Closed Bug 427906 Opened 18 years ago Closed 17 years ago

ChatZilla activates chrome and javascript URLs in channels

Categories

(Other Applications Graveyard :: ChatZilla, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: bc, Assigned: rginda)

Details

(Whiteboard: [sg:low])

steps to reproduce:
1. paste javascript:alert%281%29 into a channel
2. click on the linkified link

actual results: alert(1) is executed by firefox.
expected results: ?

1. paste chrome://browser/content into a channel
2. click on the linkified link

actual results: browser chrome is loaded into firefox tab
expected results: ?
Whiteboard: [sg:low]
I'm really not sure this is a problem, but perhaps that makes me naive. I'd be willing to unlink the javascript bits, but I'm not sure if we should block chrome URLs. Anyway, relevant code is here: http://mxr.mozilla.org/seamonkey/source/extensions/irc/xul/content/mungers.js#166 We can probably hardcode chrome: and javascript: to not work if necessary. Anyone feel like doing a patch?
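The scheme restriction suggested in the comment above, generalized here to an allowlist check applied before matched text is linkified. This is an added example, not ChatZilla's code from mungers.js; the function name `classifyChatUrl`, the contents of `LINKABLE_SCHEMES` and the sample strings are assumptions.

```javascript
// Added example (not ChatZilla's code): decide whether text matched in a
// chat message may be turned into a clickable link, based on its scheme.

// Assumed allowlist of schemes a chat client hands to the browser.
const LINKABLE_SCHEMES = new Set(["http:", "https:", "ftp:", "irc:", "ircs:"]);

// Returns { link: boolean, scheme: string|null, reason: string }.
function classifyChatUrl(text) {
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme, strips leading
    // whitespace and drops embedded tabs/newlines, so the check sees the
    // scheme a standards-based browser parser would see.
    parsed = new URL(text);
  } catch (e) {
    return { link: false, scheme: null, reason: "not an absolute URL" };
  }
  if (!LINKABLE_SCHEMES.has(parsed.protocol)) {
    return { link: false, scheme: parsed.protocol, reason: "scheme not on allowlist" };
  }
  return { link: true, scheme: parsed.protocol, reason: "ok" };
}

// Constructed sample inputs; the first two are the strings from the report.
const samples = [
  "javascript:alert%281%29",
  "chrome://browser/content",
  "JaVaScRiPt:alert%281%29",   // mixed case
  "java\tscript:alert%281%29", // embedded tab, removed during parsing
  "https://example.org/page",
  "irc://irc.example.net/channel",
  "www.example.org",           // no scheme: left as plain text
];

for (const s of samples) {
  const r = classifyChatUrl(s);
  console.log(JSON.stringify(s), "->", r.link ? "linkify" : "plain text", `(${r.reason})`);
}
```

An allowlist fails closed for any scheme not listed, so privileged or script-bearing schemes beyond `javascript:` and `chrome:` are left unlinked without being enumerated.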
I forgot, nobody can see this bug. Let's fix that...
It would be nice if people could file bugs that actually indicate what the damn problem is supposed to be. The URLs are thrown over to Firefox using standard methods (openTopWin and openNewWindowWith), which ought not be insecure themselves. If the browser wants to block javascript/chrome URLs, those functions or something they call is what you want to 'fix'.
Hardware: PC → All
Summary: Chatzilla activates chrome and javascript urls in channels → ChatZilla activates chrome and javascript URLs in channels
Sorry for not living up to your expectations. I won't make the mistake of filing a bug on chatzilla again. You are such a fine example and inspiration for all of us. Please keep up the good work of alienating everyone you work with.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Is it really too much to ask that people filing security-sensitive bugs actually say what the security problem is? Surely not...
Resolution: INVALID → INCOMPLETE
Group: security
Product: Other Applications → Other Applications Graveyard