Open Bug 547813 Opened 14 years ago Updated 3 years ago

consider blocking drops of URI_INHERITS_SECURITY_CONTEXT URIs in front-end code

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect, P5)

People

(Reporter: Gavin, Unassigned)

...by adding DISALLOW_INHERIT_PRINCIPAL to nsDragAndDrop.dragDropSecurityCheck.

Dropping javascript: or data: URIs is relatively uncommon, I think, and has the potential to introduce security risks if they somehow end up triggering loads in chrome-privileged documents.
Just a note that bug 545714 makes nsDragAndDrop.dragDropSecurityCheck obsolete, so we should change the new code instead.

See Also: → 545714

Also consider the use of checkLoadURIStrWithPrincipal instead.
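To make the proposed check concrete, here is an added illustration (not Gecko code, and not the reporter's patch) of a front-end drop filter that refuses URIs whose load would inherit the principal of the receiving document. The scheme set, the `dragDropSecurityCheck` signature and the `disallowInheritPrincipal` option are assumptions that stand in for URI_INHERITS_SECURITY_CONTEXT and DISALLOW_INHERIT_PRINCIPAL; the real list of inheriting schemes lives in Gecko's URI implementations.

```javascript
// Added example, not part of the bug or of Gecko. The set below is an
// assumption standing in for URI_INHERITS_SECURITY_CONTEXT: it names only the
// two schemes the bug mentions.
const INHERITING_SCHEMES = new Set(["javascript", "data"]);

// Return the lower-cased scheme of a dropped string, or null when the string
// has no scheme. Leading C0 controls and spaces are stripped first, since a
// URL parser would ignore them too and a check must not be bypassed by " javascript:".
function schemeOf(uriString) {
  const trimmed = uriString.replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Model of the front-end check discussed above (assumed signature). With
// disallowInheritPrincipal set, a drop of an inheriting-scheme URI is refused
// before anything asks the content to load it; the caller decides whether to
// also log or surface the refusal.
function dragDropSecurityCheck(droppedUriString, { disallowInheritPrincipal = true } = {}) {
  const scheme = schemeOf(droppedUriString);
  if (scheme === null) {
    return { allowed: false, reason: "no-scheme" };
  }
  if (disallowInheritPrincipal && INHERITING_SCHEMES.has(scheme)) {
    return { allowed: false, reason: "inherits-principal", scheme };
  }
  return { allowed: true, reason: "ok", scheme };
}

// Constructed sample drops, as a browser front end might receive them.
const SAMPLE_DROPS = [
  "https://example.org/",        // ordinary navigation: allowed
  "  JavaScript:void(0)",        // leading spaces and mixed case: still refused
  "data:text/html,<p>hi</p>",    // data: inherits the loader's principal: refused
  "not a url",                   // no scheme at all: refused as unparseable
];

for (const drop of SAMPLE_DROPS) {
  const verdict = dragDropSecurityCheck(drop);
  console.log(JSON.stringify(drop), "->", verdict.allowed ? "allow" : `block (${verdict.reason})`);
}
```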

Bulk-downgrade of unassigned, >=5 years untouched DOM/Storage bugs' priority.

If you have reason to believe this is wrong (especially for the severity), please write a comment and ni :jstutte.

Severity: normal → S4
Priority: -- → P5