93761 - File URLs do not work with "Open New Window"

Status: VERIFIED DUPLICATE of bug 84128

(Core :: Security, defect)

Description

[Neil Marshall]

If I have a file:///c|/ listing and I ctrl-dblclick (or ctrl-click) it doesn't
open the link in a new window.

Shouldn't it operate the same as a link on a www page?

Comment 1

[Chris Lyon]

I think Ctrl+click is used for multi-select.  A workaround is to use the 
context menu.

I don't think it should work the same as a link on a www page, because you 
can't multi-select or move www links.

Comment 2

[Neil Marshall]

I just tried it in a file view.  Ctrl-click does not select multiple items.

Even if it did, what would it do?  It looks like you can drag and drop files 
into folders, but that doesn't work yet, so that can't be it.

I guess it all depends on where the file:/// list is headed.

Comment 3

[benc]

NEW: (do not dupe)


File URLs inside an HTTP served page will not work when used. This currently
includes "Open New Window", although I am not sure if there is a security
problem with this action.

You can see some of this discussed in bug 47988.

We need to find out from a security expert if there is risk in making this work.
If not, this bug still needs an error, and becomes a dupe of bug 84128.

Comment 4

[Chris Lyon]

My mistake, sorry.  I was thinking of the Manage Bookmarks window, which I 
thought used the same widget.

Comment 5

[Mitchell Stoltz (not reading bugmail)]

Yes, "Open In New Window" carries the same security risks as clicking on the
link, as users do both very often. HTTP content should not be able to load or
link to file:// content by any means (with a few exceptions - and this isn't one
of them). See 47988 for some explanation. 

*** This bug has been marked as a duplicate of 84128 ***

Comment 6

[benc]

VERIFIED:
same problem.

Comment 7

[benc]

-> security-general (checkURI is doing this).
qa to bsharma.