions (pre 20060425.08) didn't use to throw an error dialog, recent versions (post 20060426.04) now do.
Keywords: testcase
You also need to make a new profile before each test, otherwise you get wrong results.
Can this be reproduced on Linux (preferably) or Mac OS X? I gave up on my Windows build environment when the build requirements were constantly changing and the build documentation wasn't keeping up.
There is not a linux version of the plugin at: http://www.macromedia.com/software/flashplayer/public_beta/ But I do get the same problem on Mac OSX except the application field is blank instead of having an h. Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060428 Minefield/3.0a1 OSX 10.3.9
Reproducible on Win XP sp2. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060428 Minefield/3.0a1
Could somebody with a build environment figure out which checkin caused this?
With the regression range from 2006042508 to 2006042510 it could also be bug 153232 (checked in on 2006-04-25 07:33): http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-04-25+07%3A00&maxdate=2006-04-25+10%3A00
Backing out the patch from bug 335298 fixes this.
Blocks: 335298
Could somebody retest in an hourly or nightly build produced after now? (Those don't exist yet, but the hourly tinderbox-builds should in a few hours.)
(In reply to comment #15)
> Could somebody retest in an hourly or nightly build produced after now? (Those
> don't exist yet, but the hourly tinderbox-builds should in a few hours.)
Testcase works with revision 1.124 of dom/src/jsurl/nsJSProtocolHandler.cpp.
To be clear, I get the expected result, no security message. I believe this bug can now be closed.
Assignee: nobody → dbaron
Component: General → DOM
Product: Firefox → Core
OK, fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: [regression] New security message with Shockwave Flash → [regression] New security message with Shockwave Flash (which depends on javascript: URL results being ASCII/UTF-8)
...and thanks for testing.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060504 Minefield/3.0a1 ID:2006050413 Now WFM --> Verified
Status: RESOLVED → VERIFIED
Flags: blocking1.9a1?
Component: DOM → DOM: Core & HTML