Closed Bug 174388 Opened 22 years ago Closed 18 years ago

data: URLs cause cross-site security restrictions

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dbaron, Assigned: dveditz)

References

Details

Attachments

(1 file)

testcase described in comment 0
(deleted), application/vnd.mozilla.xul+xml
Details
data: URLs seem to be causing cross-site security restrictions. In my opinion, they shouldn't. (If we're dealing with something where the URL of the document/stylesheet is accessible, there doesn't seem to be much security risk. Is that ever not the case?) Steps to reproduce: 1. load the testcase (to be attached) 2. click on "Change Image" 3. Look at Javascript Console 4. See: Error: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "file:///home/dbaron/webtest/149203.xul Line: 19"]
Attached file testcase described in comment 0 (deleted) —
Blocks: 144766
Well so long as we don't let a data: URI act as a kind of proxy between two http: pages...
Depends on: 221428
Blocks: 270748
Assignee: security-bugs → dveditz
QA Contact: bsharma → caps
Fixed by checkin for bug 221428.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: