javascript:open from about:(blank|home) triggers LOCAL rule

al_9x · Post by **al_9x** » Wed Jun 22, 2011 1:05 pm

Fx 4.0.1, NS 2.1.1.2rc6

enter "javascript:open('http://localhost/','_self')" on about:home or about:blank

Post by **Giorgio Maone** » Wed Jun 22, 2011 1:44 pm

That's by design. Only chrome: and local network origins are included.
You can tweak it manually, if you need to.

al_9x · Post by **al_9x** » Wed Jun 22, 2011 1:49 pm

about:home is essentially chrome: it's definitely LOCAL, why would it not be?

about:blank is less clear, does not treating it as LOCAL actually protect you from anything?

al_9x · Post by **al_9x** » Wed Jun 22, 2011 5:33 pm

I know I can tweak the rules, but I am trying to understand the reasons for the default behavior.

Is not about:home a chrome, privileged page so why is it not LOCAL?

Is about:blank not LOCAL because a remote site can issue a local request with about:blank as origin? How?

Post by **Giorgio Maone** » Wed Jun 22, 2011 6:04 pm

See http://forums.informaction.com/viewtopi ... 882#p28882

Regarding about:home (and, more in general, internal browser URIs) I'm not gonna exempt them by default unless one of them demonstrate to need access to local resources.

InformAction Forums

javascript:open from about:(blank|home) triggers LOCAL rule

javascript:open from about:(blank|home) triggers LOCAL rule

Re: javascript:open from about:(blank|home) triggers LOCAL r

Re: javascript:open from about:(blank|home) triggers LOCAL r

Re: javascript:open from about:(blank|home) triggers LOCAL r

Re: javascript:open from about:(blank|home) triggers LOCAL r