Open Bug 692843 Opened 13 years ago Updated 2 years ago

Need a way to mark a redirection as "safe" for CORS

Categories

(Core :: Networking: HTTP, defect, P5)

People

(Reporter: ma1, Unassigned)

Details

(Whiteboard: [necko-triaged])

Some extensions (e.g. HTTPS Everywhere and NoScript) need to transparently redirect channels, and this is broken by CORS when it happens cross-site (e.g. if an HTTP URI is redirected to its HTTPS counterpart); see https://bugzilla.mozilla.org/show_bug.cgi?id=677643#c65

We need to mark some redirects as "safe" so CORS lets them happen without complaints.

Since these redirects already pass the nsIChannelEventSink.REDIRECT_INTERNAL flag to nsIChannelEventSink.asyncOnChannelRedirect(), this might be used as a marker requiring no change in the clients.

If this is deemed unsafe/unpractical, a new eventsink or load flag may be introduced.
Assignee: nobody → bzbarsky
Blocks: 677643
Jonas, last time we talked about this you objected to having REDIRECT_INTERNAL without a URI check being treated as OK by CORS. So I assume you want a new flag?
Priority: -- → P2
Hmm.. I don't really remember my reasoning. It seems like it would be ok to use the REDIRECT_INTERNAL flag here.
Well, there are some REDIRECT_INTERNAL redirects (e.g. .url files) where it's not clear what we really want to do with CORS...

The current code was added in bug 464954, which is sadly light on discussion. :(
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P2 → P5
Assignee: bzbarsky → nobody
Priority: P5 → --
Priority: -- → P5
Whiteboard: [necko-would-take] → [necko-triaged]
Severity: normal → S3
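
The policy discussed in this thread, sketched as an added example (not Gecko code and not written by any commenter): a redirect is exempted from cross-origin CORS handling only when it carries REDIRECT_INTERNAL and also passes a URI check. The URI check chosen here (http to https with everything else unchanged) and the function names are assumptions; the flag value mirrors nsIChannelEventSink.

```javascript
// Added illustration, not Gecko code. Flag value mirrors nsIChannelEventSink.
const REDIRECT_INTERNAL = 1 << 2;

// Hypothetical URI check: newSpec must be oldSpec with only the scheme
// changed from http to https. Fragments are ignored.
function isSchemeUpgradeOnly(oldSpec, newSpec) {
  let oldU, newU;
  try {
    oldU = new URL(oldSpec);
    newU = new URL(newSpec);
  } catch {
    return false; // unparsable URIs are never treated as safe
  }
  if (oldU.protocol !== "http:" || newU.protocol !== "https:") return false;
  return oldU.hostname === newU.hostname &&
         oldU.port === newU.port &&          // "" means the scheme default
         oldU.username === newU.username &&
         oldU.password === newU.password &&
         oldU.pathname === newU.pathname &&
         oldU.search === newU.search;
}

// Hypothetical decision function for a CORS-aware redirect listener.
// Returns "same-origin", "safe-internal" or "cross-origin".
function classifyRedirect(oldSpec, newSpec, flags) {
  let oldOrigin, newOrigin;
  try {
    oldOrigin = new URL(oldSpec).origin;
    newOrigin = new URL(newSpec).origin;
  } catch {
    return "cross-origin";
  }
  if (oldOrigin === newOrigin) return "same-origin";
  // The flag alone is not trusted: an internal redirect to an unrelated
  // target still gets normal cross-origin CORS handling.
  if ((flags & REDIRECT_INTERNAL) && isSchemeUpgradeOnly(oldSpec, newSpec)) {
    return "safe-internal";
  }
  return "cross-origin";
}

// Constructed sample input: an extension-style http -> https rewrite.
console.log(classifyRedirect("http://example.com/api?q=1",
                             "https://example.com/api?q=1",
                             REDIRECT_INTERNAL));
```
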