info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to implement and ship: Ignore navigation to unknown protocol
603 views
Skip to first unread message
Emilio Cobos Álvarez
Mar 29, 2020, 2:24:06 AM3/29/20
to dev-platform
Hey, a quick web-observable change that may deserve a bit more
visibility / an intent.
I'd welcome some feedback, specially from the fingerprinting / privacy
angle (where I'm clearly not an expert).
Summary: A page redirecting / navigating to an unknown protocol will be
silently ignored (and logged to the DevTools console) instead of showing
an error page. This is not amazing, but it's needed because it causes a
bunch of compat issues (see the list of issues in the bug below).
There are a few subtle problems here. Part of the issue is that authors
don't have a cross-browser way of detecting whether a protocol will be
handled externally (that is, whether an app is installed to handle a
given protocol).
They technically can in Firefox (see example below). It's unclear
whether we want to expose more than that, or that at all.
Given Chrome just ignores the navigation if they can't handle it, some
authors (who don't seem to test on other browsers ;)) just spam the
redirect (using various methods like the location href setter / meta
refresh / whatevs). This works just fine in Chromium-based browsers, but
not in Firefox or Safari, which will just show an error, which causes a
very frustrating experience for users.
As far as I know, this behavior doesn't really expose more information
than we were exposing before. In a test-case like:
<iframe src="unhandled-protocol://foo"></iframe>
<iframe src="handled-protocol://foo"></iframe>
we have different behavior also before this patch: the contentDocument
for the handled-protocol iframe will be accessible to content, and be
about:blank. The contentDocument for the unhandled protocol will be the
error page, which will not be accessible to content and thus be null.
Other browsers seem to do about:blank for both iframes, but you can also
detect this in all browsers via window.open instead (there may be other
ways around it too, haven't dug all that much). Chrome insta-closes the
handled protocol window (so you can check window.closed). Firefox /
Safari will leave about:blank in that window, and show an error document
for the second (which will throw a security error on access).
So I don't think this change introduces a new privacy hole. That being
said, this all seems a bit sad, and a somewhat-serious potential
fingerprinting factor. I was in fact a bit nervous about this change
before realizing we were already exposing this information in other
(even simpler to test) ways... But I'm clearly not an expert on this matter.
There are mitigations possible both for the ignored-navigation case
(maybe only ignore the navigation to an unknown protocol once per
document or something, and only for browsing contexts that can't be
accessed by any ancestor JS? not sure) and the iframe case (probably
just not show error pages in frames?). Please let me know if I you think
I should file this and follow-up on it.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1528305
Standard: https://html.spec.whatwg.org/#process-a-navigate-url-scheme
allows for both the old and new behavior, as far as I (and Anne) can
tell. This uses urls after redirect and so on so beforeunload and such
will fire. This matches the behavior of Chromium browsers.
Preference: dom.no_unknown_protocol_error.enabled (I could've sweated it
a bit more).
Devtools bug: N/A, ignored navigations get logged to the console.
Other browsers: Chromium browsers do this, but WebKit doesn't seem to.
This was causing compat issues, specially on Android, but also desktop
(see above).
web-platform-tests: Spec allows both behaviors, so I've added an
internal test for now. Furthermore it's not clear if we want to do this
for sub-windows, which my patch does, so I may need to tweak the test or
add an internal switch depending on the outcome of the discussion here.
Secure contexts: not restricted to secure contexts, this is a compat
hack, of sorts...
Is this feature enabled by default in sandboxed iframes? Not sure if the
question quite applies to this, but we don't special-case sandboxed
iframes here. This doesn't expose anything you couldn't do before, as
discussed above.
Thanks for reading all the way until here
-- Emilio
visibility / an intent.
I'd welcome some feedback, specially from the fingerprinting / privacy
angle (where I'm clearly not an expert).
Summary: A page redirecting / navigating to an unknown protocol will be
silently ignored (and logged to the DevTools console) instead of showing
an error page. This is not amazing, but it's needed because it causes a
bunch of compat issues (see the list of issues in the bug below).
There are a few subtle problems here. Part of the issue is that authors
don't have a cross-browser way of detecting whether a protocol will be
handled externally (that is, whether an app is installed to handle a
given protocol).
