XML-RPC tries to limit itself to http and https protocols, but this can be subverted by doing a server side redirect. To prevent this, XML-RPC needs to listen to redirects. Implement nsIHttpEventSink, and in onRedirect check the scheme again, blocking redirects to non http(s) URLs. You can look at XMLHttpRequest implementation on how it did this. Also, if you don't do it already, you should implement auth prompt in case the connection requires login & password. See method nsXMLHttpRequest::GetInterface() for a sample. One caveat, see bug 176051 (btw, Darin, I might need some help there).
nsIAuthPrompt is implemented, but i wanted add one more comment. if you have a same origin policy for xml-rpc requests, then you need to make sure that a HTTP redirect doesn't subvert that policy.
Can XML-RPC be used from Web pages? Are we shipping it by default? (It looks like it's built by default.)
It can't be used by web pages (except by signed script). We build and ship it by default.
Not a blocker since this can't be used by untrusted content.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.3alpha
xml-rpc will be using XMLHttpRequest as per bug 197087. That will handle the redirects safely and resolve this bug, right?
fixed by bug 197087
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.