Closed
Bug 404678
Opened 18 years ago
Closed 17 years ago
New security restrictions on file:/// break JsUnit, TIBCO General Interface, etc.
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jesse, Assigned: dveditz)
References
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b1) Gecko/2007110903 Firefox/3.0b1
New security restrictions introduced in Firefox 3 that affect pages loaded from the file:/// domain break existing JavaScript/AJAX applications. I can't find any documentation on this so I'm not sure whether it is a feature or a bug.
Example 1: Loading a standard instance of JsUnit over file:/// causes all sorts of messages in the error log of the form "Error: uncaught exception: Permission denied to get property Window.xbDEBUG". Loading the same page over http:// shows no errors.
Example 2: Loading any XML document from a relative URI that begins with "file:", "/" or "../" throws a security error with the message "Permission denied to call method XMLDocument.load". Using XMLHttpRequest or the same code in a page loaded from http:// does not raise an error.
Reproducible: Always
Steps to Reproduce:
1. Download JsUnit 2.1
2. Load testRunner.html into Firefox 3 with a file:/// URI
3. Open Error Console and see messages
I've tested this on Mac OS X 10.4 and Windows XP.
|
Reporter | |
Comment 1•18 years ago
|
||
Download JsUnit 2.1 here: http://internap.dl.sourceforge.net/sourceforge/jsunit/jsunit2_1.zip
-> DOM.
I think there is a dupe of this somewhere?
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → Trunk
|
||
Comment 3•18 years ago
|
||
These were added in bug 230606. I'm not sure there's really anything to be done about this issue without reintroducing the security problems.
Blocks: 230606
|
|
Reporter | |
Comment 4•18 years ago
|
||
It seems like some balance could be struck given that this change causes Firefox to stop performing like the other major browsers (IE, Safari).
1. I'm not really sure why JsUnit has to break since JsUnit only relies on accessing JavaScript objects defined by other frames to exist in the global namespace "top". (BTW, JsUnit is pretty popular, is used in Selenium, another popular package, and unfortunately doesn't seem to be under active development.)
2. It looks like you can still use XMLHttpRequest with UniversalRead to get to files above the page (../) but XMLDocument.load does not work even with UniversalRead/UniversalXPConnect. If XMLHttpRequest is not considered a security vulnerability why should XMLDocument be?
|
|
||
Comment 5•17 years ago
|
||
> but XMLDocument.load does not work even with UniversalRead/UniversalXPConnect.
That would be a bug. Either that, or the XMLHttpRequest thing is, as you say. Confirming based on that, and nominating for investigation, at least; inconsistencies in the security model scare me.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
|
|
||
Comment 6•17 years ago
|
||
+ing per comment 5 to investigate...
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
|
Assignee | |
Comment 7•17 years ago
|
||
Why is there an AJAX application running on file:/// uris?
If it's just for local development and testing then developers can easily relax this restriction by setting the pref security.fileuri.origin-policy to 4 ("traditional").
If you're deploying end-user code this way we'll need to know more about what and why to figure out what might be the best approach.
|
||
Comment 8•17 years ago
|
||
(In reply to comment #7)
> Why is there an AJAX application running on file:/// uris?
Why not?
I have an AJAX application on my laptop which reads cpu speed/temperature and
WLAN and battery levels from /proc/*.
IIRC, after bug 230606 I changed security.fileuri.origin-policy, though that
means that bug 230606 isn't fixed when I'm using my normal FF profile.
Probably I could have changed the AJAX application to ask UniversalXPConnect.
|
||
Updated•17 years ago
|
Flags: tracking1.9+ → blocking1.9+
|
|
||
Updated•17 years ago
|
Priority: P2 → P1
|
|
||
Updated•17 years ago
|
Assignee: nobody → dveditz
|
||
Comment 9•17 years ago
|
||
Progress on this?
|
||
Comment 10•17 years ago
|
||
From Jonas:
Not blocking on this for this release. This is probably WONTFIX even. If we are going to restrict cross-directory access for file-urls the type of things we want to block are the type of things that this bug asks us not to block. I.e. we're blocking these things by design.
Dan, would be great if you could elaborate here.
Flags: wanted-next+
Flags: blocking1.9-
Flags: blocking1.9+
|
|
||
Comment 12•17 years ago
|
||
Given that we're deprecating XMLDocument.load, I do think we should wontfix this. If we care, we can do a separate bug on making XMLDocument.load pay attention to UniversalSomething.
Yeah, we have decided to not allow "cross-origin" loads using document.load. This isn't primarily because we think cross-origin loads are bad, but because it requires us to change origin on an existing Document object, which is hard to implement while guaranteeing no bugs. Requiring the caller to have UniversalXPConnect isn't really going to help with these bugs.
So unfortunately the recommended solution is to use XMLHttpRequest instead.
If someone can point to exactly what code is failing we should be able to tell you what to replace it with.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•