Closed
Bug 432919
Opened 14 years ago
Closed 14 years ago
Help viewer content pane should not allow scripts, plugins, meta redirects, or subframes
Categories: SeaMonkey :: Help Viewer, defect
Tracking: (Not tracked)
Status: RESOLVED FIXED
Target Milestone: mozilla1.9
People: Reporter: dveditz, Assigned: reed
Details: Keywords: fixed1.8.1.15
Attachments (2 files):
- patch (1.30 KB): Waldo: review+
- patch (947 bytes): Waldo: review+; samuel.sidler+old: approval1.8.1.15+
We should turn off AllowJavaScript and AllowPlugins in the help content viewer docshell as we've done for various other remote content <browsers> in chrome. Do we need scripting in help? We certainly don't in Firefox 2 with local content, so if you refuse this for FF3 at least make it a branch-only bug rather than close it out. See bug 432406 for why we'd want this. In FF3, loading remote content raises different but similar hijacking concerns.
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Comment 1 (Assignee) • 14 years ago
Something like this?
Assignee: jwalden+fxhelp → reed
Status: NEW → ASSIGNED
Attachment #320091 - Flags: review?(jwalden+bmo)
Comment 2 • 14 years ago
Comment on attachment 320091 (patch - v1): rs=me on the assumption that actually works, I don't remember the precise syntax for doing this...
Attachment #320091 - Flags: review?(jwalden+bmo) → review+
Comment 3 • 14 years ago
Note that anyone rolling their own content packs might have a fit here; dunno if any of them use script or not. Also please double-check browser help doesn't; I think we use target="..." instead of javascript: URLs, and I think that's the only case where we might have used script.
Comment 4 (Assignee) • 14 years ago
Comment on attachment 320091 (patch - v1): dveditz, can you double check since this is going on branch?
Attachment #320091 - Flags: superreview?(dveditz)
Comment 5 (Reporter) • 14 years ago
Comment on attachment 320091 (patch - v1): This works great, but would you mind disabling allowSubframes and allowMetaRedirects too? I'll sr that if it's OK with jwalden.
Attachment #320091 - Flags: superreview?(dveditz)
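Added example, not code from this bug or from the Mozilla tree: the description asks for allowJavascript and allowPlugins to be turned off on the help content docshell, and comment 5 adds allowSubframes and allowMetaRedirects; this applies all four as one policy and reads each attribute back, so a docshell that lacks the attribute or silently drops the write is reported instead of assumed to be locked down (comment 2 reviews "on the assumption that actually works"). Only the nsIDocShell attribute names are real; the docshell object is a constructed stand-in so the code runs outside a chrome window.

```javascript
// Capabilities the help viewer's content pane should not have.
// Attribute names follow nsIDocShell; everything else here is illustrative.
const HELP_CONTENT_POLICY = Object.freeze({
  allowJavascript: false,    // no script in help content
  allowPlugins: false,       // no plugins
  allowSubframes: false,     // no <iframe>/<frame> inside help pages
  allowMetaRedirects: false  // no <meta http-equiv="refresh"> hops
});

// Apply the policy and return the attributes that did NOT end up in the
// required state: missing on this docshell, read-only, or write ignored.
function applyHelpContentPolicy(docShell, policy = HELP_CONTENT_POLICY) {
  const failures = [];
  for (const [attr, wanted] of Object.entries(policy)) {
    if (!(attr in docShell)) {
      failures.push(`${attr}: not supported by this docshell`);
      continue;
    }
    try {
      docShell[attr] = wanted;
    } catch (e) {
      // Strict mode throws on a non-writable property.
      failures.push(`${attr}: assignment threw ${e.name}`);
      continue;
    }
    // Read back: sloppy mode swallows a write to a non-writable property
    // silently, which is exactly the case a reviewer cannot see in a diff.
    if (docShell[attr] !== wanted) {
      failures.push(`${attr}: still ${docShell[attr]}`);
    }
  }
  return failures;
}

// Constructed stand-in for the help content <browser>'s docshell, with the
// permissive defaults a fresh docshell has. Not a real nsIDocShell.
function makeFakeDocShell(overrides = {}) {
  return Object.assign({
    allowJavascript: true,
    allowPlugins: true,
    allowSubframes: true,
    allowMetaRedirects: true,
    allowImages: true  // unrelated capability; the policy must leave it alone
  }, overrides);
}

const exampleShell = makeFakeDocShell();
console.log(applyHelpContentPolicy(exampleShell));  // [] when every capability was disabled
```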
Comment 6 (Reporter) • 14 years ago
Attachment #320112 - Flags: review?(jwalden+fxhelp)
Updated (Reporter) • 14 years ago
Attachment #320112 - Flags: review?(jwalden+fxhelp) → review?(jwalden+bmo)
Comment 7 • 14 years ago
Comment on attachment 320112 (turn off a couple more things): I like commoning expressions, but this is basically dead code anyway, so whatever. :-)
Attachment #320112 - Flags: review?(jwalden+bmo) → review+
Updated (Reporter) • 14 years ago
Flags: wanted1.9.0.x?
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15+
Comment 8 • 14 years ago
Comment on attachment 320112 (turn off a couple more things): Approved for 1.8.1.15. a=ss for release-drivers.
Attachment #320112 - Flags: approval1.8.1.15+
Comment 9 (Assignee) • 14 years ago
Checking in toolkit/components/help/content/help.js; /cvsroot/mozilla/toolkit/components/help/content/help.js,v <-- help.js new revision: 1.49; previous revision: 1.48 done
I'll get this on branch in a little bit.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Summary: Help viewer content pane should not allow scripts or plugins → Help viewer content pane should not allow scripts, plugins, meta redirects, or subframes
Target Milestone: --- → mozilla1.9
Comment 10 (Assignee) • 14 years ago
MOZILLA_1_8_BRANCH: Checking in toolkit/components/help/content/help.js; /cvsroot/mozilla/toolkit/components/help/content/help.js,v <-- help.js new revision: 1.37.2.6; previous revision: 1.37.2.5 done
Keywords: checkin-needed → fixed1.8.1.15
Comment 11 • 14 years ago
Is there any way to load scripts, plugins, redirects, etc into the Help Viewer in order to verify this fix?
Updated • 6 years ago
Product: Toolkit → Seamonkey