Security and the jar protocol

This article discusses security concerns with the jar: protocol, which only Firefox has ever implemented for Web content.

Note: Support for the jar: protocol was disabled by default for use from Web content beginning in Firefox 45, but was then re-enabled because the change broke the experience of IBM iNotes users. iNotes has since been updated so that it no longer needs remote jars, so remote jars have been disabled again in Firefox 55. You may re-enable the feature if necessary by setting the network.jar.block-remote-files preference to false.

Java Archive (JAR) files are simply Zip compressed bundles of files. Firefox 2.0.0.10 (and Firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar: protocol was used to load data.

Prior to this change, specifying the jar: protocol caused Firefox to assume that the file being retrieved was a JAR file, regardless of its MIME type (in other words, its MIME type was treated as application/zip, whatever it actually was). This meant that no matter what the file's real contents were, as far as Firefox was concerned, it was a Zip archive.

This ordinarily isn't a big deal, since site developers wouldn't deliberately publish dangerous files and serve them as Zip archives. However, if a site allows file uploads, Zip files are typically treated as relatively innocuous in that situation, since they're not executable.

Unless, of course, the browser thinks it's a JAR file.

So starting with Gecko 1.8.0.15 and 1.8.1.10, the jar: protocol is only allowed if the MIME type of the file is application/java-archive. A site that serves a file with that type is essentially promising that it has vetted the content and that it is in fact safe to download and execute. Any other file type results in an "Unsafe file type" error.
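The following Python model is an added example, not code from the MDN article or from Gecko. It reconstructs the behaviour described above: a `jar:<url>!/<entry>` URL is resolved by fetching the inner URL and opening it as a Zip archive, with the post-1.8.0.15 rule that only a response served as application/java-archive may be opened. The two hosts (`vendor.example`, `uploads.example`), the archive contents and the `fetch_constructed` function are constructed for the example; `looks_like_zip` is the kind of magic-byte check an upload handler can use to notice that a file with an image extension is actually an archive.

```python
# Added example (not from the MDN article): a model of the jar: handling
# described above, plus a magic-byte check for upload handlers.
import io
import re
import zipfile
from dataclasses import dataclass

JAR_URL_RE = re.compile(r"^jar:(?P<inner>[^!]+)!/(?P<entry>.*)$")
JAR_MIME = "application/java-archive"


class UnsafeFileType(Exception):
    """Stands in for Firefox's 'Unsafe file type' error."""


@dataclass
class Resource:
    content_type: str
    body: bytes


def parse_jar_url(url: str) -> tuple[str, str]:
    """Split 'jar:<inner-url>!/<entry>' into (inner-url, entry)."""
    m = JAR_URL_RE.match(url)
    if not m:
        raise ValueError(f"not a jar: URL: {url}")
    return m.group("inner"), m.group("entry")


def looks_like_zip(data: bytes) -> bool:
    """Zip data starts with a 'PK' local-file, end-of-central-directory or spanned marker."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def load_jar_entry(jar_url: str, fetch, enforce_mime: bool = True) -> bytes:
    """Resolve a jar: URL as Gecko did before (enforce_mime=False) and after the fix."""
    inner, entry = parse_jar_url(jar_url)
    res = fetch(inner)
    # Gecko 1.8.0.15 / 1.8.1.10: only application/java-archive may be opened as a JAR.
    media_type = res.content_type.split(";")[0].strip().lower()
    if enforce_mime and media_type != JAR_MIME:
        raise UnsafeFileType(f"{inner} served as {media_type!r}, not {JAR_MIME!r}")
    with zipfile.ZipFile(io.BytesIO(res.body)) as zf:
        return zf.read(entry)


# --- constructed sample data (hypothetical hosts and content) ---------------
SAMPLE_HTML = b"<html><body>page loaded from inside an archive</body></html>"


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", SAMPLE_HTML)
    return buf.getvalue()


ARCHIVE = build_sample_archive()

# One host deliberately serves a JAR; the other only meant to serve an
# uploaded "image", which happens to be the same Zip archive.
CONSTRUCTED_SITE = {
    "http://vendor.example/app.jar": Resource(JAR_MIME, ARCHIVE),
    "http://uploads.example/avatar.png": Resource("image/png", ARCHIVE),
}


def fetch_constructed(url: str) -> Resource:
    return CONSTRUCTED_SITE[url]


def outcome(jar_url: str, enforce_mime: bool) -> str:
    try:
        body = load_jar_entry(jar_url, fetch_constructed, enforce_mime)
        return "loaded" if body == SAMPLE_HTML else "loaded-other"
    except UnsafeFileType:
        return "unsafe-file-type"


def run_demo() -> dict:
    trusted = "jar:http://vendor.example/app.jar!/index.html"
    upload = "jar:http://uploads.example/avatar.png!/index.html"
    return {
        "trusted_before": outcome(trusted, False),   # old behaviour: both load
        "upload_before": outcome(upload, False),
        "trusted_after": outcome(trusted, True),     # fixed: only the JAR loads
        "upload_after": outcome(upload, True),
        "upload_is_zip": looks_like_zip(CONSTRUCTED_SITE["http://uploads.example/avatar.png"].body),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With `enforce_mime=False` both URLs yield the HTML entry, which is the pre-fix situation the article describes; with the MIME rule in place the upload is rejected with the "Unsafe file type" equivalent while the vendor's JAR still loads. The `looks_like_zip` check is the server-side complement: it lets an upload handler detect archive content regardless of the declared extension or Content-Type and decide its own policy for it.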