They technically can in Firefox (see example below). It's unclear
whether we want to expose more than that, or that at all.
Given Chrome just ignores the navigation if they can't handle it, some
authors (who don't seem to test on other browsers ;)) just spam the
redirect (using various methods like the location href setter / meta
refresh / whatevs). This works just fine in Chromium-based browsers, but
not in Firefox or Safari, which will just show an error, which causes a
very frustrating experience for users.
As far as I know, this behavior doesn't really expose more information
than we were exposing before. In a test-case like:
<iframe src="unhandled-protocol://foo"></iframe>
<iframe src="handled-protocol://foo"></iframe>
we have different behavior also before this patch: the contentDocument
for the handled-protocol iframe will be accessible to content, and be
about:blank. The contentDocument for the unhandled protocol will be the
error page, which will not be accessible to content and thus be null.
Other browsers seem to do about:blank for both iframes, but you can also
detect this in all browsers via window.open instead (there may be other
ways around it too, haven't dug all that much). Chrome insta-closes the
handled protocol window (so you can check window.closed). Firefox /
Safari will leave about:blank in that window, and show an error document
for the second (which will throw a security error on access).
So I don't think this change introduces a new privacy hole. That being
said, this all seems a bit sad, and a somewhat-serious potential
fingerprinting factor. I was in fact a bit nervous about this change
before realizing we were already exposing this information in other
(even simpler to test) ways... But I'm clearly not an expert on this matter.
There are mitigations possible both for the ignored-navigation case
(maybe only ignore the navigation to an unknown protocol once per
document or something, and only for browsing contexts that can't be
accessed by any ancestor JS? not sure) and the iframe case (probably
just not show error pages in frames?). Please let me know if I you think
I should file this and follow-up on it.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1528305
Standard: https://html.spec.whatwg.org/#process-a-navigate-url-scheme
allows for both the old and new behavior, as far as I (and Anne) can
tell. This uses urls after redirect and so on so beforeunload and such
will fire. This matches the behavior of Chromium browsers.
Preference: dom.no_unknown_protocol_error.enabled (I could've sweated it
a bit more).
Devtools bug: N/A, ignored navigations get logged to the console.
Other browsers: Chromium browsers do this, but WebKit doesn't seem to.
This was causing compat issues, specially on Android, but also desktop
(see above).
web-platform-tests: Spec allows both behaviors, so I've added an
internal test for now. Furthermore it's not clear if we want to do this
for sub-windows, which my patch does, so I may need to tweak the test or
add an internal switch depending on the outcome of the discussion here.
Secure contexts: not restricted to secure contexts, this is a compat
hack, of sorts...
Is this feature enabled by default in sandboxed iframes? Not sure if the
question quite applies to this, but we don't special-case sandboxed
iframes here. This doesn't expose anything you couldn't do before, as
discussed above.
Thanks for reading all the way until here
-- Emilio
Emilio Cobos Álvarez
Mar 29, 2020, 3:12:08 AM3/29/20
to dev-pl...@lists.mozilla.org
Doing a bit of digging,
https://bugzilla.mozilla.org/show_bug.cgi?id=680300 contains some more
interesting context...
We apparently used to sync-throw when assigning location.href to an
unknown protocol URI in the past, there we changed it to silently fail,
and now it is navigating to an error page...
I'll try to look at when behavior changed around here... Though the
sync-throwing clearly makes no sense as it doesn't account for redirects
or what not.
-- Emilio
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
https://bugzilla.mozilla.org/show_bug.cgi?id=680300 contains some more
interesting context...
We apparently used to sync-throw when assigning location.href to an
unknown protocol URI in the past, there we changed it to silently fail,
and now it is navigating to an error page...
I'll try to look at when behavior changed around here... Though the
sync-throwing clearly makes no sense as it doesn't account for redirects
or what not.
-- Emilio
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
Emilio Cobos Álvarez
Mar 29, 2020, 3:29:13 AM3/29/20
to dev-pl...@lists.mozilla.org
On 3/29/20 9:11 AM, Emilio Cobos Álvarez wrote:
> Doing a bit of digging,
> https://bugzilla.mozilla.org/show_bug.cgi?id=680300 contains some more
> interesting context...
