Closed Bug 1029250 Opened 10 years ago Closed 9 years ago

(shumway) Nested child nodes should be disallowed in policy files

Tracking

(Not tracked)

Status:

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Description

•

10 years ago

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Consider the case of content on http://foo.com accessing a site with this policy file:

<cross-domain-policy>
	<allow-access-from domain="*"/>
	<cross-domain-policy>
		<allow-access-from domain="*"/>
	</cross-domain-policy>
</cross-domain-policy>


Expected:
Should not load - nested elements not allowed

Actual: 
Data loads

Policy file spec:
http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html

Matt Wobensmith [:mwobensmith][:matt:]

Reporter

Updated

•

10 years ago

Blocks: 1029228

Whiteboard: [shumway]

Chris Peterson [:cpeterson]

Updated

•

10 years ago

Blocks: shumway-m4

Chris Peterson [:cpeterson]

Comment 1

•

9 years ago

Till recommends that Yury look into these security issues.

Assignee: nobody → ydelendik

Nobody; OK to take it and work on it

Updated

•

9 years ago

Product: Firefox → Firefox Graveyard

Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → INCOMPLETE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

(shumway) Nested child nodes should be disallowed in policy files

Categories

(Firefox Graveyard :: Shumway, defect)

Tracking

(Not tracked)

People

(Reporter: mwobensmith, Assigned: yury)

References

Details

(Whiteboard: [shumway])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 1

Updated

Updated