Closed
Bug 355365
Opened 18 years ago
Closed 10 years ago
Error: pnglets is not defined when visiting pnglets site
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: martijn.martijn, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs, )
Details
(Keywords: regression)
This is a spin-off from bug 355358, see bug 355358, comment 1: " I see multiple times (in the error console): Error: pnglets is not defined Source File: pnglets.line2 Line: 1 " That used to be not happening. This regressed between 2006-09-23 and 2006-09-24, I think it's a regression from bug 351370. If desired, I could try and make a minimal testcase.
Comment 1•18 years ago
|
||
Yeah, the patch for bug 351370 would "break" this (in that now we deny access to all props always instead of only some and randomly)... The question is whether we really care. If we do, we need to change the principal we're giving the image javascript: loads, as Brendan keeps pushing for.
Yeah, I think we should add another one-off for images here, as we did for clicked links.
Comment 3•18 years ago
|
||
The question is whether it's a generally acceptable authoring practice that <img>s with javascript: SRC need to be filtered out. If it is, then we can use the page principal. If it's not, we can't. Note also that IE7 either doesn't run such javascript: code at all or does it in some other script context, in my testing... I'm going to post to m.d.security with some general thoughts on javascript:.
Comment 4•18 years ago
|
||
See http://groups.google.com/group/mozilla.dev.security/browse_frm/thread/55e9d2c1a6781d94/ed16140c9c1a8e4c#ed16140c9c1a8e4c
Updated•18 years ago
|
Reporter | ||
Comment 5•17 years ago
|
||
The branch patch from bug 351370 also made this regress on branch :( (see also bug 371633)
Status: NEW → ASSIGNED
Flags: blocking1.8.1.3?
Comment 6•17 years ago
|
||
The point is, this doesn't work in other UAs anyway (IE7 comes to mind). Given that, I don't think we care so much about trying to fix this on branch, especially since we don't have a particularly safe way to do it... Bug 369239 covers the work needed to be able to implement this safely.
Comment 7•17 years ago
|
||
The above is my opinion, of course. ;)
Bug 371633 has been flagged as duplicate of this one. May be its worth saying 371633 includes a new example: http://www.cs.ucl.ac.uk/staff/W.Langdon/image_javascript.html which shows the problem exists for the simpler XBM image format as well as PNG.
Comment 9•17 years ago
|
||
(In reply to comment #8) > Bug 371633 has been flagged as duplicate of this one. > May be its worth saying 371633 includes a new example: > http://www.cs.ucl.ac.uk/staff/W.Langdon/image_javascript.html > which shows the problem exists for the simpler XBM image format as well as PNG. The problem is independent of image type. bz, is the best branch fix to back-port the null principals infrastructure and use it? Or could we use a sandbox type already implemented on the branch? /be
Comment 10•17 years ago
|
||
Brendan, the only possible branch fix is to propagate the loader principal through imagelib, which requires imagelib API changes. In more detail, right now we're not propagating the principal, so we have no idea who's doing the load. We used to assume that that made it ok to run against the page context with a null principal like thing, but that gave us bug 351370. So now if we don't know who's doing the load we run it in a sandbox. The sites in question depend on the script in the image src touching the page's script context. So they will absolutely not work while that script is sandboxed -- the only way for them to work correctly is for the script to run against the page context with the page's principals. Note that the only reason this used to work on branch at all is due to bug 350433 (because we used to run against the page context but NOT with the page's principals, so the fact that the script could touch the things it was touching is actually a security hole).
Comment 11•17 years ago
|
||
Then let's make a MOZILLA_1_8_BRANCH API to get the owner propagated to the JS URL channel. I know IE does whatever it does, but we need to take compatibility with our own (going back to Netscape 2) functionality pretty seriously. Bugs or not, we have supported something like working image generation via javascript: img src for a long time, most of the time. What would the branch API look like? Single method IDL-defined interface to QI for in the branch imglib code? /be
Comment 12•17 years ago
|
||
Dunno what API would be acceptable to Stuart. He's the man to ask though, not I! ;)
Comment 13•17 years ago
|
||
With an owner and a fix we can take a look, but not going to block a branch security release.
Flags: blocking1.8.1.4? → blocking1.8.1.4-
Updated•15 years ago
|
Assignee: general → nobody
Status: ASSIGNED → NEW
QA Contact: ian → general
Reporter | ||
Comment 14•15 years ago
|
||
So can this be marked WONTFIX then?
Reporter | ||
Comment 15•10 years ago
|
||
Should this be marked WONTFIX?
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•