>
> We apparently used to sync-throw when assigning location.href to an
> unknown protocol URI in the past, there we changed it to silently fail,
> and now it is navigating to an error page...
>
> I'll try to look at when behavior changed around here... Though the
> sync-throwing clearly makes no sense as it doesn't account for redirects
> or what not.
Apparently the pre-firefox63 behavior was to both navigate and throw...
> Doing a bit of digging,
> https://bugzilla.mozilla.org/show_bug.cgi?id=680300 contains some more
> interesting context...
>
> We apparently used to sync-throw when assigning location.href to an
> unknown protocol URI in the past, there we changed it to silently fail,
> and now it is navigating to an error page...
>
> I'll try to look at when behavior changed around here... Though the
> sync-throwing clearly makes no sense as it doesn't account for redirects
> or what not.
So not all that much to dig in, that was just obviously wrong, but
didn't address the fingerprinting angle other than patching one of the
holes.
Bobby Holley
Mar 30, 2020, 2:02:32 PM3/30/20
to Emilio Cobos Álvarez, dev-platform
Reading the post a few times, I'm still unclear on a few things, so would
appreciate clarification. Here's what I understand from the post:
On the user's machine, there is some entropy, i.e. the set of schemes for
which an external protocol handler is registered. This entropy is currently
retrievable via various mechanisms. For webcompat reasons, we want to make
a change to one of those mechanisms, but the entropy will remain accessible
after this change.
What's less clear to me is how the proposed change impacts the entropy
exposure by the mechanism it targets. It seems to me that using about:blank
for both the handled and unhandled case would not expose this entropy, but
the post implies otherwise.
In other words: does this change put us on a path to eventually making this
entropy non-observable, or would we need to undo this change if/when we
pursue that?
Thanks!
On Sun, Mar 29, 2020 at 12:29 AM Emilio Cobos Álvarez <emi...@crisal.io>
wrote:
appreciate clarification. Here's what I understand from the post:
On the user's machine, there is some entropy, i.e. the set of schemes for
which an external protocol handler is registered. This entropy is currently
retrievable via various mechanisms. For webcompat reasons, we want to make
a change to one of those mechanisms, but the entropy will remain accessible
after this change.
What's less clear to me is how the proposed change impacts the entropy
exposure by the mechanism it targets. It seems to me that using about:blank
for both the handled and unhandled case would not expose this entropy, but
the post implies otherwise.
In other words: does this change put us on a path to eventually making this
entropy non-observable, or would we need to undo this change if/when we
pursue that?
Thanks!
On Sun, Mar 29, 2020 at 12:29 AM Emilio Cobos Álvarez <emi...@crisal.io>
wrote:
Emilio Cobos Álvarez
Mar 30, 2020, 3:43:37 PM3/30/20
to dev-pl...@lists.mozilla.org
On 3/30/20 8:02 PM, Bobby Holley wrote:
> Reading the post a few times, I'm still unclear on a few things, so would
> appreciate clarification. Here's what I understand from the post:
>
> On the user's machine, there is some entropy, i.e. the set of schemes for
> which an external protocol handler is registered. This entropy is currently
> retrievable via various mechanisms. For webcompat reasons, we want to make
> a change to one of those mechanisms, but the entropy will remain accessible
> after this change.
>
> What's less clear to me is how the proposed change impacts the entropy
> exposure by the mechanism it targets. It seems to me that using about:blank
> for both the handled and unhandled case would not expose this entropy, but
> the post implies otherwise.
>
> In other words: does this change put us on a path to eventually making this
> entropy non-observable, or would we need to undo this change if/when we
> pursue that?
Yeah, you're right. I was not clear about this when I wrote the original
> Reading the post a few times, I'm still unclear on a few things, so would
> appreciate clarification. Here's what I understand from the post:
>
> On the user's machine, there is some entropy, i.e. the set of schemes for
> which an external protocol handler is registered. This entropy is currently
> retrievable via various mechanisms. For webcompat reasons, we want to make
> a change to one of those mechanisms, but the entropy will remain accessible
> after this change.
>
> What's less clear to me is how the proposed change impacts the entropy
> exposure by the mechanism it targets. It seems to me that using about:blank
> for both the handled and unhandled case would not expose this entropy, but
> the post implies otherwise.
