(shumway) Asterisk should not be allowed in top-level domain token

RESOLVED INCOMPLETE

4 years ago
3 years ago

People

(Reporter: mwobensmith, Assigned: yury)

Tracking

32 Branch

Details

(Whiteboard: [shumway])

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Consider the case of content on http://foo.com accessing the site http://foo.org with this policy file:

<cross-domain-policy>
	<allow-access-from domain="foo.*" />
</cross-domain-policy>


Expected:
Should not load - wildcard not allowed in TLD

Actual: 
Data loads

Policy file spec - see Appendix - Domain matching:
http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html
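
Added example, not part of the original report and not Shumway's code: a fail-closed matcher for the domain attribute of allow-access-from, showing the report's foo.* case being rejected. It assumes an asterisk is valid only on its own or as the whole leftmost label (*.suffix); the function names and sample hosts are constructed for illustration.

```javascript
// Added example; parseDomainPattern and domainAllowed are hypothetical names,
// not Shumway or Flash Player APIs.

// Parse an allow-access-from "domain" value. Returns null for any pattern
// this sketch treats as invalid, so the caller can fail closed.
function parseDomainPattern(pattern) {
  const p = String(pattern).trim().toLowerCase();
  if (p === '*') return { kind: 'any' };
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // keep the leading dot: ".foo.com"
    // Reject a second asterisk or an empty label anywhere in the suffix.
    if (suffix.includes('*') || suffix.slice(1).split('.').includes('')) {
      return null;
    }
    return { kind: 'suffix', suffix };
  }
  // Any other asterisk ("foo.*", "f*o.com", "www.*.com") is invalid.
  if (p === '' || p.includes('*')) return null;
  return { kind: 'exact', host: p };
}

// Decide whether content served from requesterHost is granted access.
function domainAllowed(pattern, requesterHost) {
  const rule = parseDomainPattern(pattern);
  if (rule === null) return false; // an invalid pattern grants nothing
  const host = String(requesterHost).trim().toLowerCase().replace(/\.$/, '');
  if (rule.kind === 'any') return true;
  if (rule.kind === 'exact') return host === rule.host;
  // Assumption of this sketch: "*.foo.com" covers subdomains only,
  // not the bare "foo.com".
  return host.length > rule.suffix.length && host.endsWith(rule.suffix);
}

// Constructed cases: [domain attribute, requesting host, expected result]
const CASES = [
  ['foo.*', 'foo.com', false], // the policy from this report
  ['*.foo.com', 'www.foo.com', true],
  ['*.foo.com', 'notfoo.com', false], // suffix must start at a label boundary
  ['foo.com', 'foo.com', true],
  ['*', 'foo.com', true],
];

function runCases() {
  return CASES.every(([p, h, expected]) => domainAllowed(p, h) === expected);
}
```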
(Reporter)

Updated

4 years ago
Blocks: 1029228
Whiteboard: [shumway]
Blocks: 1037580
Till recommends that Yury look into these security issues.
Assignee: nobody → ydelendik
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE