Opened 16 years ago
Closed 16 years ago
#2296 closed Bug (fixed)
Permission denied error when clicking on files in file browser under domain relaxation
Reported by: | Martin Kou | Owned by: | Martin Kou |
---|---|---|---|
Priority: | Normal | Milestone: | FCKeditor 2.6.2 |
Component: | General | Version: | SVN (FCKeditor) - Retired |
Keywords: | Confirmed Firefox Review+ | Cc: |
Description
Reproduction procedure:
- Open sample01.html under domain relaxation mode.
- Open the image dialog.
- Click "Browse Server".
- Click on one of the uploaded image files.
- Permission denied error.
This bug affects both Firefox 2 and Firefox 3.
Attachments (2)
Change History (8)
Changed 16 years ago by
Attachment: | 2296.patch added |
---|
comment:1 Changed 16 years ago by
Keywords: | Review? added |
---|
comment:2 Changed 16 years ago by
Keywords: | Review- added; Review? removed |
---|
comment:3 Changed 16 years ago by
I don't think the domain relaxation stuff is unneeded for Firefox... We're having an issue in Firefox 2 and 3 here because the file browser dialog currently has a different document.domain than the main FCKeditor window.
Let's say I fired up sample01.html from www.fckeditor.local but document.domain is set to fckeditor.local inside sample01.html. Everything inside the window should have document.domain == 'fckeditor.local' or else they cannot interact with each other. If I open the file browser dialog from inside the image dialog, and print out the document.domain value with Firebug, the value would be www.fckeditor.local, which makes it impossible for the file browser to communicate with the main window in any way (thus SetUrl fails).
Applying the #2296 patch alone would cause a regression in #2117 in Firefox 2 because of Firefox 2's XMLHttpRequest bug, described here. Basically, what this means is, whenever we've set document.domain in Firefox 2, XMLHttpRequest will stop working the "normal way" in the sense that its responseXML attribute will always be inaccessible. The only way to fix this is to parse the responseText to an XML DOM ourselves. We've got the very same fix as #2117 in editor/_source/classes/fckxml_gecko.js for domain relaxation, so #2117 is just fixing a known bug. That is why I said #2117's patch has to be applied in conjunction with this ticket's patch to get a working dialog.
I don't really see any other way this issue can be fixed in JavaScript as domain checking is a very fundamental security feature in Firefox.
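The check described in comment 3, as a small model added here for illustration; it is not the contents of 2296.patch or any FCKeditor code. The origin objects, `canScript` and `relaxToward` are hypothetical names, port 80 is a constructed value, and the model leaves out the public-suffix rejection that real browsers apply to `document.domain`.

```javascript
// Simplified model of the browser's "same origin-domain" check.
// `domain` stays null until a page assigns document.domain.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Models `document.domain = value`: only the host itself or a parent
// suffix of it is accepted (public-suffix checks are omitted here).
function setDocumentDomain(origin, value) {
  if (value !== origin.host && !origin.host.endsWith('.' + value)) {
    throw new Error('SecurityError: ' + value);
  }
  return { ...origin, domain: value };
}

// True when window `a` is allowed to script window `b`.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  return false; // only one side set document.domain: always denied
}

// Hypothetical alignment loop for a child window: try its own host, then
// each parent suffix, until the opener becomes reachable. In a browser the
// canScript() call would be a try/catch around an opener property access.
function relaxToward(child, opener) {
  if (canScript(child, opener)) return child;
  let candidate = child.host;
  while (candidate) {
    const relaxed = setDocumentDomain(child, candidate);
    if (canScript(relaxed, opener)) return relaxed;
    const dot = candidate.indexOf('.');
    candidate = dot === -1 ? '' : candidate.slice(dot + 1);
  }
  return null; // no suffix matches: the windows stay isolated
}

// Constructed sample mirroring the ticket: sample01.html relaxed its
// domain, the file browser dialog did not.
const mainWindow = setDocumentDomain(
  makeOrigin('http', 'www.fckeditor.local', 80), 'fckeditor.local');
const fileBrowser = makeOrigin('http', 'www.fckeditor.local', 80);

console.log('before:', canScript(fileBrowser, mainWindow));
console.log('after :', relaxToward(fileBrowser, mainWindow).domain);
```

The same-host case is the one that surprises people: two windows served from an identical host still cannot script each other once only one of them has assigned `document.domain`.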
Changed 16 years ago by
Attachment: | 2296_2.patch added |
---|
comment:4 Changed 16 years ago by
Keywords: | Review? added; Review- removed |
---|
Proposing a new patch which merges the old patch with #2117's.
comment:5 Changed 16 years ago by
Keywords: | Review+ added; Review? removed |
---|
Tested the patch with IE6, IE7, FF2, FF3, Safari and Opera, with and without domain relaxation. Everything worked well ;)
comment:6 Changed 16 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed with [2108].
I've tested the patch, as well as #2115 and #1919 with FF2, FF3, IE6, IE7 and Safari, with and without document.domain. Almost everything worked well, except:
So, it seems that our domain relaxation stuff is not needed for FF2 in that case. We are almost there, but not there yet.