Bug 53124
[FIXr]location.host fails for pages loaded from jar
Opened 24 years ago
Closed 20 years ago
Categories: (Core :: DOM: Core & HTML, defect, P2)
Tracking: RESOLVED FIXED, mozilla1.7final
People: (Reporter: security-bugs, Assigned: bzbarsky)
Details: (Keywords: dom0, fixed1.7)
Attachments: (1 file)
patch, 4.34 KB; darin.moz: review+, jst: superreview+, asa: approval1.7+
If a page was loaded from the jar protocol, accessing document.location.host fails and stops the script. This is because nsJARURI::GetHost always returns failure. Since Warren insists this is the correct behavior, the alternative is to special-case JAR URLs in nsLocation. This feature is important for security. In order to prevent a signed script from being copied to another site, a script must check document.location.host to see what host the script is being run from.
Comment 1 • 24 years ago (Reporter)
Warren, jband and I talked this over. I think the consensus was for a special-case solution in DOM rather than changing the behavior of nsJARURI. However, we can live without this for now. Marking Future.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Comment 2 • 23 years ago (Reporter)
performance, footprint, feature work, and re-architecture bugs will be addressed in 0.9.8
Target Milestone: Future → mozilla0.9.8
Comment 4 • 20 years ago (Assignee)
Comment 5 • 20 years ago (Assignee)
Comment on attachment 146733
Possible patch
So assuming we still want to do this, I think this is the way to do it... I just changed host, hostname, and port. The rest should come from the jar URI itself.
Attachment #146733 - Flags: superreview?(jst)
Attachment #146733 - Flags: review?(darin)
Comment 6 • 20 years ago
Comment on attachment 146733
Possible patch
sr=jst
Attachment #146733 - Flags: superreview?(jst) → superreview+
Comment 7 • 20 years ago
Comment on attachment 146733
Possible patch
r=darin, but...
what about a jar file contained in a jar file loaded from a http site? what should happen in that case? should you loop?
also, what about wyciwyg?
i also thought it would be nice if we had a nsILayeredURI or something like that that could be used to generalize the concept of a URI containing an inner URI.
Attachment #146733 - Flags: review?(darin) → review+
Comment 8 • 20 years ago (Assignee)
> what about a jar file contained in a jar file loaded from a http site?
> what should happen in that case? should you loop?

At the moment, I loop. Given the original intent of this bug, that seemed like the most reasonable thing to do.

> also, what about wyciwyg?

What about it? At the moment, CreateExposableURI makes it happy. If we have wyciwyg://x/jar:whatever, we run into trouble, I guess....

> it would be nice if we had a nsILayeredURI or something like that

That may in fact be a good idea... Want to file a bug on that?
Assignee: security-bugs → bzbarsky
Status: ASSIGNED → NEW
Priority: P3 → P2
Summary: location.host fails for pages loaded from jar → [FIXr]location.host fails for pages loaded from jar
Target Milestone: Future → mozilla1.8alpha
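The looping behaviour discussed in comments 7 and 8, sketched as an added JavaScript example that is not part of this bug or of the Mozilla patch: nested jar: URLs are unwrapped until a non-jar URI remains, and host, hostname and port are read from that innermost URI. The function names and the example.com hosts are hypothetical, and the code assumes the form `jar:<inner-url>!/<entry>` with the inner URL ending at the last `!/`.

```javascript
// Added illustration only; not Mozilla's nsLocation implementation.
// Assumption: jar:<inner-url>!/<entry>, inner URL ends at the last "!/".
const MAX_JAR_DEPTH = 16; // constructed limit so malformed input cannot loop forever

function innermostURI(spec) {
  let current = spec;
  let depth = 0;
  while (current.toLowerCase().startsWith("jar:")) {
    const sep = current.lastIndexOf("!/");
    if (sep === -1) {
      throw new Error("malformed jar: URL, no !/ separator");
    }
    // Drop the "jar:" prefix and the entry path, keep the wrapped URL.
    current = current.slice(4, sep);
    depth += 1;
    if (depth > MAX_JAR_DEPTH) {
      throw new Error("jar: nesting too deep");
    }
  }
  return new URL(current); // throws on an unparsable inner URL
}

// The three properties comment 5 says were changed: host, hostname, port.
function locationHostParts(spec) {
  const inner = innermostURI(spec);
  return { host: inner.host, hostname: inner.hostname, port: inner.port };
}

// The check from the bug description: a signed script confirms which host
// it was loaded from. Any parse failure is treated as "wrong host".
function runningOnExpectedHost(spec, expectedHost) {
  try {
    return locationHostParts(spec).host === expectedHost;
  } catch (e) {
    return false;
  }
}
```

A jar: URL wrapping a file: URL yields an empty host, so the check fails closed for a copy of the archive opened from local disk.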
Comment 9 • 20 years ago (Assignee)
Checked in. jst, is this something we want on the 1.7 branch?
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 10 • 20 years ago
Comment on attachment 146733
Possible patch
I'd say we do want this on the next stable branch, otherwise it doesn't help the implementors who need this all that much. Looks safe, is there a reason NOT to take it in 1.7?
Attachment #146733 - Flags: approval1.7?
Comment 11 • 20 years ago (Assignee)
Not that I know of.
Comment 12 • 20 years ago
Comment on attachment 146733
Possible patch
a=asa (on behalf of drivers) for checkin to 1.7
Attachment #146733 - Flags: approval1.7? → approval1.7+
Comment 13 • 20 years ago (Assignee)
Checked in on the 1.7 branch.
Keywords: fixed1.7
Target Milestone: mozilla1.8alpha → mozilla1.7final