Closed
Bug 606555
Opened 14 years ago
Closed 7 years ago
Access-Control-Allow-Origin header appears not to work with about:home
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INVALID
People
(Reporter: lorchard, Unassigned)
For Bug 592431, I'm trying to build a snippet server to which about:home will send requests using XMLHttpRequest to an external server (e.g. http://snippets.mozilla.com/).
Requests fail when I issue this header in a response:
Access-Control-Allow-Origin: about:home
Requests succeed when I change the header to this instead:
Access-Control-Allow-Origin: *
We'd like this to be less specific, though. Is this expected behavior?
Updated•14 years ago
Component: Security → DOM
Product: Firefox → Core
QA Contact: firefox → general
Comment 1•14 years ago
Just for fun, can you try these header values?
moz-safe-about:home
chrome://browser/content/aboutHome.xhtml
Comment 2•14 years ago
Per spec, the origin of about:home is a nonce origin, and attempting to convert it to a string produces the string "null". So (again, per spec), there is no way to match the origin of about:home.
Now maybe we should be giving about:home a different origin...
Comment 3•14 years ago
Boris/Gavin - this bug blocks the snippet service bug: https://bugzilla.mozilla.org/show_bug.cgi?id=592431 which we're trying to get into Fxb 12 - code freeze this Friday.
Is this still a blocker? If so what are next steps?
Reporter
Comment 4•14 years ago
FWIW, I don't think this is a blocker as far as security review is concerned:
https://bugzilla.mozilla.org/show_bug.cgi?id=592431#c40
At least, not yet, and maybe not in the future since snippets will be behind SSL.
Comment 5•14 years ago
> Is this still a blocker?
It's not a Gecko blocker at the moment, no.
Again, about:home is using a nonce origin. So the behavior observed is correct, given that premise. The Access-Control-Allow-Origin stuff is really not designed to work with non-authority schemes like about:.....
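The origin comparison described in comments 2 and 5, as an added example that is not part of the bug thread and is not Gecko code. It assumes the URL Standard's origin serialization (as exposed by the `URL` class in Node.js or a browser) and a simplified, non-credentialed Access-Control-Allow-Origin check; the function names are hypothetical.

```javascript
// Added example: a model of the check discussed in this bug, not Gecko's code.

// Serialize a document URL's origin as the URL Standard does:
// "scheme://host[:port]" for authority-based schemes such as https,
// and the string "null" for schemes without an authority (about:, data:, ...).
function serializedOrigin(documentUrl) {
  return new URL(documentUrl).origin;
}

// Simplified CORS check for a request sent without credentials:
// the response header must be "*" or equal the serialized origin exactly.
function corsAllows(documentUrl, allowOriginHeader) {
  if (typeof allowOriginHeader !== "string") return false;
  const value = allowOriginHeader.trim();
  if (value === "*") return true;
  return value === serializedOrigin(documentUrl);
}

// Evaluate the header values tried or suggested in the thread, plus "null".
function evaluateThreadHeaders() {
  const page = "about:home";
  const headers = [
    "about:home",                                // fails: origin serializes to "null"
    "moz-safe-about:home",                       // fails for the same reason
    "chrome://browser/content/aboutHome.xhtml",  // a URL, not a serialized origin
    "*",                                         // succeeds, but for every origin
    "null",                                      // matches any "null" origin, not only about:home
  ];
  return headers.map((header) => ({ header, allowed: corsAllows(page, header) }));
}

// "null" does not identify about:home: a data: document serializes the same way.
function nullIsAmbiguous() {
  return serializedOrigin("about:home") === serializedOrigin("data:text/html,constructed");
}

console.log(serializedOrigin("about:home"));
console.table(evaluateThreadHeaders());
console.log("null is shared by other opaque origins:", nullIsAmbiguous());
```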
Comment 6•7 years ago
Closing as INVALID given lack of interest.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Assignee
Updated•6 years ago
Component: DOM → DOM: Core & HTML