Open
Bug 494578
Opened 15 years ago
Updated 2 years ago
cross-site ajax detection not understanding domain equality fully
Categories
(Core :: Security, defect)
UNCONFIRMED
People
(Reporter: brian, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

When trying to use an ajax handler on a webpage, I get the following error:

Security Error: Content at http://kingston.kijiji.ca./c-ViewAd?AdId=130029489 may not load data from http://kingston.kijiji.ca/c-ReportProblemByAjax?AdId=130029489&ViolationType=1.

It's subtle, but notice the difference in the domains of the two URLs. One is fully qualified, including the terminating dot at the end, and the other is "almost" fully qualified but missing the terminating dot. Should those two domains not be considered equal for purposes of determining cross-site access or not?

Reproducible: Always
Comment 1•15 years ago
Same-origin policy needs to be strict. Different virtual hosts on the same server are not treated as same origin - this is no different. "example.com" and "example.com." always resolve to the same IP address but the server might still treat them as different virtual hosts. IMHO this should be WONTFIX. Note that the way bug 368702 was fixed we don't even treat these host names as being in same domain - so they cannot share cookies for example. They cannot set document.domain to the same value either.
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → toolkit
Hardware: x86 → All
Version: unspecified → Trunk
Updated•2 years ago
Severity: normal → S3