Closed
Bug 1273936
Opened 8 years ago
Closed 8 years ago
Make about:license linkable again
Categories
(Core :: Networking, defect)
RESOLVED
FIXED
mozilla50
| | Tracking | Status |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: dveditz, Assigned: jduell.mcbugs)
Details
(Whiteboard: [necko-active])
Attachments
(1 file)
patch (deleted), Gijs: review+
bug 1253673 allowed us to make a distinction between linkable and unlinkable "safe" about: pages, and proceeded to make most of them unlinkable. This was an improvement for the parameterized pages where people could cause mischief, but we may have gone too far and hidden some about:s used by support or other community web pages.
We should restore (MAKE_LINKABLE):
about:credits
about:license
about:rights
and probably
about:buildconfig
Comment 1•8 years ago
I disagree with this. Why do these pages need to be linkable from unprivileged webpages?
Flags: needinfo?(dveditz)
Comment 2•8 years ago
FWIW, as a random example, the SUMO pages about troubleshooting information like about:support do not link to the page - they only offer instructions on how to open it through the menu.
Comment 4•8 years ago (Reporter)
(In reply to :Gijs Kruitbosch from comment #1)
> I disagree with this. Why do these pages need to be linkable from
> unprivileged webpages?
I think they are used, they aren't harmful (strictly static content, no params), and they have been historically.
Blocks: CVE-2016-5268
No longer depends on: CVE-2016-5268, 1269238
Flags: needinfo?(dveditz)
Version: 38 Branch → unspecified
Comment 5•8 years ago
I would certainly occasionally appreciate the ability to send people a link to about:license.
about:credits in a sense already has its own link, which is https://www.mozilla.org/credits/ - because that's where about:credits takes you.
It seems to be that allowing SUMO to provide direct links to about:buildconfig and about:support would be most useful.
Gerv
Comment 6•8 years ago (Reporter)
(In reply to Gervase Markham [:gerv] from comment #5)
> It seems to be that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.
about:support is privileged so it's not ever linkable, however we have a special hack to let SUMO trigger it anyway:
https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions#22
I suppose if it can launch the real about:support we don't need direct links to about:buildconfig since you can get there from about:support.
Comment 7•8 years ago (Reporter)
narrowing focus of bug to about:license given the above.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
Comment 8•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #4)
> (In reply to :Gijs Kruitbosch from comment #1)
> > I disagree with this. Why do these pages need to be linkable from
> > unprivileged webpages?
>
> I think they are used, they aren't harmful (strictly static content, no
> params) and they have been historically.
I think my worry is that just like the data/blob/view-source debacle, they could be (ab)used if web-accessible, and the gain in linking to them doesn't seem such that that's necessary.
(In reply to Gervase Markham [:gerv] from comment #5)
> I would certainly occasionally appreciate the ability to send people a link
> to about:license.
If it's worth doing I'm sure we could tidy up and publicize https://mxr.mozilla.org/mozilla-central/source/toolkit/content/license.html somehow. The links won't work in any other browser anyway, so I'm not sure to what degree sending people a link like that through some other medium (email? chat?) would be very useful right now.
> It seems to be that allowing SUMO to provide direct links to
> about:buildconfig and about:support would be most useful.
SUMO has magical (UITour) ways of doing all kinds of stuff, including invoking Fx Refresh. If they very much wanted links to about:buildconfig (I think you overestimate the degree of technical skill we assume for most of its readers!) or about:support, then we can expose something specifically for them, which would be fine by me.
Summary: Make about:license linkable again → Make support-ish about: pages linkable again
Comment 9•8 years ago
Oops.
Summary: Make support-ish about: pages linkable again → Make about:license linkable again
Updated•8 years ago
Whiteboard: [necko-active]
Comment 11•8 years ago
Fixing this is trivial. The question is whether we want to.
Comment 12•8 years ago (Assignee)
I don't know enough about the security issues here to make a call on whether to land the patch here.
Dan, Gijs, who should make the call here?
Flags: needinfo?(dveditz)
Updated•8 years ago (Assignee)
Flags: needinfo?(gijskruitbosch+bugs)
Comment 13•8 years ago
I'm biased, I'll let Dan take care of this. :-)
Flags: needinfo?(gijskruitbosch+bugs)
Comment 14•8 years ago (Reporter)
I don't feel that strongly either way. It's been broken on Beta for a month or so and we haven't heard terrible screams about it being gone. The content itself is still discoverable through the About dialog.
Flags: needinfo?(dveditz)
Comment 15•8 years ago
:gijs: looks like it's your call.
Gerv
Flags: needinfo?(gijskruitbosch+bugs)
Comment 16•8 years ago
I guess a priori there is no reason this would be any more dangerous than any of the other non-about-blank about: pages that are still accessible (though that's a shrinking list). We can come back to this if/when we make more meaningful strides in making about:blank the only linkable thing, but at least for now it seems hard to see any avenues for this really being exploited - harder than some of the other pages, anyway.
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: checkin-needed
Updated•8 years ago
Attachment #8754493 - Flags: review+
Comment 17•8 years ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/553ce3faa35f
make about:license content-linkable again, r=gijs
Keywords: checkin-needed
Comment 18•8 years ago
bugherder
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50