
Re (2): Configuring Iceweasel security policies.



From:	Scott Ferguson <prettyfly.productions@gmail.com>
Date:	Sun, 12 Jun 2011 20:20:17 +1000
> Stepping through what you've described above...
> 
> You are on a Dalton console.

By console I mean the SVGA monitor, keyboard and mouse.  It supports X11 
in addition to plain CLI.

> If you are *not* running as root (and why would you be?)

Correct.  User peter.

> You saved the page to "storage of Dalton".... presumably "storage" is
> somewhere below /home/peter....
> 
> eg.:-
> home/peter/"Peter Lyall Easthope.html"

Here I stored it as /home/peter/Desktop/index.html.  The choice of name 
doesn't change the phenomenon being demonstrated.

We're dealing with two pages.  There is the "primary" page containing 
the Web link.  Then there is the page Category2.html which is target of 
the link in the primary page.  Category2.html is always local.  I can 
open Category2.html when the primary page is local.  Not when the primary 
page is remote.

> You then say that the link works (I don't disbelieve you)- but that link
> is pointing at the root of Dalton, not the root of Peters home directory....
> So "something" I'm assuming in the above scenario is not correct.

Yes.  There is a filesystem soft link as we discussed a day or two back.  
peter@joule:~$ sudo ln -s /home/peter/Category2.html /Category2.html
peter@joule:~$ ls -l /C*
lrwxrwxrwx 1 root root 23 Jun 12 13:16 /Category2.html -> /home/peter/Category2.html
The filesystem and the Web both having "links" is a possible source of 
confusion.

> Just to clarify:-
> When you click on a http link in a html page the link is "relative" to
> the web server.
> ... 
> Because the browser replaces "file" with localhost, which renders the
> URI /"Peter Lyall Easthope.html" (damn absolute links!)

Yes, we're in sync for everything in those 5 paragraphs.  Keep in 
mind the filesystem link from ln -s above.  That lets me open 
/home/peter/Category2.html by targeting file:///Category2.html.

> I'm sure, somewhere in all these threads you've explained what Dalton is
> running, 

Dalton runs Squeeze and Iceweasel.

> but I'm a little confused with talk of Oberon and vnc
> connections to Iceweasel running on other machines. 

VNC is completely irrelevant to this discussion.  It was 
only part of an answer to Ron J.  Oberon was mentioned only 
to illustrate how I expected a rational browser to behave.
Oberon is not necessary to demonstrate the behaviour of 
Iceweasel.

> When I refer to
> localhost I mean the machine that hosts Iceweasel. 

Yes, dalton.

> I'm also assuming
> that Iceweasel is not running as root, 

Correct.

> ,,, and that the directory that you
> save "Peter Lyall Easthope.html" into is mounted on the same machine as
> the file Category2.html.

Yes.  That is dalton.  

> Agreed - *but* http://peter@members.shaw.ca/ is asking the browser to
> login to members.shaw.ca.....
> And the server on shaw.ca says "I'm sorry Dave but...." :-D
> So what the browser is actually served is members.shaw.ca....
> eg.:-
> http://peter@members.shaw.ca/ == http://members.shaw.ca/
> 
> Which seems like a waste of 6 characters ;-p

Correct.  I put in the "peter@" when trying to imagine the meaning of 
the error message from Iceweasel.  I'll remove it.

The final observation is that there should be a way to open 
file:///blah.html, regardless of where the link resides.  At present 
I can open it only with a link in a local page.  The link on a remote 
server, targeting file:///blah.html, produces only the error message 
from Iceweasel.  file:///<name> is always an absolute file name on the 
local machine, isn't it?  Is there a syntax for a non-local file:///<name>?
Logically, that should not be necessary, but it might help with 
troubleshooting.

Hopefully the failure of the non-local case is just a security default  
which can be overridden.  Otherwise it's a bug in Iceweasel.

> Cheers, and thanks for your patience.

Thanks for your patience.  The thread is becoming stale and 
there are too many small digressions.  A fresh description of the 
problem with new names might help ... except that everyone must be 
fed up with it by now.

Regards,           ... Peter E.



-- 
Telephone 1 360 450 2132.  bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .

