Add preference to turn javascript: bookmarks off/on

RESOLVED WONTFIX

Status

Firefox
Security
9 years ago
5 years ago

People

(Reporter: bsterne, Unassigned)

Tracking

(Blocks: 1 bug, {sec-want})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want?])

(Reporter)

Description

9 years ago
If a javascript: or data: URL is pasted on top of a privileged chrome document it is processed with chrome privileges.  As such, a person could inadvertently run malicious JavaScript with chrome privileges if they click a malicious bookmarklet, etc.

Perhaps javascript: and data: for bookmarks should be turned off by default and users who want to use JavaScript bookmarks can opt-in to use them.  Since the threat only applies to a javascript: URL being pasted on top of an active privileged tab, the restriction need only apply to bookmarks, etc., and these URLs could be safely allowed for normal hyperlinks, images, etc.
(Reporter)

Updated

9 years ago
Whiteboard: [sg:investigate]
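
As an added example (not part of the original report and not Firefox code): a defender-side audit that lists the javascript: and data: entries in a bookmarks backup, the two schemes the description is concerned with. It assumes the Firefox bookmarks JSON backup layout (`children`, `uri` and `title` fields); the function names and the sample tree are constructed for illustration.

```javascript
// Added example: audit a bookmarks JSON backup for script-bearing URLs.
// Field names ("type", "uri", "title", "children") are assumed to follow the
// Firefox backup layout; the sample tree below is constructed.
const RISKY_SCHEMES = new Set(["javascript:", "data:"]);

// Normalise the way a browser does: the WHATWG URL parser trims leading
// whitespace, drops embedded tabs/newlines and lowercases the scheme, so
// " JaVa\tScript:..." is still classified as "javascript:".
function schemeOf(uri) {
  try {
    return new URL(uri).protocol;
  } catch (e) {
    return null; // not an absolute URL; nothing to classify
  }
}

// Depth-first walk; returns one finding per risky bookmark with its folder path.
function auditBookmarks(node, path = []) {
  const findings = [];
  if (typeof node.uri === "string") {
    const scheme = schemeOf(node.uri);
    if (RISKY_SCHEMES.has(scheme)) {
      findings.push({ folder: path.join("/"), title: node.title || "", scheme });
    }
  }
  const childPath = node.title ? [...path, node.title] : path;
  for (const child of node.children || []) {
    findings.push(...auditBookmarks(child, childPath));
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_BACKUP = {
  title: "", type: "text/x-moz-place-container",
  children: [
    { title: "toolbar", type: "text/x-moz-place-container", children: [
      { title: "Docs", type: "text/x-moz-place", uri: "https://example.org/" },
      { title: "Tidy page", type: "text/x-moz-place", uri: " JaVa\tScript:void(document.title)" },
    ]},
    { title: "menu", type: "text/x-moz-place-container", children: [
      { title: "Note", type: "text/x-moz-place", uri: "data:text/html,<p>note</p>" },
      { title: "Recent", type: "text/x-moz-place", uri: "place:sort=8&maxResults=10" },
    ]},
  ],
};

for (const f of auditBookmarks(SAMPLE_BACKUP)) {
  console.log(`${f.scheme} bookmark "${f.title}" in ${f.folder}`);
}
```
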

Comment 1

9 years ago
See also bug 371923 and bug 305692.  This is mostly an XSS hazard, since most users don't load chrome documents often (right?).

Updated

7 years ago
Whiteboard: [sg:investigate] → [sg:want?]

Comment 2

The summary just wants a pref and does not say what the default is, on or off. Comment 0 suggests off, but allowing in-page references to load. Comment 1 says the threat is not chrome: privs (mostly).

What's the threat and how does a pref help? If the threat is real, why give a pref even to enable the attack (default off), instead of providing a defense so we can avoid yet another pref?

/be

Comment 3

6 years ago
For data: URLs, fixing bug 656823 would be better.
Summary: Add preference to turn javascript: and data: bookmarks off/on → Add preference to turn javascript: bookmarks off/on

Updated

6 years ago
Blocks: 527530

Comment 4

Is this WONTFIX now?

/be
Keywords: sec-want

Comment 5

5 years ago
Yes. I don't think a pref is the answer here.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX