[FIX]CanExecuteScripts hard codes about:neterror as the only page that can execute script when scripts are disabled

RESOLVED FIXED in mozilla1.9alpha1

Status

()

P2
normal
RESOLVED FIXED
13 years ago
9 years ago

People

(Reporter: bugs, Assigned: bzbarsky)

Tracking

Trunk
mozilla1.9alpha1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

In nsScriptSecurityManager::CanExecuteScripts, about:neterror is hardcoded as the only local page that can execute scripts even when js is disabled. This list should instead be extendable, so that I can add about:feeds to it from the browser code without having to edit code in nsSSM.
Depends on: 337746
(Assignee)

Comment 1

13 years ago
Created attachment 226425 [details] [diff] [review]
Proposed fix

I limited this to about: URIs for the time being.  If we want to have a protocol handler flag for this, we could do that, and add a third about: protocol handler for URIs which drop privs but want to allow script execution or something like that.  But I'm not sure we want to allow random other protocols to force script execution...
Assignee: dveditz → bzbarsky
Status: NEW → ASSIGNED
Attachment #226425 - Flags: superreview?(jst)
Attachment #226425 - Flags: review?(darin)
(Assignee)

Updated

13 years ago
Priority: -- → P2
Summary: CanExecuteScripts hard codes about:neterror as the only page that can execute script when scripts are disabled → [FIX]CanExecuteScripts hard codes about:neterror as the only page that can execute script when scripts are disabled
Target Milestone: --- → mozilla1.9alpha

Comment 2

13 years ago
Comment on attachment 226425 [details] [diff] [review]
Proposed fix

nit: When you called the method getURIFlags, I thought you intended to prefix all flags with URI_.  If you meant "get flags for this URI", then the method should probably have been called getFlagsForURI ;-)

r=darin
Attachment #226425 - Flags: review?(darin) → review+
(Assignee)

Comment 3

13 years ago
I definitely meant the latter.  Do you want me to go ahead and rename the method?
Comment on attachment 226425 [details] [diff] [review]
Proposed fix

sr=jst
Attachment #226425 - Flags: superreview?(jst) → superreview+

Comment 5

13 years ago
> I definitely meant the latter.  Do you want me to go 
> ahead and rename the method?

Up to you.  It is probably not worth the time ;-)
(Assignee)

Comment 6

13 years ago
Fixed.  I didn't change the name.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Comment on attachment 226425 [details] [diff] [review]
Proposed fix

-    { "neterror", "chrome://global/content/netError.xhtml", PR_TRUE }
+    { "neterror", "chrome://global/content/netError.xhtml", PR_TRUE, PR_TRUE }

have you considered making the third field a "flags" field instead, so that the values are more self-documenting and that not all lines have to be changed for a new flag?
(Assignee)

Comment 8

13 years ago
Hmm...  I suppose I could do that, yeah... file a bug and I'll deal in July?

Updated

9 years ago
QA Contact: caps
You need to log in before you can comment on or make changes to this bug.