Closed Bug 1029244 Opened 10 years ago Closed 9 years ago

(shumway) Asterisk should not be allowed in top-level domain token

Tracking

(Not tracked)

Status:

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Description

•

10 years ago

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs. Consider the case of content on http://foo.com accessing the site http://foo.org with this policy file: <cross-domain-policy> <allow-access-from domain="foo.*" /> </cross-domain-policy> Expected: Should not load - wildcard not allowed in TLD Actual: Data loads Policy file spec - see Appendix - Domain matching: http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Updated

•

10 years ago

Blocks: 1029228

Whiteboard: [shumway]

Chris Peterson [:cpeterson]

Updated

•

10 years ago

Blocks: shumway-m4

Chris Peterson [:cpeterson]

Comment 1

•

9 years ago

Till recommends that Yury look into these security issues.

Assignee: nobody → ydelendik

Nobody; OK to take it and work on it

Updated

•

9 years ago

Product: Firefox → Firefox Graveyard

Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → INCOMPLETE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

(shumway) Asterisk should not be allowed in top-level domain token

Categories

(Firefox Graveyard :: Shumway, defect)

Tracking

(Not tracked)

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 1

Updated

Updated