Firefox3.1/Security/ViewSource: Difference between revisions

== Overview ==
==== Introduction ====
This page documents security issues in the "View Source" feature.  In particular it covers the View Source "Linkification", a new feature in Firefox 3.1.  The [https://wiki.mozilla.org/QA/Firefox3.1/ViewSource_Testplan View Source QA TestPlan] provides the most complete current documentation, including bugs.
==== Linkification ====
Linkification turns URLs in HREF and SRC attributes into hyperlinks which link to the source URL.  The current approach is simple to the point of being crude, but it was chosen as a way to get a lot of "bang for the buck", if you will.
When a URL is "linkified", the source URL is first converted into an absolute URL (if it is not one already), using the URL of the source file as the base.  If the source file specifies one or more BASE elements, then the base URL specified by the last BASE element is used instead.
Once an absolute URL has been constructed, it is turned into a "view-source:" URL.  For example the URL "http://www.mozilla.org/projects/minefield/" will be turned into "view-source:http://www.mozilla.org/projects/minefield/".  So clicking a link to an HTML page in page source will bring up the source for the new page, not the rendered HTML for that page.
Note that if a URL points to a text file (as determined by MIME type), then both the source URL and the view-source URL constructed from it have the same effect.  So CSS and JS files linked from page source work as expected.
Currently images linked from page source do not work correctly (see Bug xxxx).  The "mailto:" and "view-source:mailto:" schemes work the same way, although that's by accident.
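
The linkification steps described above, written out as an added example (this is not Firefox's code). The regex-based attribute scan, the function names and the sample markup are assumptions made for illustration; relative BASE values are resolved against the source file's URL, which is also an assumption.

```javascript
// Added example: sketch of the linkification steps, not Firefox's implementation.
// Assumption: a simple regex scan over quoted HREF/SRC attribute values.
const BASE_RE = /<base\b[^>]*?\bhref\s*=\s*["']([^"']*)["']/gi;
const ATTR_RE = /\b(href|src)\s*=\s*["']([^"']*)["']/gi;

// Pick the base URL: the last BASE element wins, else the source file's URL.
function effectiveBase(sourceText, documentUrl) {
  let base = documentUrl;
  for (const m of sourceText.matchAll(BASE_RE)) {
    base = new URL(m[1], documentUrl).href;
  }
  return base;
}

// Make the URL absolute, then prefix it with "view-source:".
// Returns null when the value cannot be parsed as a URL.
function toViewSource(rawUrl, baseUrl) {
  try {
    return "view-source:" + new URL(rawUrl, baseUrl).href;
  } catch (e) {
    return null;
  }
}

// Return one record per HREF/SRC attribute found in the page source.
function linkify(sourceText, documentUrl) {
  const base = effectiveBase(sourceText, documentUrl);
  const links = [];
  for (const m of sourceText.matchAll(ATTR_RE)) {
    links.push({ attr: m[1].toLowerCase(), raw: m[2], target: toViewSource(m[2], base) });
  }
  return links;
}

// Constructed sample page source with two BASE elements.
const SAMPLE = [
  '<base href="http://first.example/a/">',
  '<base href="http://www.mozilla.org/projects/">',
  '<a href="minefield/">Minefield</a>',
  '<script src="/js/site.js"></script>',
  '<a href="mailto:user@example.org">mail</a>',
].join("\n");

const SAMPLE_LINKS = linkify(SAMPLE, "http://www.mozilla.org/index.html");
console.log(SAMPLE_LINKS);
```

Every HREF and SRC value gets the prefix regardless of its scheme, which is why the "mailto:" link comes out as "view-source:mailto:".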
''Describe the goals and objectives of the feature here.''

