Weirdness with iframe srcdocs

[barbaz]

SeaMonkey 2.23, NS 2.6.8.9rc5. If I Allow file://, then open a file with this contents:

Code: Select all

<!DOCTYPE html>
<iframe srcdoc="<script type="text/javascript">alert("Cuckoo");</script><div>text</div>"></iframe>
<div id="2">noscript</div>
<script type="text/javascript">document.getElementById("2").innerHTML = "Script";</script>

I get an alert even though about:srcdoc is listed as forbidden in the menu
This is unexpected behavior - it would be better if about:srcdoc is either not shown in the menu (with each srcdoc automatically getting the same permissions as its parent page), or scripts from srcdocs are forbidden until explicitly allowing about:srcdoc. Would it be possible (and reasonable) to make one of those changes?

[Giorgio Maone]

it would be better if about:srcdoc is either not shown in the menu (with each srcdoc automatically getting the same permissions as its parent page), or scripts from srcdocs are forbidden until explicitly allowing about:srcdoc. Would it be possible (and reasonable) to make one of those changes?

Yes, probably the former (just ignoring about:srcdoc or making it unmodifiable like chrome:) is the most viable and less confusing.

[Giorgio Maone]

Please check latest development build 2.6.8.10rc1, thanks.