b=155760 Changing content by JavaScript document.write => open insecure

lock icon r=javi sr=peterv
2025-01-24 13:52:37 +00:00 · 2003-04-19 14:04:59 +00:00 · 2003-04-19 14:04:59 +00:00 · f8d7c8b06d
commit f8d7c8b06d
parent ab361e2f48
1 changed files with 16 additions and 0 deletions
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
@ -539,6 +539,22 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
        // If a document loading gets triggered, we will see more events.
        return NS_OK;
      }
+
+      if (NS_SUCCEEDED(uri->SchemeIs("wyciwyg", &vs)) && vs)
+      {
+        // We ignore everything caused by wycywig == document.write/writeln
+        // and assume the same security status
+        // Unfortunately, this results in different lock icon states
+        // when using "back".
+        // 1) goto secure page => secure lock icon
+        // 2) trigger document.writeln() => still secure lock icon
+        //    (because we not change lock icon)
+        // 3) go to a different insecure page => insecure lock icon
+        // 4) press "back" button => still insecure lock icon
+        // To fix this, we could try to remember the security state in the 
+        // wyciwyg channel object.
+        return NS_OK;
+      }
    }
  }