Closed Bug 659681 Opened 13 years ago Closed 13 years ago

Show compatibility warning if a javascript: or data: URLs are used

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect, P2)

Tracking

(Not tracked)

VERIFIED FIXED
6.0.12

People

(Reporter: jorgev, Assigned: basta)

References

Details

(Whiteboard: [fx6][post-freeze+])

Attachments

(1 file)

As explained in bug 656433, javascript: and data: URLs can no longer be executed from the location bar in the context of the page currently being displayed. It's difficult to tell if this affects any add-ons, but we should show a warning anyway. We should flag all uses of javascript: or data: URLs in JS code. 

This is only a warning. It should appear in the compatibility message sent to authors, but should not prevent a compatibility bump from happening.
Whiteboard: [fx6] → [fx6][post-freeze+]
Target Milestone: 6.1.0 → 6.0.12
Message:

Loading javascript: or data: URLs through the URL bar may no longer work as expected in Firefox 6. If you load these types of URL, please test your add-on on the latest Firefox 6 builds, or refer to <LINKED_BUG> for more information.

Krupa:

Subtitles Timeline uses javascript: URLs
https://addons.mozilla.org/en-US/firefox/addon/subtitles-timeline/
I'm not sure what I should be looking for in the validator with this one. Changes to window.location[.href]? To the best of my understanding of bug 656433, the bug only applies to javascript: and data: URLs that are pasted into the location bar, so executing those URLs via href attributes on <a> tags, for instance, shouldn't be flagged.
In bug 656433 they made sure that it worked when executed from a document and from a bookmark. If you can discard those uses, that's good. However, limiting this to changes to window.location might discard situations where the bug affects an add-on, since there are many ways to execute such URLs.
I guess I'm just unsure of which ways are affected and which aren't affected by this. To make this work, I need to test each individual way that you can launch the URLs. I could always implement it as a naive regex, but that would pick up every instance of "javascript:" or "data:", so that's probably a rather bad thing.
That's the reason we are only showing this as a warning, because we don't know if any add-on is affected, or under which circumstances they could be affected. We just want to let developers know that they should double check.
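The trade-off discussed above, as an added example (not code from the amo-validator commit linked in this bug): a check that only flags JS string literals beginning with `javascript:` or `data:`, next to the naive regex that matches every occurrence. The function names and the sample source are constructed for illustration, and the tokenizer is a simplification that does not handle regex literals or template strings.

```python
import re

# String literals and comments in JS source; comments are matched only to skip them.
TOKEN = re.compile(r'''
    //[^\n]*                        # line comment
  | /\*.*?\*/                       # block comment
  | "(?P<dq>(?:\\.|[^"\\\n])*)"     # double-quoted string
  | '(?P<sq>(?:\\.|[^'\\\n])*)'     # single-quoted string
''', re.VERBOSE | re.DOTALL)

# The scheme must open the literal, so "metadata: x" or "?q=data:1" do not count.
SCHEME = re.compile(r'\s*(javascript|data):', re.IGNORECASE)
NAIVE = re.compile(r'(javascript|data):', re.IGNORECASE)


def line_of(source, offset):
    """1-based line number of a character offset."""
    return source.count('\n', 0, offset) + 1


def find_url_literals(source):
    """Return (line, scheme, literal) for literals starting with javascript: or data:."""
    hits = []
    for m in TOKEN.finditer(source):
        body = m.group('dq') if m.group('dq') is not None else m.group('sq')
        if body is None:
            continue  # token was a comment
        scheme = SCHEME.match(body)
        if scheme:
            hits.append((line_of(source, m.start()), scheme.group(1).lower(), body))
    return hits


def naive_hits(source):
    """Lines matched by the naive regex: every 'javascript:' or 'data:' anywhere."""
    return [line_of(source, m.start()) for m in NAIVE.finditer(source)]


# Constructed sample add-on code, not taken from any real add-on.
SAMPLE = '''\
// open javascript: URL in the tab (comment, not a use)
var opts = { type: "POST", data: { id: 1 } };
gBrowser.loadURI("javascript:void(document.title='x')");
var img = 'data:image/png;base64,AAAA';
var label = "metadata: none";
link.href = "http://example.com/?q=data:1";
'''
```

On the sample, the literal-based check reports lines 3 and 4, while the naive regex reports all six lines. Neither can tell whether the URL ends up being loaded through the location bar, which is why the result is only suitable as a warning.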
Depends on: 661259, 661261
No longer depends on: 661261
Merged:

https://github.com/mozilla/amo-validator/commit/7778eec40ff8923f8f515d17b702b17690706a8a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attached image post-fix screenshot
Product: addons.mozilla.org → addons.mozilla.org Graveyard