>
> In other words: does this change put us on a path to eventually making this
> entropy non-observable, or would we need to undo this change if/when we
> pursue that?
email, but this patch makes things slightly better. It makes the known /
unknown-ness of the protocol not observable in the navigation case.
That being said there are still a bunch of ways to get that information.
I just filed bug 1626068 to potentially try to minimize this.
-- Emilio
fut...@gmail.com
Apr 18, 2020, 11:51:20 AM4/18/20
to
Op zondag 29 maart 2020 08:24:06 UTC+2 schreef Emilio Cobos Álvarez:
the issue is more complex: as the browser is an application , the purpose is making an tcp connect that never completed a state, as this would give access to the webserver in a socket where the client (browser) can send any code , as the transmission runs on the protocol level, while http is an application protocol,
the issue with crypto is that the tcp out get's an reply to the ack-syn-nack the port doesn't matter you can run https over tcp 80, it's only not by the w3c standard allowed to use the first 1024 tcp ports for running public services, so
for those , the agreements and maintainers off the root file are now in private shareholders, so yes firefox also your cloudflare is part off the verisgn grs llc , now since ubuntu took private modifies, the cookies are no session urls, what the sw.js runs as a angualar spoofing the symbollic mime , in winDOwS , yes you see it right , the shorcutcs are extensions file .lnk, linux,unix uses the SOCX handler and uses a FD as file descriptor so files read/write runs over the kernell using the BSD AF_UNIX, IP_SOCX, which caches no cookie but a full html file in fooling the accept meta: text/html,*/css,*/png, and this is the code used,
/ Ultimate client-side JavaScript client sniff. Version 3.02
// (C) Netscape Communications 1999-2001. Permission granted to reuse and distribute.
you will recognise a strange issue :(,
but it uses a major function:
// convert all characters to lowercase to simplify testing
var agt=navigator.userAgent.toLowerCase();
this is code that protects , but in todays no-regulation the following runs,
#!/bin/bash
#
# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Let the wrapped binary know that it has been run through the wrapper.
export CHROME_WRAPPER="`readlink -f "$0"`"
HERE="`dirname "$CHROME_WRAPPER"`"
# We include some xdg utilities next to the binary, and we want to prefer them
# over the system versions when we know the system versions are very old. We
# detect whether the system xdg utilities are sufficiently new to be likely to
# work for us by looking for xdg-settings. If we find it, we leave $PATH alone,
# so that the system xdg utilities (including any distro patches) will be used.
if ! which xdg-settings &> /dev/null; then
# Old xdg utilities. Prepend $HERE to $PATH to use ours instead.
export PATH="$HERE:$PATH"
else
# Use system xdg utilities. But first create mimeapps.list if it doesn't
# exist; some systems have bugs in xdg-mime that make it fail without it.
xdg_app_dir="${XDG_DATA_HOME:-$HOME/.local/share/applications}"
mkdir -p "$xdg_app_dir"
[ -f "$xdg_app_dir/mimeapps.list" ] || touch "$xdg_app_dir/mimeapps.list"
fi
# Always use our versions of ffmpeg libs.
# This also makes RPMs find the compatibly-named library symlinks.
if [[ -n "$LD_LIBRARY_PATH" ]]; then
LD_LIBRARY_PATH="$HERE:$HERE/lib:$LD_LIBRARY_PATH"
else
LD_LIBRARY_PATH="$HERE:$HERE/lib"
fi
export LD_LIBRARY_PATH
export CHROME_VERSION_EXTRA="stable"
# We don't want bug-buddy intercepting our crashes. http://crbug.com/24120
export GNOME_DISABLE_CRASH_DIALOG=SET_BY_GOOGLE_CHROME
# Sanitize std{in,out,err} because they'll be shared with untrusted child
# processes (http://crbug.com/376567).
exec < /dev/null
exec > >(exec cat)
exec 2> >(exec cat >&2)
