solve URI scheme problems #447
Comments
|
I still think this is the way to go, but I'd use different names for the scheme types:
If an unknown scheme is detected, the user will see a bar which shows the scheme and buttons to allow or temporarily allow that scheme. |
|
I've re-read this and it looks good. |
mailto yes |
|
#409 seems to be a partly solution for this. In the pull request, nsINestedURI is used. |
|
I've temporarily worked around the problem with commit 583cb45. It will be included in 1.0.beta8. Currently it whitelists the schemes in the first comment. If an unknown scheme is detected in an URI without a host, the user gets notified. So if I wouldn't have whitelisted
The The workaround should be removed not later than for the stable 1.0 release. |
|
1.0beta8 solves the
So what is the plan to get rid of the workaround? I'd be fine with
|
IMHO what you propose is still a workaround (a better one though). I'm planning to integrate custom schemes into the menu. This is, an origin and a destination can be a host, or a scheme without a host, for example. |
|
Edit: total misunderstanding on my part. See below. |
no, sorry for being unclear. After this issue has been solved, link clicks will always be allowed. The issue about |
|
Ok. Nothing to see here, I misunderstood. Thanks for taking the time to explain. |
You're welcome :) |
|
Which link are you referring to @cm-mc? |
|
The link to the restartless build (I assume it had some sort of solution for this problem?), but I see now it has been removed. |
|
In this issue I can't find where the restartless build has been mentioned.
No, as far as I remember nothing has changed on the
Yes, I've removed the branch because I had merged it into |
|
Nvm then, thought this pointed to some sort of fix: |
|
Here is a page, that reproduces the issue for me: http://habrahabr.ru/company/dataline/blog/253609/#habracut. Not sure, what exactly triggers it — would be nice, of you were writing the faulty URI to browser console. |
|
@Alexander--: At least that page seems to load correctly; multiwebsearch just gives me a blank page... |
|
Came across this http://www.off-grid.net/tag/self-sufficiency and was dumped here by requestpolicycontinued. |
|
Just came across a 'ms-windows-store' scheme for Windows Metro desktop apps. See here http://apps.microsoft.com/windows/en-ca/app/chinese-english-dictionary/51d94dcb-ae64-4277-9b2b-ae0a809a314e. |
|
Also http://www.startmenu8.com/pt/index.html - the odd thing: this happened while rp blocking was disabled. |
|
This page contains an unknown https scheme: https://marvel.com/comics |
|
ms-word (unknown to Request Policy) |
|
Just wanted to report |
|
New report for unknown http: http://yasep.org/#_node_3_1 |
|
http://www.albedo100.com/resellers.html |
This commit adds a protocol handler named "rpc" to the Dev Helper extension. It will help testing requests that contain URIs without host, such as "rpc:foobar". See also #447.
|
Thank you for all your comments. Finally the main problem of this issue should be fixed. You will have to wait for the next release though, which should be ready next week. With that release, as commit aee58a1 says, it's possible to add rules which do not specify a host, but a scheme instead. However, note that there is no menu support yet – it's tracked in issue #619. Another part of this issue was about „nested URIs“. As this issue has grown a lot already, I've created a new issue for it, see issue #625. |
|
It still seems broken in youtube with 1.0.beta10. |
|
@thresheek What happens on Youtube? Does Youtube use a special scheme? |
|
@thresheek maybe you're seeing this issue: #626 |
The scheme workaround is not needed anymore. See RequestPolicyContinued#447.
|
I support this thread. The |
|
@Watilin please follow #724, as well as #619. You can work around the problem by manually adding an allow rule from |
The scheme workaround is not needed anymore. See RequestPolicyContinued#447.
and others
At the moment, RequestPolicy is designed to deal with Domain Names (wikipedia). But in fact RP has to deal with any kind of URI, and its syntax (see wikipedia) allows quite a lot.
One important part of the URI is the scheme; common examples are
http,httpsandftp, but it includes alsoabout,mailto,view-sourceand many others. In fact, it could be any arbitrary string, likeUT2004for example (see #412).As there are infinite possibilities for URI schemes, I'd like to generally block unknown schemes, but give the user the possibility to whitelist them. RP already has some hardcoded scheme rules (e.g. in
shouldLoad) – the user will have the ability to extend them.But, we have to keep one fact in mind: there are several non-http schemes which contain an http URI as its path (!).
Example:
view-source:https://github.com–view-sourceis the scheme,https://github.comis the path – this is how the specification is.In that case, we want to extract the "real URL" and check if this one is ok or should be rejected.
My proposal is to have several scheme lists:
normal:URIs with such schemes are processed as alwaysrecursive:URIs with that scheme will be checked for "child" URIswhitelist:requests with destination URIs with such a scheme are allowed directlyThe user may add schemes to the whitelist only.
Requests to unknown schemes will be blocked in general. (user will be informed)
Example schemes:
normal:http, https, ftprecursive:view-source (already implemented (hardcoded))whitelist:{resource, about, data, chrome, moz-icon, moz-filedata, blob, wyciwyg, javascript} (seeRequestPolicyService.prototype._isInternalRequest)Known schemes: (list partly taken from here)
about– conflict with firefusk #131, Allow about:blank as source by default #377, about:healthreport won't work with 1.0.0b3 #399, Cannot use new "Sign in to Sync" in Firefox 29.0 beta #426, (RequestPolicy 1.0.0b3 and KeeFox 1.3.1 conflict #427) – see also mozillazine and theabout:aboutpagechrome-extension(twitch #571)feed– conflict with RSS #395, SeaMonkey feeds not working with 1.0 #313, "Subscribe to This Page" browser feature breaks #386, Requestpolicy 1.0b3 prevent RSS icon subscription #372gopher(Conflict with OverbiteFF #311)jar– Fix requests to jar URIs always being treated as internal #409magnet– Magnet links don't work #410mailto– when clicking on links with custom schemes the resulting request gets blocked #362mediasource– Youtube's Center & DASH Playback (HTML5) #512, RequestPolicy#448 –(or blob?)for Media Source Extensionsmediastreamnxmspotify(Whitelisting spotify links doesn't work sensibly #296)UT2004(GoToMeeting links cannot be allowed #412)The text was updated successfully, but these errors were encountered: