Re: Intent to unship: jar: URIs from content

2015-10-19 Thread Gregory Szorc
On Sat, Oct 17, 2015 at 3:48 PM, Ben Kelly wrote:

> On Oct 16, 2015 6:17 PM, "Robert O'Callahan" wrote:
> > I guess the right fix would be to have a Web proxy service that accepts
> > URLs in a custom format, unpacks ZIP files and serves their contents.
>
> Bugzilla could do this in a service worker.
>
Or you could register a custom content type handler (possibly via a special
"Gecko Hackers" Firefox add-on) that runs an appropriate mach command when
said file is downloaded.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to unship: jar: URIs from content

2015-10-19 Thread Boris Zbarsky

On 10/19/15 4:07 PM, Gregory Szorc wrote:

> Or you could register a custom content type handler (possibly via a special
> "Gecko Hackers" Firefox add-on) that runs an appropriate mach command when
> said file is downloaded.


This ignores the point about running the file after downloading having 
different security characteristics from running it from bmo.


-Boris



Re: Intent to unship: jar: URIs from content

2015-10-17 Thread Ben Kelly
On Oct 16, 2015 6:17 PM, "Robert O'Callahan" wrote:
> I guess the right fix would be to have a Web proxy service that accepts
> URLs in a custom format, unpacks ZIP files and serves their contents.

Bugzilla could do this in a service worker.


Re: Intent to unship: jar: URIs from content

2015-10-16 Thread Boris Zbarsky

On 10/16/15 1:13 PM, Gregory Szorc wrote:

> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:
>
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.


This would automate the "download, unzip" step, sure.

Note that this still changes the security context the attachment is 
running in.  I'm not super-happy running random reporter-provided code 
from file:// without having looked at it first.


-Boris


Re: Intent to unship: jar: URIs from content

2015-10-16 Thread Gregory Szorc
On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:

> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.
>

If this is a common use case, then `mach test` should be able to accept a
bz://123456 URL, autodiscover a test case attachment on that bug, download
it, and run it.


Re: Intent to unship: jar: URIs from content

2015-10-16 Thread Robert O'Callahan
On Sat, Oct 17, 2015 at 6:13 AM, Gregory Szorc wrote:

> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan wrote:
>
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>>
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.
>

Not as convenient as clicking on a link.

I guess the right fix would be to have a Web proxy service that accepts
URLs in a custom format, unpacks ZIP files and serves their contents.

Rob


Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Ehsan Akhgari

On 2015-10-15 7:08 PM, Robert O'Callahan wrote:

> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.


When speaking with Boris on IRC today he also mentioned that he does use 
jar URLs in this way.  You can flip the pref to get this back  :-)




Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Nicholas Alexander
On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari wrote:

> We currently support URLs such as  http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily.  As such, I would like to put
> it behind a pref and disable it for Web content by default.
>

I've always been surprised by this (and resource:, although I think there's
a story behind that one).  Glad to see it go.

Nick


Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Jason Duell
OMG yes please.

Jason

On Thu, Oct 15, 2015 at 11:31 AM, Ehsan Akhgari wrote:

> On 2015-10-15 1:58 PM, Ehsan Akhgari wrote:
>
>> We currently support URLs such as
>> > http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1=application/java-archive!/test.html
>> >.
>>   This is a Firefox specific feature that no other engine implements,
>> and it increases our attack surface unnecessarily.  As such, I would
>> like to put it behind a pref and disable it for Web content by default.
>>
>
> FWIW I filed bug 1215235 for this.  We'll wait for this discussion before
> landing code there.


Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Bobby Holley
Huzzah! Thanks for fixing this Ehsan.

On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari wrote:

> We currently support URLs such as  http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily.  As such, I would like to put
> it behind a pref and disable it for Web content by default.
>
> Are there any objections?
>
> Thanks!


Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Ehsan Akhgari

On 2015-10-15 1:58 PM, Ehsan Akhgari wrote:

> We currently support URLs such as
> .
> This is a Firefox specific feature that no other engine implements,
> and it increases our attack surface unnecessarily.  As such, I would
> like to put it behind a pref and disable it for Web content by default.


FWIW I filed bug 1215235 for this.  We'll wait for this discussion 
before landing code there.




Re: Intent to unship: jar: URIs from content

2015-10-15 Thread Aaron Klotz

SGTM!

On 10/15/2015 11:58 AM, Ehsan Akhgari wrote:
> We currently support URLs such as
> .
> This is a Firefox specific feature that no other engine implements,
> and it increases our attack surface unnecessarily.  As such, I would
> like to put it behind a pref and disable it for Web content by default.
>
> Are there any objections?
>
> Thanks!