Resource URLs - HTTP 编辑

Non-standard

This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

Resource URLs, URLs prefixed with the resource: scheme, are used by Firefox and Firefox browser extensions to load resources internally, but some of the information is available to sites the browser connects to as well.

Syntax

Resource URLs are composed of two parts: a prefix (resource:), and a URL pointing to the resource you want to load:

resource://<url>

An example:

resource://gre/res/svg.css

When arrows are found in the resource URL's ('->'), it means that the first file loaded the next one:

resource://<File-loader> -> <File-loaded>

Please refer to Identifying resources on the web for more general details.

In this article, we focus on resource URIs, which are used internally by Firefox to point to built-in resources.

Threats

Because some of the information shared by resource: URLs is available to websites, a web page could run internal scripts and inspect internal resources of Firefox, including the default preferences, which could be a serious security and privacy issue.

For example, a script on Browserleaks highlights what Firefox reveals when queried by a simple script running on the site (you can find the code in https://browserleaks.com/firefox).

The file firefox.js passes preference names and values to the pref() function. For example:

http://searchfox.org/mozilla-central/rev/48ea452803907f2575d81021e8678634e8067fc2/browser/app/profile/firefox.js

Web sites can easily collect Firefox default preferences by overriding this pref() function and using the script resource:///defaults/preferences/firefox.js.

Furthermore, some default values of preferences differ between build configurations, such as platform and locale, which means web sites could identify individual users using this information.

Solution

In order to fix this problem, Mozilla changed the behavior of loading resource: URIs in bug 863246, which landed in Firefox 57 (Quantum).

In the past, web content was able to access whatever resource: URIs were desired — not only Firefox’s internal resources, but also extensions’ assets.  Now this behavior is prohibited by default.

It is however still necessary for Firefox to load resources in web content under certain circumstances.  For example, if you open the view source page (View Page Source or View Selection Source), you will find it requires viewsource.css through a resource: URI.  Resources that have to be exposed to web content have been moved to a new location named resource://content-accessible/, which is isolated and only contains non-sensitive resources.  In this way we can keep essential resources exposed and have most threats eliminated.

Note: It is recommended that web and extension developers don’t try to use resource URLs anymore. Their usage was hacky at best, and most usage won’t work any more.

Specifications

resource: is not defined in any specification.

Browser compatibility

resource: is Firefox only.

See also

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:92 次

字数:5060

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文