mozilla :: #security

17 Jul 2017
19:43MossopAssuming I'm loading a webpage from one domain and including a script from another that script can still access the webpage's location object including the hash part right?
20:09Mossopnm, got my answer elsewhere
23:20lizzardhi there. I just noticed that a link to crash-stats from bugzilla gives me a warning the link may be harmful:
23:20firebotBug 1375704 NEW, Thousands of content shutdown crashes caused by ScriptPreloader
23:22ulfrhmmm this is new to me. looks like a bugzilla feature. I'll ask around.
23:22lizzardah, i can ask in #bmo
23:24dveditzlizzard: wrong bug link?
23:24dveditzall I see there is "Hi :kmag, Can you help shed some light here?"
23:24lizzardah, the URL link
23:24lizzardin the comment just below that
23:25dveditzwonder if it's because of the spaces in the link (looks like a command?)
23:26lizzardMaybe, but if you try the link under crash signature it works without the warning
23:26lizzardand it also has spaces (i also was wondering that)
23:26dveditzbut that's generated by bugzilla, whereas the "URL" field is (could be) user-entered
23:27lizzardi can edit the crash signature fjield add new ones
23:27dveditzseems like it would be nice to put a warning icon near the link so you don't have to click to find out it's potentially dodgy
23:27dveditzyeah, you can add signatures, but not URLs
23:27dveditzthe resulting URLs are all going to our known crash reporting server
23:28dveditzI'm sure the URL field logic doesn't look at the host and whitelist "known good" domains before giving the warning
23:28lizzardoh, i think i see what you mean about it being bugzilla-generated. Yah, im not worried theres an actual security problem, but i thought maybe we had some new content warning
23:28dveditzI'm just guessing
23:29dveditznot sure the bmo folks will be around this late on the east coast
23:29dveditzi'm curious to know the real answer if you don't mind reporting back
18 Jul 2017
No messages
Last message: 65 days and 13 hours ago