Jonas Sicking wrote:
>> Can we just remove that? Shouldn't the CheckLoadURI check it does
>> handle this?
> That it does where? TriggerLink calls CheckLoadURIWithPrincipal, but
> that doesn't seem to have enough info to dig back to the DocShell
That's true, but it passes the flag that tells the security manager to deny if
the link is coming from a document loaded via any of the mailnews protocols.
So I guess the real question is what sort of check we want here. Do we care to
do this for an http:// document loaded in a mailnews docshell, e.g.?
Boris Zbarsky wrote:
> Boris Zbarsky wrote:
>> So I guess the real question is what sort of check we want here. Do
>> we care to do this for an http:// document loaded in a mailnews
>> docshell, e.g.?
> Put another way, should this really be doing a more stringent check than
> <meta refresh> does?
That does seem unnecessary I agree, but I do wonder if the right thing
isn't to add the checks to <meta refresh> rather than to remove them
from auto xlinks...