Closed Bug 1066517 Opened 8 years ago Closed 7 years ago

Permission manager should operate on origins instead of host (domain) names

Categories

(Core :: Permission Manager, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1165263

People

(Reporter: freddy, Unassigned)

References

Details

In general, an origin is *the* scope of authority as per RFC6454 (http://tools.ietf.org/html/rfc6454). We should not use domain names.

The current state allows not only downgrades from stored-HTTPS to not-allowed HTTP. It might also lead to attacks from web pages on other ports (i.e. other origins).

Cookies should be left as an exception, as they are sadly designed to operate on host names.
This would sure make the gecko end of permission manager easier, since we could just work with principals...

It would also make it more plausible that permission manager could be sanely used for file://.
OS: Linux → All
Hardware: x86_64 → All
(In reply to Boris Zbarsky [:bz] from comment #1)
> This would sure make the gecko end of permission manager easier, since we
> could just work with principals...
> 
> It would also make it more plausible that permission manager could be sanely
> used for file://.

The current code uses the origin for file:// URIs, ironically.
It seems this is being implemented in bug 1165263 now.

Hooray \o/
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1165263
You need to log in before you can comment on or make changes to this bug.