# Note: exec -a below is a bashism.
exec -a "$0" "$HERE/chrome" "$@"
now in the combination off following schema:
image/webp=google-chrome.desktop;
x-scheme-handler/http=firefox.desktop;google-chrome.desktop
x-scheme-handler/https=firefox.desktop;google-chrome.desktop
google-chrome.desktop==>uses the browser firefox making slave off
image/webp, so firefox launches in the session where google-chrome.desktop
uses the domain google for any header request use the data:image/webp
and the site is loaded in a <iframe> , and do a digg 10.net maybe THE CHARLESTONROEADREGISTRY will show what is ment by domainrouting;
as dig 10.org surprises,
<<<<<<<<<<<<<< in the html you will see this code, the code manipulates the DOM
and says top.location.href = "/base/cheetah_login.html"; here is the cookie , a full file off every in session content stored on a file using the favicon.png as FILE HANDLER , no site renders, press F12, do a event, no network traffic will run, in the browser,but massive data straight in the kernell, on interface,
a browser that also has a public dns system is nice, but a coder below the application layer, can easy make a zero-day in no-day;
<script language="javascript">
/* If session time out is reached we should be redirected to login page,
the page will be opened in maincontent frame which is not required,
so we need to change the location */
if(top != self)
top.location.href = "/base/cheetah_login.html";
</script>
<script type='text/javascript' language='JavaScript'>
>>>>>>>>>>>>>>>>
this is how the html get's loaded,
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<LINK REL=stylesheet HREF="/base/style.css" TYPE="text/css">
<link rel=stylesheet href="/base/nanoscroller.css" TYPE="text/css">
<META http-equiv="Pragma" content="no-cache">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <!-- Style Sheet link and Meta data -->
<TITLE>NETGEAR GS418TPP</TITLE> <!-- Cheetah Page Title -->
<link rel="shortcut icon" href="/base/favicon.ico"> <!-- fav icon -->
<script src="/base/js/jquery-1.6.2.min.js" type="text/javascript"></script>
<script src="/base/js/ng_tabs_Layer2.js" type="text/javascript"></script>
<script type="text/javascript" src="/base/js/xui_enhancements.js"></script>
<script src="/base/js/ng_help.js" type="text/javascript"></script>
<script src="/base/js/rollover.js" type="text/javascript"></script>
<script src="/base/js/browser.js" type="text/javascript"></script>
<!--[if IE 8]>
<style>
.loginPage_inlineEr_padding
{
padding-left: 25px;
}
</style>
<![endif]-->
<script language="javascript">
/* If session time out is reached we should be redirected to login page,
the page will be opened in maincontent frame which is not required,
so we need to change the location */
if(top != self)
top.location.href = "/base/cheetah_login.html";
</script>
<script type='text/javascript' language='JavaScript'>
the issue with crypto is that the tcp out get's an reply to the ack-syn-nack the port doesn't matter you can run https over tcp 80, it's only not by the w3c standard allowed to use the first 1024 tcp ports for running public services, so
for those , the agreements and maintainers off the root file are now in private shareholders, so yes firefox also your cloudflare is part off the verisgn grs llc , now since ubuntu took private modifies, the cookies are no session urls, what the sw.js runs as a angualar spoofing the symbollic mime , in winDOwS , yes you see it right , the shorcutcs are extensions file .lnk, linux,unix uses the SOCX handler and uses a FD as file descriptor so files read/write runs over the kernell using the BSD AF_UNIX, IP_SOCX, which caches no cookie but a full html file in fooling the accept meta: text/html,*/css,*/png, and this is the code used,
/ Ultimate client-side JavaScript client sniff. Version 3.02
// (C) Netscape Communications 1999-2001. Permission granted to reuse and distribute.
you will recognise a strange issue :(,
but it uses a major function:
// convert all characters to lowercase to simplify testing
var agt=navigator.userAgent.toLowerCase();
this is code that protects , but in todays no-regulation the following runs,
#!/bin/bash
#
# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Let the wrapped binary know that it has been run through the wrapper.
