Network.jar.open-unsafe-types

From MozillaZine Knowledge Base
Revision as of 04:31, 28 November 2007 by Unarmed

Background

Mozilla supports the jar: protocol, which allows the browser to directly load files inside JAR archives (and other files based on ZIP). Unfortunately, this feature can open up cross-site scripting issues on otherwise secure sites, by allowing script content to be loaded inside pages with the same permissions as the page itself. Another bug related to redirects compounded the problem, allowing any site with an open redirect to be compromised the same way, even if it hosted no JAR files.

As part of the patch for this vulnerability, the jar: protocol was modified so that only files sent with Content-Types of application/java-archive or application/x-jar could be loaded. This preference determines whether or not to override that restriction, restoring the old behavior.

Local files are not subject to this restriction, though they are still subject to the standard CheckLoadURI restrictions.

Possible values and their effects

True

Allow any valid file to be loaded with the jar: protocol, even if its Content-Type is not considered “safe.”

False

Restrict jar: to files served with the proper Content-Types.
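The load policy described in the Background section and the two preference values above, modelled as an added example (this is not Mozilla's code; the jar: URL syntax `jar:<archive-url>!/<entry>`, the `file:` exemption and the Content-Type names come from the page, while the function and type names are my own):

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Content-Types the patched jar: handler accepts for remote archives (from the page).
SAFE_JAR_TYPES = frozenset({"application/java-archive", "application/x-jar"})


@dataclass(frozen=True)
class JarURL:
    archive_url: str  # URL of the outer archive, e.g. http://example.test/app.jar
    entry: str        # path of the member inside the archive


def parse_jar_url(url: str) -> JarURL:
    """Split 'jar:<archive-url>!/<entry>'; raise ValueError if malformed."""
    if not url.lower().startswith("jar:"):
        raise ValueError("not a jar: URL")
    archive, sep, entry = url[4:].partition("!/")
    if not sep or not archive:
        raise ValueError("jar: URL needs '!/' between archive and entry")
    return JarURL(archive_url=archive, entry=entry)


def normalize_content_type(header: Optional[str]) -> str:
    """Lower-cased media type with parameters such as charset stripped."""
    if header is None:
        return ""
    return header.split(";", 1)[0].strip().lower()


def may_load_jar(url: str, content_type: Optional[str],
                 open_unsafe_types: bool = False) -> bool:
    """Decide whether a jar: load is permitted under the policy on this page.

    open_unsafe_types models network.jar.open-unsafe-types: True restores the
    old behaviour, False (the default) requires a safe Content-Type for any
    archive that is not a local file.  (Constructed model, not Mozilla's code.)
    """
    jar = parse_jar_url(url)
    scheme = urlsplit(jar.archive_url).scheme.lower()
    if scheme == "file":
        return True  # exempt here; CheckLoadURI still applies separately
    if open_unsafe_types:
        return True
    return normalize_content_type(content_type) in SAFE_JAR_TYPES


if __name__ == "__main__":
    # Constructed sample: a ZIP served as octet-stream is refused unless the pref is true.
    print(may_load_jar("jar:http://example.test/upload.zip!/x.js", "application/octet-stream"))
    print(may_load_jar("jar:http://example.test/app.jar!/x.js", "application/x-jar; q=1"))
```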

Recommended settings

Changing this preference to true is not recommended unless you have absolute control over the sites the browser is able to visit. While measures were taken to prevent content loaded via jar: from gaining undue permissions, requiring proper Content-Types is added protection.

First checked in

2007-11-26 by Dave Camp

Has an effect in

  • Mozilla Firefox (all versions since 2.0.0.10)
  • SeaMonkey (all versions since 1.1.7)

Related bugs

External links