[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re (3): Configuring Iceweasel security policies.

From:	Scott Ferguson <prettyfly.productions@gmail.com>
Date:	Mon, 13 Jun 2011 15:30:27 +1000
> To clarify - is it only you that needs to be able to use this file link??

Yes, only me.  The objective is to simplify my testing procedure.  
Of course, the time I've spent to understand it probably outweighs 
the time that will be saved.

> If so - would you only be accessing it from Dalton (or where)??

Yes, only from Dalton.  

> Yes - that is as it should be. A web page should only be able to load a
> file from within it's *purview*. So a http link should point to
> somewhere within the root of the web server (eg. /var/www or
> ~/public_html), and a file link should point to somewhere on the same
> machine the link is served from (think of the authentication).

Sorry to say, I have an argument.  Consider the principle of user 
centrism.  "http://en.wikipedia.org/wiki/User_centered_design";
Suppose user X sits in front of the console showing the Iceweasel interface 
and sees the text "file:///"<path>.  Is that file URI any different 
whether it came from a remote machine or was typed in by X or was pasted 
to the URI bar from the clipboard.  No.  In all cases it is still that 
same text residing in a buffer used by Iceweasel.  Furthermore, that file 
URI always refers the local filesystem; even if the "file:///"<path> 
was retrieved from a remote system.  Therefore the browser should open 
the file URI equally well, regardless of origin.  If a remotely originated 
file URI, or any URI, can be blocked from opening, OK; but the blockage 
should be configurable.  Not hard coded.

> So a http link should point to somewhere within the root of the web server ...

Many Web pages contain links to pages on remote servers.

> ... a file link should point to somewhere on the same machine the link is served from ...

"file:///"<path> is equivalent to "file://localhost/"<path>.  This should be 
true regardless of the origin of the URI text.  Where a file URI poses a 
significant threat, block it.  The circumstance of viewing a file URI 
doesn't change its meaning. 

As I undertand http://kb.mozillazine.org/Security_Policies , Iceweasel with the correct 
settings in /etc/iceweasel/pref/iceweasel.js should open the file URI as I 
describe.  Does Iceweasel have a problem not existing in Mozilla?  A Mozilla 
forum or mailing list might help.  Also I can file a bug report against Iceweasel 
and see what the maintainers say.

Thanks for the extensive discussion,

                                                ... Peter E.
                        
-- 
Telephone 1 360 450 2132.  bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
Reply to: