Safely loading URIs
Not all URI loads are safe. For example, loading some file: URIs can hang the browser or even crash the operating system in some cases. Some other schemes are used internally by Mozilla modules to communicate with each other. Finally, some URIs (e.g. chrome:) give the loaded page expanded privileges. If a web page gets access to a window with such expanded privileges, it may be able to abuse it to gain access to those privileges itself.
To solve this problem, Gecko provides methods that allow the caller to check whether it's safe to load a particular URI. These methods are exposed on the nsIScriptSecurityManager interface and are called checkLoadURI, checkLoadURIStr, and checkLoadURIWithPrincipal. All three methods take three arguments: the first argument identifies the source of the URI (an nsIURI, a URI string, or an nsIPrincipal, respectively), the second argument is the URI that one plans to load, and the third argument is a set of flags that can be used to impose additional restrictions on the URIs that may be loaded. On denial the methods throw; on success they return normally. It's important to make sure that the first argument to these methods identifies the source of the URI, not the code that happens to be doing the load. So if you're implementing a context menu and you add a "View Image" option, the source of the image URI would be the page the image is in, not the chrome document the context menu code is in. Passing the chrome document as the source would tell the security manager that a fully privileged caller is requesting the load, and a chrome: or file: URI injected into the page would be allowed through.
The three methods differ from each other in how the source of the URI is identified and in what is known about the URI to be loaded.
In general, the following guidelines apply for Gecko 1.8:
- If you plan to pass a URI string to nsIWebNavigation.loadURI (which can happen indirectly, e.g. by passing the string to something that loads it in an <iframe>), you must call checkLoadURIStr to be secure. There's no way to do this completely securely in Gecko versions prior to 1.8.0.2.
- If you're doing anything else (passing a URI string to some other API like <img src="">, passing a URI object to an API that loads URI objects, etc.), use whichever method best fits the data you can get your hands on. If you have a choice as to what data you have, prefer checkLoadURIStr. Note that checkLoadURIWithPrincipal is not scriptable in Gecko 1.8, so extensions are not able to use it.
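The "View Image" context-menu case above, as an added example that is not code from the original page or from Mozilla. The contract ID "@mozilla.org/scriptsecuritymanager;1", the checkLoadURIStr(from, uri, flags) signature and its throw-on-denial behaviour are real Gecko API; FakeSecurityManager is an assumed, deliberately simplified stand-in (privileged schemes may only be loaded from privileged sources) so the file also runs outside Gecko, and the loadURI callback stands in for whatever nsIWebNavigation.loadURI wrapper the extension uses. The contrast between viewImage and viewImageWrongSource shows why the source argument must be the page, not the chrome document.

```javascript
// Added example: picking the right "source" for checkLoadURIStr in a
// context-menu "View Image" handler. Not Mozilla's code.

const STANDARD = 0; // nsIScriptSecurityManager.STANDARD

// ASSUMPTION: simplified stand-in for nsIScriptSecurityManager, used only
// when the real XPCOM service is unavailable (e.g. running under Node).
// It models one rule from the page: privileged schemes (chrome:, file:,
// resource:) may only be loaded on behalf of an equally privileged source.
const PRIVILEGED_SCHEMES = new Set(["chrome", "file", "resource"]);

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  if (!m) throw new Error("NS_ERROR_MALFORMED_URI: " + uri);
  return m[1].toLowerCase();
}

class FakeSecurityManager {
  checkLoadURIStr(from, uri, flags) {
    const fromScheme = schemeOf(from);
    const toScheme = schemeOf(uri);
    if (PRIVILEGED_SCHEMES.has(toScheme) && !PRIVILEGED_SCHEMES.has(fromScheme)) {
      // Real Gecko throws NS_ERROR_DOM_BAD_URI here; we mimic "throw on deny".
      throw new Error("NS_ERROR_DOM_BAD_URI: " + from + " may not load " + uri);
    }
    // Success: return nothing, exactly like the real method.
  }
}

// Inside Gecko, fetch the real service; elsewhere fall back to the stand-in.
function getSecurityManager() {
  if (typeof Components !== "undefined") {
    return Components.classes["@mozilla.org/scriptsecuritymanager;1"]
      .getService(Components.interfaces.nsIScriptSecurityManager);
  }
  return new FakeSecurityManager();
}

// checkLoadURIStr signals denial by throwing, so wrap it into a boolean.
function mayLoad(sourceStr, uriStr, flags, secMan) {
  try {
    secMan.checkLoadURIStr(sourceStr, uriStr, flags);
    return true;
  } catch (e) {
    return false;
  }
}

// Correct handler: the source is the document the image lives in.
// Returns true if the load was issued, false if the security check denied it.
function viewImage(pageURI, imageURI, loadURI, secMan = getSecurityManager()) {
  if (!mayLoad(pageURI, imageURI, STANDARD, secMan)) return false;
  loadURI(imageURI); // e.g. a wrapper around nsIWebNavigation.loadURI
  return true;
}

// The mistake the page warns about: using the chrome document (the window
// running this handler) as the source. A chrome: or file: image URI planted
// by the page passes the check and gets loaded with chrome as its origin.
function viewImageWrongSource(chromeDocURI, imageURI, loadURI, secMan = getSecurityManager()) {
  if (!mayLoad(chromeDocURI, imageURI, STANDARD, secMan)) return false;
  loadURI(imageURI);
  return true;
}

// Constructed sample inputs (not from the original page).
const PAGE = "http://example.com/article.html";
const CHROME_DOC = "chrome://browser/content/browser.xul";
const HTTP_IMAGE = "http://example.com/images/logo.png";
const CHROME_IMAGE = "chrome://browser/content/some.png";
```

Run under Node, viewImage(PAGE, CHROME_IMAGE, ...) refuses the load while viewImageWrongSource(CHROME_DOC, CHROME_IMAGE, ...) issues it; under Gecko the same two functions hit the real security manager, and the wrong-source variant is the bug you are trying not to ship.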
A key security change in Gecko 1.9 is the addition of the new security.fileuri.strict_origin_policy preference. This Boolean preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same-origin policy on file: URIs. See Same-origin policy for file: URIs for details.