Closed Bug 1066517 Opened 8 years ago Closed 7 years ago
Permission manager should operate on origins instead of host (domain) names
In general, an origin is *the* scope of authority as per RFC6454 (http://tools.ietf.org/html/rfc6454). We should not use domain names. The current state allows not only downgrades from stored-HTTPS to not-allowed HTTP. It might also lead to attacks from web pages on other ports (i.e. other origins). Cookies should be left as an exception, as they are sadly designed to operate on host names.
This would sure make the gecko end of permission manager easier, since we could just work with principals... It would also make it more plausible that permission manager could be sanely used for file://.
(In reply to Boris Zbarsky [:bz] from comment #1) > This would sure make the gecko end of permission manager easier, since we > could just work with principals... > > It would also make it more plausible that permission manager could be sanely > used for file://. The current code uses the origin for file:// URIs, ironically.
It seems this is being implemented in bug 1165263 now. Hooray \o/
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1165263
You need to log in before you can comment on or make changes to this bug.