Closed
Bug 629682
Opened 13 years ago
Closed 9 years ago
Add a better warning message for SVG-as-an-image external resources being blocked
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla39
Tracking | Status | |
---|---|---|
firefox39 | --- | fixed |
People
(Reporter: dholbert, Assigned: longsonr)
References
Details
Attachments
(1 file, 1 obsolete file)
2.23 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
Bug 628747 imposed some restrictions, essentially preventing SVG-as-an-image from loading external resources, including resources loaded from the same domain (since those could actually translate into resources from a remote domain in some cases, for sites with open redirectors). Right now, we're posting a "CheckSameOriginError" warning in the error console to notify users about the blocked resource, to aid in website debugging: > nsScriptSecurityManager::ReportError( > nsnull, NS_LITERAL_STRING("CheckSameOriginError"), principalURI, > aContentLocation); http://hg.mozilla.org/mozilla-central/rev/21f96c423923 However, "CheckSameOriginError" is technically not the right error message to show, since in most cases the resource will probably *be coming from the same domain* (and we're just blocking it to be on the safe side). Luckily, the actual longhand text of this error is pretty vague, so it'll still be helpful for now: > Security Error: Content at %S may not load data from %S. ... but nonetheless, we should probably add a more specific, clearer error message for this situation, once we're not in an l10n string freeze.
Reporter | ||
Updated•13 years ago
|
Whiteboard: [todo after Firefox 4 branches]
Assignee | ||
Comment 1•9 years ago
|
||
Attachment #8570935 -
Flags: review?(dholbert)
Reporter | ||
Comment 2•9 years ago
|
||
Comment on attachment 8570935 [details] [diff] [review] warning.txt Thanks for picking this up! >+++ b/dom/locales/en-US/chrome/security/caps.properties > CheckSameOriginError = Security Error: Content at %S may not load data from %S. >+ExternalDataError = Security Error: Content at %S may not load external data. We probably should still include the external resource URI somehow, for two reasons: (1) It'll be useful for the author -- they may have a huge .svg file, with an external resource buried in there somewhere, with no way of finding it if we don't give them a hint at what to search for. (2) The function we're using -- nsScriptSecurityManager::ReportError() -- expects to be providing both URIs to the localized string (and you're passing in both URIs, too) -- so it's a bit bogus that we're providing these strings and then not using them. It's effectively doing printf("blah %s", localURI, resourceURI), with one more arg than "%s". Probably not a big deal, but a bit hacky. So, maybe reword as: Security Error: Content at %S may not load external data; blocking its attempt to load %S. ...or: Security Error: Content at %S attempted to load %S, but may not load external data when being used as an image. ...or maybe you can think of better wording that includes the resource URL. (I also thought of "may not load external data from %S", but that gives the impression that it *just* can't load external data from *this one place*.)
Reporter | ||
Updated•9 years ago
|
OS: Linux → All
Hardware: x86 → All
Whiteboard: [todo after Firefox 4 branches]
Reporter | ||
Updated•9 years ago
|
Assignee: nobody → longsonr
Assignee | ||
Comment 3•9 years ago
|
||
Of the two suggestions I picked the one I preferred.
Attachment #8570935 -
Attachment is obsolete: true
Attachment #8570935 -
Flags: review?(dholbert)
Attachment #8572863 -
Flags: review?(dholbert)
Reporter | ||
Comment 4•9 years ago
|
||
Comment on attachment 8572863 [details] [diff] [review] warning.txt r=me. Thanks! (If you haven't already, please test the final patch locally & make sure the message actually shows up correctly in error console, before landing.)
Attachment #8572863 -
Flags: review?(dholbert) → review+
Assignee | ||
Comment 5•9 years ago
|
||
Will this require translation? If so do I need to do set anything in the bug to indicate this?
Reporter | ||
Comment 6•9 years ago
|
||
Yes, I believe it will. I think localizers look for new strings and translate them proactively, and you only need to set flags if it's a late-breaking string change (e.g. for something being backported). jwatt can confirm/correct my interpretation on this; I'm pretty sure I've seen him adding strings recently.
Flags: needinfo?(jwatt)
Comment 7•9 years ago
|
||
Correct, as long as you don't plan on uplifting, this can just land.
Flags: needinfo?(jwatt)
Assignee | ||
Comment 8•9 years ago
|
||
Local testing... Security Error: Content at http://www.standardista.com/clowncar/clown.svg attempted to load http://www.standardista.com/clowncar/images/small.png, but may not load external data when being used as an image.
Assignee | ||
Comment 9•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ba19816e1e4
Comment 10•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/7ba19816e1e4
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox39:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
You need to log in
before you can comment on or make changes to this bug.
Description
•