Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 656815 - javascript: URIs refuse to load when channel owner is null
: javascript: URIs refuse to load when channel owner is null
Product: Core
Classification: Components
Component: General (show other bugs)
: unspecified
: All All
: -- normal (vote)
: mozilla6
Assigned To: :Gavin Sharp [email:]
Depends on: 656433
  Show dependency treegraph
Reported: 2011-05-12 17:18 PDT by :Gavin Sharp [email:]
Modified: 2011-05-26 20:50 PDT (History)
4 users (show) in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (975 bytes, patch)
2011-05-12 17:19 PDT, :Gavin Sharp [email:]
bzbarsky: feedback-
Details | Diff | Splinter Review
patch (1.25 KB, patch)
2011-05-13 10:23 PDT, :Gavin Sharp [email:]
no flags Details | Diff | Splinter Review
patch, with tests (4.79 KB, patch)
2011-05-13 10:42 PDT, :Gavin Sharp [email:]
bzbarsky: review+
Details | Diff | Splinter Review

Description :Gavin Sharp [email:] 2011-05-12 17:18:03 PDT
See bug 656433 comment 19 and subsequent comments. Once we disallow inheriting of principals for URIs entered in the location bar, it would be nice to continue to allow javascript URIs that simply produce output to continue to work, by having them run against a null principal.
Comment 1 :Gavin Sharp [email:] 2011-05-12 17:19:28 PDT
Created attachment 532084 [details] [diff] [review]

This seems to work (tested with the patch from bug 656433). Is it going to cause any security problems? I don't know!
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2011-05-12 18:08:33 PDT
Comment on attachment 532084 [details] [diff] [review]

We actually depend on this code being the way it is to avoid running JS (even in a sandbox) in some contexts.  I'd rather not change that behavior right now.

For the bug 656433 thing, we'd want to get a null principal in docshell only.
Comment 3 :Gavin Sharp [email:] 2011-05-13 10:23:11 PDT
Created attachment 532270 [details] [diff] [review]

As discussed on IRC.
Comment 4 :Gavin Sharp [email:] 2011-05-13 10:42:00 PDT
Created attachment 532274 [details] [diff] [review]
patch, with tests
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2011-05-13 10:54:05 PDT
Comment on attachment 532274 [details] [diff] [review]
patch, with tests

Comment 6 Brendan Eich [:brendan] 2011-05-13 11:33:50 PDT
Appreciate this followup work -- my javascript: typing habits thank you!

Comment 7 :Gavin Sharp [email:] 2011-05-16 18:10:33 PDT
Comment 8 :Gavin Sharp [email:] 2011-05-16 18:13:03 PDT
Note that there's still a slight annoyance here: the JS loaded in this scenario still won't have an associated window object, so thing like e.g. "javsacript:alert(1+1)" still won't work. We should probably get a followup filed to run them against about:blank somehow.

Note You need to log in before you can comment on or make changes to this bug.