Closed Bug 436137 Opened 17 years ago Closed 9 months ago

irc: and ircs: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction

Categories

(Other Applications Graveyard :: ChatZilla, defect)

Product:
Other Applications Graveyard
Component:
ChatZilla
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: glenjamin+bmo, Assigned: rginda)

Details

Attachments

(2 files, 1 obsolete file)

example (will open irc client)
200 bytes, text/html
Details
Same bug, but uses Meta Tags, so it will still function with JavaScript disabled.
97 bytes, text/html
Details
any irc: protocol URLs opened via javascript are sent directly to ChatZilla, which opens with without question. Example Testcase attached that will open irc://quakenet/test and irc://moznet/test, using location.href and new Image().src As an example solution to this, mIRC prompts users when it catches any irc:// urls before initiating the connection.
http://mxr.mozilla.org/seamonkey/source/extensions/irc/js/lib/chatzilla-service.js#362 Here's the code where the protocol handler gets chatzilla to open the URL, is this as simple as putting a user prompt here?
(In reply to comment #1) > http://mxr.mozilla.org/seamonkey/source/extensions/irc/js/lib/chatzilla-service.js#362 > > Here's the code where the protocol handler gets chatzilla to open the URL, is > this as simple as putting a user prompt here? > I don't believe so, as the protocol handler might have been called from the commandline, so there is no guarantee there is anywhere to prompt from.
I'd much prefer any prompting be done from the main app, and not component code. For example, update the code in processStartupURLs() and the component code to call a new function that prompts the user before calling gotoIRCURL(). You'd need to make sure to correctly discern whether it was the protocol handler or command-line that caused the load. I'd probably make both go to the new function, but passing the activation type in - it can then decide to unanimously accept command-line activations and only prompt for protocol handlers.
This bug can also be achieved using meta tags, which will work even if JS is disabled. http://dc949.org/cz_bug.php
Assignee: rginda → silver
see also http://tinyurl.com/bug436137
Summary: irc: urls opened with javascript without user interaction → irc: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction
Summary: irc: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction → irc: and ircs: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction
Attached patch Patch (obsolete) — Splinter Review
This is what I could come up with... I should note that I redid some if statement logic and comments in processStartupURLs that ultimately wasn't necessary (as in, I wouldn't have touched that code otherwise) but it does look neater, if you ask me. Can just eliminate that hunk entirely if people disagree. :-)
Assignee: silver → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attachment #364807 - Flags: review?(silver)
Attachment #364807 - Attachment is obsolete: true
Attachment #364807 - Flags: review?(silver)
--> James
Assignee: gijskruitbosch+bugs → silver
Assignee: silver → rginda
Status: ASSIGNED → NEW
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → INCOMPLETE
Product: Other Applications → Other Applications Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: