Closed Bug 817007 Opened 7 years ago Closed 5 years ago
Consider removing "<file>" hack from the permission manager
Currently, if there is an entry with "<file>" as a host in the permission manager, the expected behaviour is that this will apply for all local files. With bug 815640, it will only apply to a file that doesn't already have an explicit permission listed. Using <file> is a security issue (a user can trust certain files but not others) and there is nearly no downside in having this feature removed in favour of per-file permissions except for someone who would test a website locally with heavy permissions usage.
Fix the user interface first, because currently <file> is the only exception type that can be created from the cookie exceptions dialog. As an example, entering "file:///tmp/test.html" in the dialog will produce an exception for host "tmp". Entering "<file>" in the same dialog does at least create a usable exception even if it would be preferable to have separate ones for each path. A full file URL exception can be set from the dialog that appears to ask about each cookie (assuming that custom privacy setting is configured), although the about:permissions page will mis-report the permissions for that file and will not report any cookies set by it. I have raised bug 921280 for the about:permissions problem. Even then it might be wise to leave the hack in place so that existing permissions are not wiped out, or worse yet a repeat of the bug 814554 breakage. There is no meaningful way to migrate an all-encompassing "<file>" exception to the new regime, but perhaps the dialog could be prevented from creating any more permissions of that type. Or a stronger form of warning?
Let's drop support for this now that bug 1165263 is being fixed. Michael has already fixed the UI issue in comment 1.
Assignee: nobody → michael
Comment on attachment 8623318 [details] [diff] [review] Part 1: Remove <file> hack from the permission manager Review of attachment 8623318 [details] [diff] [review]: ----------------------------------------------------------------- (Please hold off landing this patch, all of your permission manager changes should land together, I think.)
Attachment #8623318 - Flags: review?(ehsan) → review+
(In reply to Ehsan Akhgari (not reviewing patches, not reading bugmail, needinfo? me!) from comment #6) > (Please hold off landing this patch, all of your permission manager changes > should land together, I think.) Or more precisely, in the next cycle. :-)
This (and everything else from ehsan's push) backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/de3fb216f066 for mass android reftest bustage: https://treeherder.mozilla.org/logviewer.html#?job_id=11676048&repo=mozilla-inbound
fixed patch is on inbound
You need to log in before you can comment on or make changes to this bug.