verify that we don't leak information via web-based proto handlers

RESOLVED WORKSFORME

Status

Core Graveyard
File Handling
P2
normal
RESOLVED WORKSFORME
10 years ago
a year ago

People

(Reporter: dmose, Assigned: Dolske)

Tracking

Trunk
mozilla1.9
Bug Flags:
blocking1.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [proto])

(Reporter)

Description

10 years ago
In particular, we should never send referer[sic] headers, nor provide access to window.opener or window.parent.
Flags: blocking1.9?
(Reporter)

Updated

10 years ago
Whiteboard: [proto]
(Reporter)

Updated

10 years ago
Assignee: nobody → dmose
Priority: -- → P3

Updated

10 years ago
Flags: blocking1.9? → blocking1.9+

Comment 1

10 years ago
Can you connect up with tomcat for the qawanted help
(Reporter)

Comment 2

10 years ago
Tomcat: Some example tests of handler apps are in test_handlerApps.xhtml and the files it references.  This is only somewhat useful to this testing, I think, in that this particular test is calling the launching functions directly, rather than triggering stuff through the UI, which is what I suspect we're going to need.

There are several cases worth testing, I think:

* link in the content area clicked
* URL typed into the URL bar
* Send To command chosen from the context menu

After giving it more thought, I'm no longer so sure these are all easily testable from Mochitest, but it bears investigation...
(Reporter)

Comment 3

10 years ago
Also worth noting is that how the first and third cases are tested depends in part on what we decide to do in bug 402736.
(Reporter)

Comment 4

10 years ago
With a few exceptions, I'm mostly focused on MailCo-related hacking now.  Reassigning a bunch of bugs to default component owners.  I'm happy to help with brainstorming/advice as needed, however.  

Search for the string MAILMONKEY to delete any bugmail generated by this change.
Assignee: dmose → nobody
Connor: need an owner.
Flags: tracking1.9+ → blocking1.9+
Priority: P3 → P2

Updated

10 years ago
Assignee: nobody → dmose
(Assignee)

Updated

10 years ago
Assignee: dmose → dolske
(Assignee)

Updated

10 years ago
Target Milestone: --- → mozilla1.9

Comment 6

10 years ago
Ping on this...
(Assignee)

Comment 7

10 years ago
So, this all seems ok.

I whipped up some manual tests: http://people.mozilla.com/~dolske/handler/ Visit the "install_mailto.html" pagge to install a test mailto handler, and then select it from Prefs -> Applications -> mailto.

Testing consists of looking at the output of a local copy of http://people.mozilla.com/~dolske/handler/linkpage.html (to trigger same-origin checks).

* The parent and children are unable to peek across the iframe boundary
* No referrer is sent when loading from an iframe or clicking the link

I don't see anything interesting happening with these sanity checks, so resolving this bug.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
Issue is Resolved - removing QA-Wanted Keywords - QA-Wanted query clean-up task
Keywords: qawanted
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.