Mamoru Tasaka
mtasa****@ioa*****
Mon, 16 Nov 2009 00:48:38 JST
Yavor Doganov wrote, at 11/15/2009 10:49 PM +9:00:
> Mamoru Tasaka wrote:
>> - what is the rationale for disabling bookmarking of URIs beginning with
>> "data:"?
>
> The rationale is explained at http://lcamtuf.coredump.cx/ffbook:

I already saw the URL, however I still fail to understand the rationale.

> Note that with my patch it is still possible to add a data: or
> javascript: bookmark if the user consciously edits the bookmark
> manually (there is probably a useful and non-dangerous application of
> this functionality, if the user really knows what he's doing).

If it is possible to add the URI manually anyway, I don't see the necessity of the patch.

> The "security" context of allowing this via Bookmarks -> Add to bookmarks
> menu is that a webpage can easily trick the user into semi-accidentally
> adding a bookmark with subsequent malicious effects as described in
> the third paragraph above.

... But when bookmarking the URI, the user sees the URI once anyway?

>> I have a Fedora 12 i686 system and even with firefox 3.5.5
>> I can bookmark such a URI (i.e. a URI beginning with data:)
>
> All versions of Firefox are vulnerable, yes. Mozilla people seem to
> agree, the relevant upstream bug is (I believe):
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=528772

Yes, so does it mean that the Firefox people are refusing the proposition?
(and the original bug is https://bugzilla.mozilla.org/show_bug.cgi?id=371179 )
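The check the thread is arguing about, as an added example that is not code from the patch, from Firefox, or from either author: the "Add to bookmarks" menu path refuses data: and javascript: schemes, while a deliberate manual edit is still allowed to add them. The function names and the bookmark store are assumptions.

```javascript
// Added example, not from the thread or from the patch it discusses.
// Models the policy under debate: the menu path refuses data: and javascript:
// URIs, a manual edit may still add them. All names here are assumptions.

const BLOCKED_SCHEMES = new Set(["data", "javascript"]);

// Extract the scheme the way a URL parser would see it: strip leading and
// trailing C0 controls/space, drop embedded tab/newline characters (the WHATWG
// URL parser discards those, so "java\nscript:" is still javascript:), then
// match the scheme token. Returns null when there is no scheme.
function schemeOf(uri) {
  const cleaned = String(uri)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Policy for the menu path: a URI is bookmarkable only if it has a scheme
// and that scheme is not on the block list.
function isMenuBookmarkable(uri) {
  const scheme = schemeOf(uri);
  return scheme !== null && !BLOCKED_SCHEMES.has(scheme);
}

// store is a plain array of {title, uri}; viaMenu says which path added it.
// Returns {added, reason} so the caller can tell the user why a menu add
// was refused instead of silently dropping it.
function addBookmark(store, title, uri, { viaMenu }) {
  if (viaMenu && !isMenuBookmarkable(uri)) {
    const s = schemeOf(uri);
    const reason = s === null ? "no scheme" : `scheme "${s}" not allowed from menu`;
    return { added: false, reason };
  }
  store.push({ title, uri });
  return { added: true, reason: null };
}

// Constructed sample: the same page-supplied URI arriving via the menu
// (refused) and via a conscious manual edit (accepted).
const sampleStore = [];
const viaMenu = addBookmark(sampleStore, "odd page", "data:text/html,<h1>hi</h1>", { viaMenu: true });
const viaEdit = addBookmark(sampleStore, "odd page", "data:text/html,<h1>hi</h1>", { viaMenu: false });
```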