Closed
Bug 445466
Opened 16 years ago
Closed 16 years ago
When a script loaded from file: requests UniversalBrowserRead privilege, user is always prompted to allow or deny, even if they tick "Remember this decision" box.
Categories
(Firefox :: Security, defect)
RESOLVED DUPLICATE of bug 427051
People
(Reporter: tony72, Unassigned)
Attachments (1 file): (deleted), text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
In Firefox 3, a script loaded from a "file://" URL requests UniversalBrowserRead privilege:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
The user receives a dialog titled "Internet Security", contents "A script from "file://" is requesting enhanced abilities [...] Allow these abilities only if you trust the source to be free of viruses or malicious programs."
The dialog has "Allow" and "Deny" buttons, and a "Remember this decision" checkbox. However, even if the "Remember this decision" checkbox is ticked and the "Allow" button clicked, the choice is not remembered between sessions. The next time the page is visited after the browser has been restarted, the user will get the same prompt.
Examining the prefs.js file, we can see that each time the user ticks that checkbox and clicks allow, three lines are added, with the digit after "codebase.p" incrementing each time:
user_pref("capability.principal.codebase.p0.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p0.id", "file://");
user_pref("capability.principal.codebase.p0.subjectName", "");
user_pref("capability.principal.codebase.p1.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p1.id", "file://");
user_pref("capability.principal.codebase.p1.subjectName", "");
user_pref("capability.principal.codebase.p2.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p2.id", "file://");
user_pref("capability.principal.codebase.p2.subjectName", "");
etc.
Reproducible: Always
Steps to Reproduce:
1. Open the test file (will attach) using the File->Open menu option in FF3.
2. In the "Internet Security" dialog that pops up, tick the "Remember this decision" checkbox, then click "Allow"
3. Close Firefox 3
4. Restart Firefox 3, and open the test file again.
Actual Results:
Observe that you still get the "Internet Security" dialog in step 4, which should not happen.
Expected Results:
The "Internet Security" prompt should not appear if "Remember this decision" was ticked and "Allow" clicked.
This is important for embedded/kiosk etc. applications, where use of signed scripts may not be an option and user interaction may be restricted. I am not aware of a workaround.
I'm not sure how to attach a file; I will try to paste the HTML code of a test file below:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title></title>
</head>
<body>
Bug demo
<script type="text/javascript" language="JavaScript">
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
</script>
</body>
</html>
Comment 1 (Reporter) • 16 years ago
Updated • 16 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
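An added example, not part of the original bug report and not Mozilla code: a small prefs.js audit that lists which codebase principals hold stored privilege grants and flags the duplicate pN slots the report describes. The sample input is constructed from the lines quoted in the report; the function names are hypothetical, and treating the "granted" value as a space-separated list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the prefs.js lines quoted in the report.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("capability.principal.codebase.p0.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p0.id", "file://");
user_pref("capability.principal.codebase.p0.subjectName", "");
user_pref("capability.principal.codebase.p1.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p1.id", "file://");
user_pref("capability.principal.codebase.p1.subjectName", "");
'''

# Matches only capability.principal.codebase.<slot>.<field> preferences.
PREF_RE = re.compile(
    r'^user_pref\("capability\.principal\.codebase\.(p\d+)\.(\w+)",\s*"([^"]*)"\);\s*$'
)

def parse_codebase_principals(text):
    """Return {slot: {field: value}} for every codebase principal pref found."""
    slots = defaultdict(dict)
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            slot, field, value = m.groups()
            slots[slot][field] = value
    return dict(slots)

def audit(text):
    """Group slots by (principal id, granted privileges) and mark duplicates."""
    by_grant = defaultdict(list)
    slots = parse_codebase_principals(text)
    for slot in sorted(slots, key=lambda s: int(s[1:])):
        fields = slots[slot]
        # Assumption: several privileges would be separated by spaces.
        granted = tuple(sorted(fields.get("granted", "").split()))
        if granted:
            by_grant[(fields.get("id", ""), granted)].append(slot)
    return [
        {"id": pid, "granted": list(privs), "slots": found, "duplicate": len(found) > 1}
        for (pid, privs), found in by_grant.items()
    ]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS):
        print(finding)
```

A finding whose id is the bare "file://" scheme, as in the report, means the stored grant is not tied to any particular file or directory.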