Bug 656815 - javascript: URIs refuse to load when channel owner is null
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: General
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: mozilla6
Assigned To: :Gavin Sharp [email: gavin@gavinsharp.com]
Mentors:
Depends on: 656433
Blocks:
Reported: 2011-05-12 17:18 PDT by :Gavin Sharp [email: gavin@gavinsharp.com]
Modified: 2011-05-26 20:50 PDT (History)
gavin.sharp: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (975 bytes, patch)
2011-05-12 17:19 PDT, :Gavin Sharp [email: gavin@gavinsharp.com]
bzbarsky: feedback-
patch (1.25 KB, patch)
2011-05-13 10:23 PDT, :Gavin Sharp [email: gavin@gavinsharp.com]
no flags
patch, with tests (4.79 KB, patch)
2011-05-13 10:42 PDT, :Gavin Sharp [email: gavin@gavinsharp.com]
bzbarsky: review+

Description :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-12 17:18:03 PDT
See bug 656433 comment 19 and subsequent comments. Once we disallow inheriting of principals for URIs entered in the location bar, it would be nice to continue to allow javascript URIs that simply produce output to continue to work, by having them run against a null principal.
Comment 1 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-12 17:19:28 PDT
Created attachment 532084 [details] [diff] [review]
patch

This seems to work (tested with the patch from bug 656433). Is it going to cause any security problems? I don't know!
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2011-05-12 18:08:33 PDT
Comment on attachment 532084 [details] [diff] [review]
patch

We actually depend on this code being the way it is to avoid running JS (even in a sandbox) in some contexts.  I'd rather not change that behavior right now.

For the bug 656433 thing, we'd want to get a null principal in docshell only.
Comment 3 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-13 10:23:11 PDT
Created attachment 532270 [details] [diff] [review]
patch

As discussed on IRC.
Comment 4 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-13 10:42:00 PDT
Created attachment 532274 [details] [diff] [review]
patch, with tests
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2011-05-13 10:54:05 PDT
Comment on attachment 532274 [details] [diff] [review]
patch, with tests

r=me
Comment 6 Brendan Eich [:brendan] 2011-05-13 11:33:50 PDT
Appreciate this followup work -- my javascript: typing habits thank you!

/be
Comment 7 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-16 18:10:33 PDT
http://hg.mozilla.org/mozilla-central/rev/2c977d6f8a75
Comment 8 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-05-16 18:13:03 PDT
Note that there's still a slight annoyance here: the JS loaded in this scenario still won't have an associated window object, so things like e.g. "javascript:alert(1+1)" still won't work. We should probably get a followup filed to run them against about:blank somehow.
