Give a regular website permission to load `file://` as images

I created an about page in my addon. It is very good for perf if I use the flag URI_SAFE_FOR_UNTRUSTED_CONTENT. This makes it so Components and other XPCOM are not loaded; basically, it makes it a regular web page:

    getURIFlags: function(aURI) {
        return Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT | Ci.nsIAboutModule.ALLOW_SCRIPT | Ci.nsIAboutModule.URI_MUST_LOAD_IN_CHILD;
    },

I am making this load in content process (for e10s) so want it as friendly as possible (no xpcom).

However, an issue is that file:// images cannot be loaded. Currently I make a resource:// URI out of the file:// URI; however, this has issues: you can’t right-click and copy image location, or “open in new tab”; it gives a security error even with the resource:// URI.

Error given when I right-click and say “View Image” or “Save Image As” or any of the image functions really:

    Security Error: Content at about:nativeshot may not load or link to resource://nativeshot_file0/.
    uncaught exception: Load of resource://nativeshot_file0/ from about:nativeshot denied.

Is there any way to give it just permission to load file:// URIs? My addon is an image gallery (of screenshots on system).

I can’t find anything in the permissions panel to allow file://uri:

Some background in this and linked bugs.

You should be able to do this if you load the page as a file url. That used to work. So either that changed or the problem is coming from the about: scheme. I would have thought an about: url would be treated as local rather than remote, but apparently not.

Thanks, Litho, for the quick reply. If I don’t use URI_SAFE_FOR_UNTRUSTED_CONTENT then it works fine, but the page loads Components. The reason why I want to use this flag is because it’s recommended, especially if I don’t need any XPCOM etc. I just need to load file:// URIs into images.

Thanks for that bug! I suck at searching on bugzilla. I’ll try investigating in that direction. I’m thinking maybe tell CheckLoadURI that about:nativeshot is safe for this kind of stuff.

I think this is what I have to try to patch:

https://dxr.mozilla.org/mozilla-central/source/caps/nsScriptSecurityManager.cpp#891

I have to tell it to allow just my page to load file uri.

I guess there is no level of security between “nothing” and “everything”, and “nothing” obviously isn’t allowed to access local files.