Last Comment Bug 365526 - Security Error: Content at about: may not load or link to {xxx}.
: Security Error: Content at about: may not load or link to {xxx}.
: fixed1.8.1.21
Product: Core
Classification: Components
Component: Security: CAPS (show other bugs)
: 1.8 Branch
: All All
-- normal (vote)
: ---
Assigned To: Mike Hommey [:glandium]
: Selena Deckelmann :selenamarie :selena use ni?
Depends on:
  Show dependency treegraph
Reported: 2006-12-31 10:01 PST by Mike Hommey [:glandium]
Modified: 2009-03-01 15:39 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Proposed patch for 1.8 branch (1.08 KB, patch)
2007-01-02 08:25 PST, Mike Hommey [:glandium]
dveditz: review+
mrbkap: superreview+
Details | Diff | Splinter Review

Description User image Mike Hommey [:glandium] 2006-12-31 10:01:54 PST
Trying to modify the about page to make it more useful for debian, I got these security errors when trying to link to file:///, resource:/// and chrome:/// urls from about:.

I understand how loading data may be a security risk, but I fail to see how allowing *links* to file:/// from about: would be a security risk. Note that links to http:// from about: are allowed, and would be a much greater security risk...

Is there a real rationale behind this or is this just a side effect of something else ?
Comment 1 User image Jo Hermans 2006-12-31 10:24:37 PST
File:/// links are not allowed for security reasons, see <'t_work>.

But maybe they should be allowed originating from about: pages, since they can't come from the outside.
Comment 2 User image Mike Hommey [:glandium] 2007-01-01 03:23:19 PST
Note that if I go to chrome://global/content/about.xhtml and click on the link to a file:/// url, it works.

I guess adding a test on sourceScheme.EqualsLiteral("about") to
and would be okay.
Comment 3 User image Mike Hommey [:glandium] 2007-01-02 08:25:48 PST
Created attachment 250174 [details] [diff] [review]
Proposed patch for 1.8 branch

The code is pretty different on the trunk, and I'm only interested on 1.8 right now. Does it look okay to you ?
Comment 4 User image Jo Hermans 2007-01-02 13:09:29 PST
I'm sorry, but I'm not the person to ask for review. Daniel ( is the module owner.
Comment 5 User image Daniel Veditz [:dveditz] 2007-01-19 23:05:53 PST
A non-safe about: URI should already be able to link to these. See

So I guess this only applies to plain "about:" itself, which GetBaseURIScheme thinks is non-safe but isn't actually privileged, and that should make this a safe enough change.

Boris, any thoughts before I OK this?
Comment 6 User image Boris Zbarsky [:bz] (still a bit busy) 2007-01-20 12:30:29 PST
The proposed patch would allow all about: URIs that are not whitelisted as "safe" to link to file:, chrome:, and resource: URIs, right?

I guess that's ok as long as we're absolutely sure that all about: implementations are either privileged or on this whitelist... the problem is that people can drop in about: implementations.

If what we care is about: itself, why not just compare the URI to about:?  I'd feel much happier with that.

As for trunk, we should do this before the betas of 1.9, I think.  We might need API changes to the new APIs to do it.

All that said, why exactly isn't about: just privileged?  This keeps coming up as an issue, as I recall -- people want to run XPConnectified script in it too...
Comment 7 User image Reed Loden [:reed] (use needinfo?) 2007-10-12 00:04:45 PDT
Mike, is this still a problem on the trunk? If it is, could you supply a new patch based on the trunk?
Comment 8 User image Mike Hommey [:glandium] 2007-10-13 02:38:54 PDT
I have no idea if it still is a problem. I'll give this a try in a little while.
Comment 9 User image Reed Loden [:reed] (use needinfo?) 2008-07-12 15:21:11 PDT
(In reply to comment #8)
> I have no idea if it still is a problem. I'll give this a try in a little
> while.

Any update on this?
Comment 10 User image Daniel Veditz [:dveditz] 2008-11-19 17:15:13 PST
Comment on attachment 250174 [details] [diff] [review]
Proposed patch for 1.8 branch


This is not great but OK, if you still need it. It's not going to work on the trunk in the current form. If you really want to land this please replace the tabs with spaces.
Comment 11 User image Daniel Veditz [:dveditz] 2009-01-16 11:27:58 PST
Comment on attachment 250174 [details] [diff] [review]
Proposed patch for 1.8 branch

Approved for, a=dveditz for release-drivers.
Comment 12 User image Samuel Sidler (old account; do not CC) 2009-02-23 07:44:35 PST
Reed: Can you please make sure this gets landed on the 1.8 branch.
Comment 13 User image Reed Loden [:reed] (use needinfo?) 2009-03-01 15:39:16 PST

Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision:; previous revision:

Note You need to log in before you can comment on or make changes to this bug.