export CHROME_WRAPPER="`readlink -f "$0"`"
HERE="`dirname "$CHROME_WRAPPER"`"
# We include some xdg utilities next to the binary, and we want to prefer them
# over the system versions when we know the system versions are very old. We
# detect whether the system xdg utilities are sufficiently new to be likely to
# work for us by looking for xdg-settings. If we find it, we leave $PATH alone,
# so that the system xdg utilities (including any distro patches) will be used.
if ! which xdg-settings &> /dev/null; then
# Old xdg utilities. Prepend $HERE to $PATH to use ours instead.
export PATH="$HERE:$PATH"
else
# Use system xdg utilities. But first create mimeapps.list if it doesn't
# exist; some systems have bugs in xdg-mime that make it fail without it.
xdg_app_dir="${XDG_DATA_HOME:-$HOME/.local/share/applications}"
mkdir -p "$xdg_app_dir"
[ -f "$xdg_app_dir/mimeapps.list" ] || touch "$xdg_app_dir/mimeapps.list"
fi
# Always use our versions of ffmpeg libs.
# This also makes RPMs find the compatibly-named library symlinks.
if [[ -n "$LD_LIBRARY_PATH" ]]; then
LD_LIBRARY_PATH="$HERE:$HERE/lib:$LD_LIBRARY_PATH"
else
LD_LIBRARY_PATH="$HERE:$HERE/lib"
fi
export LD_LIBRARY_PATH
export CHROME_VERSION_EXTRA="stable"
# We don't want bug-buddy intercepting our crashes. http://crbug.com/24120
export GNOME_DISABLE_CRASH_DIALOG=SET_BY_GOOGLE_CHROME
# Sanitize std{in,out,err} because they'll be shared with untrusted child
# processes (http://crbug.com/376567).
exec < /dev/null
exec > >(exec cat)
exec 2> >(exec cat >&2)
# Note: exec -a below is a bashism.
exec -a "$0" "$HERE/chrome" "$@"
now in the combination off following schema:
image/webp=google-chrome.desktop;
x-scheme-handler/http=firefox.desktop;google-chrome.desktop
x-scheme-handler/https=firefox.desktop;google-chrome.desktop
google-chrome.desktop==>uses the browser firefox making slave off
image/webp, so firefox launches in the session where google-chrome.desktop
uses the domain google for any header request use the data:image/webp
and the site is loaded in a <iframe> , and do a digg 10.net maybe THE CHARLESTONROEADREGISTRY will show what is ment by domainrouting;
as dig 10.org surprises,
<<<<<<<<<<<<<< in the html you will see this code, the code manipulates the DOM
and says top.location.href = "/base/cheetah_login.html"; here is the cookie , a full file off every in session content stored on a file using the favicon.png as FILE HANDLER , no site renders, press F12, do a event, no network traffic will run, in the browser,but massive data straight in the kernell, on interface,
a browser that also has a public dns system is nice, but a coder below the application layer, can easy make a zero-day in no-day;
<script language="javascript">
/* If session time out is reached we should be redirected to login page,
the page will be opened in maincontent frame which is not required,
so we need to change the location */
if(top != self)
top.location.href = "/base/cheetah_login.html";
</script>
<script type='text/javascript' language='JavaScript'>
>>>>>>>>>>>>>>>>
this is how the html get's loaded,
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<LINK REL=stylesheet HREF="/base/style.css" TYPE="text/css">
<link rel=stylesheet href="/base/nanoscroller.css" TYPE="text/css">
<META http-equiv="Pragma" content="no-cache">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <!-- Style Sheet link and Meta data -->
<TITLE>NETGEAR GS418TPP</TITLE> <!-- Cheetah Page Title -->
<link rel="shortcut icon" href="/base/favicon.ico"> <!-- fav icon -->
<script src="/base/js/jquery-1.6.2.min.js" type="text/javascript"></script>
<script src="/base/js/ng_tabs_Layer2.js" type="text/javascript"></script>
<script type="text/javascript" src="/base/js/xui_enhancements.js"></script>
<script src="/base/js/ng_help.js" type="text/javascript"></script>
<script src="/base/js/rollover.js" type="text/javascript"></script>
<script src="/base/js/browser.js" type="text/javascript"></script>
<!--[if IE 8]>
<style>
.loginPage_inlineEr_padding
{
padding-left: 25px;
}
</style>
<![endif]-->
<script language="javascript">
/* If session time out is reached we should be redirected to login page,
the page will be opened in maincontent frame which is not required,
so we need to change the location */
if(top != self)
top.location.href = "/base/cheetah_login.html";
</script>
<script type='text/javascript' language='JavaScript'>
0 new messages