Closed Bug 1029244 Opened 10 years ago Closed 8 years ago

(shumway) Asterisk should not be allowed in top-level domain token

Categories

(Firefox Graveyard :: Shumway, defect)

Product:
Firefox Graveyard
Component:
Shumway
Version:
32 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway]) 

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Consider the case of content on http://foo.com accessing the site http://foo.org with this policy file:

<cross-domain-policy>
	<allow-access-from domain="foo.*" />
</cross-domain-policy>


Expected:
Should not load - wildcard not allowed in TLD

Actual: 
Data loads

Policy file spec - see Appendix - Domain matching:
http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html
Blocks: 1029228
Whiteboard: [shumway]
Till recommends that Yury look into these security issues.
Assignee: nobody → ydelendik
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.