Closed Bug 1029243 Opened 10 years ago Closed 9 years ago

(shumway) Asterisk in token name should not be allowed

Tracking

(Not tracked)

Status:

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Description

•

10 years ago

Consider the case of content on http://foo.com accessing a site with this policy file: <cross-domain-policy> <allow-access-from domain="*foo.com" /> </cross-domain-policy> Expected: Should not load, because foo.com != *foo.com Actual: Data loads Policy file spec - see Appendix - Domain matching: http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Updated

•

10 years ago

Blocks: 1029228

Whiteboard: [shumway]

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Comment 1

•

10 years ago

Clarification: This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Chris Peterson [:cpeterson]

Updated

•

10 years ago

Blocks: shumway-m4

Chris Peterson [:cpeterson]

Comment 2

•

9 years ago

Till recommends that Yury look into these security issues.

Assignee: nobody → ydelendik

Nobody; OK to take it and work on it

Updated

•

9 years ago

Product: Firefox → Firefox Graveyard

Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → INCOMPLETE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

(shumway) Asterisk in token name should not be allowed

Categories

(Firefox Graveyard :: Shumway, defect)

Tracking

(Not tracked)

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Updated

Comment 2

Updated

Updated