(shumway) Data loading from secure sites by HTTP content should be disallowed

RESOLVED INCOMPLETE

Status

--
major
RESOLVED INCOMPLETE
4 years ago
3 years ago

People

(Reporter: mwobensmith, Unassigned)

Tracking

32 Branch

Details

(Whiteboard: [shumway])

This pertains to content that loads data via flash.net.URLLoader, but likely affects all Flash data-loading APIs.

Content on an HTTP site should never be able to load content from an HTTPS location unless the HTTPS site has a policy file that explicitly allows that content's domain *and* uses the secure="false" attribute.

It appears that currently - by default - HTTP content can load HTTPS content from the same domain. 

Caveat:
I don't have access to the root directory of an SSL-enabled server, so I've been relying on the behavior of bug 1029253 (redirects) to reproduce. If we remedy that - and we implement metapolicy (bug 1029258) - I can revisit this.
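
The rule stated in the report, sketched as a policy check. This is an added example, not part of the original report and not Shumway code: the function names and sample policy are constructed, the regex stands in for a real XML parser, and subdomain wildcard patterns are left out.

```javascript
// Hypothetical helper names; constructed for illustration only.

// Collect <allow-access-from> rules from a cross-domain policy file.
function parsePolicy(xml) {
  const rules = [];
  const tagRe = /<allow-access-from\s([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1]] = a[2];
    if (attrs.domain !== undefined) {
      // secure defaults to true: only HTTPS-loaded content is granted access.
      rules.push({ domain: attrs.domain.toLowerCase(), secure: attrs.secure !== 'false' });
    }
  }
  return rules;
}

// Exact host or the "*" wildcard only (simplification).
function domainMatches(pattern, host) {
  return pattern === '*' || pattern === host;
}

// policyXml: body of the target host's policy file, or null if none was served.
function mayLoad(swfUrl, targetUrl, policyXml) {
  const swf = new URL(swfUrl);
  const target = new URL(targetUrl);
  // Same scheme, host and port: no policy needed. HTTP and HTTPS on the same
  // domain differ in scheme, so they do NOT take this shortcut.
  if (swf.origin === target.origin) return true;
  if (policyXml === null) return false;
  const httpToHttps = swf.protocol === 'http:' && target.protocol === 'https:';
  return parsePolicy(policyXml).some(
    (r) => domainMatches(r.domain, swf.hostname) && !(httpToHttps && r.secure));
}

// Constructed sample policies for https://example.com/crossdomain.xml
const strictPolicy =
  '<cross-domain-policy><allow-access-from domain="example.com"/></cross-domain-policy>';
const relaxedPolicy =
  '<cross-domain-policy><allow-access-from domain="example.com" secure="false"/></cross-domain-policy>';

console.log(mayLoad('http://example.com/app.swf', 'https://example.com/data', null));
console.log(mayLoad('http://example.com/app.swf', 'https://example.com/data', strictPolicy));
console.log(mayLoad('http://example.com/app.swf', 'https://example.com/data', relaxedPolicy));
```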
(Reporter)

Updated

4 years ago
Blocks: 1029228
Whiteboard: [shumway]
Blocks: 1037580
(Assignee)

Updated

3 years ago
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE