Open Bug 436137 Opened 12 years ago Updated 10 years ago

irc: and ircs: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction

Categories

(Other Applications :: ChatZilla, defect)

defect
Not set

Tracking

(Not tracked)

People

(Reporter: glenjamin+bmo, Assigned: rginda)

Details

Attachments

(2 files, 1 obsolete file)

any irc: protocol URLs opened via javascript are sent directly to ChatZilla, which opens with without question.

Example Testcase attached that will open irc://quakenet/test and irc://moznet/test, using location.href and new Image().src

As an example solution to this, mIRC prompts users when it catches any irc:// urls before initiating the connection.
http://mxr.mozilla.org/seamonkey/source/extensions/irc/js/lib/chatzilla-service.js#362

Here's the code where the protocol handler gets chatzilla to open the URL, is this as simple as putting a user prompt here?
(In reply to comment #1)
> http://mxr.mozilla.org/seamonkey/source/extensions/irc/js/lib/chatzilla-service.js#362
> 
> Here's the code where the protocol handler gets chatzilla to open the URL, is
> this as simple as putting a user prompt here?
> 

I don't believe so, as the protocol handler might have been called from the commandline, so there is no guarantee there is anywhere to prompt from.
I'd much prefer any prompting be done from the main app, and not component code. For example, update the code in processStartupURLs() and the component code to call a new function that prompts the user before calling gotoIRCURL().

You'd need to make sure to correctly discern whether it was the protocol handler or command-line that caused the load. I'd probably make both go to the new function, but passing the activation type in - it can then decide to unanimously accept command-line activations and only prompt for protocol handlers.
This bug can also be achieved using meta tags, which will work even if JS is disabled.


http://dc949.org/cz_bug.php
Assignee: rginda → silver
see also http://tinyurl.com/bug436137
Summary: irc: urls opened with javascript without user interaction → irc: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction
Summary: irc: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction → irc: and ircs: urls opened with meta refresh tag, HTTP header redirect, and javascript without user interaction
Attached patch Patch (obsolete) — Splinter Review
This is what I could come up with... I should note that I redid some if statement logic and comments in processStartupURLs that ultimately wasn't necessary (as in, I wouldn't have touched that code otherwise) but it does look neater, if you ask me. Can just eliminate that hunk entirely if people disagree. :-)
Assignee: silver → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attachment #364807 - Flags: review?(silver)
Attachment #364807 - Attachment is obsolete: true
Attachment #364807 - Flags: review?(silver)
--> James
Assignee: gijskruitbosch+bugs → silver
Assignee: silver → rginda
Status: ASSIGNED → NEW
You need to log in before you can comment on or make changes to this bug.