Bug 350328 - fix WebSite.MapUrlToZone without breaking about:blank security bypass
Status: CLOSED WONTFIX
Alias: None
Product: Platform
Classification: Eclipse Project
Component: SWT
Version: 3.7
Hardware: PC Windows All
Importance: P3 normal
Target Milestone: ---
Assignee: Grant Gayed CLA
Whiteboard: stalebug
Reported: 2011-06-24 16:19 EDT by Grant Gayed CLA
Modified: 2019-11-27 07:29 EST

Attachments
desired patch (3.00 KB, patch)
2011-06-24 16:19 EDT, Grant Gayed CLA
Description Grant Gayed CLA 2011-06-24 16:19:41 EDT
Created attachment 198573
desired patch

The attached patch fixes the problem of displaying modern HTML content via setText(), as well as showing it on the first setUrl() without checking for !performingInitialNavigate first.  However, it has one problem: it restricts setText() from showing links that can access the local file system.  Surprisingly, changing URLZONE_INTRANET to URLZONE_LOCAL_MACHINE seems to impose this constraint, even though it's supposed to be more permissive.  This change is largely what fixes the problem of displaying modern HTML content via setText().

To test the security cases change a Snippet128 listener to:

boolean trusted = (counter++ % 2) == 0;
browser.setText(
	"<html><body>" +
	"trusted? " + (trusted ? "yes" : "no") +
	"<a href=\"file://c|/setupisam.log\">click</a>" +
	"<iframe src=\"file://c|/setupisam.log\"></iframe>" +
	"<iframe src=\"file://c|/Program Files/Mozilla Firefox/firefox.exe\"></iframe>" +
	"</body></html>", trusted);

To test the rendering of modern content change a Snippet128 listener to:

browser.setText(
	"<!DOCTYPE HTML><html><body>" +
	"<canvas id=\"myCanvas\">your browser does not support the canvas tag </canvas>" +
	"<script type=\"text/javascript\">" +
	"var canvas=document.getElementById('myCanvas');" +
	"var ctx=canvas.getContext('2d');" +
	"ctx.fillStyle='#FF0000';" +
	"ctx.fillRect(0,0,80,100);" +
	"</script></body></html>");

Comment 1 Lars Vogel CLA 2019-11-27 07:29:20 EST
This bug hasn't had any activity in quite some time. Maybe the problem got
resolved, was a duplicate of something else, or became less pressing for some
reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it.
The information can be, for example, that the problem still occurs, that you
still want the feature, that more information is needed, or that the bug is
(for whatever reason) no longer relevant.

If the bug is still relevant, please remove the stalebug whiteboard tag.