Bug 365526 - Security Error: Content at about: may not load or link to {xxx}.
Status: RESOLVED FIXED
: fixed1.8.1.21
Product: Core
Classification: Components
Component: Security: CAPS
: 1.8 Branch
: All All
: -- normal
Assigned To: Mike Hommey [:glandium]
Reported: 2006-12-31 10:01 PST by Mike Hommey [:glandium]
Modified: 2009-03-01 15:39 PST


Attachments
Proposed patch for 1.8 branch (1.08 KB, patch)
2007-01-02 08:25 PST, Mike Hommey [:glandium]
dveditz: review+
mrbkap: superreview+
dveditz: approval1.8.1.next+
dveditz: approval1.8.0.next?

Description Mike Hommey [:glandium] 2006-12-31 10:01:54 PST
Trying to modify the about page to make it more useful for Debian, I got these security errors when trying to link to file:///, resource:/// and chrome:/// URLs from about:.

I understand how loading data may be a security risk, but I fail to see how allowing *links* to file:/// from about: would be a security risk. Note that links to http:// from about: are allowed, and would be a much greater security risk...

Is there a real rationale behind this or is this just a side effect of something else?
Comment 1 Jo Hermans 2006-12-31 10:24:37 PST
File:/// links are not allowed for security reasons, see <http://kb.mozillazine.org/Links_to_local_pages_don't_work>.

But maybe they should be allowed originating from about: pages, since they can't come from the outside.
Comment 2 Mike Hommey [:glandium] 2007-01-01 03:23:19 PST
Note that if I go to chrome://global/content/about.xhtml and click on the link to a file:/// url, it works.

I guess adding a test on sourceScheme.EqualsLiteral("about") to http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1352
and http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1378 would be okay.
Comment 3 Mike Hommey [:glandium] 2007-01-02 08:25:48 PST
Created attachment 250174
Proposed patch for 1.8 branch

The code is pretty different on the trunk, and I'm only interested in 1.8 right now. Does it look okay to you?
Comment 4 Jo Hermans 2007-01-02 13:09:29 PST
I'm sorry, but I'm not the person to ask for review. Daniel (dveditz@cruzio.com) is the module owner.
Comment 5 Daniel Veditz [:dveditz] 2007-01-19 23:05:53 PST
A non-safe about: URI should already be able to link to these. See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/caps/src/nsScriptSecurityManager.cpp&rev=1.266.2.14&mark=1260-1262#1245

So I guess this only applies to plain "about:" itself, which GetBaseURIScheme thinks is non-safe but isn't actually privileged, and that should make this a safe enough change.

Boris, any thoughts before I OK this?
Comment 6 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-01-20 12:30:29 PST
The proposed patch would allow all about: URIs that are not whitelisted as "safe" to link to file:, chrome:, and resource: URIs, right?

I guess that's ok as long as we're absolutely sure that all about: implementations are either privileged or on this whitelist... the problem is that people can drop in about: implementations.

If what we care about is about: itself, why not just compare the URI to about:?  I'd feel much happier with that.

As for trunk, we should do this before the betas of 1.9, I think.  We might need API changes to the new APIs to do it.

All that said, why exactly isn't about: just privileged?  This keeps coming up as an issue, as I recall -- people want to run XPConnectified script in it too...
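
Added illustration, not part of the thread and not Mozilla code: a simplified model of the two checks weighed in comment 6, matching any about: source by scheme versus comparing the source URI to about: exactly. The whitelist contents, the about:dropin URI and the function names are assumptions made for the example.

```cpp
#include <set>
#include <string>

// Simplified model of the check debated in this bug; not Mozilla's code.
// Whitelist contents and the about:dropin URI below are constructed.
static const std::set<std::string> kSafeAbout = {"about:blank"};
static const std::set<std::string> kRestrictedTargets = {"file", "chrome", "resource"};

// Scheme is everything before the first ':' of the URI spec.
static std::string SchemeOf(const std::string& spec) {
    return spec.substr(0, spec.find(':'));
}

enum class AboutRule {
    SchemeIsAbout,  // the patch as comment 6 reads it: any non-safe about: URI
    ExactAboutUri   // comment 6's alternative: only the URI "about:" itself
};

// True if a page at `source` may link to `target` under `rule`.
bool MayLink(const std::string& source, const std::string& target, AboutRule rule) {
    if (kRestrictedTargets.count(SchemeOf(target)) == 0)
        return true;   // http: and similar targets are not restricted here
    const std::string sourceScheme = SchemeOf(source);
    if (sourceScheme == "chrome")
        return true;   // comment 2: chrome://global/content/about.xhtml can link to file:
    if (sourceScheme != "about" || kSafeAbout.count(source) != 0)
        return false;  // other content, and whitelisted "safe" about: pages
    if (rule == AboutRule::SchemeIsAbout)
        return true;   // also covers about: handlers installed by third parties
    return source == "about:";
}
```

Under SchemeIsAbout a drop-in about:dropin page gets the same link rights as about:, while ExactAboutUri confines the change to the one page the report concerns.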
Comment 7 Reed Loden [:reed] (use needinfo?) 2007-10-12 00:04:45 PDT
Mike, is this still a problem on the trunk? If it is, could you supply a new patch based on the trunk?
Comment 8 Mike Hommey [:glandium] 2007-10-13 02:38:54 PDT
I have no idea if it still is a problem. I'll give this a try in a little while.
Comment 9 Reed Loden [:reed] (use needinfo?) 2008-07-12 15:21:11 PDT
(In reply to comment #8)
> I have no idea if it still is a problem. I'll give this a try in a little
> while.

Any update on this?
Comment 10 Daniel Veditz [:dveditz] 2008-11-19 17:15:13 PST
Comment on attachment 250174
Proposed patch for 1.8 branch

r=dveditz

This is not great but OK, if you still need it. It's not going to work on the trunk in the current form. If you really want to land this please replace the tabs with spaces.
Comment 11 Daniel Veditz [:dveditz] 2009-01-16 11:27:58 PST
Comment on attachment 250174
Proposed patch for 1.8 branch

Approved for 1.8.1.21, a=dveditz for release-drivers.
Comment 12 Samuel Sidler (old account; do not CC) 2009-02-23 07:44:35 PST
Reed: Can you please make sure this gets landed on the 1.8 branch.
Comment 13 Reed Loden [:reed] (use needinfo?) 2009-03-01 15:39:16 PST
MOZILLA_1_8_BRANCH:

Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision: 1.266.2.28; previous revision: 1.266.2.27
done
