Closed Bug 1187347 Opened 10 years ago Closed 10 years ago

service workers should reject scope and script URLs with %2f and %5c encoded characteres

Categories

(Core :: DOM: Service Workers, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1185640

People

(Reporter: bkelly, Unassigned)

References

Details

This is an issue that was raised by a user to to the chrome team. It appears some broken servers will decode %2f and %5c to slash characters before evaluating a URL. The browser doesn't, though. So the scope path restrictions can be bypassed on those servers. https://github.com/slightlyoff/ServiceWorker/issues/630
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.