Closed Bug 102262 Opened 18 years ago Closed 18 years ago

Redirects: non http|https URLs allowed in location response header?

Categories

(Core :: Networking: HTTP, defect)


Tracking

VERIFIED FIXED
Future

People

(Reporter: benc, Assigned: darin.moz)

In bug 84128, Kurt proposed that an HTTP redirect might have a file URL.

------- Additional Comments From Kurt Swanson 2001-09-22 19:06 -------

I fail to see how this is a security issue.  If I choose to click on a link that
goes to my local site, who is this going to hurt, and how?  The referring page's
server can't do anything with this, nor even be aware that the user has selected
the link.  Let's even assume that the malicious web site has placed a file on my
local machine (somehow), and tricks me into accessing it through a file: link. 
What damage could mozilla do by loading this file?

In bug 101207, this case was discussed further. CheckloadURI will stop this, but
if it is off, the question is: is this legal? If not, we should ignore non-html
related URLs in a redirect.
darin: what should happen?
Assignee: neeti → darin
-> future
Target Milestone: --- → Future
this bug can be closed now that the patch for bug 141061 went in.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Good. What a relief.
Verified per comment #3.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh
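
The check the description asks about, ignoring a redirect whose `Location` is not an http or https URL, written as an added example; it is not part of the original bug thread and is not Mozilla's code or the patch from bug 141061. The function name `checkRedirect`, the sample URLs and the reason strings are assumptions made for illustration.

```javascript
// Added example, not Mozilla code: allow only http/https redirect targets.
const ALLOWED_REDIRECT_SCHEMES = new Set(["http:", "https:"]);

// Resolve the Location value against the request URL, then check the scheme
// of the parsed result (never a string prefix, which misses case and
// whitespace variants such as "FILE:" or a leading space).
function checkRedirect(requestUrl, locationHeader) {
  if (typeof locationHeader !== "string" || locationHeader.trim() === "") {
    return { follow: false, reason: "missing Location header" };
  }
  let target;
  try {
    // Relative and scheme-relative values inherit the request's scheme.
    target = new URL(locationHeader.trim(), requestUrl);
  } catch (err) {
    return { follow: false, reason: "unparseable Location header" };
  }
  if (!ALLOWED_REDIRECT_SCHEMES.has(target.protocol)) {
    return {
      follow: false,
      reason: `scheme ${target.protocol} not allowed in redirect`,
    };
  }
  return { follow: true, url: target.href };
}

// Constructed sample (request URL, Location header) pairs.
const SAMPLES = [
  ["http://example.com/a/b", "/login"],
  ["https://example.com/", "//cdn.example.net/x"],
  ["http://example.com/", "file:///etc/hosts"],
  ["http://example.com/", " FILE:///C:/boot.ini"],
  ["http://example.com/", "ftp://example.com/pub"],
  ["http://example.com/", "http://bad host/"],
];

// Returns one decision per sample, in order.
function runSamples() {
  return SAMPLES.map(([req, loc]) => checkRedirect(req, loc).follow);
}

console.log(runSamples());
```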