Closed
Bug 102262
Opened 23 years ago
Closed 23 years ago
Redirects: non http|https URLs allowed in location response header?
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
VERIFIED
FIXED
Future
People
(Reporter: benc, Assigned: darin.moz)
References
()
Details
In bug 84128, kurt prposed that a HTTP redirect might have a file URL.
------- Additional Comments From Kurt Swanson 2001-09-22 19:06 -------
I fail to see how this is a security issue. If I choose to click on a link that
goes to my local site, who is this going to hurt, and how? The referring page's
server can't do anything with this, nor even be aware that the user has selected
the link. Let's even assume that the malicious web site has placed a file on my
local machine (somehow), and tricks me into accessing it through a file: link.
What damage could mozilla do by loading this file?
In bug 101207, this case was discussed further. CheckloadURI will stop this, but
if it is off, the question, is this legal? If not, we should ignore non-html
related URLs in a redirect.
Assignee | ||
Comment 3•23 years ago
|
||
this bug can be closed now that the patch for bug 141061 went in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 5•22 years ago
|
||
Verified per comment #3.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh
You need to log in
before you can comment on or make changes to this bug.
Description
•