Open
Bug 388553
Opened 18 years ago
Updated 2 years ago
can't use skinnable favicons in FTP/File/Jar dir listings due to security restrictions
Categories: Firefox :: File Handling, defect
Status: NEW
People: Reporter: dao, Unassigned
Details: Keywords: polish, Whiteboard: [polish-hard][polish-visual][polish-p5]
Attachments: 1 file, 1 obsolete file
(deleted), patch
spin-off from bug 294800:
> buffer.AppendLiteral(...
> "<link rel=\"icon\" type=\"image/png\" href=\"");
> //XXX can't use skinnable icons here due to security restrictions
> if (isSchemeRemote) {
> //buffer.AppendLiteral("chrome://global/skin/dirListing/remote.png");
> buffer.AppendLiteral("data:image/png;base64,...");
> } else {
> //buffer.AppendLiteral("chrome://global/skin/dirListing/local.png");
> buffer.AppendLiteral("data:image/png;base64,...");
> }
> buffer.AppendLiteral("\" />\n<title>");
When using a chrome URI, the favicon isn't loaded and the error console says:
"Security Error: Content at http://ftp.mozilla.org/pub/mozilla.org/ may not load or link to chrome://global/skin/dirListing/remote.png."
Comment 1•18 years ago
Related to/dupe of bug 301119?
Comment 2•18 years ago (Reporter)
Bug 301119 is remotely related. FTP/File/Jar dir listings are built through streamconv. As far as I can tell, that's significantly different from error pages.
Comment 3•18 years ago (Reporter)
Comment 4•18 years ago (Reporter)
Comment on attachment 272779
loosen restrictions
This is tested for ftp, file, jar and gopher dir listings with a modified version of the patch for bug 294800. I've used a local html file to verify that |fileName == ""| works.
Comment 5•17 years ago (Reporter)
Comment 6•17 years ago (Reporter)
In case this won't be fixed, the icons should be removed from the theme packages.
Flags: blocking-firefox3?
Comment 7•17 years ago
Can't we just set some class on the affected <tr> or <td> and let the theme set the icon there via CSS?
Comment 8•17 years ago (Reporter)
This bug is about <link rel="icon"...>, not the listing table itself.
Comment 9•17 years ago
Ah, right. Still this appears in the theme, and hardcoded paths for theme icons also suck. I guess we may not be able to do without them though in this case...
Comment 10•17 years ago
That patch doesn't work for jar: listings, does it?
In general, any time a patch is hardcoding schemes it's buggy...
Comment 11•17 years ago
Why not replace the literal URIs with code to sync-read data from a chrome:// URI and create the data: URI on the fly? That would make this themable without requiring us to poke holes in our security policy.
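The approach suggested in comment 11, sketched as an added example (not Mozilla code and not from any patch on this bug): the privileged generator converts icon bytes it has already read into a data: URI, so the generated page never links to chrome://. `Base64Encode`, `MakeIconLink` and the sample bytes are hypothetical names and constructed data; the read from the chrome:// URI itself is assumed to have happened before these functions are called.

```cpp
// Added illustration; not Mozilla code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Standard base64 (RFC 4648) with '=' padding.
std::string Base64Encode(const std::vector<uint8_t>& in) {
    static const char kAlphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    out.reserve((in.size() + 2) / 3 * 4);
    for (size_t i = 0; i < in.size(); i += 3) {
        size_t n = in.size() - i;  // bytes left in this group: 1, 2 or >= 3
        uint32_t v = uint32_t(in[i]) << 16;
        if (n > 1) v |= uint32_t(in[i + 1]) << 8;
        if (n > 2) v |= uint32_t(in[i + 2]);
        out += kAlphabet[(v >> 18) & 63];
        out += kAlphabet[(v >> 12) & 63];
        out += n > 1 ? kAlphabet[(v >> 6) & 63] : '=';
        out += n > 2 ? kAlphabet[v & 63] : '=';
    }
    return out;
}

// Builds the favicon element for a generated listing page from icon bytes
// that the privileged generator has already read from the theme.
// The MIME type is fixed by the generator, never taken from the input, and
// the base64 alphabet cannot close the attribute, so no escaping is needed.
// An empty result means "emit no icon" rather than a broken link.
std::string MakeIconLink(const std::vector<uint8_t>& png) {
    if (png.empty()) return std::string();
    return "<link rel=\"icon\" type=\"image/png\" href=\"data:image/png;base64," +
           Base64Encode(png) + "\" />\n";
}

// Constructed sample: the 8-byte PNG signature standing in for a theme icon.
std::vector<uint8_t> SampleIconBytes() {
    return {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
}

int main() {
    std::cout << MakeIconLink(SampleIconBytes());
    return 0;
}
```
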
Comment 12•17 years ago (Reporter)
(In reply to comment #10)
> That patch doesn't work for jar: listings, does it?
I'm not sure if I tested jar explicitly, but schemeIs("jar") && fileName == "" is true, so I suppose it does work.
(In reply to comment #11)
> Why not replace the literal URIs with code to sync-read data from a chrome://
> URI and create the data: URI on the fly?
That's probably too much for me to handle, I barely know C++ after all. I agree that it sounds safer, but I won't be the assignee then.
Updated•17 years ago (Reporter)
Assignee: dao → nobody
Status: ASSIGNED → NEW
Updated•17 years ago (Reporter)
Attachment #272779 - Attachment description: patch → loosen restrictions
Updated•17 years ago
Attachment #272779 - Flags: review?(gavin.sharp)
Updated•17 years ago
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [wanted-firefox3]
Comment 13•17 years ago (Reporter)
Comment on attachment 272779
loosen restrictions
Actually this patch is wrong, as dir listing URLs don't have to end with a slash, which means that fileName isn't necessarily empty.
Attachment #272779 - Attachment is obsolete: true
Updated•17 years ago
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
Comment 14•17 years ago (Reporter)
(In reply to comment #13)
> (From update of attachment 272779)
> Actually this patch is wrong, as dir listing URLs don't have to end with a
> slash, which means that fileName isn't necessarily empty.
Additionally, proxy servers often serve custom HTML for ftp dir listings, so this is really not the way to go.
Comment 16•16 years ago
This bug's priority relative to the set of other polish bugs is:
P5 - Polish issue that is rarely encountered, and is not easily identifiable.
These icons are incorrect, but users don't that commonly use ftp/file/jar listings, and those that do are not that likely to consciously notice that they are seeing an aero icon when they should be seeing a tango icon, etc.
Whiteboard: [polish-hard][polish-visual] → [polish-hard][polish-visual][polish-p5]
Updated•2 years ago
Severity: normal → S3