info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to unship: jar: URIs from content
186 views
Skip to first unread message
Ehsan Akhgari
Oct 15, 2015, 2:14:19 PM10/15/15
to dev-platform
We currently support URLs such as
<jar:http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
This is a Firefox specific feature that no other engine implements,
and it increases our attack surface unnecessarily. As such, I would
like to put it behind a pref and disable it for Web content by default.
Are there any objections?
Thanks!
<jar:http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
This is a Firefox specific feature that no other engine implements,
and it increases our attack surface unnecessarily. As such, I would
like to put it behind a pref and disable it for Web content by default.
Are there any objections?
Thanks!
Bobby Holley
Oct 15, 2015, 2:16:07 PM10/15/15
to Ehsan Akhgari, dev-platform
Huzzah! Thanks for fixing this Ehsan.
On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
Aaron Klotz
Oct 15, 2015, 2:16:10 PM10/15/15
to dev-pl...@lists.mozilla.org
SGTM!
Ehsan Akhgari
Oct 15, 2015, 2:31:59 PM10/15/15
to dev-platform
On 2015-10-15 1:58 PM, Ehsan Akhgari wrote:
> We currently support URLs such as
> <jar:http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements,
> and it increases our attack surface unnecessarily. As such, I would
> like to put it behind a pref and disable it for Web content by default.
FWIW I filed bug 1215235 for this. We'll wait for this discussion
> We currently support URLs such as
> <jar:http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements,
> and it increases our attack surface unnecessarily. As such, I would
> like to put it behind a pref and disable it for Web content by default.
before landing code there.
Jason Duell
Oct 15, 2015, 3:35:26 PM10/15/15
to Ehsan Akhgari, dev-platform
OMG yes please.
Jason
On Thu, Oct 15, 2015 at 11:31 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
Jason
Jason
On Thu, Oct 15, 2015 at 11:31 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
--
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
Jason
Nicholas Alexander
Oct 15, 2015, 6:47:25 PM10/15/15
to Ehsan Akhgari, dev-platform
On Thu, Oct 15, 2015 at 10:58 AM, Ehsan Akhgari <ehsan....@gmail.com>
wrote:
> We currently support URLs such as <jar:
> http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.
>
I've always been surprised by this (and resource:, although I think there's
a story behind that one). Glad to see it go.
Nick
wrote:
> We currently support URLs such as <jar:
> http://mxr.mozilla.org/mozilla-central/source/modules/libjar/test/mochitest/bug403331.zip?raw=1&ctype=application/java-archive!/test.html>.
> This is a Firefox specific feature that no other engine implements, and it
> increases our attack surface unnecessarily. As such, I would like to put
> it behind a pref and disable it for Web content by default.
>
a story behind that one). Glad to see it go.
Nick
Robert O'Callahan
Oct 15, 2015, 7:08:11 PM10/15/15
to Nicholas Alexander, Ehsan Akhgari, dev-platform
I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
files uploaded to Bugzilla, but this sounds like the right thing to do.
Rob
--
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf
toD
selthor stor edna siewaoeodm or v sstvr esBa kbvted,t
rdsme,aoreseoouoto
o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm or rnea
lurpr
.a war hsrer holsa rodvted,t nenh hneireseoouot.tniesiewaoeivatewt sstvr
esn
files uploaded to Bugzilla, but this sounds like the right thing to do.
Rob
--
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf
toD
selthor stor edna siewaoeodm or v sstvr esBa kbvted,t
rdsme,aoreseoouoto
o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm or rnea
lurpr
.a war hsrer holsa rodvted,t nenh hneireseoouot.tniesiewaoeivatewt sstvr
esn
Neil
Oct 15, 2015, 7:27:38 PM10/15/15
to
Robert O'Callahan wrote:
>I'm sad that I won't be able to use jar: URLs to load testcases in ZIP files uploaded to Bugzilla
>
Or indeed any ZIP-like file, once you flip the appropriate pref.
