javascript: URLs have chrome privileges when loaded while on chrome: page

Status: RESOLVED INVALID
Product/Component: Core :: Security
Reported: 9 years ago
Modified: 9 years ago
Reporter: myk (Unassigned)
Version: Trunk
Platform: x86 Linux

Description (Reporter, 9 years ago)
I'm not sure this is a bug but thought I'd file it just in case.  javascript: URLs have chrome privileges when loaded while a chrome: page is currently loaded into the browser.

1. go to about:config;
2. enter javascript:alert(Components.classes) into the location bar;
3. hit enter or press the Go button.

Expected results: error console reports "Error: Permission denied for <about:config> to get property XPCComponents.classes".

Actual results: alert dialog appears.

Comment 1

This is pretty well known - javascript: URIs inherit the principal of the currently displayed page. I suppose it's probably a dupe of bug 288164. Bug 286651 is also related.
Comment 2 (Reporter, 9 years ago)
Hmm, ok, that makes sense.  In that case, would anyone have a problem with me blogging about it?  I have a valid (although hacky, to be sure) use case!  I'm using a javascript: URL with chrome privileges to register a web protocol handler that is a data: URL that extracts message IDs from news: links and then loads the messages in Google Groups (i.e. it's "news: links to Google Groups" glue).

Comment 3

It might be better to suggest using the error console's "Code" field instead. It also has chrome privileges.
Comment 4 (Reporter, 9 years ago)
(In reply to comment #3)
> It might be better to suggest using the error console's "Code" field instead.
> It also has chrome privileges.

The error console is a bit obscure, and many more folks understand the location bar, so it's easier to explain.  But I don't want to compromise Firefox security, so if "better" means less compromising, then I can mention the Error Console instead.

Comment 5

"better" in that "Open the error console (ctrl-shift-J), paste into field" is less bewildering than "open cryptic url and now a javascript: url will do things it normally wouldn't". An empowered dialog makes more sense than having the address bar sometimes have privileges it usually does not.

Unhiding because not only is this well known, but injecting javascript: urls into privileged content windows has been the basis of published security advisories we've had to fix in the past.

I don't think this is enough like bug 288164 to dupe it, but it's basically "as-designed".
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
Comment 6 (Reporter, 9 years ago)
(In reply to comment #5)
> "better" in that "Open the error console (ctrl-shift-J), paste into field" is
> less bewildering than "open cryptic url and now a javascript: url will do
> things it normally wouldn't". An empowered dialog makes more sense than having
> the address bar sometimes have privileges it usually does not.

Indeed, although it also means the URL can't load a web page explaining what just happened and giving sample URLs to click.  But that's ok, I can put sample URLs into the blog post.  I'll do that.