Closed Bug 66200 Opened 25 years ago Closed 25 years ago

sidebarURLSecurityCheck for addPanel function doesn't admit chrome URLs

Categories

(SeaMonkey :: Sidebar, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 48583

People

(Reporter: sbanu, Assigned: matt)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
BuildID: mozilla 0.6

There are situations like mine when you really want to add a XUL file panel which is a chrome resource. So, you have your own component with a new sidebar panel. Of course you want your panel to be a chrome file, or simply a file.

In nsSidebar.js:

    91 function sidebarURLSecurityCheck(url)
    92 {
    93     if (url.search(/(^http:|^ftp:|^https:)/) == -1)
    94         throw "Script attempted to add sidebar panel from illegal source";
    95 }

Line 93 should be like:

    if (url.search(/(^http:|^ftp:|^https:|^chrome:|^file:)/) == -1)

I guess you know this better than me.

sorinb
Calling addPanel on chrome:// URLs is disabled for security reasons. See discussion in bug 58844 (which covers this issue and is marked WONTFIX). I presume that the argument for file:// URLs being disallowed is exactly the same, but cc'ing hyatt to see what he says.
OS: Windows NT → All
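
Added example (not part of the bug report and not Mozilla code): the scheme check quoted in the report, run against constructed URLs next to a hypothetical parser-based variant, to show that both reject `chrome:` and `file:` and differ only on a mixed-case scheme. All names other than `sidebarURLSecurityCheck`, and all sample URLs, are assumptions.

```javascript
// Check as quoted in the report (nsSidebar.js, lines 91-95).
function sidebarURLSecurityCheck(url) {
  if (url.search(/(^http:|^ftp:|^https:)/) == -1)
    throw "Script attempted to add sidebar panel from illegal source";
}

// Wrap the throwing check so results can be compared as booleans.
function regexAllows(url) {
  try { sidebarURLSecurityCheck(url); return true; } catch (e) { return false; }
}

// Hypothetical variant: parse the URL, then compare its scheme to an allowlist.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);
function schemeAllowed(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // relative or unparseable input is rejected
  }
  // The parser lower-cases the scheme, so "HTTPS:" compares as "https:".
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs (not taken from the bug).
const samples = [
  "http://example.com/panel.html",          // remote content: allowed
  "HTTPS://example.com/panel.html",         // regex is case-sensitive and rejects
  "chrome://mycomponent/content/panel.xul", // privileged chrome: rejected
  "file:///C:/mycomponent/panel.xul",       // local file: rejected
  "panel.xul",                              // no scheme at all: rejected
];

function compare() {
  return samples.map((url) => ({
    url,
    regex: regexAllows(url),
    parsed: schemeAllowed(url),
  }));
}

console.table(compare());
```
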
I intend to address this in an older bug.

*** This bug has been marked as a duplicate of 48583 ***
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
1. In the Sidebar component there isn't another duplicate. Other places... couldn't know!

2. OK. I perfectly understand what this security should be all about, but take it like this: if somebody can addPanel(...) any other XUL than a chrome one or a file one, why do you think you are so secure? First of all it could add anything he wants and there could be a lot of bad XULs on the internet or whatever. What is the problem in adding from "untrusted content" "trusted URLs"? There are a lot of "trusted" and "untrusted" URLs on the internet. Oh, so it is good if we have untrusted content adding untrusted Panels?

3. All this, I guess, does not make a lot of sense. BUT, accepting your view, let's take it like this: You want (accept) other guys to make their own components that can be added in Netscape and work fine with it. I still have in mind that you have there a good team knowing that a new component added by a guy doesn't mean using or modifying a component of yours which is there to do the same thing (except the URL check). My component uses a Panel in Sidebar. So I have to add a Panel there in order for my component to work. My component is not one that works only online. I guess you understood what I meant!

4. Anyway, a solution would have been an AddPanel function that could be called only from C++ code (not only one called from JScript code), that of course wouldn't have given access to it from JS, and could have loaded chrome XULs without any problems.

Anyway (again), I know you have a lot to work there (and I wish you good luck in making the best browser ever (I am on Netscape side ;)), and that's why I leave this BUG resolved. And don't bother anymore with it (or me)! I will modify the code for my component and that's all.
.
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey