Closed Bug 1142774 Opened 10 years ago Closed 9 years ago

Allow loading images and videos from other domains without allowDomain

Categories

(Firefox Graveyard :: Shumway, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: till, Assigned: till)

References

Details

I realized there's a problem with the very strict interpretation of allowDomain we have right now: it prevents loading of images and videos, too. We need to still allow those, as not doing so has the potential to break way too much content.

The thing to do is probably to start loading and do the allowDomain check after the header has been parsed. If it's a SWF and the check fails, stop loading and discard the results. If it's an image, do the load, but prevent it from being passed into the player's iframe. That makes the inner sandbox more important than it was before, but I don't see a way around it.

Example of content broken by this: http://ichizengogo.blog.fc2.com/blog-entry-43.html (the image widget on the left)
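A sketch of the decision described in the comment above, added here as an illustration; it is not Shumway code and not part of the original report. The function names, the `exposeToPlayer` flag, the reduction of the allowDomain check to a set lookup, and the fail-closed handling of unrecognized content are all assumptions of this example.

```javascript
// Added illustration; every name here is hypothetical, not Shumway's API.
// File signatures checked against the first bytes of the response body.
const SIGNATURES = [
  { kind: 'swf',   bytes: [0x46, 0x57, 0x53] },  // "FWS" uncompressed SWF
  { kind: 'swf',   bytes: [0x43, 0x57, 0x53] },  // "CWS" zlib-compressed SWF
  { kind: 'swf',   bytes: [0x5a, 0x57, 0x53] },  // "ZWS" LZMA-compressed SWF
  { kind: 'image', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }, // PNG
  { kind: 'image', bytes: [0xff, 0xd8, 0xff] },  // JPEG
  { kind: 'image', bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8" (GIF87a/GIF89a)
];
const MIN_HEADER = 8; // length of the longest signature above

// Classify by content, not by the declared type or the URL extension.
function sniffKind(header) {
  if (header.length < MIN_HEADER) return 'need-more-data';
  const hit = SIGNATURES.find(s => s.bytes.every((b, i) => header[i] === b));
  return hit ? hit.kind : 'unknown';
}

// Decide what to do once the header of a started load is available.
// allowedDomains stands in for the result of the allowDomain check (assumption).
function decideLoad(header, resourceDomain, loaderDomain, allowedDomains) {
  const kind = sniffKind(header);
  if (kind === 'need-more-data') return { action: 'wait', kind };
  const permitted = resourceDomain === loaderDomain ||
                    allowedDomains.has(resourceDomain);
  if (permitted) return { action: 'load', exposeToPlayer: true, kind };
  // Check failed: an image still loads, but its data stays out of the
  // player's iframe; a SWF is stopped and its partial result discarded.
  if (kind === 'image') return { action: 'load', exposeToPlayer: false, kind };
  // Unrecognized content is treated like a failing SWF (assumption: fail closed).
  return { action: 'abort', exposeToPlayer: false, kind };
}

// Constructed sample: cross-domain PNG header with no allowDomain grant.
const samplePng = Uint8Array.of(0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a);
console.log(decideLoad(samplePng, 'cdn.example', 'app.example', new Set()));
```

Because the image path depends entirely on `exposeToPlayer: false` being honoured, the boundary that enforces it is the one to test hardest, which is the point the comment makes about the inner sandbox.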
allowDomain doesn't need to block M3 because it only breaks some ads.
Blocks: shumway-m4
No longer blocks: shumway-m3
Till is working on cross-domain image loading.
Assignee: ydelendik → till
Depends on: 1188840
Status: NEW → ASSIGNED
No longer depends on: 1188840
Product: Firefox → Firefox Graveyard
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE