svg in an iframe in a rss post brings up the content handling dialog

Status: RESOLVED INCOMPLETE (reported 11 years ago, last modified 6 years ago)

People: Reporter: moco, Unassigned

Tracking: x86, Windows XP

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

see screen shot.

my feed is http://planet.mozilla.org/atom.xml, and the iframe is from a post from roc:

see http://weblogs.mozillazine.org/roc/archives/2007/09/parallel_dom_ac.html

<iframe src="http://weblogs.mozillazine.org/roc/images/BrowserDataFlow.svg" style="width:285px; height:315px; border:0"></iframe>

What was your "Expected Result"? Did you want us to filter out all iframes, the way Google Reader does, turning his post semi-comprehensible, since he didn't provide fallback content? Or did you mean to file a duplicate of bug 366126, itself a duplicate of bug 288374?
> What was your "Expected Result"? 

Good question, Phil. I didn't expect to be prompted, for sure.

Perhaps we should set allowSubframes to false on the docshell we use for message display?

I'm not sure.

Note, even if I choose "show the article summary instead of loading the webpage", I get this same bug.

Depends on: 366126

Since the "show the webpage" feature is implemented by just creating a message with an iframe whose src is the feed item <link> (and pretty much needs to be, to hang onto the email integration, since anything else isn't going to forward terribly well), disabling subframes on the docshell would mean removing that feature entirely.

We could certainly have a sanitizing parser, probably by switching to toolkit's, and then remove all iframes, cutting off everyone else's nose to spite roc's face, but given that we now support SVG, and that prompting to save an unhandled type as the source of an iframe is exactly what a browser is supposed to do, I'm not sure why we would want to.

What I could get behind (as in, I'd love to see someone else do it ;) would be a non-lame version of what happens if you go to roc's blog in IE7 - an infobar saying something was going to automatically download, though maybe without the "it's scary, but we protected you, and if you're foolish enough to want it anyway, you'll have to say you want to download it to find out anything more about what it was."
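
The sanitizing-parser route mentioned above, as an added example (not code from this bug, Thunderbird or any Mozilla project), assuming feed-item HTML arrives as a string: it strips iframes the way Google Reader does, but keeps any fallback content the author supplied and otherwise leaves a plain link, so an unhandled type such as SVG is never loaded automatically and the reader is not prompted.

```javascript
// Added example: replace each <iframe> in feed-item HTML with its fallback
// content; if there is none, with a plain link to the frame's src (only
// http/https targets are linked). Nothing is loaded automatically, so no
// content-handling prompt appears, yet the reader can still reach the file.
// Assumption: regexes over feed HTML are enough for a demo; a real sanitizer
// should work on a parsed DOM and also handle script, object, embed, etc.

const IFRAME_RE =
  /<iframe\b([^>]*)>([\s\S]*?)<\/iframe\s*>|<iframe\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Return the frame's src if it is an http(s) URL, otherwise null.
function safeSrc(attrs) {
  const m = SRC_RE.exec(attrs || '');
  if (!m) return null;
  const url = (m[1] || m[2] || m[3] || '').trim();
  return /^https?:\/\//i.test(url) ? url : null;
}

function stripIframes(html) {
  return html.replace(IFRAME_RE, (match, attrs1, inner, attrs2) => {
    const fallback = (inner || '').trim();
    if (fallback) return fallback;          // keep author-provided fallback
    const src = safeSrc(attrs1 !== undefined ? attrs1 : attrs2);
    if (src) {
      const e = escapeHtml(src);
      return `<a href="${e}">[embedded frame: ${e}]</a>`;
    }
    return '';                              // nothing safe to show: drop it
  });
}
```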

Comment 5 (6 years ago)
That post now throws a sec error in Fx, and this can't be recreated in Tb. Feeds no longer use an iframe and there have been many changes since. Reopen if reproducible in current releases.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE