Closed Bug 397845 Opened 18 years ago Closed 18 years ago

Should register(Protocol|Content)Handler enforce cross-domain policies?

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 402287

People

(Reporter: rflint, Unassigned)

References

(
URL
)

Details

Currently we allow pages to register handlers for domains other than their own (e.g. http://people.mozilla.org/~ctalbert/test-mailto-gmail.html). The language of the specification seems to be leaning towards only allowing pages to register handlers for the current domain, but only explicitly covers the case disallowing a single domain from registering multiple handlers for the same type/protocol. The current UI does display the domain to be registered in the body of the message (and is neither modal nor intrusive), so perhaps we're already fine. Any thoughts on this Ian?
No, not really. I don't think we collectively have enough experience to really know what the right answers are with this API. We should do what we think is best and then carefully follow what happens with it and redesign its security model and maybe even the API itself once we know what we're doing. :-)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.