Closed Bug 669046 Opened 13 years ago Closed 13 years ago

Whitelist (instead of blacklist) the URLs that can be dropped onto the tab strip

Categories

(Firefox :: Tabbed Browser, defect)

Type: defect; Priority: Not set; Severity: normal

RESOLVED INVALID

People

(Reporter: fryn, Unassigned)

Details

From bug 455694 comment 190:

> > @@ +3736,5 @@
> > // valid urls don't contain spaces ' '; if we have a space it isn't a valid url.
> > // Also disallow dropping javascript: or data: urls--bail out
> > if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
> >     /^\s*(javascript|data):/.test(url))
> >   return;
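
Review bot: The scheme test in the last condition, `/^\s*(javascript|data):/.test(url)`, is case-sensitive, while URL schemes are matched case-insensitively, so an upper-case or mixed-case spelling of either scheme is not caught here unless the string is normalized before this point, which the excerpt does not show. Adding the `i` flag to the regular expression closes that gap. The comment above the condition could also state why these two schemes are refused, since "bail out" records the action and not the reason.
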
> 
> Hmm, this should probably be a whitelist to only allow certain URLs.

Why should it be a whitelist?

Just general principle that it's often more robust to whitelist than blacklist. Should we allow gopher:// or mms:// URLs to be dropped here? Seems like we should limit it to things we know we can load.

This isn't about what can/can't be loaded. (And it's not generally true that gopher can't be loaded, as something might have registered a protocol handler for it.) javascript: and data: are prevented for security reasons (bug 280056).

What about something like the bit.ly sidebar that runs from a javascript: "bookmarklet"? Will this kill those types of javascript? Or is this just for dragging, not clicking a bookmark?

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
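
The two approaches discussed in this thread, side by side, as an added example that is not Firefox code or part of the bug: `denylistAccepts` reproduces the quoted condition, while `allowlistAccepts`, `ALLOWED_SCHEMES`, `compare` and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not Firefox code. ALLOWED_SCHEMES is an assumed policy,
// chosen only to illustrate the allowlist approach proposed in the thread.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "file:"]);

// The condition quoted in the bug: refuse empty strings, strings containing
// a space, and javascript: / data: URLs. Everything else is accepted.
function denylistAccepts(url) {
  if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
      /^\s*(javascript|data):/.test(url))
    return false;
  return true;
}

// Allowlist variant: parse the string first, then accept it only if the
// parsed scheme is named in the policy. Unparseable input is refused.
function allowlistAccepts(url) {
  let parsed;
  try {
    parsed = new URL(url); // the WHATWG parser returns the scheme lowercased
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs, covering the schemes named in the thread.
const SAMPLES = [
  "https://example.org/",
  "gopher://example.org/",
  "mms://example.org/stream",
  "javascript:void(0)",
  "data:text/plain,hi",
];

// Run both checks over the samples and return one row per URL.
function compare(samples) {
  return samples.map((u) => ({
    url: u,
    denylist: denylistAccepts(u),
    allowlist: allowlistAccepts(u),
  }));
}

console.table(compare(SAMPLES));
```

The two checks differ only on `gopher:` and `mms:`: the allowlist refuses them even where a protocol handler is registered, which is the trade-off raised in the reply above.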