494578 - cross-site ajax detection not understanding domain equality fully

Status: UNCONFIRMED

(Core :: Security, defect)

Description

[Brian Murrell]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

When trying to use an ajax handler on a webpage, I get the following error:

Security Error: Content at http://kingston.kijiji.ca./c-ViewAd?AdId=130029489 may not load data from http://kingston.kijiji.ca/c-ReportProblemByAjax?AdId=130029489&ViolationType=1.

It's subtle, but notice the difference in the domains of the two URLs.  one is fully qualified, including the terminating dot at the end and the other is "almost" fully qualified but missing the terminating dot.

Should those two domains not be considered equal for purposes of determining cross-site access or not?

Reproducible: Always

Comment 1

[Wladimir Palant]

Same-origin policy needs to be strict. Different virtual hosts on the same server are not treated as same origin - this is no different. "example.com" and "example.com." always resolve to the same IP address but the server might still treat them as different virtual hosts. IMHO this should be WONTFIX.

Note that the way bug 368702 was fixed we don't even treat these host names as being in same domain - so they cannot share cookies for example. They cannot set document.domain to the same value either.