Closed Bug 432919 Opened 14 years ago Closed 14 years ago

Help viewer content pane should not allow scripts, plugins, meta redirects, or subframes

Categories

(SeaMonkey :: Help Viewer, defect)

Product:
SeaMonkey
Component:
Help Viewer
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9

People

(Reporter: dveditz, Assigned: reed)

Details

(Keywords: fixed1.8.1.15)

Attachments

(2 files)

patch - v1
1.30 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
turn off a couple more things
947 bytes, patch
Waldo
: review+
samuel.sidler+old
: approval1.8.1.15+
Details | Diff | Splinter Review 
We should turn off AllowJavaScript and AllowPlugins in the help content viewer docshell as we've done for various other remote content <browsers> in chrome. Do we need scripting in help? We certainly don't in Firefox 2 with local content, so if you refuse this for FF3 at least make it a branch-only bug rather than close it out. See bug 432406 for why we'd want this. In FF3 loading remote content raising different but similar hijacking concerns.
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Attached patch patch - v1Splinter Review 
Something like this?
Assignee: jwalden+fxhelp → reed
Status: NEW → ASSIGNED
Attachment #320091 - Flags: review?(jwalden+bmo)
Comment on attachment 320091 [details] [diff] [review]
patch - v1

rs=me on the assumption that actually works, I don't remember the precise syntax for doing this...
Attachment #320091 - Flags: review?(jwalden+bmo) → review+
Note that anyone rolling their own content packs might have a fit here; dunno if any of them use script or not.  Also please double-check browser help doesn't; I think we use target="..." instead of javascript: URLs, and I think that's the only case where we might have used script.
Comment on attachment 320091 [details] [diff] [review]
patch - v1

dveditz, can you double check since this is going on branch?
Attachment #320091 - Flags: superreview?(dveditz)
Comment on attachment 320091 [details] [diff] [review]
patch - v1

This works great, but would you mind disabling allowSubframes and allowMetaRedirects too?

I'll sr that if it's OK with jwalden.
Attachment #320091 - Flags: superreview?(dveditz)
Attachment #320112 - Flags: review?(jwalden+fxhelp)
Attachment #320112 - Flags: review?(jwalden+fxhelp) → review?(jwalden+bmo)
Comment on attachment 320112 [details] [diff] [review]
turn off a couple more things

I like commoning expressions, but this is basically dead code anyway, so whatever.  :-)
Attachment #320112 - Flags: review?(jwalden+bmo) → review+
Flags: wanted1.9.0.x?
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15+
Comment on attachment 320112 [details] [diff] [review]
turn off a couple more things

Approved for 1.8.1.15. a=ss for release-drivers.
Attachment #320112 - Flags: approval1.8.1.15+
Checking in toolkit/components/help/content/help.js;
/cvsroot/mozilla/toolkit/components/help/content/help.js,v  <--  help.js
new revision: 1.49; previous revision: 1.48
done

I'll get this on branch in a little bit.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Summary: Help viewer content pane should not allow scripts or plugins → Help viewer content pane should not allow scripts, plugins, meta redirects, or subframes
Target Milestone: --- → mozilla1.9
MOZILLA_1_8_BRANCH:

Checking in toolkit/components/help/content/help.js;
/cvsroot/mozilla/toolkit/components/help/content/help.js,v  <--  help.js
new revision: 1.37.2.6; previous revision: 1.37.2.5
done
Keywords: checkin-neededfixed1.8.1.15
Is there any way to load scripts, plugins, redirects, etc into the Help Viewer in order to verify this fix?
Product: Toolkit → Seamonkey
You need to log in before you can comment on or make changes to this bug.