Bugzilla – Full Text Bug Listing
| Summary: | fix WebSite.MapUrlToZone without breaking about:blank security bypass | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Eclipse Project] Platform | Reporter: | Grant Gayed <grant_gayed> | ||||
| Component: | SWT | Assignee: | Grant Gayed <grant_gayed> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | |||||
| Severity: | normal | ||||||
| Priority: | P3 | ||||||
| Version: | 3.7 | ||||||
| Target Milestone: | --- | ||||||
| Hardware: | PC | ||||||
| OS: | Windows All | ||||||
| Whiteboard: | stalebug | ||||||
| Attachments: |
|
||||||
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. If the bug is still relevant, please remove the stalebug whiteboard tag. |
Created attachment 198573 [details] desired patch The attached patch fixes the problem of displaying modern HTML content via setText(), as well as showing it on the first setUrl() without checking for !performingInitialNavigate first. However it has one problem, it restricts setText() from showing links that can access the local file system. Surprisingly, changing URLZONE_INTRANET to URLZONE_LOCAL_MACHINE seems to impose this constraint, even though it's supposed to be more permissive. This change is largely what fixes the problem of displaying modern HTML content via setText(). To test the security cases change a Snippet128 listener to: boolean trusted = (counter++ % 2) == 0; browser.setText( "<html><body>" + "trusted? " + (trusted ? "yes" : "no") + "<a href=\"file://c|/setupisam.log\">click</a>" + "<iframe src=\"file://c|/setupisam.log\"></iframe>" + "<iframe src=\"file://c|/Program Files/Mozilla Firefox/firefox.exe\"></iframe>" + "</body></html>", trusted); To test the rendering of modern content change a Snippet128 listener to: browser.setText("<!DOCTYPE HTML><html><body><canvas id=\"myCanvas\">your browser does not support the canvas tag </canvas><script type=\"text/javascript\">var canvas=document.getElementById('myCanvas');var ctx=canvas.getContext('2d');ctx.fillStyle='#FF0000';ctx.fillRect(0,0,80,100);</script></body></html>");