Open
Bug 547813
Opened 15 years ago
Updated 4 years ago
consider blocking drops of URI_INHERITS_SECURITY_CONTEXT URIs in front-end code
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect, P5)
Tracking
NEW
People
(Reporter: Gavin, Unassigned)
...by adding DISALLOW_INHERIT_PRINCIPAL to nsDragAndDrop.dragDropSecurityCheck.
Dropping javascript: or data: URIs is relatively uncommon, I think, and has the potential to introduce security risks if they somehow end up triggering loads in chrome-privileged documents.
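A standalone model of the check proposed above, added here as an illustration; it is not Firefox code and not part of the bug report. In Firefox the decision would come from the security manager called with DISALLOW_INHERIT_PRINCIPAL; the scheme set, the function names and the sample payload below are assumptions, and the WHATWG `URL` parser stands in for the browser's URI parsing.

```javascript
// Added illustration, not Firefox source.
// Assumption: this set stands in for the URI_INHERITS_SECURITY_CONTEXT
// protocol flag, limited to the two schemes the report names.
const INHERITING_SCHEMES = new Set(["javascript:", "data:"]);

// Split a text/uri-list drop payload: one URI per line, '#' lines are comments.
function parseUriList(payload) {
  return payload
    .split(/\r\n|\n|\r/)
    .filter((line) => line.trim() !== "" && !line.startsWith("#"));
}

// Classify one dropped string. Fails closed: unparseable input is blocked.
function checkDroppedUri(raw) {
  let url;
  try {
    // The WHATWG parser strips leading/trailing control characters and
    // spaces, removes embedded tabs and newlines, and lower-cases the
    // scheme, so the scheme is compared in the form a loader would see
    // rather than as the raw dropped text.
    url = new URL(raw);
  } catch (e) {
    return { raw, allowed: false, reason: "unparseable" };
  }
  if (INHERITING_SCHEMES.has(url.protocol)) {
    return { raw, allowed: false, reason: "inherits-security-context" };
  }
  return { raw, allowed: true, reason: "ok" };
}

// Check every URI in a drop; the caller refuses the drop if any is blocked.
function checkDrop(payload) {
  return parseUriList(payload).map(checkDroppedUri);
}

// Constructed sample payload (not taken from the bug).
const SAMPLE_DROP = [
  "# constructed sample",
  "https://example.org/page",
  " JaVa\tScRiPt:void(0)",
  "data:text/plain,hello",
  "not a uri",
].join("\r\n");
```

Comparing the raw string against a prefix such as `javascript:` would miss the third sample line, which is why the classification runs on the parsed scheme.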
Comment 1•15 years ago
Just a note that bug 545714 makes nsDragAndDrop.dragDropSecurityCheck obsolete so we should change the new code instead.
See Also: → 545714
Comment 2•15 years ago
Also consider the use of checkLoadURIStrWithPrincipal instead.
Comment 3•4 years ago
Bulk-downgrade of unassigned, >=5 years untouched DOM/Storage bugs' priority.
If you have reason to believe this is wrong (especially for the severity), please write a comment and ni :jstutte.
Severity: normal → S4
Priority: -- → P5