Closed Bug 1029259 Opened 10 years ago Closed 8 years ago

(shumway) Data loading from secure sites by HTTP content should be disallowed

Categories

(Firefox Graveyard :: Shumway, defect)

32 Branch
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: mwobensmith, Unassigned)

Details

(Whiteboard: [shumway])

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Content on an HTTP site should never be able to load content from an HTTPS location unless the HTTPS site has a policy file that explicitly allows that content's domain *and* uses the secure="false" attribute.

It appears that currently - by default - HTTP content can load HTTPS content from the same domain. 

Caveat:
I don't have access to the root directory of an SSL-enabled server, so I've been relying on the behavior of bug 1029253 (redirects) to reproduce. If we remedy that - and we implement metapolicy (bug 1029258) - I can revisit this.
Blocks: 1029228
Whiteboard: [shumway]
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
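
The rule stated in the report, written out as an added example (not Shumway's code and not the reporter's): a check that decides whether content may load data, given the target host's policy file. The function names, the regex-based parsing, the wildcard handling and the sample policies are assumptions made for illustration.

```javascript
// Constructed sample policy files for an HTTPS host.
const POLICY_DEFAULT = '<cross-domain-policy>' +
  '<allow-access-from domain="www.example.com"/></cross-domain-policy>';
const POLICY_INSECURE_OK = '<cross-domain-policy>' +
  '<allow-access-from domain="www.example.com" secure="false"/></cross-domain-policy>';

// Extract <allow-access-from> rules. Regex parsing keeps the example
// dependency-free; a real loader would use a proper XML parser.
function parsePolicy(xml) {
  const rules = [];
  const tagRe = /<allow-access-from\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    if (attrs.domain === undefined) continue;
    rules.push({
      domain: attrs.domain.toLowerCase(),
      // secure defaults to true: only HTTPS requesters are granted access.
      secure: attrs.secure === undefined || attrs.secure.toLowerCase() !== 'false',
    });
  }
  return rules;
}

// Assumption of this example: "*.x" matches subdomains of x, not x itself.
function domainMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// policyXml is the target host's policy file, or null when none was served.
function mayLoad(contentUrl, targetUrl, policyXml) {
  const content = new URL(contentUrl);
  const target = new URL(targetUrl);
  // Same scheme, host and port: no policy file required.
  if (content.origin === target.origin) return true;
  // Same host over a different scheme is NOT same-origin: fall through.
  if (!policyXml) return false;
  return parsePolicy(policyXml).some((rule) =>
    domainMatches(rule.domain, content.hostname) &&
    // An HTTPS target with secure=true rejects any non-HTTPS requester.
    !(target.protocol === 'https:' && rule.secure && content.protocol !== 'https:'));
}
```
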