Closed Bug 1029250 Opened 10 years ago Closed 8 years ago

(shumway) Nested child nodes should be disallowed in policy files

Categories

(Firefox Graveyard :: Shumway, defect)

32 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Consider the case of content on http://foo.com accessing a site with this policy file:

<cross-domain-policy>
	<allow-access-from domain="*"/>
	<cross-domain-policy>
		<allow-access-from domain="*"/>
	</cross-domain-policy>
</cross-domain-policy>


Expected:
Should not load - nested elements not allowed

Actual: 
Data loads

Policy file spec:
http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html
Blocks: 1029228
Whiteboard: [shumway]
Till recommends that Yury look into these security issues.
Assignee: nobody → ydelendik
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.