Closed Bug 1141185 Opened 10 years ago Closed 10 years ago

Enforce Adobe's recommendation that Flash clickTAG URL parameters only use http:// or https://

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: cpeterson, Unassigned)

Details

Adobe recommends that ads verify that clickTAG URL parameters in HTML embed tags only use http:// or https://. Shumway should enforce this recommendation. In fact, Gecko could probably do this before loading Adobe's Flash plugin, too. http://www.adobe.com/resources/richmedia/tracking/designers_guide/ This is an important security measure. If you do not take this precaution, a malicious HTML page could source your SWF and pass a clickTAG URL that begins with "javascript:" or another scripting pseudo-protocol. If your ActionScript code were to call getURL with a maliciously crafted JavaScript URL, it would be possible for the site serving the malicious HTML page to obtain the contents of your HTTP cookies or perform other actions on your site's behalf.
Currently we whitelist targets used during "getURL" operation see https://github.com/mozilla/shumway/blob/master/extension/firefox/chrome/ShumwayCom.jsm#L460 to http and https only. We also apply allowScriptAccess policy there. See also https://helpx.adobe.com/flash/kb/control-access-scripts-host-web.html
(In reply to Yury Delendik (:yury) from comment #1) > Currently we whitelist targets used during "getURL" operation see > https://github.com/mozilla/shumway/blob/master/extension/firefox/chrome/ > ShumwayCom.jsm#L460 to http and https only. We also apply allowScriptAccess > policy there. Does that mean this clickTAG policy is already implemented and we can close this bug?
Flags: needinfo?(ydelendik)
> Does that mean this clickTAG policy is already implemented and we can close > this bug? I think so, with exception of "In fact, Gecko could probably do this before loading Adobe's Flash plugin, too." recommendation in comment 0.
Flags: needinfo?(ydelendik)
I'm moving this bug from Firefox::Shumway to Core::Plug-ins because Yury says Shumway effectively implements this already but that Gecko could do this by sanitizing clickTAGs before loading Adobe's Flash plugin too.
Component: Shumway → Plug-ins
OS: Mac OS X → All
Product: Firefox → Core
Hardware: x86 → All
Summary: Shumway should enforce Adobe's recommendation that clickTAG URL parameters only use http:// or https:// → Enforce Adobe's recommendation that Flash clickTAG URL parameters only use http:// or https://
I don't think we want to implement a Flash quirk for this, and if Flash already implements a check that should be sufficient.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.