Trying to modify the about page to make it more useful for debian, I got these security errors when trying to link to file:///, resource:/// and chrome:/// urls from about:. I understand how loading data may be a security risk, but I fail to see how allowing *links* to file:/// from about: would be a security risk. Note that links to http:// from about: are allowed, and would be a much greater security risk... Is there a real rationale behind this or is this just a side effect of something else ?
File:/// links are not allowed for security reasons, see <http://kb.mozillazine.org/Links_to_local_pages_don't_work>. But maybe they should be allowed originating from about: pages, since they can't come from the outside.
Note that if I go to chrome://global/content/about.xhtml and click on the link to a file:/// url, it works. I guess adding a test on sourceScheme.EqualsLiteral("about") to http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1352 and http://lxr.mozilla.org/mozilla1.8.0/source/caps/src/nsScriptSecurityManager.cpp#1378 would be okay.
Created attachment 250174 [details] [diff] [review] Proposed patch for 1.8 branch The code is pretty different on the trunk, and I'm only interested on 1.8 right now. Does it look okay to you ?
I'm sorry, but I'm not the person to ask for review. Daniel (email@example.com) is the module owner.
A non-safe about: URI should already be able to link to these. See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/caps/src/nsScriptSecurityManager.cpp&rev=1.266.2.14&mark=1260-1262#1245 So I guess this only applies to plain "about:" itself, which GetBaseURIScheme thinks is non-safe but isn't actually privileged, and that should make this a safe enough change. Boris, any thoughts before I OK this?
The proposed patch would allow all about: URIs that are not whitelisted as "safe" to link to file:, chrome:, and resource: URIs, right? I guess that's ok as long as we're absolutely sure that all about: implementations are either privileged or on this whitelist... the problem is that people can drop in about: implementations. If what we care is about: itself, why not just compare the URI to about:? I'd feel much happier with that. As for trunk, we should do this before the betas of 1.9, I think. We might need API changes to the new APIs to do it. All that said, why exactly isn't about: just privileged? This keeps coming up as an issue, as I recall -- people want to run XPConnectified script in it too...
Mike, is this still a problem on the trunk? If it is, could you supply a new patch based on the trunk?
I have no idea if it still is a problem. I'll give this a try in a little while.
(In reply to comment #8) > I have no idea if it still is a problem. I'll give this a try in a little > while. Any update on this?
Comment on attachment 250174 [details] [diff] [review] Proposed patch for 1.8 branch r=dveditz This is not great but OK, if you still need it. It's not going to work on the trunk in the current form. If you really want to land this please replace the tabs with spaces.
Comment on attachment 250174 [details] [diff] [review] Proposed patch for 1.8 branch Approved for 220.127.116.11, a=dveditz for release-drivers.
Reed: Can you please make sure this gets landed on the 1.8 branch.
MOZILLA_1_8_BRANCH: Checking in caps/src/nsScriptSecurityManager.cpp; /cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v <-- nsScriptSecurityManager.cpp new revision: 1.266.2.28; previous revision: 1.266.2.27 done