
Re: Configuring Iceweasel security policies.



On 12/06/11 12:05, peasthope@shaw.ca wrote:
> *	From: Scott Ferguson <prettyfly.productions@gmail.com>
> *	Date: Sat, 11 Jun 2011 23:23:30 +1000
<snipped>
> Here is my explanation again, step by step.
> * I sit in front of the console of dalton.
> * Using Iceweasel in Squeeze, open this. "http://members.shaw.ca/peasthope/#Links"
>   It's public.  Have a look.
> * There I see the link with anchor file:///Category2.html and target the same.
> * Click on that anchor.  I expect dalton:/home/peter/Category2.html 
>  open but nothing happens except for the message to the Iceweasel 
>  error console.  Ref. earlier message.  Is there a syntax such as 
>  dalton.invalid:file:///Category2.html ? 

Yes.

> * Save the page "http://members.shaw.ca/peasthope/" onto storage of Dalton.
> * Open that page on Dalton.
> * Now in this image from the local copy, click on the anchor file:///Category2.html.
> * Now Category2.html opens.
> 
<snipped>
> 
> The steps above demonstrate that the link from dalton:/Category2.html 
> to dalton:/home/peter/Category2.html works.


Stepping through what you've described above...

You are on a Dalton console.
If you are *not* running as root (and why would you be?)

~$ pwd
/home/peter

You saved the page to "storage of Dalton".... presumably "storage" is
somewhere below /home/peter....

e.g.:-
/home/peter/"Peter Lyall Easthope.html"

That page contains a link:-
<a href="file:///Category2.html">file:///Category2.html</a>

That link points to Category2.html
i.e.:-
~$ mlocate Category2.html (would give, based on the info given...)
/home/peter/Category2.html

You then say that the link works (I don't disbelieve you) - but that link
is pointing at the root of Dalton, not the root of Peter's home directory....
So "something" I'm assuming in the above scenario is not correct.

Just to clarify:-
When you click on an http link in an html page the link is "relative" to
the web server. If the server is a webserver (e.g. Apache) the root is
(generally) /var/www.  The module running on the apache server at
members.shaw.ca means a virtual server for each user has its root in the
user's home directory
e.g.
/home/peter (unlikely as you have config files there)
OR
/home/peter/public_html (more likely as now only files used by the web
server are in the root of the web server).

You shouldn't be able to save "Peter Lyall Easthope.html" to anywhere
above your home directory - and yet the file link in it will always
point to the root of Dalton. This is because an absolute file link in a
local (same machine) .html file always has the base of its path as the
/ of that local machine (where localhost is).

i.e. it doesn't matter whether "Peter Lyall Easthope.html" lives at:-
/"Peter Lyall Easthope.html"
/etc/"Peter Lyall Easthope.html"
/var/log/apt/"Peter Lyall Easthope.html"
OR even /home/peter/"Peter Lyall Easthope.html"

The link file:///Category2.html will always point to
/"Peter Lyall Easthope.html"

Because the browser replaces "file" with localhost, which renders the
URI /"Peter Lyall Easthope.html" (damn absolute links!)

I'm sure, somewhere in all these threads you've explained what Dalton is
running, but I'm a little confused with talk of Oberon and vnc
connections to Iceweasel running on other machines. When I refer to
localhost I mean the machine that hosts Iceweasel. I'm also assuming
that Iceweasel is not running as root, and that the directory that you
save "Peter Lyall Easthope.html" into is mounted on the same machine as
the file Category2.html.

Please correct my misunderstanding.

> 
<snipped - can come back to this later if necessary, just trying to rein
in some of the digression>

>> http://peter@members.shaw.ca/ (from your policy in the last post)
>> A login on a site with no authentication??
> 
> Authentication is not necessary to look at a public Web page.

Agreed - *but* http://peter@members.shaw.ca/ is asking the browser to
log in to members.shaw.ca.....
And the server on shaw.ca says "I'm sorry Dave but...." :-D
So what the browser is actually served is members.shaw.ca....
eg.:-
http://peter@members.shaw.ca/ == http://members.shaw.ca/

Which seems like a waste of 6 characters ;-p


> 
> Regards,            ... Peter E.
> 
> 


Cheers, and thanks for your patience.

-- 
It's just a ride and we can change it any time we want.
It's only a choice.
No effort, no work, no job, no savings and money, a choice, right now,
between fear and love.
The eyes of fear want you to put bigger locks on your door, buy guns,
close yourself off.
The eyes of love instead see all of us as one.
 ~ Bill Hicks
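Added example, not part of the thread above: the link resolution discussed in this message, shown with the WHATWG URL API that Node.js and current browsers expose as the global URL class. The page addresses, paths and file names are the ones named in the thread. linkIsAllowed() is a simplified model of Firefox's rule that a page loaded over http(s) may not link to a file: URI (the rule behind the error-console message), written here for illustration and not the browser's own code; the absolute-versus-relative resolution, however, is exactly what the URL parser does.

```javascript
// Added example, not code from the thread: how a browser resolves the links
// discussed above, using the WHATWG URL API (global `URL` in Node.js and browsers).
// URLs and paths are the ones named in the thread; linkIsAllowed() is a
// simplified model (an assumption, not Firefox's own code) of the rule that a
// page loaded over http(s) may not link to file: URIs.

const REMOTE_PAGE = 'http://members.shaw.ca/peasthope/';
const LOCAL_COPY  = 'file:///home/peter/Peter%20Lyall%20Easthope.html';

// Resolve `href` the way a browser does when it appears in a page at `pageUrl`.
// An absolute href (one with a scheme) ignores the page's location entirely;
// a relative href is resolved against the directory of the page.
function resolveLink(href, pageUrl) {
  return new URL(href, pageUrl).href;
}

// Simplified model of the check that produces the error-console message:
// a file: target is only reachable from a page that is itself file:.
function linkIsAllowed(href, pageUrl) {
  const target = new URL(href, pageUrl);
  if (target.protocol !== 'file:') return true;
  return new URL(pageUrl).protocol === 'file:';
}

// What http://peter@members.shaw.ca/ really carries: a userinfo field the
// server is free to ignore, and an origin identical to the URL without it.
function describeUserinfo(href) {
  const u = new URL(href);
  const stripped = new URL(href);
  stripped.username = '';
  stripped.password = '';
  return { username: u.username, origin: u.origin, stripped: stripped.href };
}

// Walk the cases from the thread: the remote page and the saved local copy,
// each with the absolute file link it contains and with a relative link instead.
function walkThread() {
  const cases = [
    ['file:///Category2.html', REMOTE_PAGE],   // remote page, absolute file link
    ['file:///Category2.html', LOCAL_COPY],    // local copy, absolute file link
    ['Category2.html', LOCAL_COPY],            // local copy, relative link
    ['Category2.html', REMOTE_PAGE],           // remote page, relative link
  ];
  return cases.map(([href, page]) => ({
    href,
    page,
    resolvesTo: resolveLink(href, page),
    allowed: linkIsAllowed(href, page),
  }));
}

for (const row of walkThread()) {
  console.log(`${row.page}  +  ${row.href}`);
  console.log(`    -> ${row.resolvesTo}  (${row.allowed ? 'allowed' : 'blocked'})`);
}
console.log(describeUserinfo('http://peter@members.shaw.ca/'));
```

Run it with node. Two things stand out: file:///Category2.html resolves to the root of the machine running the browser no matter which directory the saved copy sits in, and a relative href Category2.html is what resolves to /home/peter/Category2.html from a page saved in /home/peter. The file: target is only reachable from a page whose own address is file:, which is why the saved copy works and the copy served from members.shaw.ca does not. The userinfo in http://peter@members.shaw.ca/ changes neither the origin nor the resource requested.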