>I'm sad that I won't be able to use jar: URLs to load testcases in ZIP files uploaded to Bugzilla
>
--
Warning: May contain traces of nuts.
Ehsan Akhgari
Oct 15, 2015, 7:50:38 PM10/15/15
to rob...@ocallahan.org, Nicholas Alexander, dev-platform
On 2015-10-15 7:08 PM, Robert O'Callahan wrote:
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.
When speaking with Boris on IRC today he also mentioned that he does use
jar URLs in this way. You can flip the pref to get this back :-)
Gregory Szorc
Oct 16, 2015, 1:13:14 PM10/16/15
to Robert O'Callahan, Ehsan Akhgari, Nicholas Alexander, dev-platform
On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan <rob...@ocallahan.org>
bz://123456 URL, autodiscover a test case attachment on that bug, download
it, and run it.
wrote:
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.
>
If this is a common use case, then `mach test` should be able to accept a
> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
> files uploaded to Bugzilla, but this sounds like the right thing to do.
>
bz://123456 URL, autodiscover a test case attachment on that bug, download
it, and run it.
Boris Zbarsky
Oct 16, 2015, 2:42:25 PM10/16/15
to
Note that this still changes the security context the attachment is
running in. I'm not super-happy running random reporter-provided code
from file:// without having looked at it first.
-Boris
Robert O'Callahan
Oct 16, 2015, 6:17:33 PM10/16/15
to Gregory Szorc, Ehsan Akhgari, Nicholas Alexander, dev-platform
On Sat, Oct 17, 2015 at 6:13 AM, Gregory Szorc <g...@mozilla.com> wrote:
> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan <rob...@ocallahan.org>
> wrote:
>
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>>
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.
>
Not as convenient as clicking on a link.
> On Thu, Oct 15, 2015 at 4:08 PM, Robert O'Callahan <rob...@ocallahan.org>
> wrote:
>
>> I'm sad that I won't be able to use jar: URLs to load testcases in ZIP
>> files uploaded to Bugzilla, but this sounds like the right thing to do.
>>
>
> If this is a common use case, then `mach test` should be able to accept a
> bz://123456 URL, autodiscover a test case attachment on that bug, download
> it, and run it.
>
I guess the right fix would be to have a Web proxy service that accepts
URLs in a custom format, unpacks ZIP files and serves their contents.
Ben Kelly
Oct 17, 2015, 6:48:42 PM10/17/15
to rob...@ocallahan.org, Ehsan Akhgari, Nicholas Alexander, dev-pl...@lists.mozilla.org, Gregory Szorc
On Oct 16, 2015 6:17 PM, "Robert O'Callahan" <rob...@ocallahan.org> wrote:
> I guess the right fix would be to have a Web proxy service that accepts
> URLs in a custom format, unpacks ZIP files and serves their contents.
Bugzilla could do this in a service worker.
> I guess the right fix would be to have a Web proxy service that accepts
> URLs in a custom format, unpacks ZIP files and serves their contents.
Gregory Szorc
Oct 19, 2015, 4:07:32 PM10/19/15
to Ben Kelly, Ehsan Akhgari, Nicholas Alexander, dev-platform, Robert O'Callahan, Gregory Szorc
"Gecko Hackers" Firefox add-on) that runs an appropriate mach command when
said file is downloaded.
Boris Zbarsky
Oct 19, 2015, 7:39:35 PM10/19/15
to
On 10/19/15 4:07 PM, Gregory Szorc wrote:
> Or you could register a custom content type handler (possibly via a special
> "Gecko Hackers" Firefox add-on) that runs an appropriate mach command when
> said file is downloaded.
This ignores the point about running the file after downloading having
> Or you could register a custom content type handler (possibly via a special
> "Gecko Hackers" Firefox add-on) that runs an appropriate mach command when
> said file is downloaded.
different security characteristics from running it from bmo.
-Boris
0 new messages