Page 1 of 1
javascript:open from about:(blank|home) triggers LOCAL rule
Posted: Wed Jun 22, 2011 1:05 pm
by al_9x
Fx 4.0.1, NS 2.1.1.2rc6
enter "javascript:open('
http://localhost/','_self')" on about:home or about:blank
Re: javascript:open from about:(blank|home) triggers LOCAL r
Posted: Wed Jun 22, 2011 1:44 pm
by Giorgio Maone
That's by design. Only chrome: and local network origins are included.
You can tweak it manually, if you need to.
Re: javascript:open from about:(blank|home) triggers LOCAL r
Posted: Wed Jun 22, 2011 1:49 pm
by al_9x
about:home is essentially chrome: it's definitely LOCAL, why would it not be?
about:blank is less clear, does not treating it as LOCAL actually protect you from anything?
Re: javascript:open from about:(blank|home) triggers LOCAL r
Posted: Wed Jun 22, 2011 5:33 pm
by al_9x
I know I can tweak the rules, but I am trying to understand the reasons for the default behavior.
Is not about:home a chrome, privileged page so why is it not LOCAL?
Is about:blank not LOCAL because a remote site can issue a local request with about:blank as origin? How?
Re: javascript:open from about:(blank|home) triggers LOCAL r
Posted: Wed Jun 22, 2011 6:04 pm
by Giorgio Maone
See
http://forums.informaction.com/viewtopi ... 882#p28882
Regarding about:home (and, more in general, internal browser URIs) I'm not gonna exempt them by default unless one of them demonstrate to
need access to local resources.