cross-site ajax detection not understanding domain equality fully

Status: UNCONFIRMED (Unassigned)
Product: Core
Component: Security
Reporter: Brian Murrell
Version: Trunk
Reported: 9 years ago; last modified 3 years ago

Description (Reporter, 9 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

When trying to use an ajax handler on a webpage, I get the following error:

Security Error: Content at http://kingston.kijiji.ca./c-ViewAd?AdId=130029489 may not load data from http://kingston.kijiji.ca/c-ReportProblemByAjax?AdId=130029489&ViolationType=1.

It's subtle, but notice the difference in the domains of the two URLs. One is fully qualified, including the terminating dot at the end, and the other is "almost" fully qualified but missing the terminating dot.

Should those two domains not be considered equal for purposes of determining cross-site access or not?

Reproducible: Always

Comment 1 (9 years ago)
Same-origin policy needs to be strict. Different virtual hosts on the same server are not treated as same origin - this is no different. "example.com" and "example.com." always resolve to the same IP address but the server might still treat them as different virtual hosts. IMHO this should be WONTFIX.

Note that the way bug 368702 was fixed we don't even treat these host names as being in same domain - so they cannot share cookies for example. They cannot set document.domain to the same value either.
Component: Security → Security
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → toolkit
Hardware: x86 → All
Version: unspecified → Trunk
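As an added illustration (not part of the bug report or of Firefox's own code), here is the origin comparison Comment 1 describes, written against the WHATWG URL API that browsers and Node.js provide. It reuses the two URLs from the report; the only assumption is the table of scheme default ports.

```javascript
// Added example: same-origin comparison as a (scheme, host, port) tuple.
// The URL parser lower-cases the host and drops a default port, but it does
// NOT strip a trailing dot, so "kingston.kijiji.ca." and "kingston.kijiji.ca"
// are distinct hosts and therefore distinct origins.

function originTuple(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the port equals the scheme default; make it explicit
  // so that "http://a" and "http://a:80" compare equal.
  const defaultPorts = { "http:": "80", "https:": "443" }; // assumed table
  const port = u.port === "" ? (defaultPorts[u.protocol] ?? "") : u.port;
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The Host header the browser would send for a URL. A server may route the
// dotted and dotless names to different virtual hosts, which is why the
// browser cannot safely treat them as one origin.
function hostHeader(urlString) {
  const u = new URL(urlString);
  return u.port === "" ? u.hostname : `${u.hostname}:${u.port}`;
}

// The two URLs from the error message in the report.
const pageUrl = "http://kingston.kijiji.ca./c-ViewAd?AdId=130029489";
const ajaxUrl =
  "http://kingston.kijiji.ca/c-ReportProblemByAjax?AdId=130029489&ViolationType=1";

console.log("same origin:", sameOrigin(pageUrl, ajaxUrl)); // false
console.log("Host headers:", hostHeader(pageUrl), "vs", hostHeader(ajaxUrl));
// Case and default port are normalised, so this pair IS same-origin.
console.log(sameOrigin("http://example.com/", "HTTP://EXAMPLE.COM:80/x")); // true
```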