Closed
Bug 55137
Opened 25 years ago
Closed 11 years ago
Ability to restrict domain to a directory (document.domain or http header)
Categories
(Core :: Security: CAPS, enhancement, P2)
RESOLVED
WONTFIX
Future
People
(Reporter: security-bugs, Assigned: dveditz)
Our definition of an "origin" for security purposes is scheme://host:port. A
content developer has the option of widening this definition by assigning to
document.domain. They should also be able to narrow it to a specific directory
or even a specific file within a host.
This will be useful, for example, on geocities.com, where content from the same
host actually has many different owners. Narrowing the domain would allow an
author who posts to GeoCities to prevent other GeoCities pages from accessing
the author's page.
Comment 1•25 years ago (Reporter)
This is an enhancement. Marking Future.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Comment 2•25 years ago
Setting document.domain is great for expanding trust, but it seems to me that
restricting access should be done by an HTTP header, which the server has more
control over. Wouldn't allowing document.domain to restrict access set up a
race condition between the page's setting document.domain and the attacker's
trying to access the page?
Interestingly, GeoCities' 404 page displays the input url without escaping it
(http://www.cert.org/advisories/CA-2000-02.html). I wonder if they set this up
on purpose in order to remind paranoid users of the problem mentioned in this
bug report.
Updated•25 years ago
QA Contact: czhang → junruh
Comment 5•24 years ago (Reporter)
Target is now 0.9.5, Priority P2.
Priority: P3 → P2
Target Milestone: Future → mozilla0.9.5
Comment 6•24 years ago (Reporter)
time marches on...retargeting to 0.9.6
Target Milestone: mozilla0.9.5 → mozilla0.9.6
Comment 7•24 years ago (Reporter)
I don't think this will work as proposed, because of what Jesse mentioned, but
alternatively, it would be good if we could configure the security manager to
treat directories at a particular depth to be considered separate hosts. This
would solve the GeoCities problem. Changing summary.
Summary: Using document.domain to narrow the domain → Ability to restrict domain to a directory
Target Milestone: mozilla0.9.6 → Future
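The difference between the scheme://host:port origin from the description and the directory-depth idea in comment 7, as an added example that is not part of the bug report and is not Gecko code. The function names, the `depth` setting and the `hosting.example` URLs are constructed for illustration.

```javascript
// Added illustration: function names, the depth setting and the URLs are
// constructed for this example, not taken from Gecko.

// Origin as the bug describes it: scheme://host:port.
function origin(urlString) {
  const u = new URL(urlString);
  // URL reports the scheme's default port as "", so make it explicit.
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

// Canonical form of one path segment, so "%41rea51" and "Area51" compare equal
// while an encoded slash ("%2F") never merges or splits segments.
function canonicalSegment(segment) {
  try {
    return encodeURIComponent(decodeURIComponent(segment));
  } catch (e) {
    return segment; // malformed escape: compare it byte for byte
  }
}

// Hypothetical narrowed origin: the origin plus the first `depth` directories.
// Pages above that depth share the host-wide origin.
function narrowedOrigin(urlString, depth) {
  const u = new URL(urlString); // the parser resolves "." and ".." here
  const dirs = u.pathname.split('/').slice(1, -1); // drop the file name
  if (dirs.length < depth) return origin(urlString) + '/';
  const prefix = dirs.slice(0, depth).map(canonicalSegment).join('/');
  return `${origin(urlString)}/${prefix}/`;
}

function sameOrigin(a, b) { return origin(a) === origin(b); }
function sameNarrowedOrigin(a, b, depth) {
  return narrowedOrigin(a, depth) === narrowedOrigin(b, depth);
}

// Constructed sample: two owners on one shared host.
const alice = 'http://hosting.example/Area51/1234/index.html';
const bob = 'http://hosting.example:80/Area51/5678/guestbook.html';
console.log(sameOrigin(alice, bob));            // true
console.log(sameNarrowedOrigin(alice, bob, 2)); // false
```

The comparison runs on the parsed and canonicalized path, so dot segments and percent-encoded letters cannot move a page into another owner's directory key.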
Updated•23 years ago
Summary: Ability to restrict domain to a directory → Ability to restrict domain to a directory (document.domain or http header)
Updated•23 years ago
OS: Mac System 8.5 → All
Hardware: Macintosh → All
Updated•19 years ago
Assignee: security-bugs → dveditz
Status: ASSIGNED → NEW
QA Contact: ckritzer → caps
Comment 8•13 years ago
Is this bug still relevant?
Comment 9•11 years ago
The idea is still relevant, but we don't need to track it in a Gecko bug. (And it should certainly not involve document.domain.)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX