dadler / thumbnail-zoom

Thumbnail Zoom Plus is a Firefox plug-in which shows a full-size image pop-up when you hover over a thumbnail or image link. When you hover your mouse over a thumbnail or an image or video link, the add-on displays the full-size image or video still-frame in a floating window. Supported sites include Amazon, Bing, Facebook, Flickr, Google, IMDb, LinkedIn, Netflix, Pinterest, Reddit, Tumblr, Twitter, Yandex.ru, YouTube, Wikipedia, WordPress, Yahoo Images, and many more.

Does not run on local files #209

Closed Hakkin closed 9 years ago

Hakkin commented 9 years ago

I assume this is known about, since it's specifically mentioned in TestCase.html to run it on a local HTTP server, but is there a specific reason for it? Is it a limitation of Firefox? I have other plugins that seem to run fine on local files.

dadler commented 9 years ago

It's mainly a security consideration. Perhaps I'm a little paranoid but I was concerned that allowing file:// might give a path for sites to access the local filesystem (perhaps exploiting a browser bug so that viewing a file:// might give the site a path to modify it).

Also, file:// links don't have a host server to use for things like checking what rules to use. That wouldn't have to prevent basic usage like linking to an image from working, but it might mean local copies of some sites wouldn't work.

What's the use case where you'd like to do this?

Do you want the html file to be local, the images to be local, or both?

Hakkin commented 9 years ago

I can understand not loading files from file://, and I think that's fine. My use case was loading links from a local html file, which doesn't seem to work either, and I can't think of any security concern it would have.

dadler commented 9 years ago

I've merged your change; thanks.

I also added some security to prevent trying to load a web page for Others (Indirect) from file://.

dadler commented 9 years ago

One small problem I see is that file:// has no host so the user can't prevent pop-ups from local html files using the Disabled Sites preferences tab.

Hakkin commented 9 years ago

If you could allow arbitrary regex to be used in the disabled sites box (against the href), that could work. Though, testing the disabled sites box, it would probably have to be changed quite a bit, since it seems the disabled site entries don't even allow spaces currently (I assume they're split(" "), but I haven't checked the code yet).

It would also probably be a useful change in general. I was thinking it could either be toggled with a check box, or maybe anything within matching /'s could just be parsed as regex.

dadler commented 9 years ago

I just pushed a fix for 'disabled sites'. It turns out that the pattern matching was already working for file://... The only problem was that the "Add" button for adding the current page didn't have any value for file:// pages.

I changed it to offer to add the full page URL when it's a file:// reference.
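The behaviour discussed in this thread can be sketched as follows. This is an added example, not code from Thumbnail Zoom Plus: the function names, the `*` glob syntax for disabled-site entries, and the rule that only http(s) targets are fetched are assumptions made for illustration, and the paths and hosts are constructed.

```javascript
// Added illustration; all names and the glob syntax are hypothetical.

// Value an "Add current page" button could offer for the disabled list:
// the host for web pages, the full URL for file:// pages (which have no host).
function siteKeyFor(pageUrl) {
  const u = new URL(pageUrl);
  return u.protocol === "file:" ? u.href : u.host;
}

// Turn a disabled-list entry into an anchored, case-insensitive RegExp.
// Only "*" is special; every other regex metacharacter is escaped.
function globToRegExp(entry) {
  const escaped = entry
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// True when pop-ups should be suppressed on the given page.
function isDisabled(pageUrl, entries) {
  const key = siteKeyFor(pageUrl);
  return entries.some((entry) => globToRegExp(entry).test(key));
}

// Scheme allow-list for the hovered link (assumption): a local HTML page may
// link to remote images, but a file:// target is never read by the add-on.
function mayLoad(pageUrl, linkUrl) {
  const target = new URL(linkUrl, pageUrl); // resolves relative links
  return target.protocol === "http:" || target.protocol === "https:";
}

// Constructed sample values.
const localPage = "file:///home/user/saved/page.html";
const disabledEntries = ["*.example.com", "file:///home/user/saved/*"];

console.log(siteKeyFor(localPage));                    // full URL, since host is ""
console.log(isDisabled(localPage, disabledEntries));   // matched by the file:// entry
console.log(mayLoad(localPage, "img/full.jpg"));       // resolves to file://, refused
console.log(mayLoad(localPage, "https://example.com/full.jpg"));
```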