Re: Intent to unship: jar: URIs from content
On 10/19/15 4:07 PM, Gregory Szorc wrote:
> Or you could register a custom content type handler (possibly via a
> special "Gecko Hackers" Firefox add-on) that runs an appropriate mach
> command when said file is downloaded.

This ignores the point about running the file after downloading having different security characteristics from running it from bmo.

-Boris
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: jar: URIs from content
On Sat, Oct 17, 2015 at 3:48 PM, Ben Kelly wrote:

> On Oct 16, 2015 6:17 PM, "Robert O'Callahan" wrote:
> > I guess the right fix would be to have a Web proxy service that accepts
> > URLs in a custom format, unpacks ZIP files and serves their contents.
>
> Bugzilla could do this in a service worker.

Or you could register a custom content type handler (possibly via a special "Gecko Hackers" Firefox add-on) that runs an appropriate mach command when said file is downloaded.

Re: Intent to unship: jar: URIs from content
On Oct 16, 2015 6:17 PM, "Robert O'Callahan" wrote:
> I guess the right fix would be to have a Web proxy service that accepts
> URLs in a custom format, unpacks ZIP files and serves their contents.

Bugzilla could do this in a service worker.

Re: Intent to unship: jar: URIs from content
On Sat, Oct 17, 2015 at 6:13 AM, Gregory Szorc wrote:

> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:
>
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.

Not as convenient as clicking on a link.

I guess the right fix would be to have a Web proxy service that accepts URLs in a custom format, unpacks ZIP files and serves their contents.

Rob
--
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf toD selthor stor edna siewaoeodm or v sstvr esBa kbvted,t rdsme,aoreseoouoto o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm or rnea lurpr .a war hsrer holsa rodvted,t nenh hneireseoouot.tniesiewaoeivatewt sstvr esn

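The proxy idea in the message above, sketched as an added example that is not part of the original thread or of any Mozilla or Bugzilla code: it splits an `<archive-url>!/<entry>` URL (an assumed custom format, modelled on the `!/` separator in the URL quoted in this thread) and serves one member of an untrusted ZIP held in memory. The function names, the 1 MiB cap and the sample archive are assumptions.

```python
import io
import mimetypes
import posixpath
import zipfile

MAX_ENTRY_BYTES = 1 << 20  # assumed 1 MiB cap per entry (decompression bombs)


def split_archive_url(url):
    """Split '<archive-url>!/<entry>' (assumed format) into its two parts."""
    archive_url, sep, entry = url.partition("!/")
    if not sep or not entry:
        raise ValueError("expected <archive-url>!/<entry>")
    # Refuse absolute paths, backslashes and '..' segments up front.
    if entry.startswith("/") or "\\" in entry or ".." in entry.split("/"):
        raise ValueError("unsafe entry path")
    if posixpath.normpath(entry) != entry:
        raise ValueError("entry path is not normalized")
    return archive_url, entry


def serve_entry(zip_bytes, entry):
    """Return (headers, body) for one member of an untrusted ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(entry)  # raises KeyError when the member is absent
        if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
            raise ValueError("entry is a directory or too large")
        # The declared size can lie, so cap the actual read as well.
        with zf.open(info) as fh:
            body = fh.read(MAX_ENTRY_BYTES + 1)
    if len(body) > MAX_ENTRY_BYTES:
        raise ValueError("entry too large")
    ctype = mimetypes.guess_type(entry)[0] or "application/octet-stream"
    # nosniff stops the browser from reinterpreting the member's type.
    return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}, body


def sample_zip():
    """Constructed sample archive, not a real Bugzilla attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.html", "<p>testcase</p>")
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder host, not a real service.
    _, name = split_archive_url("https://example.invalid/attachment.zip!/test.html")
    print(serve_entry(sample_zip(), name))
```

Serving the member over HTTP from a dedicated origin keeps the testcase out of the file:// context that Boris raises elsewhere in this thread.
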
Re: Intent to unship: jar: URIs from content
On 10/16/15 1:13 PM, Gregory Szorc wrote:
> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.

This would automate the "download, unzip" step, sure.

Note that this still changes the security context the attachment is running in. I'm not super-happy running random reporter-provided code from file:// without having looked at it first.

-Boris

Re: Intent to unship: jar: URIs from content
On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:

> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.

If this is a common use case, then `mach test` should be able to accept a bz://123456 URL, autodiscover a test case attachment on that bug, download it, and run it.

Re: Intent to unship: jar: URIs from content
On 2015-10-15 7:08 PM, Robert O'Callahan wrote:
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.

When speaking with Boris on IRC today he also mentioned that he does use jar URLs in this way. You can flip the pref to get this back :-)

Re: Intent to unship: jar: URIs from content
Robert O'Callahan wrote:
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla

Or indeed any ZIP-like file, once you flip the appropriate pref.

--
Warning: May contain traces of nuts.

Re: Intent to unship: jar: URIs from content
I'm sad that I won't be able to use jar: URLs to load testcases in ZIP files uploaded to Bugzilla, but this sounds like the right thing to do.

Rob
--
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf toD selthor stor edna siewaoeodm or v sstvr esBa kbvted,t rdsme,aoreseoouoto o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm or rnea lurpr .a war hsrer holsa rodvted,t nenh hneireseoouot.tniesiewaoeivatewt sstvr esn

Re: Intent to unship: jar: URIs from content
On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari wrote:

> We currently support URLs such as http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.

I've always been surprised by this (and resource:, although I think there's a story behind that one). Glad to see it go.

Nick

Re: Intent to unship: jar: URIs from content
OMG yes please.

Jason

On Thu, Oct 15, 2015 at 11:31 AM, Ehsan Akhgari wrote:

> On 2015-10-15 1:58 PM, Ehsan Akhgari wrote:
>
>> We currently support URLs such as
>> http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
>> This is a Firefox specific feature that no other engine implements,
>> and it increases our attack surface unnecessarily. As such, I would
>> like to put it behind a pref and disable it for Web content by default.
>
> FWIW I filed bug 1215235 for this. We'll wait for this discussion before
> landing code there.

--
Jason

Re: Intent to unship: jar: URIs from content
On 2015-10-15 1:58 PM, Ehsan Akhgari wrote:
> We currently support URLs such as http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.

FWIW I filed bug 1215235 for this. We'll wait for this discussion before landing code there.

Re: Intent to unship: jar: URIs from content
Huzzah! Thanks for fixing this Ehsan.

On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari wrote:

> We currently support URLs such as http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.
>
> Are there any objections?
>
> Thanks!

Re: Intent to unship: jar: URIs from content
SGTM!

On 10/15/2015 11:58 AM, Ehsan Akhgari wrote:
> We currently support URLs such as http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.
>
> Are there any objections?
>
> Thanks!

Intent to unship: jar: URIs from content
We currently support URLs such as http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>. This is a Firefox specific feature that no other engine implements, and it increases our attack surface unnecessarily. As such, I would like to put it behind a pref and disable it for Web content by default.

Are there any objections?

Thanks!