Closed Bug 656823 Opened 14 years ago Closed 8 years ago

Loading data: URLs from bookmarks shouldn't inherit principal

Categories

(Firefox :: General, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1324406

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, testcase, Whiteboard: [sg:want])

1. In the address bar, enter data:text/html,<script>alert(document.cookie)</script>

Result: shows Bugzilla cookie

Expected: show empty alert

(Figuring out what to do for *javascript:* URLs is controversial and covered in other bugs.)

(Changing the behavior of data: *links in web pages* is controversial and covered in other bugs.)
Gavin has a fix for the url bar case.
Gavin's patch in bug 656433 fixes the address bar case.
Depends on: 656433
(In reply to comment #0)
> Result: shows Bugzilla cookie
>
> Expected: show empty alert

Note that the patch in bug 656433 has slightly different expected results: no alert appears, because window.alert is undefined (there is no window object).
That sounds quite strange. How does the data: document end up without a window object?
Gavin: that sounds odd. For javascript:, maybe, but data: should do the right thing.
Yes, sorry, I was confusing data: and javascript:. data: URIs show the alert, javascript: URIs don't.
Summary: Loading data: URLs from bookmarks or address bar shouldn't inherit principal → Loading data: URLs from bookmarks shouldn't inherit principal
Christoph, this is fixed now, right? Can you mark this as a dep on the bug that fixed this?
Flags: needinfo?(ckerschb)
(In reply to :Gijs from comment #8)
> Christoph, this is fixed now, right? Can you mark this as a dep on the bug
> that fixed this?

Let's mark it as a duplicate.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ckerschb)
Resolution: --- → DUPLICATE