Safely loading URIs

Not all URI loads are safe. For example, loading some file: URIs can hang the browser or, in some cases, even crash the operating system. Some other schemes are used internally by Mozilla modules to communicate with each other. Finally, some URIs (e.g. chrome:) give the loaded page expanded privileges. If a web page gets access to a window with such expanded privileges, it may be able to abuse it to gain those privileges itself.

To solve this problem, Gecko provides methods that allow the caller to check whether it's safe to load a particular URI. These methods are exposed on the nsIScriptSecurityManager interface and are called checkLoadURI, checkLoadURIWithPrincipal, and checkLoadURIStr. All three methods take three arguments: the first argument identifies the source of the URI, the second argument is the URI that one plans to load, and the third argument is a set of flags that can be used to impose additional restrictions on the URIs that may be loaded. It's important to make sure that the first argument to these methods identifies the source of the URI. So if you're implementing a context menu and you add a "View Image" option, the source of the image URI would be the page the image is in, not the chrome document the context menu code is in.

Differences between the methods

The three methods differ from each other in how the source of the URI is identified and in what is known about the URI to be loaded.

In general, the following guidelines apply for Gecko 1.8:

  1. If you plan to pass a URI string to nsIWebNavigation.loadURI (which can happen indirectly, e.g. by passing the string to something that loads it in a <browser> or <iframe>), you must call checkLoadURIStr to be secure. There's no way to do this completely securely in Gecko versions prior to 1.8.0.4.
  2. If you're doing anything else (passing a URI string to some other API like window.open or <img src="">, passing a URI object to an API that loads URI objects, etc.) use whichever method best fits the data you can get your hands on. If you have a choice as to what data you have, prefer checkLoadURIWithPrincipal to checkLoadURI and prefer checkLoadURI to checkLoadURIStr. Note that checkLoadURIWithPrincipal is not scriptable in Gecko 1.8, so extensions are not able to use it.
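The following JavaScript is an added illustration, not code from this page or from Gecko. It is a deliberately simplified model of the checkLoadURI* policy: a scheme privilege table (`PRIVILEGE`), a subset of flag names mirroring nsIScriptSecurityManager with values that are the model's own (`FLAGS`), and a `checkLoadURIStr` that returns a verdict instead of throwing. The `viewImage` handler shows the point made above about the "View Image" context menu: the source argument must be the page containing the image, and if the chrome document is passed as the source instead, the check passes for any target. The contract ID in the comment is the real one; everything else is assumed for this example.

```javascript
// Added example (not Gecko's own code): a simplified model of the
// checkLoadURI* policy, enough to show why the "source" argument matters.
// Assumptions: the scheme classes and flag values below are this model's
// own; Gecko's real rules live in nsScriptSecurityManager and are more
// detailed (e.g. the file: same-origin rules added in Gecko 1.9).

// Privilege classes. A load is refused when the target scheme is more
// privileged than the source scheme.
const PRIVILEGE = {
  chrome: 3, resource: 3,     // expanded (chrome-level) privileges
  file: 2,                    // local files: can hang/crash, expose disk
  http: 1, https: 1, ftp: 1,  // ordinary web content
  about: 1,
  javascript: 0, data: 0,     // inherit the loader's privileges
};

// Flag names mirror nsIScriptSecurityManager; the values are the model's.
const FLAGS = {
  STANDARD: 0,
  DISALLOW_SCRIPT_OR_DATA: 8,
  DISALLOW_SCRIPT: 16,
};

// Scheme of a URI string, lower-cased, or null if it has none.
function schemeOf(uriStr) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(String(uriStr).trim());
  return m ? m[1].toLowerCase() : null;
}

// Model of checkLoadURIStr(source, target, flags). Returns
// { allowed, reason }; the real XPCOM method throws on denial.
function checkLoadURIStr(sourceURI, targetURI, flags = FLAGS.STANDARD) {
  const src = schemeOf(sourceURI);
  const dst = schemeOf(targetURI);
  if (src === null || dst === null) {
    return { allowed: false, reason: "URI has no scheme" };
  }
  if (!(src in PRIVILEGE) || !(dst in PRIVILEGE)) {
    return { allowed: false, reason: "unknown scheme: " + (src in PRIVILEGE ? dst : src) };
  }
  if ((flags & FLAGS.DISALLOW_SCRIPT) && dst === "javascript") {
    return { allowed: false, reason: "DISALLOW_SCRIPT" };
  }
  if ((flags & FLAGS.DISALLOW_SCRIPT_OR_DATA) && (dst === "javascript" || dst === "data")) {
    return { allowed: false, reason: "DISALLOW_SCRIPT_OR_DATA" };
  }
  if (PRIVILEGE[dst] > PRIVILEGE[src]) {
    return { allowed: false, reason: src + ": may not load " + dst + ":" };
  }
  return { allowed: true, reason: "ok" };
}

// "View Image" context-menu handler. The source of the image URI is the
// page the image is in (pageURI), NOT the chrome document running this
// code. Returns the URI to load, or null plus the denial reason.
function viewImage(pageURI, imageURI) {
  const verdict = checkLoadURIStr(pageURI, imageURI, FLAGS.DISALLOW_SCRIPT);
  return verdict.allowed
    ? { load: imageURI, denied: null }
    : { load: null, denied: verdict.reason };
}

// In real chrome code (assumed shape, not runnable outside Gecko):
//   const Ci = Components.interfaces;
//   const secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
//                    .getService(Ci.nsIScriptSecurityManager);
//   secMan.checkLoadURIStr(pageURI, imageURI, Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);

// Constructed demo values: a web page whose <img> points at a local file.
const CHROME_DOC = "chrome://browser/content/browser.xul";
const PAGE = "http://example.com/page.html";
const IMG = "file:///home/user/notes.txt";

// Correct: source is the page -> denied. Buggy: source is the chrome
// document -> allowed, which is exactly the escalation the text warns about.
function demo() {
  return {
    correct: viewImage(PAGE, IMG),
    buggy: viewImage(CHROME_DOC, IMG),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The model keeps only the ordering that matters for the discussion: chrome and file targets are refused to web sources, and the DISALLOW_SCRIPT flag refuses javascript: regardless of source. Gecko's real check is stricter and more detailed, and checkLoadURIStr signals denial by throwing rather than returning a value, so chrome code should wrap the call in try/catch and treat an exception as "do not load".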

Changes in Gecko 1.9

A key security change in Gecko 1.9 is the addition of the new security.fileuri.strict_origin_policy preference. This Boolean preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same origin policy on file: URIs.

See Same-origin policy for file: URIs for details.