This is a security review of sorts, and I need your advice. In many
places where a URL specified in Web content is used to load or link to
additional content, we do a security check,
nsScriptSecurityManager::CheckLoadURI. This enforces some restrictions
on what types of content can load other types of content. Cutting to the
chase, my questions are these: Is there anywhere this check isn't being
called but should be? Is there anywhere where this check is too
restrictive? I need your help to make sure I haven't missed applying
this check in any crucial spots.
CheckLoadURI enforces a few different policies (see for yourself at ).
Basically, it keeps Web content (from http mainly) from loading or
linking to local content (from file: or chrome). It's called for link
clicks, script tags, style tags, frame tags, document.load(),
meta-refresh tags, base tags, and location= in the DOM. The full list is
at http://lxr.mozilla.org/seamonkey/search?string=checkloaduri
The obvious one that's missing is image tags - I'm waiting on Pavlov to
add this one. Is there anywhere else a URL can be included in web
content which could cause damage or be used to steal information if it's
allowed to be a file: or chrome: URL?
Things this prevents: executing JavaScript files on the user's machine
is one example. This can lead to stealing browser prefs or other
sensitive info, or potentially cause damage. Targeting a link at
/dev/(something interesting) on Unix, or at c:\con\con on Win98, can
cause lots of problems. It's generally a good thing to prevent.
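As an added illustration of the policy described in the post above (this is not Mozilla's nsScriptSecurityManager code), a simplified CheckLoadURI in C++: it classifies each URI by scheme and refuses to let content from a remote scheme such as http load or link to a file: or chrome: target. The treatment of drive-letter paths like c:\con\con and of a missing source scheme are assumptions made here, marked in the comments.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Lower-cased scheme of a URI (text before the first ':'); "" if it has none.
std::string schemeOf(const std::string& uri) {
    size_t start = uri.find_first_not_of(" \t\r\n");  // tolerate leading whitespace
    if (start == std::string::npos) return "";
    size_t colon = uri.find(':', start);
    if (colon == std::string::npos) return "";
    std::string scheme = uri.substr(start, colon - start);
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (scheme.empty() || !std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (unsigned char c : scheme)
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
    // Assumption: a lone letter before ':' is a Windows drive letter (c:\con\con),
    // i.e. a local file path rather than a URI scheme.
    if (scheme.size() == 1) return "file";
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Schemes that name content on the user's own machine.
bool isLocalScheme(const std::string& scheme) {
    return scheme == "file" || scheme == "chrome";
}

// Simplified stand-in for CheckLoadURI: may the document at `from` load or link
// to `to`? Policy from the post: Web content may not load or link to local
// content; local (trusted) content is not restricted here.
bool checkLoadURI(const std::string& from, const std::string& to) {
    std::string fromScheme = schemeOf(from);
    std::string toScheme = schemeOf(to);
    if (toScheme.empty()) toScheme = fromScheme;  // relative ref: resolves against the loader
    if (!isLocalScheme(toScheme)) return true;    // remote target: nothing to protect here
    // Local target: only local content may reach it. A missing or unknown source
    // scheme is treated as untrusted (assumption: fail closed).
    return isLocalScheme(fromScheme);
}

int main() {
    // Constructed sample loads: a Web page trying to reach local resources.
    const char* targets[] = {"file:///etc/passwd", "c:\\con\\con", "lib.js"};
    for (const char* t : targets)
        std::cout << "http page -> " << t << ": "
                  << (checkLoadURI("http://example.com/page.html", t) ? "allow" : "deny") << '\n';
}
```

The drive-letter rule is the one place this departs from a plain scheme comparison; without it, "c:\con\con" parses as scheme "c" and would slip past a check that only knows file: and chrome:.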