Closed Bug 1029243 Opened 10 years ago Closed 9 years ago

(shumway) Asterisk in token name should not be allowed

Tracking

(Not tracked)

Status:

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Description

•

10 years ago

Consider the case of content on http://foo.com accessing a site with this policy file: <cross-domain-policy> <allow-access-from domain="*foo.com" /> </cross-domain-policy> Expected: Should not load, because foo.com != *foo.com Actual: Data loads Policy file spec - see Appendix - Domain matching: http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Updated

•

10 years ago

Blocks: 1029228

Whiteboard: [shumway]

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Comment 1

•

10 years ago

Clarification: This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Chris Peterson [:cpeterson]

Updated

•

10 years ago

Blocks: shumway-m4

Chris Peterson [:cpeterson]

Comment 2

•

9 years ago

Till recommends that Yury look into these security issues.

Assignee: nobody → ydelendik

Nobody; OK to take it and work on it

Updated

•

9 years ago

Product: Firefox → Firefox Graveyard

Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → INCOMPLETE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

(shumway) Asterisk in token name should not be allowed

Categories

(Firefox Graveyard :: Shumway, defect)

Tracking

(Not tracked)

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Updated

Comment 2

Updated

Updated